Just before security consultant Ray Boisvert stood to address a Toronto conference on cyber security and Canadian critical infrastructure, the building’s fire alarm went off and filled the room with a warning siren.
It was the perfect prequel for his speech, which warned that governments, utilities and financial institutions aren’t doing enough to defend critical infrastructure against online attacks.
In an interview, Boisvert, former assistant director of intelligence at the Canadian Security Intelligence Service (CSIS) and currently president of the consultancy I-Sec Integrated Strategies, rated the country’s efforts as only B-, although he admitted no country yet has an A. However, he believes the U.S. and Western European countries are ahead of us.
While the federal government has developed a national cyber security strategy for critical infrastructure and pushed provinces and 10 sectors to form groups for sharing information, Boisvert dismissed it as mainly “process” with little action.
At the local level, civic governments “are left to their own devices,” he said. Some hydro systems owned by cities or townships “are really, really vulnerable. They have no funds, and very little awareness of cyber security.”
Provincially, Ontario, New Brunswick and Alberta are the leaders, he said. As for the federal government, it needs a cyber czar with deputy minister authority to lead the charge at that level.
This person would be the “spokesperson in chief to drive the agenda amongst the agencies, because in my estimation there isn’t great co-ordination between agencies in Ottawa, even for those who have the money.”
He wasn’t alone in thinking critical infrastructure here isn’t facing the problem as well as it should. Robert Wong, executive vice-president and chief information and risk officer at Toronto Hydro, acknowledged in an interview that his industry isn’t as prepared for attacks as it could be.
“We’re not very mature… the whole industry is somewhat behind.”
On security for traditional IT systems we’re “middle of the road,” Wong said. “Where we really are behind is in the operational technologies” such as power line relays, monitors and sensors that until recently were electromechanical. Now they’re becoming IP-enabled but their security isn’t good enough. As a result “we’re playing catch up in terms of cyber security for the critical infrastructure in the grid.”
“We need to get our OT vendors to raise their games and make security a priority in their products.”
It is a priority of the technology committee of the Canadian Electricity Association, an industry group, he said. But Canada isn’t big enough to influence equipment manufacturers, he added.
In a pre-conference email interview a spokesman for Public Safety Canada said that since announcing its national critical infrastructure plan in 2010 the government has created partnerships with the provinces and private sector that “have helped the Government achieve significant progress in enhancing the resilience of Canada’s critical infrastructure. For example, the Government has published a risk management guide for critical infrastructure sectors; developed risk assessments of vital assets and systems; and conducted exercises to ensure that our plans will work in the event of a disruption or attack.”
Parts of the plan, which stretches to 2017, are still ongoing.
Critical infrastructure covers a wide range of facilities, including banks, utilities, gas stations, stadiums, hospitals and governments, where a successful cyber attack could bring parts of the country to their knees.
However, conference chair and cyber security consultant Curtis Levinson said in an interview that Canada and the U.S. are “very comparable” in what they are doing to prepare their countries’ critical infrastructure for cyber attacks. Levinson is an advisor to Ottawa as vice-president of the U.S.-based Center for Strategic Cyberspace and Security Science, as well as the U.S. cyber defence advisor to NATO.
However, he added that SCADA automated industrial systems in both countries are vulnerable to cyber attack. “Canada is no more ready than the U.S.” on these devices, he said, “and there needs to be considerable investment in hardening and protecting these industrial control systems.”
All levels of government should evaluate their supply chains to identify and harden these systems, he said.
In his opening address to the conference Levinson noted that while many organizations can live with remediation after a successful cyber attack, “we cannot afford to have attacks on critical infrastructure.”
An electric grid failure with no lights, no gas pumps, no stores open would be “pretty horrific,” he said.
In his address Boisvert noted the wide range of threat actors most organizations face – “script kiddies,” insiders, criminals, nation states – have over the years attacked critical infrastructure around the world. They may have different motives but the consequences of a successful attack are the same.
“Pro-active defence in depth” is what CISOs need to implement, he said. Organizations need to be aware of the likelihood of being attacked, and to manage cyber risk as a core business. There are still too many executives who think spending money can make the threat go away. “It will take money,” he added, but “it takes smart investing … it’s not one thing, it’s multi-layer.”