Number: AL25-016
Date: October 29, 2025
Audience
This Alert is intended for Chief Information Security Officers (CISO) and decision makers.
Purpose
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
Details
In recent weeks, the Cyber Centre and the Royal Canadian Mounted Police (RCMP) have received multiple reports of incidents involving internet-accessible industrial control systems (ICS). One incident affected a water facility, where water pressure values were tampered with, resulting in degraded service for its community. Another involved a Canadian oil and gas company, where an Automated Tank Gauge (ATG) was manipulated, triggering false alarms. A third involved a grain drying silo on a Canadian farm, where temperature and humidity levels were manipulated, resulting in potentially unsafe conditions if not caught in time.
While individual organizations may not be direct targets of adversaries, they may become victims of opportunity as hacktivists are increasingly exploiting internet-accessible ICS devices to gain media attention, discredit organizations, and undermine Canada's reputation.
Exposed ICS components, including Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), Human-Machine Interfaces (HMIs), Supervisory Control and Data Acquisition (SCADA) systems, Safety Instrumented Systems (SIS), Building Management Systems (BMS), and Industrial Internet of Things (IIoT) devices, pose significant risks to organizations, their clients, and the broader Canadian public.
Suggested actions
Unclear division of roles and responsibilities often creates gaps that leave critical systems unprotected. Effective communication and collaboration are essential to ensuring safety and security.
Provincial and territorial governments are encouraged to coordinate with municipalities and organizations within their jurisdictions to ensure all services are properly inventoried, documented, and protected. This is especially true for sectors where regulatory oversight does not cover cyber security, such as Water, Food, or Manufacturing.
Municipalities and organizations should work closely with their service providers to ensure that managed services are implemented securely, maintained throughout their lifecycle and based on clearly defined requirements. Vendor recommendations and guidelines should be followed to secure devices and services from deployment through decommissioning. Cyber Centre guidance referenced below can greatly assist organizations in providing frameworks for securing these systems. The Cyber Security Readiness Goals (CRGs) [Footnote 1] are a recommended minimum set of cyber security practices an organization can adopt to bolster its cyber security posture.
Organizations are advised to conduct a comprehensive inventory of all internet-accessible ICS devices and assess their necessity. Where possible, alternative solutions—such as Virtual Private Networks (VPNs) with two-factor authentication—should be implemented to avoid direct exposure to the internet. [Footnote 2] [Footnote 3] [Footnote 4] If such alternatives are not feasible, enhanced monitoring practices should be adopted. This includes active threat detection measures such as Intrusion Prevention Systems (IPS), regular penetration testing, and continuous vulnerability management. [Footnote 5] Technical measures should be thoroughly tested for compatibility issues and to prevent service degradation.
Additionally, organizations should regularly conduct tabletop exercises to evaluate and improve their response capabilities and help define roles and responsibilities in the event of a cyber incident.
Should activity matching the content of this alert be discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.
The RCMP supports the Government of Canada's strategy to ensure cyber resiliency for critical infrastructure. Combatting cybercrime requires a whole-of-society approach—one that depends on strong partnerships and coordinated efforts between law enforcement, government agencies, and both the public and private sectors.
In addition to reporting to the Cyber Centre, recipients are encouraged to report to your police of jurisdiction. Early contact allows police to coordinate investigation(s) with your organization's legal team and/or to assist with mitigation actions. Although not every complaint will result in an active criminal investigation, your reporting and cooperation will contribute to efforts by law enforcement to investigate and disrupt cybercriminal activities impacting the safety and security of Canadians.