Russian cybercriminals managed to hack into a Quebec municipality’s water treatment plant systems and had the ability to wreak havoc on the crucial infrastructure before getting caught, according to Canada’s cyber spy agency.

In its latest annual report released Monday, the Communications Security Establishment (CSE) said that it detected over 3,200 cyber incidents affecting either federal government organizations or one of ten critical infrastructure sectors, such as energy, critical minerals and water.

In one particular case discussed in the report, the signals intelligence agency said it was advised last October that Russian hacktivist group NoName had broken into the Quebec water plant’s network and gained access to many crucial systems.

According to CSE, NoName claimed it had gained the “ability to covertly control pumps, chlorine dosing, pressure settings and monitoring/alerts systems.” The report does not identify the impacted Quebec municipality.

The annual report … points to two main state cyber adversaries: Russia and China. The report emphasizes that both countries pose a growing threat in the Canadian Arctic, where challenges posed by adversaries go “beyond traditional military and cyber threats to include economic and influence-related activities that seek to shape access, infrastructure, and decision-making in the region.”

  • orioler25@lemmy.ca
    3 days ago

    Does anyone have any sources or knowledge on how the network infrastructure for these systems is designed? I’ve never investigated this and wouldn’t know where to look, and this article doesn’t provide much information (it’s a Postmedia Network source, btw, so take this all with a grain of salt).

    I can’t imagine that any remote access isn’t done through SSH or an intranet for exactly this reason. Is that incorrect? Or is there a reason they wouldn’t be and a way that these systems could be compromised by an employee’s device that has access to the internet?

    • quick_snail@feddit.nl
      3 days ago

      Most likely Windows XP on an old Dell desktop in a closet. Can’t be upgraded due to some no longer maintained driver blah blah

      • orioler25@lemmy.ca
        2 days ago

        Why is that most likely? I’m having a hard time finding reliable information on how these water treatment systems are actually designed, but everyone feels very comfortable speculating.

          • orioler25@lemmy.ca
            2 days ago

            Okay, but you do understand that anyone can just say that though, right? Do you have any public links that you’d be aware of from working in the govt that relate to information on this?

            • quick_snail@feddit.nl
              2 days ago

              No, they wouldn’t advertise that.

              Best you’ll find is news articles about compromises on critical infrastructure. But, even then, the government is going to do its best to bury their incompetence that was the root cause.

              • orioler25@lemmy.ca
                2 days ago

                Again, I’ve never researched this before (especially so for Quebec), so I guess it is a little surprising that public spending like that wouldn’t have to disclose some specifics around the use of funds and who is involved for contracts.

                And like, yeah, but what level of government is this? Was it a consequence of municipal decisions? Provincial funding? The general neoliberalism that has dominated Canadian politics and economics for the past four decades? There are a lot of factors to determine how much of a concern this actually is and how to realistically address it.

    • I_am_10_squirrels@beehaw.org
      3 days ago

      I worked in water treatment during an internship and learned about air gapping. You make it so that data can go out for monitoring, but nothing can come in. You need physical access to make changes. Because if someone can control it remotely, that means anyone can control it remotely.

      • orioler25@lemmy.ca
        2 days ago

        I mean, SSH would create some barriers that make this question even more relevant. If there was a weakness somewhere (even if just because remote access was available), it better have been a result of user error and not poor infrastructure design.

    • kent_eh@lemmy.ca
      3 days ago

      The smaller the municipality (and the older the system), the less likely that they have a robust IT department managing all the access controls.

      Then again, I’ve also encountered an office (not utility infrastructure) where some random employee had plugged a Wi-Fi access point into their desk’s Ethernet port and set it on the window ledge so they could use their phone on the company network while they were outside having a smoke… (yes, they faced consequences when management was made aware)

      As we all know, security is only as good as your weakest link.

      • orioler25@lemmy.ca
        2 days ago

        Yeah I think the size of the municipality is a great thing to keep in mind for this, as I’m sure a more rural, low population, and dispersed municipality would likely have less funding to update and maintain these systems. What I’m curious about is if this is a consequence of that neoliberalization – whether this was a result of reduced public funding and therefore the adoption of privatized, profit-driven solutions – or if it was simply a consequence of older infrastructure and poor discipline. Those are very different explanations that present their own risks for the rest of us to be concerned about and options for what we are able to do about it.