Report finds leaks in Halifax Water cybersecurity systems

An audit of Halifax Water by the Halifax Regional Municipality's auditor general has founddeficiencies in the utility's cybersecurity,including employees clicking links in emails.

As part of the audit, an email purporting to be from a legitimate source with a link, known as a phishing email,was sent to 55 employees of the utility to test their awareness of security protocols.

According to the report, 45 employees clicked a link in the email and provided their credentials. Three others clicked the linkbut did not submit their credentials.

Auditor GeneralEvangeline Colman-Sadd'saudit looked atsupervisory control and data acquisition (SCADA) systems and made 21 recommendations for improving security.

The report said if security is compromisedit could affect control of the system and the supply and quality of water.

The utility has agreed to all of the recommendations for strengtheningsecurity included in thereport. The audit was undertaken from January2020 to November 2022.

Weaknesses identified inthe report includea lack of adherence to policies, insufficient controls on physical access to the plant and offices, and no process to manage inventory of spare parts.

"Halifax Water has not provided sufficient oversight of its operational technology (SCADA system) security risks," Colman-Sadd said in an email accompanying the release of the report.

"The audit found gaps in internal policies and procedures, and informal procedures meant to reduce risks for the security and availability of the SCADA system."

The report said recommendations to Halifax Water from a security consultant between 2016 and 2019 have not been put into effect.

No specifics

In a response to the report, Halifax Water said it accepted the findings but didn't provide specifics of its response plan.

"We continually work to safeguard our infrastructure and information technology systems, but there is always room for improvement," Louis de Montbrun, Halifax Water's acting general manager and CEO,said in a news release.

DeMontbrun said some work has already been done to improve their systems and the utility would address the rest in "a financially and operationally prudent way."

The audit included operational and monitoring systems but did not include systems managed by the information services section of the utility.