Just before security consultant Ray Boisvert stood to address a Toronto conference on cyber security and Canadian critical infrastructure, the building's fire alarm went off and filled the room with a warning siren.
It was the perfect prequel for his speech, which warned that governments, utilities and financial institutions aren't doing enough to defend critical infrastructure from online attacks.
In an interview Boisvert, former assistant director of intelligence at the Canadian Security Intelligence Service (CSIS) and currently president of consultancy I-Sec Integrated Strategies, rated the country's efforts as only B-, although he admitted no country yet has an A. However, he believes the U.S. and Western European countries are ahead of us.
While the federal government has developed a national cyber security strategy for critical infrastructure and pushed provinces and 10 sectors to form groups for sharing information, Boisvert dismissed it as mainly "process" with little action.
At the local level, civic governments "are left to their own devices," he said. Some hydro systems owned by cities or townships "are really, really vulnerable. They have no funds, and very little awareness of cyber security."
Provincially, Ontario, New Brunswick and Alberta are the leaders, he said. As for the federal government, it needs a cyber czar with deputy minister authority to lead the charge at that level.
This person would be the "spokesperson in chief to drive the agenda amongst the agencies, because in my estimation there isn't great co-ordination between agencies in Ottawa, even for those who have the money."
He wasn't alone in thinking critical infrastructure here isn't facing the problem as well as it should. Robert Wong, executive vice-president and chief information and risk officer at Toronto Hydro, acknowledged in an interview that his industry isn't as prepared for attacks as it could be.
"We're not very mature... the whole industry is somewhat behind."
On security for traditional IT systems we're "middle of the road," Wong said. "Where we really are behind is in the operational technologies" such as power line relays, monitors and sensors that until recently were electromechanical. Now they're becoming IP-enabled but their security isn't good enough. As a result "we're playing catch up in terms of cyber security for the critical infrastructure in the grid."
"We need to get our OT vendors to raise their games and make security a priority in their products."
It is a priority of the technology committee of the Canadian Electricity Association, an industry group, he said. But, he said, Canada isn't big enough to influence equipment manufacturers.
In a pre-conference email interview a spokesman for Public Safety Canada said that since announcing its national critical infrastructure plan in 2010 the government has created partnerships with the provinces and private sector that "have helped the Government achieve significant progress in enhancing the resilience of Canada's critical infrastructure. For example, the Government has published a risk management guide for critical infrastructure sectors; developed risk assessments of vital assets and systems; and conducted exercises to ensure that our plans will work in the event of a disruption or attack."
Parts of the plan, which stretches to 2017, are still ongoing.
Critical infrastructure covers a wide range of facilities (banks, utilities, gas stations, stadiums, hospitals, governments) that a successful cyber attack could use to bring parts of the country to their knees.
However, conference chair and cyber security consultant Curtis Levinson said in an interview that Canada and the U.S. are "very comparable" in what they are doing to prepare their countries' critical infrastructure for cyber attacks. Levinson is an advisor to Ottawa as vice-president of the U.S.-based Center for Strategic Cyberspace and Security Science, as well as the U.S. cyber defence advisor to NATO.
However, he adds that SCADA automated industrial systems in both countries are vulnerable to cyber attack. "Canada is no more ready than the U.S.," on these devices, he said, "and there needs to be considerable investment in hardening and protecting these industrial control systems."
All levels of government should evaluate their supply chains to identify and harden these systems, he said.
In his opening address to the conference Levinson noted that while many organizations can live with remediation after a successful cyber attack, "we cannot afford to have attacks on critical infrastructure."
An electric grid failure with no lights, no gas pumps, no stores open would be โpretty horrific,โ he said.
In his address Boisvert noted that the wide range of threat actors most organizations face ("script kiddies," insiders, criminals, nation states) have over the years attacked critical infrastructure around the world. They may have different motives but the consequences of a successful attack are the same.
"Pro-active defence in depth" is what CISOs need to implement, he said. Organizations need to be aware of the likelihood of being attacked, and to manage cyber risk as a core business. There are still too many executives who think spending money can make the threat go away. "It will take money," he added, but "it takes smart investing... it's not one thing, it's multi-layer."
The conference, which continues Wednesday, is organized by the Canadian Institute.