How can we secure the processes, facilities, technologies, systems, assets, networks, and services essential to the safety, health, or economic well-being of Canadians? How can we enhance the cybersecurity posture for critical infrastructure that can be interconnected and interdependent within and across provinces, territories, and national borders? Cyber-attacks and disruption of critical infrastructure could result in catastrophic loss of life, adverse economic effects, and harm to public confidence, as is the case with the Colonial Pipeline hack.

Cyber Threats Targeting Canadian CI

As more critical infrastructure systems connect to the internet, hackers get an opportunity to target virtual systems installed to monitor and operate physical structures. As a result, targeted attacks against critical infrastructure are increasing on a global scale. Current cyber attacks against CI range from rendering computer networks and systems inaccessible for users to manipulating virtual and physical equipment. Some attacks also result in the theft or deletion of sensitive information.

According to the Canadian Center for Cyber Security (CCCS), cyber threat activities against critical infrastructure can have consequences more severe and wide-reaching than activities against businesses and individuals. In fact, such data breaches have the potential to compromise national security and public safety. 

It is apparent that the proliferation of malicious cyber tools allows even less sophisticated hackers to target critical infrastructure. Meanwhile, as the number and sophistication of the devices and technologies used to support, control, and monitor CI operations increase and become more interconnected, there is an increased threat landscape for threat actors targeting the systems.

CCCS has reported high-profile cases where cybercriminals have unwittingly compromised critical infrastructure systems while exploiting vulnerabilities in more generic contexts. The agency had also observed malware spread uncontrollably, infecting critical infrastructure networks even when hackers did not target them specifically. That is to say that CI providers are vulnerable to indiscriminate cybercrime activity.

Likewise, critical infrastructure's essential role in daily life means the systems and services are potential targets amid hostilities between states. By and large, state-sponsored cyber threat actors have launched cyber espionage attacks against CI networks in Canada and allied nations. For instance, CCCS states that state-sponsored threat actors have conducted reconnaissance and intelligence-gathering in the energy, aerospace, and defense sectors. 

The rise of ransomware attacks that allows cybercriminals to seize and encrypt crucial data from systems and demand a ransom for its return has also heightened the CI cyber risk. Such attacks have unintended consequences. A case in point is the Colonial Pipeline shutdown. It appears the critical infrastructure provider shut down the pipeline network and other crucial operations to prevent the malware from spreading. Unfortunately, the events resulted in a cascade of unintended widespread effects and collateral damage.

What are some of the interrelated factors in critical infrastructure that create a perfect storm of security exposures?

• Complex CI systems: Undeniably, many critical infrastructure systems are incredibly complex, with a growing number of devices and connections
• A mix of legacy and new systems: Many critical infrastructure systems involve a blend of insecure outdated legacy systems and new, safer technologies. Typically, new technologies offer features like automation and advanced analytics. However, connecting them to legacy systems compromises their security.
• Inadequate internal resources: as a whole, the security industry struggles with a shortage of internal resources. In particular, CI services lack a sufficient number of trained security personnel to meet their security needs.
• Situational awareness: all organizations need to be proactive about their security. CI sectors need to monitor their industrial environments to identify threats before they wreak havoc on systems. Spotting digital attacks with legacy systems is a challenge, and critical infrastructure providers need situational awareness to enhance the security of their industrial systems and networks.

Enhancing CI Cyber Resilience

The Government of Canada deploys a risk-based approach for strengthening the resiliency of the country's vital systems and assets, such as transportation, communications, public safety, electric grids, and food supply systems. Additionally, the government provides a National Strategy that establishes a collaborative, federal-provincial-territorial, and private sector approach built around partnerships, risk management, and information sharing and protection. Other than that, the Government of Canada has an Action Plan that acts as a blueprint for how the National Strategy will be implemented to enhance the resilience of the country's critical infrastructure.

With such strategies in place, the challenge here is that they remain as guidelines only, which critical infrastructure providers can choose to follow or not. For example, the New York Times quotes unnamed U.S. federal and private sector officials saying a preliminary investigation showed poor security practices at Colonial Pipeline. Christian Leuprecht, a Queen's University professor, also complained that Ottawa's cybersecurity was not prioritized. Leuprecht pointed to the recently proposed federal budget, which has few resources for enhancing the cyber resilience of the country's CI.

"One of the areas where we are profoundly vulnerable in a federal system is coordinating not just with the private sector but with provincial governments, municipal governments. All of them own pieces of the critical infrastructure," said Leuprecht. All indicators show that the need for combating cyber threats to critical infrastructure is well recognized. Still, the sectors remain far from secure due to various interrelated factors that create a perfect storm of exploits.  

In that case, Canada needs private-public cybersecurity partnerships. Overall, enhancing the cybersecurity posture of Canadian critical infrastructure requires an appropriate combination of security measures and processes to address accidental and intentional incidents. Besides that, business continuity practices are necessary to deal with disruptions and ensure the continuation of essential services. It is also vital to implement an emergency management plan to ensure adequate response procedures are in place to respond to unforeseen attacks and disruptions.

Furthermore, critical infrastructure providers need stringent cybersecurity compliance programs, making it compulsory for companies to follow strict security rules. For instance, the Canadian administration can demand such organizations to comply with existing guidelines and require certification for cybersecurity baseline. This was the case with the U.S. government that responded to the Colonial cyber-attack with an executive order to improve cyber resilience and federal government networks. Notably, the directive proposes a raft of measures to modernize standards and enhance information sharing and reporting requirements. Likewise, on October 14, 2021, hot on the heels of cyber incidents targeting various critical infrastructure sectors, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released alert AA21-287, turning attention to the fragility of the sectors. 

Eliminate Cyber Threats with Sentia

Sentia provides security solutions to safeguard critical infrastructure systems and valuable data from unwanted threats. Some of the cybersecurity solutions we offer include enterprise network security, compliance consulting, cybersecurity consulting, and managed security services, such as Log/SIEM management, IDS/IPS/HIDS management, file integrity monitoring, patch management, vulnerability scanning, PCI scanning, firewall management, and breach readiness as a service.

With Sentia's team of seasoned professionals, you'll get the consultative advice you need to help your business grow. So let's get the conversation started to see how we can help meet your unique needs to enable you to focus on what matters most – getting business done.

Request a conversation.