By Glenn Miller
While the shocking events in Ukraine have raised the public profile of cyberattacks on critical infrastructure, Toronto Metropolitan University’s (TMU)—formerly Ryerson University—Cybersecure Policy Exchange project was diving deep into this complex issue long before Russia’s tanks rolled over the border.
With financial support from the Canadian Infrastructure Bank, Rogers and RBC, the report, entitled Secure Smart Cities: Making Municipal Critical Infrastructure Cyber Resilient, identifies a series of challenges the authors say must be met by the nation’s municipalities and other owners/operators of critical infrastructure. Assets such as energy, water and transportation systems are highly vulnerable to cyberattack.
The report’s authors, Stephanie Tran, Sharan Khela and Andre Côté, highlight four main points that need to be urgently addressed.
- The “scale, frequency and sophistication of ransomware and supply chain attacks” are on the increase. Although not always well publicized, disruptions to critical operations are a growing cause for concern. While headlines focus on major disruptions such as last year’s shutdown of the Colonial pipeline in the U.S., many less dramatic, but equally disruptive attacks are having a negative cumulative impact, often in smaller, under-resourced communities across Canada. The events in Ukraine underscore how state-sponsored cyberattacks can be used to cripple critical infrastructure.
- While the extent of under investment in critical infrastructure has been known for some time—the 2019 Canadian Infrastructure Report Card pulled no punches in this regard—TMU’s report suggests that a perfect storm is developing on this file. The Report Card acknowledged that infrastructure assets are physically deteriorating, but because most systems are now connected in some manner to the Internet, aging infrastructure assets are “more susceptible to cyberattacks,” suggests the TMU report. The problem for municipalities is that the cost to replace infrastructure assets is already unaffordable in many cases. Ensuring that replacement assets are also designed to be cyber-secure is out of scope for many organizations.
- The report also underscores a disturbing reality—finding the talent with expertise in cybersecurity to devise and implement strategic solutions is what one industry observer calls “mission impossible.” Even if municipalities and other owners were to put cybersecurity at the top of their spending priorities today, it would take years to fill the gap in human resources capacity. As the report makes clear, there simply aren’t enough knowledgeable people around to address the problem.
- Even though municipalities have decades of experience in developing emergency preparedness plans, traditional emergency management structures “lack clarity” in how cyber emergencies should be prepared for and responded to. Attacks on vulnerable critical infrastructure such as railways, electrical grids or even hospitals cause havoc within municipal boundaries, but municipalities do not control or manage those assets. The TMU report argues establishing collaborative relationships and a framework for cooperation within updated emergency preparedness plans must be in place before an event.
Progress is being made
Despite the dire warnings, the report also documents progress in some areas:
- Headway being made within the energy sector, resulting from expansion of NERC standards (North American Electric Reliability Corporation) to add cyber resilience criteria for the electricity grid;
- More municipalities are taking steps to prioritize cyber security;
- The insurance industry is making it easier for municipalities to qualify for insurance against attacks on critical infrastructure; and
- The federal government has launched two assessment tools for municipalities.
In this regard, initiatives from Public Safety Canada now offers two voluntary assessment tools aimed at supporting enhanced resilience against the threat of cyberattacks. The Canadian Cyber Security Tool (CCST) focuses on helping organizations “determine their operational resilience and cybersecurity maturity.” As the assessment takes only about an hour to complete, the resulting high-level report is seen as a starting point that allows “municipalities to benchmark themselves against their peers.”
The Regional Resilience Assessment Program (RRAP), on the other hand, is more comprehensive, and follows through on a commitment first articulated back in 2014 when the government updated its National Strategy for Critical Infrastructure and accompanying Action Plan. Although there is no cost, the tool takes four days to complete, and requires that municipalities first be accepted by Public Safety Canada before they can undertake the assessment.
Nevertheless, although the Secure Smart Cities report makes a strong case for collaboration across sectors, it makes only passing reference to the federal government’s National Infrastructure Assessment: Building the Canada We Want in 2050—a comprehensive engagement process dedicated to assessing national infrastructure that is currently underway. The initiative has already drawn criticism for its lack of attention to cyber issues. The resulting report, published in July 2021—Building Pathways to 2050: Moving Forward on the National Infrastructure Assessment—covers a lot of ground, but the term critical infrastructure is not addressed. More puzzling, given the increasing public profile of cyberattacks, is that the report makes no mention of cybersecurity or the need to improve resilience in the face of cyberattacks on infrastructure.
This shortcoming was noted in a submission to Infrastructure and Communities Canada by Quantum-Safe Canada, a not-for-profit organization based at the University of Waterloo whose mission is to ensure home-grown quantum innovation and talent is leveraged to Canada’s competitive advantage. But as recounted in a Globe and Mail opinion piece in 2019, “those same powerful quantum properties have a dark side: they will also enable much of today’s “unbreakable” encryption to be hacked in mere minutes.” Noting that the National Infrastructure Assessment focuses on the key role of infrastructure in “promoting economic growth, tackling climate change and improving social inclusion,” Quantum-Safe Canada observed that “none of these objectives are achievable if the country’s critical infrastructure is inoperable.”
To be fair, there are other government agencies and municipalities at work on this complex file, including:
- A recent report from Canadian Security Intelligence Service (CSIS)—Smart Cities and National Security—published in February 2022, provides another example of the federal perspective on cybersecurity. The report defines smart cities as “environments where digital technologies are used to enhance the quality and efficiency of municipal services.” Although CSIS is primarily concerned with the need to safeguard and prevent the manipulation of data, the implications for municipal and other local entities responsible for critical infrastructure are clear. CSIS states “In the hands of a hostile threat actor…data can be exploited to enable activities that compromise the safety and security of Canadians and …critical infrastructure.” (https://www.canada.ca/en/security-intelligence-service/corporate/publications/smart-cities-national-security/smart-cities-national-security.html)
- Back in 2018, Public Safety Canada, Shared Services Canada, and the Communications Security Establishment established the Canadian Centre for Cyber Security to provide stakeholders in all sectors with access to a single “high-functioning, responsive organization.” In addition to issuing advisories, technical briefings and formal threat assessments, the Centre manages the National Computer Security Incident Response Team (CSIRT), which is on call 24/7 across the country. Working with victims, the Centre works to “take down” several thousand infected websites and connected systems annually. (https://www.canada.ca/en/security-intelligence-service.html)
- In western Canada, the Alberta Urban Municipalities Association (AUMA) continues to offer specialized cost-effective access to their members through Strategm, a private company retained by the association. Strategm also authored a whitepaper, entitled Best Cyber Security Practices for Municipalities. (https://www.abmunis.ca/sites/default/files/BusinessServices/Insurance/Risk/stratejm_white_paper_-_best_practices_for_municipalities_oct_2020.pdf)
- The City of Toronto recently updated its digital infrastructure strategy. Published in March 2022, the new report places a high priority on cybersecurity. (https://www.toronto.ca/wp-content/uploads/2022/03/9728-DISFAcc2.pdf)
The Cybersecure Policy Exchange chose municipalities as the subject of its first major report because it was clear that “municipalities are not only under-resourced but are spread thin having to deal with such broad mandates.” The authors said that when they examined “the risk factor with respect to the impact of cyber vulnerability,” focusing on the needs of municipalities made the most sense and had the most catching up to do.
[This article originally appeared in the July/August 2022 edition of ReNew Canada.]
Glenn Miller, FCIP, RPP is a senior associate with the Canadian Urban Institute and co-founder of Strategic Regional Research Alliance.
Secure Smart Cities: Making Municipal Critical Infrastructure Cyber Resilient concludes with a reference to five resources the authors suggest can be helpful to municipal managers and policy makers.
- Association of Municipalities Ontario. (2020). A Municipal Cyber Security Toolkit: Best Practices to Guide and Improve Cyber Security Readiness (p. 23). Association of Municipalities Ontario. (https://www.amo.on.ca/sites/default/files/assets/DOCUMENTS/Reports/2020/AMunicipalCyberSecurityToolkit20200930.pdf)
- Miller, G. (2021, June 22). Prepare For the Worst, Hope For the Best. ReNew Canada. (https://www.renewcanada.net/feature/prepare-for-the-worst-hope-for-the-best)
- Internet Society & Next Century Cities. (2019, November 1). Security Factsheet: Why Should Municipalities Make Network and Data Security a Priority? Internet Society. (https://www.internetsociety.org/resources/doc/2019/why-should-municipalities-make-network-and-data-security-a-priority/)
- Canadian Centre for Cyber Security. (2018). State-Sponsored Espionage and Threats to Critical Infrastructure. Canadian Centre for Cyber Security. (https://www.cyber.gc.ca/en/guidance/state-sponsored-espionage-and-threats-critical-infrastructure)
- Barrett, M. (2018). Framework for Improving Critical Infrastructure Cybersecurity Version 1.1, NIST Cybersecurity Framework. NIST. (https://doi.org/10.6028/NIST.CSWP.04162018)
Featured image: According to, Secure Smart Cities: Making Municipal Critical Infrastructure Cyber Resilient, assets such as energy, water and transportation systems are highly vulnerable to cyberattack. (Bruce Power)