State-sponsored actors 'very likely' looking to attack electricity supply, says intelligence agency

State-sponsored actors are "very likely" trying to shore up their cyber capabilities to attack Canada'scritical infrastructure such as the electricitysupply to intimidate or to prepare for future online assaults,a new intelligence assessmentwarns.

"As physical infrastructure and processes continue to be connected to the internet, cyber threat activity has followed, leading to increasing risk to the functioning of machinery and the safety of Canadians," says a new national cyber threat assessment drafted by the Communications Security Establishment.

"We judge that state-sponsored actors are very likely attempting to develop the additional cyber capabilities required to disrupt the supply of electricity in Canada."

Today's report the second from the agency's Canadian Centre for Cyber Security wing looks at the major cyberthreatsto Canadians'physical safety and economic security.

TheCSE does say in the reportthat while it's unlikely cyber threat actors wouldintentionally disrupt critical infrastructure such as water and electricity supplies to cause major damage or loss of life,they would target criticalorganizations "to collect information, pre-position for future activities, or as a form of intimidation."

Such preliminary attacks have happened already.

The report saidRussia-associated actors probed the networks of electricity utilities in the U.S. and Canada last year and Chinese state-sponsored cyber threat actors have targeted U.S. utility employees. Other countries have seen their industrial control systems targeted by Iranian hacking groupsand North Korean malware was found in the IT networks of an Indian power plant, it said.

The threat growsas more critical infrastructure goes high-tech.

In the past, the operational technology (OT)used to control dams, boilers, electricityand pipeline operations has been largely immune tocyberattacks but that's changingas manufacturers incorporate newerinformation technology in their systems and products, says the report.

That technologymight make things easier and lower costs, but it comes with risks, said Scott Jones, the head of the cyber centre.

"So that means now it is a target, it is accessible and it's vulnerable. So what you could see is shutting off of transmission lines, you can see them opening circuit breakers, meaning electricity simply won't flow to our homes to our business," he told reporters Wednesday.

While the probability of such attacks remains low, Jones said the goal of Wednesday's briefing is to send out the early warnings.

"We're not trying to scare people. We're certainly not trying to scare people into going off grid bybuilding a cabin in the woods. We're here to say, 'Let's tackle these now while they're still paper, while they're still a threat we're writing down.'"

Steve Waterhouse, a former cybersecurity officer for the Department of National Defence who now teaches at Universit de Sherbrooke, said a saving grace for Canada could bethe makeup of itselectrical systems.

"Since in Canada, they're very centralized, it's easier to defend ... while down in the States, they have multiple companies all around the place. So the weakest link is very hard to identify where it is, but the effect is a cascading effect across the country ... And it could impact Canada, just like we saw in the big Northeastern power outage, the blackoutof 2003," he said.

"So that goes to say, we have to be prepared. And I believe most energy companies have been taking extra measures to protect and defend against these type of attacks."

In the future, attackstargeting so-calledsmart cities and internet-connecteddevices, such as personal medical devices, couldalso put Canadians at risk,saysthe report.

Earlier this year, for example,Health Canada warned the public that medical devices containing a particular Bluetooth chipincludingpacemakers, blood glucose monitors and insulin pumps are vulnerable to cyber attacks that could crash them.

The foreign signals intelligence agency also says thatwhilestate-sponsored programs in China, Russia, Iranand North Korea "almost certainly"pose the greatest state-sponsored cyber threats to Canadian individuals and organizations, many other states are rapidly developing their own cyber programs.

Waterhouse said he was glad to see the government agency call out the countries by name, representing a shift in approach in recent years.

"To tackle on and be ready to face a cyber-attack, you have to know your enemy," he said.

"You have to know what's vulnerable inside of your organization. You have to know how ... vulnerable it is against the threats that are out there."

Commercial espionage continues

State-sponsored actors will also continue theircommercial espionage campaigns against Canadian businesses, academiaand governments to steal Canadian intellectual property and proprietary information, says the CSE.

"We assess that these threat actors will almost certainly continue attempting to steal intellectual property related to combating COVID-19 to support their own domestic public health responses or to profit from its illegal reproduction by their own firms," says the "key judgments" section of the report.

"The threat of cyber espionage is almost certainly higher for Canadian organizations that operate abroad or work directly with foreign state-owned enterprises."

The CSE says such commercial espionage is happeningalreadyacross multiple fields, including aviation, technology and AI, energyand biopharmaceuticals.

While state-sponsored cyber activity tends to offer the most sophisticated threats, CSE said that cybercrime continues to be thethreat most likely to directly affect Canadians and Canadianorganizations,through vectors like online scams and malware.

"We judge that ransomware directed against Canada will almost certainly continue to target large enterprises and critical infrastructure providers. These entities cannot tolerate sustained disruptions and are willing to pay up to millions of dollars to quickly restore their operations," says the report.

Cybercrimebecoming more sophisticated

According to the Canadian Anti-Fraud Centre, Canadians lost over $43 million to cybercrimelast year. The CSE reported earlier this year that online thieveshave been using theCOVID-19 pandemic to trick Canadians into forking over theirmoney through scams likea phishing campaign that claimed to offer access to a Canada Emergency Response Benefitpayment in exchange for the target'spersonal financial details.

Online foreign influence activities a dominant theme in the CSE'slast threat assessment briefing continue and constitute "a new normal" in international affairsas adversaries seek to influence domesticand international politicalevents,says the agency.

"We assess that, relative to some other countries, Canadians are lower-priority targets for online foreign influence activity," it said.

"However, Canada's media ecosystem is closely intertwined with that of the United States and other allies, which means that when their populations are targeted, Canadians become exposed to online influence as a type of collateral damage."

According to the agency's own definition, "almost certainly" means it is nearly 100 per cent certain in its analysis, while "very likely" means it is 80-90 per cent certain of its conclusions. The CSE says its analysis is based off of a mix of confidential and non-confidential intelligence and sources.