A new report from Canada’s leading authority on cybersecurity warns that criminals have our critical infrastructure in their sights. The cyber risks posed by the long lifecycles of industrial networks and utilities equipment have long been understood by those working in this space. But the real consequences of those risks are becoming increasingly clear.
In a recent report, the Canadian Centre for Cyber Security cautions that, “financially motivated cybercriminals will almost certainly continue to target high-value organizations in critical infrastructure sectors in Canada and around the world.”
Sectors like health, transportation, and telecommunications are essential to the everyday lives of Canadians, making them attractive targets for malicious actors. Successful cyber attacks against critical infrastructure could disrupt or even threaten the lives of Canadians.
The Cyber Centre’s warning comes on the heels of a major breach at one of Canada’s largest energy companies that left customers unable to use credit or debit cards at more than 1,500 Petro-Canada retail locations across Canada.
Unfortunately, the increasingly connected nature of operational technology, and the long technology life cycle of critical infrastructure, introduce new ways for attackers to access and disrupt the systems we rely on.
A telling example? In 2015, a Microsoft operating system called Windows 3.1 — first released in 1992 — was still running key air traffic control systems at one of France’s largest airports. That is, until the system crashed and brought operations to a standstill. While this interruption was not due to a cyber attack, it underscores the fact that our modern day lives are propped up in many places with dated technology that lacks modern security considerations.
By leveraging automation and artificial intelligence (AI) tools, cyber criminals are exploiting these vulnerabilities and evolving their tactics faster than infrastructure upgrades and organizational defences can keep pace with.
In one set of hands, AI can be used to identify vulnerabilities in an organization’s cyber defences. In another, it can be used to attack those very same weaknesses. The power of modern computing and AI to process massive amounts of data may change the objective of data breaches. Rather than simply demanding ransom, a breach may be the first step in a more targeted campaign based on a collection of harvested information.
When you’re operating outside the law, it’s easier to be an “early adopter” and experiment with new tools to bypass an organization’s defences. By comparison, legitimate organizations — especially large ones — often struggle to adopt new technologies, especially in critical infrastructure environments due to the complexities of process change or risk of service interruptions.
Sadly, this means that the good guys are more likely to feel the sting of new tech before they’re able to use it for their own defence.
Going forward, cybersecurity needs to be at the centre of our national approach to critical infrastructure. Strong cyber defences should be central to any evaluation of a project’s life cycle or to the viability of proposed systems. Whether it’s a new water treatment plant or an upgraded electrical grid, we need to design cyber-resilient systems at the outset, so we aren’t stuck with costly security retrofits down the road. This means embracing upgradability and extensibility, recognizing that the technology and threat landscape will change before an asset reaches the end of its lifespan.
Government can also leverage its procurement powers to promote stronger cybersecurity. Like federal procurement processes that require applicants to evaluate the environmental or gender-based impact of a project, cybersecurity should be taken into account in how federal public funds are distributed to any critical infrastructure project. Similarly, government should continue its efforts to align with recognized security standards like the Cybersecurity Maturity Model, which has been in practice in the U.S. for some time. Alignment with our global allies on strong cyber standards, especially those with which have interconnected infrastructures, can only help to improve our overall resilience.
For our existing networks, which may still be running aged (sometimes ancient) technology, we need to identify low-friction solutions that can help harden their defences. For example, a network firewall that monitors incoming and outgoing traffic for known malicious threats can often be integrated into even the most archaic information technology environments. In addition, the vast majority of cybersecurity breaches are the result of human error, so keeping our workforce up-to-date on the latest security practices is a must.
Billions have been pledged to overhaul critical infrastructure networks in the coming decade. To ensure Canada’s security and prosperity, cybersecurity and resilience must be at the core of this work going forward.
Jon Ferguson leads the Cybersecurity & DNS services unit at CIRA that builds upon the organization’s world class DNS services to provide cybersecurity services and training to Canadians and the global internet community. For the past 15 years, Jon has worked in product leadership roles for organizations building globally distributed Internet of Things and Cybersecurity solutions.
