The head of Canada’s cyber-defence agency is offering some insight just weeks after a ransomware attack against Nova Scotia Power.
The utility’s computer systems were breached by ransomware hackers on March 19, but Nova Scotia Power did not discover it until April 25. The company disclosed the cybersecurity incident three days after that.
About 280,000 customers — more than half of the utility’s customers in the province — were informed by letter that their personal information may have been compromised in the attack. The data included names, addresses, phone numbers, birth dates, driver’s licences, social insurance numbers and banking information.
On Thursday, the Nova Scotia Energy Board granted approval to Nova Scotia Power to move forward with a $1.8-million project to improve cybersecurity.
The attack and its aftermath have sparked many questions about the security of the company’s IT systems.
Rajiv Gupta, head of the Canadian Centre for Cyber Security, spoke to CBC News in a rare interview about how these types of incidents unfold and what people and organizations like Nova Scotia Power can do to protect themselves.
This interview has been edited for length and clarity.
Can you explain a bit about your agency and what it does?
The Canadian Centre for Cyber Security is really Canada’s cyber defence agency. So, we provide advice, guidance and services to critical infrastructure systems of importance to Canada. Work primarily with the federal government is where we had started, but have really grown into critical infrastructure. And our goal is to raise cyber resilience across Canada.
We fall under CSE, which is the Communications Security Establishment, and CSE has a mandate for foreign intelligence, which goes back 80 years in terms of WW II. We report to the minister of national defence.
What do you make of the recent attack against Nova Scotia Power, which did ultimately affect about 280,000 customers?
We don’t comment specifically on specific incidents, but as a cyber centre … any critical infrastructure providers that have incidents can report their incidents to the cyber centre. So last year we saw about 1,500 incidents. We see a lot of these, and that’s what’s really important and kind of sad to understand as well, that this is happening so often in terms of cybercriminal organizations comprising critical infrastructure organizations in Canada.
Their motivation is money. They would compromise the network. So basically getting their software inside the network, but then stealing all the sensitive information from the organization and … then going ahead and encrypting systems and locking people out of their system. So we used to call that double extortion. So that way the criminal organization could threaten to release sensitive information, unless a ransom was paid, or also basically not give back access to systems unless a ransom was paid. So that was what we’re seeing and it was incredibly impactful to system operators within Canada.
In this case, Nova Scotia Power did not pay the ransom that was asked of them. Is that common practice?
What we always do is we provide advice and guidance to organizations and we say, “It’s a business decision,” because we’re not the ones operating their business, and we don’t know their exact context, say if it’s a threat to life or something else. But we always say, “Hey there’s a lot of downside to paying the ransom.” First of all, you’re funding these criminal organizations. So, the more ransom is paid, the more we’re going to proliferate this sort of behaviour. At the same point in time, you’re paying this ransom to criminals. What’s that contract worth in the end anyway? Is there really any guarantee that they’re either not going to share the confidential information, or they’re actually going to give you the keys to decrypt your systems and get your access back? The proceeds of this can go to criminal or even terrorist type causes as well, so, worrisome in that sense.
Are you able to say whether Nova Scotia Power had actually contacted your agency [following the breach]?
The one thing that I will say is that they did reach out to us. We always recommend that organizations that are victimized reach out to the cyber centre. We’ve seen many of these in the past and we have advice and guidance to share. And not only can we help the organization in their recovery, and in terms of paying the ransom, ransom might help you unlock your systems, but there’s still always recovery costs that are part of this as well, regardless of whether you work with the criminal organization or not. But in this case, they did reach out to us.
And the other thing we always encourage is … we hope that they share information about the compromise as well. Because we can take that and share that with other critical infrastructure organizations in Canada.
Did they share with you the extent of the breach?
We wouldn’t go into any details in that sense, but they did notify us of the breach.
Is there any sense of who might have been the perpetrator in this attack from your perspective? Nova Scotia Power says it has a sense of who it is.
I wouldn’t comment on that. There’s various groups and they often change shapes and forms as they get disrupted. Unfortunately it’s an ever-evolving group of cybercriminals that are out there that seem to be performing these behaviours. And we have an assessment out in terms of a cybercriminal activity in Canada as well that kind of points to the groups that we’ve seen as active.
About 140,000 [social insurance numbers] were included in the stolen data. How serious is this, when that type of personal information is accessed?
I couldn’t speak to the seriousness of that type of information, but what I will say is that this is exactly what cybercriminals go after. And depending on the type of information, it’ll fetch a different price on the dark web. Organizations will collect personal information, whether it’s SIN numbers, or credit card numbers, or health card numbers, other sorts of confidential information. Typically that information gets resold on the dark web for other criminals that are going to actually monetize that for other purposes. It’s kind of a not very positive circle that exists on the dark web.
The way this actually works in terms of what we call “cybercrime as a service” is that it’s a whole ecosystem of criminal entities that actually work together. And because it’s typically run out of operations that are beyond the legal borders — often in Russian-speaking countries where law enforcement won’t necessarily prosecute — it’s very difficult to disrupt these organizations. And even when law enforcement is able to disrupt them, it’s fairly easy for them to kind of reconstitute themselves.
What are some of the risks when this personal information is shared on the deep web or dark web?
Once that information is out there, that often just spurs the next cycle of fraud. Whether it’s spear phishing emails that are using that information, whether it’s leveraging information about an organization or their clients to actually further compromise them. That’s why it’s really important to take note for everyone to be mindful of the things they can do to protect themselves.
Be extra vigilant of understanding what’s being mailed to you and double checking those links and making sure it’s coming from an authenticated source and whatnot. Being mindful of content, making sure you have strong authentication in terms of how you’re actually accessing applications as well.
What would be your advice to Nova Scotia Power?
Really for all of these organizations, do your due diligence. Understand what your really critical elements are of your organization that would be your worst-case scenario. And then once you know what your worst-case scenario is, then you can defend that. Build the plan according to our ransomware playbook, have the backups in place, and have the strong measures in place.
The utility [Nova Scotia Power] applied for funding about a month before the ransomware attack. They cited the Canadian Centre for Cyber Security’s most recent threat assessment, pointing out that power grids are so interconnected that they can be really vulnerable to these types of attacks. What would be the warning signs of an attack like this?
One of the things that we’ve been very mindful of … as the world gets more hostile, we’re worried about impacts to critical infrastructure like electrical guide grids, pipelines, these sorts of things. A lot of them are controlled by systems that were never meant to be connected to the Internet. Nowadays, as people are looking to optimize efficiency, and connect to cloud services and connect sensors to networks, they’re becoming more exposed to threat actors from around the world. Normally, your electrical grid would only be threatened by people that are actually in the country and nearby, but as soon as you connect it to the internet, you’re pretty much opening a lot of this up to people from anywhere.
Does your agency have any authority over a private company that’s running a provincewide utility?
We are not a regulator. The cyber centre itself provides advice, guidance and services, but we have no authority over any of these entities. We work voluntarily to provide the best practices.
MORE TOP STORIES
