One of the country’s biggest technology associations is undertaking a national cyber security study of the manufacturing and critical infrastructure sectors to warn and educate small and medium enterprises in these sectors about the threats.
The Canadian Advanced Technology Alliance, whose members are mainly SMEs, said Monday it wants to measure the increasing attention being paid by criminals and nation states to the manufacturing and critical infrastructure sector.
Internet-connected industrial control systems (ICSs), which include supervisory control and data acquisition (SCADA) devices, are increasingly being adopted by manufacturing firms of all sizes. Add to them Internet of Things devices like sensors on pipelines and the result is a huge attack surface that can, if successfully breached, cripple a country.
The problem is serious enough that Public Safety Canada hosts an annual Industrial Control Systems Security Symposium.
However, many of the incidents the public knows about – such as two attacks against Ukraine’s power grid and a ransomware attack on an Ottawa hospital – are against big institutions, Jean-Guy Rens, vice president of the CATA Alliance and project manager, noted in an interview.
“But we know SMEs will be attacked … The big utilities usually they have more money, they have already deployed some protection. These best practices that have already been deployed by public utilities, we’d like to make them known to the small and medium-sized enterprises because they are next victims.”
One problem, Rens said, is that many companies – especially SMEs – are reluctant to admit they’ve been victims of a cyber attack. “We know it [the study] will not be a rosy story,” he added. “We know that there are several horror stories. We won’t be able to speak about them precisely but … we can put them in an aggregated form.”
But most importantly, SMEs are “who we want to educate.”
Rens said one of the sparks for the project was a speech by Hydro Quebec’s CISO “who told us of a story of an American utility that was attacked by ransomware. They didn’t get off the hook, they had to change their whole information system. What was costly was not so much the ransom itself but the money they had to invest afterward.”
The project, dubbed Cybersecurity Infrastructures and Manufacturing 4.0, will have three components:
– an invitation-only online questionnaire of organizations to get a good idea of the kind of Internet-connected physical equipment they have (sensors, interfaces with machines etc.), what kinds of defences have been deployed, and how many cyber attacks they’ve seen. The goal is to understand who is and isn’t aware of the problem;
– about 20 interviews of CISOs to get more granular information;
– and two workshops, one each in Toronto and Montreal, with organizations and security researchers at the end of February or early March to discuss what was gathered from the survey and interviews.
A report with recommendations and best practices is expected around the end of April. “We want to show not a list of things to do [to secure industrial devices] but also the process – how to begin,” said Rens.
The critical infrastructure sectors CATA is looking at are the 10 sectors identified by the federal government in its national cyber security strategy: government, finance, energy, water, health, food, telecommunications, manufacturing, transportation, and defence.
The project is being undertaken with four partners: CyberNB, an arm of the province of New Brunswick; Siemens Canada; and Quebec’s Ministry of Economy and Innovation.
“The need to protect critical infrastructure has given rise to new priorities,” Richard Wunderlich, director of smart grid initiatives at Siemens Canada, said in a statement accompanying the announcement. “It’s no longer just about protecting data, network integrity, or privacy, but about the availability of the infrastructure itself.”
Tyson Johnson, CyberNB’s chief operating officer, said in a statement that critical infrastructure is Canada’s critical front line in the event of a physical or virtual attack. “For organizations mandated to protect critical infrastructure, security is at the very heart of the operational mandate. With critical infrastructure, it is the daily operation of society that is at stake. Just consider the consequences of an extended power loss for a given population.”