Security considerations for critical infrastructure (ITSAP.10.100)

Critical infrastructure (CI) plays an essential role in delivering and supporting the necessities of daily life, including commonly used utilities and services such as water, energy and banking. Disruptions to CI can cause essential services to fail, endanger public safety or result in loss of life. This publication describes how CI sectors can be compromised and what security measures can be implemented to mitigate the risks.

Critical infrastructure sectors

CI refers to processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. CI is often interconnected and interdependent within and across provinces, territories and national borders.

The National strategy for critical infrastructure identifies the following 10 CI sectors:

  • energy and utilities
  • finance
  • food
  • government
  • health
  • information and communication technology
  • manufacturing
  • safety
  • transportation
  • water

Operational technology and industrial control systems as potential threat targets

Operational technology (OT) refers to the computing systems used to automate industrial processes and operations across many sectors. Industrial control systems (ICS) are a major subset of OT that allow CI providers to remotely monitor processes and control the physical devices in their infrastructure.

OT systems that must be connected to the Internet or to other networks and systems are attractive targets for threat actors focused on disrupting OT, because that connectivity gives them a path to equipment that was often designed without network security in mind.

How cyber attacks impact critical infrastructure

Cyber attacks on CI can have serious and devastating consequences. Some of the impacts include:

  • interruption of essential services, such as electricity, water and natural gas
  • disruption in the production and supply of food and medical supplies
  • loss of public trust and confidence in the economy, national security and defence, and the democratic processes
  • damage to environment and risk to public health from chemical spills, toxic waste discharges or hazardous air emissions
  • lost revenue, reputational risks, job losses or legal consequences for companies and employees
  • disruption to hospital operations, or even compromised medical devices, that could lead to loss of life
  • damage to CI components that could disrupt, destroy or degrade processes and operations

The main threats to critical infrastructure

Cyber threats to CI sectors can involve stealing mission-critical information, locking sensitive files or leaking proprietary or sensitive information. Damage to CI can threaten national security, public safety and economic stability.

Threat actors may target CI sectors for financial gain. Some CI sectors, such as healthcare and manufacturing, are popular targets because their owners and operators cannot tolerate the loss of sensitive information or a long-term disruption of essential services, and they often have the financial resources to pay a ransom.

Insider threat actors may target CI for personal reasons, such as an act of revenge by disgruntled former employees or customers.

State-sponsored cyber threat actors may target CI sectors to collect information in support of broader strategic goals like influencing public opinion or policy development.

The following are some examples of the threats to CI.

Ransomware

Ransomware is a type of malware that denies users access to systems or data until a sum of money is paid. Other types of malware (for example, wipers and spyware) are used to target CI by infiltrating or damaging connected systems.

Denial-of-Service attack

A denial-of-service (DoS) attack is any activity that makes a service unavailable for use by legitimate users or that delays system operations and functions. A threat actor could make large parts of a CI sector unavailable and cause potentially catastrophic failure.

Insider threats

An insider threat is anyone who has, or had, knowledge of or access to an organization's infrastructure and information and uses it, knowingly or inadvertently, to cause harm. Insider threats can have a significant impact on a CI sector and its business functions.

These threats can cause a temporary or permanent loss of visibility and control within the CI processes and OT. Loss of control can prevent operators from being able to issue commands to mitigate malicious interference. This can result in uncontrolled damage and shutdown of system components, requiring hands-on operator intervention on the OT.

How to protect your sector from cyber attacks

CI network operators can reduce their risks of cyber attacks by implementing the following security measures.

Isolate CI components and services

Implement firewalls, virtual private networks (VPNs) and multi-factor authentication (MFA) for remote access connections to corporate networks. When using OT, test manual controls to ensure critical functions remain operable if your network is unavailable or untrusted. Use dedicated secure administrative workstations to separate sensitive tasks and accounts from non-administrative uses, such as email and web browsing. Implement network security zones to control and restrict access and data communication flows between components and users, so that a host in one zone can reach another zone only through an explicitly permitted path (for example, a jump host in a demilitarized zone). OT systems should be on an isolated network and not connected to the Internet.
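The zoning advice above can be checked against observed traffic rather than assumed. The following is an added example (not code from the Cyber Centre publication) that models three zones plus the Internet, an allow-list of permitted zone-to-zone flows, and evaluates constructed flow records against it. The address ranges, the jump host, the ports and the sample flows are all assumptions for illustration; a real deployment would feed it firewall or NetFlow exports.

```python
"""Zone-flow policy check for an OT network (added example, not from the
publication). Zones, hosts, allowed flows and the sample records are
constructed assumptions; the record format is 'src,dst,proto,dport'."""

import ipaddress
from typing import Iterable

# Assumed security zones. "internet" is the fallback for any address
# that does not belong to a defined internal zone.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),    # business network
    "dmz": ipaddress.ip_network("10.20.0.0/24"),          # jump host, historian
    "ot": ipaddress.ip_network("192.168.100.0/24"),       # PLCs, HMIs, SCADA
}

# Allowed flows as (src_zone, dst_zone, proto, dport). Anything else is denied.
# Corporate users reach OT only through the DMZ jump host (SSH with MFA).
ALLOWED = {
    ("corporate", "dmz", "tcp", 22),   # corporate -> jump host
    ("dmz", "ot", "tcp", 502),         # jump host -> PLC (Modbus/TCP)
    ("dmz", "ot", "tcp", 22),          # jump host -> engineering station
    ("ot", "dmz", "tcp", 5432),        # OT -> historian database in the DMZ
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses count as Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def parse_flow(line: str) -> tuple[str, str, str, int]:
    src, dst, proto, dport = line.strip().split(",")
    return src, dst, proto.lower(), int(dport)


def evaluate(lines: Iterable[str]) -> list[dict]:
    """One verdict per flow: 'allow' or a 'deny: ...' reason."""
    verdicts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, dport = parse_flow(line)
        sz, dz = zone_of(src), zone_of(dst)
        if (sz, dz, proto, dport) in ALLOWED:
            verdict = "allow"
        elif dz == "ot" and sz == "internet":
            verdict = "deny: Internet-facing OT"
        elif dz == "ot" and sz == "corporate":
            verdict = "deny: corporate host bypassing jump host"
        elif sz == "ot" and dz == "internet":
            verdict = "deny: OT egress to Internet"
        else:
            verdict = "deny: flow not in policy"
        verdicts.append({"src": src, "dst": dst, "proto": proto, "dport": dport,
                         "src_zone": sz, "dst_zone": dz, "verdict": verdict})
    return verdicts


# Constructed sample flows (not real logs): src,dst,proto,dport
SAMPLE_FLOWS = """\
10.10.5.23,10.20.0.10,tcp,22
10.20.0.10,192.168.100.15,tcp,502
10.10.5.23,192.168.100.15,tcp,502
203.0.113.7,192.168.100.15,tcp,502
192.168.100.15,198.51.100.9,tcp,443
10.10.5.23,10.20.0.10,tcp,3389
""".splitlines()


def violations(lines: Iterable[str] = SAMPLE_FLOWS) -> list[dict]:
    """Only the flows that break the zone policy."""
    return [v for v in evaluate(lines) if v["verdict"] != "allow"]


if __name__ == "__main__":
    for v in evaluate(SAMPLE_FLOWS):
        print(f'{v["src_zone"]:>9} -> {v["dst_zone"]:<9} '
              f'{v["proto"]}/{v["dport"]:<5} {v["verdict"]}')
```

Of the six constructed flows, the first two (corporate to jump host, jump host to PLC) match the allow-list; the other four are denied, and the reason strings make the three most important failure modes explicit: a corporate workstation talking to a PLC directly, an Internet address reaching the OT zone, and an OT device initiating a connection out to the Internet.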

Enhance your security posture

Implement offline backups that are tested frequently to ensure you can recover quickly in the event of an incident.

Adopt a risk-based approach with updates

Use vulnerability management to evaluate your systems and determine which updates are actually necessary. Not every update needs to be applied, and an untested update can itself disrupt an OT environment, so test changes outside production before deploying them. Some vendors issue emergency patches to address critical security vulnerabilities, so it is important to stay informed about what your systems might require.

Develop an incident response plan

Include the processes, procedures and documentation related to how your organization detects, responds to and recovers from cyber attacks in your incident response plan. Have a plan specifically for OT and ensure the critical system components can operate safely in manual mode. Test and revise the plan periodically to ensure critical functions and operations continue in case of system disruptions or unexpected downtime.

Train your employees

Educate your employees on the importance of cyber security best practices, such as identifying phishing, using strong passphrases and reporting incidents as soon as they are detected. Have clearly defined standard operating procedures for security practices and for the acceptable use of process control systems that directly control physical systems and environments.

Monitor organizational activities

Collect, analyze and store records of user actions on information systems. Enable logging so that issues or events can be investigated. Monitor traffic at your Internet gateways and establish baselines of normal traffic patterns so that new or unusually large flows stand out. Highly sophisticated threat actors may influence or coerce employees (for example, through social engineering, bribery, blackmail or intimidation) to help them compromise security. To guard against these actors, enhance your insider threat monitoring and consider implementing a two-person rule for critical administrative functions.
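Establishing a traffic baseline at the gateway, as recommended above, is a concrete detection technique. The following added example (not code from the publication) builds per-flow daily byte statistics from a constructed baseline window and then flags, in an observation day, flows that were never seen before, internal hosts that never previously crossed the gateway, and known flows whose volume exceeds the baseline by a configurable number of standard deviations. The hosts, the 'day,src,dst,dport,bytes' record format, the threshold and all the records are assumptions for illustration.

```python
"""Gateway traffic baseline and deviation check (added example, not from
the publication). Records are constructed samples of the form
'day,src,dst,dport,bytes'; hosts and thresholds are assumptions."""

from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: seven days of normal outbound traffic for two flows.
BASELINE = """\
# day,src,dst,dport,bytes
d1,10.20.0.10,203.0.113.50,443,120000
d2,10.20.0.10,203.0.113.50,443,118000
d3,10.20.0.10,203.0.113.50,443,125000
d4,10.20.0.10,203.0.113.50,443,119000
d5,10.20.0.10,203.0.113.50,443,121000
d6,10.20.0.10,203.0.113.50,443,122000
d7,10.20.0.10,203.0.113.50,443,120500
d1,10.10.5.23,198.51.100.9,443,50000
d2,10.10.5.23,198.51.100.9,443,48000
d3,10.10.5.23,198.51.100.9,443,51000
d4,10.10.5.23,198.51.100.9,443,49000
d5,10.10.5.23,198.51.100.9,443,52000
d6,10.10.5.23,198.51.100.9,443,50000
d7,10.10.5.23,198.51.100.9,443,50000
""".splitlines()

# Constructed observation day: one normal flow, one large transfer on a
# known flow, one new destination, and an OT host that should never be here.
OBSERVED = """\
d8,10.20.0.10,203.0.113.50,443,121000
d8,10.10.5.23,198.51.100.9,443,2400000
d8,10.20.0.10,198.51.100.77,443,9500000
d8,192.168.100.15,203.0.113.8,443,4000
""".splitlines()


def parse(lines):
    """Yield (day, src, dst, dport, bytes) tuples, skipping comments/blanks."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, src, dst, dport, nbytes = line.split(",")
        yield day, src, dst, int(dport), int(nbytes)


def build_baseline(lines):
    """Per-flow (mean, spread) of daily bytes plus the set of internal sources."""
    per_flow = defaultdict(list)
    hosts = set()
    for _day, src, dst, dport, nbytes in parse(lines):
        per_flow[(src, dst, dport)].append(nbytes)
        hosts.add(src)
    stats = {}
    for key, samples in per_flow.items():
        mu = mean(samples)
        sigma = pstdev(samples) if len(samples) > 1 else 0.0
        # Floor the spread at 5% of the mean so a perfectly flat baseline
        # still tolerates small day-to-day drift instead of alerting on it.
        stats[key] = (mu, max(sigma, 0.05 * mu))
    return stats, hosts


def analyze(baseline_lines, observed_lines, k=3.0):
    """Return every observed flow with a list of reasons it deviates (empty if normal)."""
    stats, known_hosts = build_baseline(baseline_lines)
    results = []
    for day, src, dst, dport, nbytes in parse(observed_lines):
        key = (src, dst, dport)
        reasons = []
        if src not in known_hosts:
            reasons.append("new internal source host at gateway")
        if key not in stats:
            reasons.append("flow never seen in baseline")
        else:
            mu, sigma = stats[key]
            if nbytes > mu + k * sigma:
                reasons.append(f"volume {nbytes / mu:.0f}x baseline mean")
        results.append({"day": day, "src": src, "dst": dst, "dport": dport,
                        "bytes": nbytes, "reasons": reasons})
    return results


def alerts(baseline_lines=BASELINE, observed_lines=OBSERVED):
    """Only the observed flows that deviate from the baseline."""
    return [r for r in analyze(baseline_lines, observed_lines) if r["reasons"]]


if __name__ == "__main__":
    for r in alerts():
        print(f'{r["day"]} {r["src"]} -> {r["dst"]}:{r["dport"]} '
              f'{r["bytes"]} bytes: {"; ".join(r["reasons"])}')
```

The first observed flow stays within three spreads of its baseline and produces no alert. The other three each illustrate a different signal worth investigating: a 48-fold jump on a known flow (possible bulk exfiltration), a DMZ host contacting a destination never seen in the baseline, and a host from the OT range appearing at the Internet gateway at all, which on a properly isolated OT network should be impossible and points to a segmentation failure regardless of volume.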

For more security measures to consider, read the Cyber Centre's Cross-sector cyber security readiness goals toolkit.
