A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken on March 1, 2017. Kacper Pempel/Illustration/Reuters
The Canadian Centre for Cyber Security has issued a warning about hackers tampering with online systems that control water, energy, and agriculture systems.
The alert, which was directed to information security officers, says the Centre and RCMP have received “multiple reports” over the past few weeks of hackers gaining access to internet-accessible industrial control systems (ICS).
The Canadian Centre for Cyber Security (CCCS) is part of the federal Communications Security Establishment and offers advice, guidance, services, and support on cyber security for Canadians.
“While individual organizations may not be direct targets of adversaries, they may become victims of opportunity as hacktivists are increasingly exploiting internet-accessible ICS devices,” CCCS said in the alert, issued Oct. 29.
One of the incidents involved a water pressure system with hackers “tampering with water pressure values,” which resulted in a disruption of service to the community, CCCS said.
It said a second incident was at an oil and gas company where an automated tank gauge was “manipulated,” triggering false alarms.
A third complaint was from a grain drying silo on a Canadian farm, according to CCCS. It said the temperature and humidity levels were manipulated, resulting in “potentially unsafe conditions.”
The government agency said that organizations can become victims of “hacktivists” who are looking to “gain media attention, discredit organizations, and undermine Canada’s reputation.”
ICS components that are at risk of being hacked include programmable logic controllers, remote terminal units, human-machine interfaces, supervisory control and data acquisition systems, safety instrumented systems, building management systems, and industrial Internet of Things devices.
CCCS said leaving such components vulnerable poses “significant risks to organizations, their clients, and the broader Canadian public.”
The agency made suggestions to protect Canadian facilities, including that provincial and territorial governments coordinate with municipalities and organizations to ensure that all businesses are inventoried, documented, and protected.
“This is especially true for sectors where regulatory oversight does not cover cyber security, such as water, food, or manufacturing,” CCCS said.
The agency said that municipalities and organizations should also ensure that services are administered securely by working with their service providers.
It suggested that organizations “conduct a comprehensive inventory” of internet-accessible ICS devices, adding that precautions should be taken, such as by using virtual private networks and two-factor authentication to avoid “direct exposure to the internet.”
CCCS also said that enhanced monitoring practices should be adopted.
It advised organizations to regularly conduct tabletop exercises to evaluate and improve response capabilities.
The agency said that if any activity similar to that highlighted in the alert is discovered, information security officers are encouraged to report the incident online at My Cyber Portal or email contact@cyber.gc.ca.