SPECIAL FOCUS: OPERATORS’ FORUM
Incidents of cyber attacks on the rise during the COVID-19 pandemic
By Catherine Flannery
December 2021

Cybersecurity, the protection of internet-connected computer systems and networks from outside attacks, is one of the most serious economic and security challenges Canada and Canadians are facing, according to the Canadian Centre for Cyber Security. Since the onset of the COVID-19 pandemic, organizations in Canada and around the world have seen a rise in cybersecurity incidents affecting corporate devices (according to reports from IBM Security, Panda Security and others).

“One of the reasons is because more people are working remotely,” says Sav Chawla, vice president of Information and Information Technology (I & IT) at the Ontario Clean Water Agency (OCWA), the largest provider of water and wastewater services in Canada. “Even with excellent cybersecurity for work-at-home in place, organizations can face increased risk because people tend to behave differently at home than in the office.”

RISKY BEHAVIOURS

Risky behaviours include visiting unsafe websites while on a work device, allowing others in the household to use a work device, and using work devices for personal reasons. These behaviours put an organization’s network and data at risk.

One of the most common methods cyber attackers use against individuals is phishing. This is where an attacker poses as a legitimate source in an email. The goal is to trick the recipient into sharing confidential data such as credit card and login information or to install malware on the victim’s machine by encouraging them to click on a link.

Sometimes there will be obvious indications that the email is fraudulent. For example, the sender’s email address will contain a series of jumbled letters and numbers and the message will contain typos, grammar mistakes and strange capitalization. However, Chawla notes, cyber attackers are becoming increasingly sophisticated and we should all be extra vigilant.

EMAIL ADDRESSES FORGED

“More and more, organizations are experiencing a specific type of phishing called spoofing. Your employees receive an email from a trusted source (such as a work colleague or supplier) asking for sensitive information. But, in fact, a cyber attacker has forged the sender’s address.”

What can organizations do to protect themselves? “Awareness is key,” says Chawla. “You can have the best cybersecurity measures in place, but your employees are your best line of defence against cyber attacks. Help them to develop good cybersecurity hygiene through regular and up-to-date communications and training.”

SIMULATION EXERCISES

Organizations may want to consider phishing simulation exercises as part of their cybersecurity toolkit, says Chawla. During these simulations, an IT department sends out fake phishing emails and tracks how people react. Some staff will identify the email as suspicious and report it, whereas others will click the link in the email. The clickers will get a pop-up alerting them to the simulation. “These exercises can be very effective in raising cybersecurity awareness. They provide a real wake-up call for some staff.”

While phishing as well as other cybersecurity attacks against individuals are on the rise, so are those targeting businesses and organizations as entities, including utilities. Chawla cites the case earlier this year where a computer hacker gained remote access to a water treatment facility in Oldsmar, Florida, and tried to compromise the water supply. A quick-thinking operator was able to interrupt the real-time attack, avoiding a potential public health emergency.

DATA HELD TO RANSOM

Increasingly, hackers are using a form of malware attack called ransomware against victims. The ransomware prevents users from accessing their systems or data and demands the organization pay to regain access. A number of Canadian municipalities have experienced ransomware attacks over the past several years.

In the face of these increased threats, Canadian utilities are being prompted to assess their cyber systems for vulnerabilities and take action to protect their operations. For example, Halifax Water, which provides drinking water, storm and wastewater services to more than 300,000 people, is looking to beef up its cybersecurity.

“As a trusted water and wastewater operator, OCWA considers the protection of client data and operational systems to be a top priority,” says Chawla. “The Agency employs robust cybersecurity measures, such as real-time detection, intrusion protection, advanced anti-malware software and regular employee training on cybersecurity threats.”

EDUCATE STAFF

Chawla adds that it’s “vital for municipalities themselves to also have protocols in place to protect their water and wastewater systems. For example, ensuring that any third-party contractors they hire are accessing the systems in a safe way.” She also recommends that municipalities and all organizations educate staff (especially those working from home) on cybersecurity hygiene and provide a clear and easy way to report suspicious activity.

Reprinted with permission from OCWA. Catherine Flannery is a marketing and community outreach specialist with OCWA. For more information, email: ocwa@ocwa.com
Environmental Science & Engineering Magazine