By Glenn Miller
Cyber security is finally emerging as a priority for municipalities.
Since the onset of the pandemic, thousands of Canadians have been forced to work remotely and the number of hours spent in front of computer screens has skyrocketed, along with our overall reliance on internet connectivity.
Unfortunately, the past 16 months have also seen an increase in the frequency of cyber attacks on municipal governments and local utilities. According to malware experts Emsisoft, more than 4,000 ransomware demands were made in Canada in 2020 alone.
Protection against cyber attacks
Most cyber attacks in Canada are ransomware demands related to data theft, but in the U.S. critical infrastructure such as municipal water, wastewater treatment plants and hydro utilities has been damaged or seen its functions impaired through malicious cyber attacks. Anca Pop-Charles, principal in charge of cyber security at Ross and Baruzzini, a U.S. consultancy working with Ontario’s Municipal Infrastructure Group, suggests that even though Canada may have experienced fewer direct cyber attacks on critical infrastructure than the U.S., the “attitude about being prepared should be, not if, but when.”
In February 2021, a small city in Florida suffered a potentially catastrophic breach when malicious hackers gained access to the town’s water treatment plant, most likely via remote access protocols put in place during COVID-19. As a horrified engineer watched in real time, the hacker raised the amount of sodium hydroxide (used to lower acidity) by a factor of 100. Officials explained that mandatory chemical checks would have prevented contaminated water reaching residents, but the ease with which the hacker gained access was of sufficient concern that the city’s mayor took the rare step of releasing details of the attack. He used the opportunity to call for more funding and IT resources to protect critical infrastructure.
Chronic underfunding of municipal water systems is not unique to the U.S. Similar challenges are faced in Canada. Even though the federal government recently announced millions for new spending to upgrade municipal water systems in Canada, the focus was on maintaining water quality, not cyber security.
But the Florida incident also raised the issue of transparency. In November last year, the City of Saint John, New Brunswick was forced to shut down all municipal services following a severe breach. Unlike the city in Florida that went public, Saint John not only refused to pay ransom demands but, controversially, elected not to reveal details of the attack, deciding instead to completely rebuild its systems. The city was then forced to communicate with the outside world through Gmail accounts until new systems had been installed and double checked.
Canada’s commitment to cyber security
Since ReNew Canada first covered this topic (Cyber Threats: Do Municipalities Have the Tools to Protect Their Critical Infrastructure? March/April 2019) local authorities have begun to see cyber security as a priority, even as the number of attacks continues to increase. The building blocks for establishing and maintaining better cyber security at the local level are being assembled, but are still at different stages of readiness.
The federal lead is the Canadian Centre for Cyber Security (Cyber Centre). Formed in 2018 following publication of “National Cyber Security Strategy—Canada’s Vision for Security and Prosperity in the Digital Age” by Public Safety Canada, the Cyber Centre brought together diverse expertise from Public Safety Canada, Shared Services Canada, and the Communications Security Establishment into one organization. The Cyber Centre works “side by side with provincial, territorial, and municipal governments as well as private sector partners to solve Canada’s most complex cyber challenges.”
The Cyber Centre’s latest threat assessment confirms that although the number of cyber attacks on municipalities and local utilities continues to increase, the vast majority of events are ransomware attacks targeting “victims who need to avoid a disruption in service.” But the Centre cautions that attempts to interfere with the electrical grid or inflict damage on water treatment and wastewater plants cannot be ruled out. Ironically, modernization upgrades could also increase the risk for utilities and municipal authorities. This is because the worlds of operational technology (OT) and information technology (IT) are beginning to merge. The Cyber Centre reports that “ransomware has almost certainly improved its ability to spread through corporate IT networks and threaten adjacent industrial control systems (ICS). In some cases, victims have chosen to disable their industrial processes as a precautionary measure during a significant ransomware event.”
Although Canada may not have the same risk profile as the U.S., Israel, India or Saudi Arabia, which have all suffered “state-sponsored cyber attacks,” this doesn’t mean that local authorities can afford to turn a blind eye to the possibility of disruptions to critical infrastructure by North Korea, Iran, Russia and China. This is because the source of cyber threats is open-ended, and in the cyber environment, geographic borders are meaningless, which makes tracking, investigation, apprehension and prosecution difficult. Some attacks are criminal (often seeking payouts in Bitcoin), while other bad actors are simply malicious individuals or “hacktivists” seeking to do damage for its own sake. Another troubling source of cyber attacks is disgruntled employees or contractors who feel they have been badly treated and decide to exact revenge by taking advantage of inside knowledge.
The non-profit CyberNB (New Brunswick) is a relatively new entity focused on cyber security for municipal critical infrastructure. Led by Executive Director Tyson Johnson, the organization also manages the Critical Infrastructure Protection Network (CIPnet), dedicated to implementing a four-pronged strategy for innovation in the sector through collaboration with government, business and academia: workforce and skills development; trust and compliance; innovation and infrastructure; and, growth and commercialization.
Since 2019, municipal associations in Alberta and Ontario have also begun to focus on the cyber security needs of their members.
Shortly after Shaun Guthrie joined the Alberta Urban Municipalities Association (AUMA) as its senior director, information technology, he reviewed the Association’s own cyber assets. Then, prompted by the findings of a Municipal Information Systems Association (MISA) survey that highlighted financial constraints as one of the principal obstacles preventing municipalities from establishing and maintaining cyber security capacity, AUMA searched for a company whose services could be delivered cost-effectively to members through AUMA. “Our arrangement with Stratejm (Canada’s first cloud-based cyber security-as-a-service company) brings scale to the table,” says Guthrie. “In a nutshell, we were able to negotiate volume discounts through the size of our membership that makes cyber security more affordable to individual municipalities.”
An example of a service available through Stratejm is Security Information and Event Management (SIEM). “A municipality generates millions of logs every month that are far beyond the capacity of human surveillance. SIEM runs through massive files then reduces the data down to a handful of suspicious entries—what I call ‘actionable intelligence.’ This is a true value-added contribution,” Guthrie says.
The Association of Municipalities of Ontario (AMO) takes a different approach. Pressed by members at AMO’s 2019 annual conference, AMO reconstituted its Digital Government Taskforce to focus on cyber security concerns.
The result was publication of a cyber security best practice toolkit in 2020 that provides a comprehensive overview of the challenges. Noting that “Smaller municipalities are targeted as low hanging fruit because they are often underfunded, underprepared, and do not have the capacity internally to implement effective cyber security measures,” the AMO toolkit provides advice on a number of priority steps, as well as access to vendors of record whose capabilities have been vetted.
Five pillars of cyber security preparedness for municipalities
The following points summarize current advice from multiple sources, including AMO, Ontario’s Cyber Security Centre of Excellence, CyberNB and the Cyber Centre. Municipalities and other local utilities should:
- Conduct a risk assessment, then develop a strategy to address vulnerabilities. This is an essential first step to ensure that your organization makes the most appropriate technological investments. Network segmentation addresses the imbalance between enhancements to IT systems and links to industrial control systems for physical devices such as pumps, valves and sensors. According to J.S. Edry, with Trend Micro, as the operation of electricity grids, water and wastewater treatment plants becomes more reliant on remote access industrial control systems, IT staff may not know enough about operational technology to ensure the system as a whole is well protected. It is also important to acknowledge that even the best intrusion detection software still requires live monitoring.
- Develop risk response protocols focused on recovery, business continuity and communications (internal and external). Make sure to integrate these findings into your organization’s emergency preparedness plan. “A municipality must also be prepared to deal with critical infrastructure owned by others but within its borders (e.g., a rail corridor transporting dangerous goods),” notes detective sergeant Vern Crowley, a member of the OPP’s Cybercrime Investigation Team.
- Carry out due diligence on all digital initiatives (including an evaluation of all contractors and companies providing digital services in the municipality’s supply chain). According to Anca Pop-Charles, “The trend is towards supply chain attacks, where hackers seek out weak links among vendors involved in supporting the main application.” Occupants of an office building in New York suffered a multi-million-dollar loss when hackers breached building management systems via a vending machine connected to the internet. As the Internet of Things (IoT) becomes more entrenched as an industry standard, the trend is to display all networks on a single dashboard. While a more streamlined design has functional benefits, Pop-Charles notes that “this also creates a single point of attack, potentially making it easier for hackers to gain access, requiring municipalities to take extra care in system design.” The upside is that advanced systems are now using AI as a predictive tool to determine the probability of specific types of attack.
- Invest in insurance. There are many options, ranging from business interruption to protection against liability suits stemming from inadequate preparation. Experts suggest this kind of coverage is useful because the insurer will likely require evidence of preparedness before agreeing to provide the coverage, which triggers a decision to upgrade or enhance cyber preparedness capacity.
- Establish permanent programs dedicated to education, training and awareness. People can be the weakest link, especially when harried staffers inadvertently trigger access to an organization’s systems through a phishing attack. The example of an unfortunate financial officer in a Saskatchewan municipality whose innocent reply to a phishing email saw $1 million transferred to a cyber thief rather than a contractor whose identity had been stolen is often cited as a cautionary tale.
Coping with COVID has understandably affected how municipalities and local utilities set their priorities, but given the potential for cyber attacks to inflict financial and physical damage on critical infrastructure, cyber security is finally being taken more seriously. As Brian Rosborough, AMO’s executive director, says, “AMO is supporting our members on cyber security by providing tools and learning opportunities…to help build staff knowledge and capacity around an important and evolving issue.” This fall, AMO will again be co-hosting a Municipal Cyber Security Forum with the Municipal Information Systems Association of Ontario (MISA-ON) to further support member learning on this critical topic.
Glenn Miller, FCIP, RPP is a senior associate with the Canadian Urban Institute and co-founder of Strategic Regional Research Alliance.