Report finds leaks in Halifax Water cybersecurity systems - Action News
Home WebMail Saturday, November 23, 2024, 07:36 AM | Calgary | -12.2°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Nova Scotia

Report finds leaks in Halifax Water cybersecurity systems

A report by the municipal auditor general on has pointed out 21 areas for improvement in how Halifax Water handles cybersecurity.

Utility agrees with 21 recommendations made by auditor general

A Halifax water tower is shown
A new report around cybersecurity is recommending areas of improvement for Halifax Water. (Mark Crosby/CBC)

An audit of Halifax Water by the Halifax Regional Municipality's auditor general has founddeficiencies in the utility's cybersecurity,including employees clicking links in emails.

As part of the audit, an email purporting to be from a legitimate source with a link, known as a phishing email,was sent to 55 employees of the utility to test their awareness of security protocols.

According to the report, 45 employees clicked a link in the email and provided their credentials. Three others clicked the linkbut did not submit their credentials.

Auditor GeneralEvangeline Colman-Sadd'saudit looked atsupervisory control and data acquisition (SCADA) systems and made 21 recommendations for improving security.

The report said if security is compromisedit could affect control of the system and the supply and quality of water.

The logo of Halifax Water on a bill is seen through a glass of water.
Halifax Regional Municipality's auditor general issued 21 recommendations. (Jonathan Villeneuve/Radio-Canada)

The utility has agreed to all of the recommendations for strengtheningsecurity included in thereport. The audit was undertaken from January2020 to November 2022.

Weaknesses identified inthe report includea lack of adherence to policies, insufficient controls on physical access to the plant and offices, and no process to manage inventory of spare parts.

"Halifax Water has not provided sufficient oversight of its operational technology (SCADA system) security risks," Colman-Sadd said in an email accompanying the release of the report.

"The audit found gaps in internal policies and procedures, and informal procedures meant to reduce risks for the security and availability of the SCADA system."

Photo of Evangeline Colman-Sadd  at a microphone
Evangeline Colman-Sadd is HRM's auditor general. (Robert Short/CBC)

The report said recommendations to Halifax Water from a security consultant between 2016 and 2019 have not been put into effect.

No specifics

In a response to the report, Halifax Water said it accepted the findings but didn't provide specifics of its response plan.

"We continually work to safeguard our infrastructure and information technology systems, but there is always room for improvement," Louis de Montbrun, Halifax Water's acting general manager and CEO,said in a news release.

DeMontbrun said some work has already been done to improve their systems and the utility would address the rest in "a financially and operationally prudent way."

The audit included operational and monitoring systems but did not include systems managed by the information services section of the utility.