Pursuant to the Ontario Energy Board’s Ontario Cyber Security Framework (see our analysis of the framework), electricity utilities are required to complete an Inherent Risk Profile Tool and a related Self-Assessment Questionnaire.

But keeping up with cybersecurity developments can be challenging.

Below we highlight two threats recently identified by the Communications Security Establishment in its national threat assessment report, along with other relevant publications and developments.

The CSE report

The Communications Security Establishment is Canada’s signals intelligence agency. On November 18 it published its second national threat assessment report, which sets out general expectations about the Canadian cyber threat landscape over the next two years.

The value in the CSE report is that it is forward-looking, and published by an organization well-suited to make predictive judgements about cyber threats. The CSE cites exclusively public sources of information, but, as it makes clear, its judgement is based on public and classified information.

The CSE highlights two threats to the energy sector:

Ransomware

The CSE identifies critical infrastructure as a key target for threat actors using ransomware: “We assess that ransomware directed against Canada in the next two years will almost certainly continue to target large enterprises and critical infrastructure providers,” the report states. It also believes that increased targeting of poorly segmented industrial control systems is likely in the next two years, as threat actors “attempt to place increased pressure on critical infrastructure and heavy industry victims to promptly accede to ransom demands.”

State-sponsored intelligence gathering

Although the CSE makes clear that it does not anticipate nation state attacks targeting operational technology in the absence of international hostilities, it nonetheless judges such attacks as the most pressing threat to the physical safety of Canadians. In doing so, the CSE refers specifically to operational technology used to control “dam openings, boiler activities, electricity conduction, and pipeline operations.” And while physical safety risks are currently remote, the CSE says, “Nevertheless, cyber threat actors may target critical Canadian organizations to collect information, pre-position for future activities, or as a form of intimidation.”

Other recent publications and developments

Regulators outside Canada have recently released three reports on major cybersecurity incidents.

  • On October 15, the New York Department of Financial Services issued a report on the compromise of Twitter’s account management system that occurred earlier this year. The DFS report is a highly relevant resource on controlling the risks of remote access and remote work. For example, the DFS comments on the varying quality of different means of multi-factor authentication, reflective of a warning recently issued by Microsoft.
  • On October 30, the (UK) Information Commissioner’s Office issued a report on a major hospitality sector incident in which threat actors gained access to a company’s systems and undertook significant malicious activity over a two-year period before finally triggering an alert. The ICO makes prescriptions on monitoring and other network layer controls.
  • On November 13, the (UK) Information Commissioner’s Office issued a report on a major 2018 incident in which threat actors compromised a third-party “chat bot” script to scrape payment card and other data from a company’s online payment form. The ICO makes a number of prescriptions about managing supply chain risks, particularly in respect of application development.

Also of note, on November 4, ransomware recovery company Coveware published its quarterly ransomware report. The report includes a significant indication that Coveware is starting to see a “fraying” of threat actor promises to delete stolen data. Holding data for ransom and threatening publication on leak sites has become common in 2020. If one accepts Coveware’s report, the payment option is significantly less appealing.

The regulatory environment is also on the verge of major change. The federal government has introduced Bill C-11, which will replace PIPEDA with a new act called the Consumer Privacy Protection Act and, in particular, bring in a strict new enforcement regime. The greatest impact will be on local distribution companies. See our comprehensive analysis of Bill C-11 to learn more.

Takeaway

The threats outlined in the CSE report will not be new to some clients. Other clients should consider the CSE input and adjust their processes accordingly. Bill C-11 reinforces the ongoing pressure to be ready for cyber incidents of all kinds. Clients should view their incident response policies as living documents, ones that are subject to continuous testing and refinement.