VANCOUVER — Cyber attacks target companies in Canada’s energy and utilities sector at nearly double the rate of all other industries combined, according to documents obtained by The Logic, creating “significant consequences for national security, public safety and the economy.” 

The sector “continues to be one of the most targeted sector[s] by cybercriminals,” reads a memo to the deputy minister of Natural Resources Canada (NRCan) which The Logic obtained via an access-to-information request. Government records show NRCan received the memo in November 2020.

In early May, hackers forced Colonial Pipeline, the largest refined products pipeline in the country with roughly 8,850 kilometres covered, to take some of its operations offline. The company said a group called DarkSide demanded it pay a ransom of 75 bitcoins. Colonial Pipeline’s CEO confirmed the company paid US$4.4 million and the FBI later recovered 63.7 bitcoin valued at about US$2.3 million, part of the alleged ransom payment.

It’s an example of how hackers increasingly target not only corporations whose security may be lax, but also those with “mission-critical operations that cannot risk stoppages, or [have] a clear ability to pay up,” CIBC analyst Stephanie Price wrote in a note in the wake of the Colonial cyberattack. 

In Canada, 39 per cent of businesses in the energy and utility sector that responded to a Statistics Canada survey said they were impacted by a cyber security incident in 2019. That’s nearly double the average—21 per cent—across the 23 industries surveyed. (The more-detailed findings come from Statistic Canada’s survey of about 9,300 businesses with at least 10 employees between January and March 2020 from industries including construction, utilities, manufacturing and retail trade. A 2017 survey provided baseline data for future reference.)

Three of the industry’s four subsectors—pipeline transportation; oil and gas extraction; and electric power generation, transmission and distribution (electricity)—reported the highest share of incidents across all sectors at nearly 65 per cent, nearly 42 per cent and about 32 per cent, respectively. Eighteen per cent of businesses in the remaining subsector, natural gas distribution, reported incidents.

NRCan did not provide comment on the memo before publication.

“Typically hackers want to go after businesses or industries that are either easy targets or, even if they are difficult targets, they do see a potential of getting some sort of a financial gain,” said Vivek Gupta, partner of cybersecurity and digital forensics at BDO Canada. “I think it’s a combination of both in the case of oil and gas.” 

The companies tend to be easy targets because they operate two information technology systems, he said. The first includes traditional email and financial systems. The second is an operational technology system that was traditionally isolated and hackers had to be onsite to infiltrate it. However, the COVID-19 pandemic forced companies to change these systems—which often don’t have the latest security provisions—to be accessed remotely, giving hackers a new way in.

Secondly, “attackers are going to attack organizations that have a lot to lose,” he said, like in  the Colonial Pipeline attack where the level of disruption can force the company’s hand to pay the ransom.

Hackers may target Canadian companies to create disruptions and make out with a bounty, as well, according to the note. In fact, businesses in the sector reported attacks against them most frequently, or 25 per cent of the time, were attempts to steal money or demand ransom payments. That’s 16 per cent higher than across all sectors. However, only three per cent of all businesses attacked said they paid a ransom.

The problem for the industry is not likely to disappear. The Canadian Centre for Cyber Security believes “that ransomware directed against Canada will almost certainly continue to target large enterprises and critical infrastructure providers,” according to its 2020 national cyber threat assessment report. “These entities cannot tolerate sustained disruptions and are willing to pay up to millions of dollars quickly to restore their operations.” It also raised alarms about state-sponsored actors, such as those in China, Russia, Iran and North Korea. These “are very likely attempting to develop cyber capabilities to disrupt Canadian critical infrastructure, such as the supply of electricity, to further their goals,” it said. However, it’s “very unlikely” they’ll intentionally disrupt these systems without international hostilities present.

The memo acknowledges that “cybercriminals will almost certainly continue to target Canada’s energy and utilities sector.” While ransom is one motivating factor, there are other risks beyond lost profits. Hackers may target the sector to “steal intellectual property and proprietary business information, and obtain personal data about customers. Malicious actors may also intentionally seek to disrupt energy operations and cause power outages, disruptions to oil and natural gas supplies or physical damage to infrastructure.” 

These kinds of disruptions can cause, for example, gas shortages at the pumps and price increases, as the company may have to slow down production due to storage constraints until they sort out the distribution problem, said Gupta. 

Companies in the sector are becoming more proactive, rather than reactive, in dealing with cybersecurity now, based on his experience. They tend to conduct risk assessments and hire third-parties to do so-called ethical hacks to expose potential weaknesses, he said, rather than wait to deal with the problem only if they are attacked. The memo notes that companies in the sector outperform others on security measures, being more likely to use anti-malware software, as well as network and email security.

“Although, there’s still a lot more work to be done,” said Gupta, “I don’t necessarily see that clients are doing everything that they need to do to protect themselves.” The memo acknowledges that many businesses in the sector don’t use mobile security, hardware and asset management, and web security. Gupta would like to see companies do more than ad-hoc cybersecurity, but have a strategy that allows them to continually assess and evolve.

NRCan, which contributed $100,000 to the $1.5-million survey project, will use the findings “to identify gaps, and inform policy and program development.” It plans to continue prioritizing cybersecurity “by deepening collaboration with domestic and international partners through a number of shared initiatives, and enhancing the cyber security of Canada’s domestic and cross-border energy infrastructure.”

— With files from Claire Brownell in Toronto