Halifax’s auditor general is putting pressure on the municipal water utility to fix significant potential leaks in its cybersecurity.
Evangeline Colman-Sadd and audit manager Leanne Burnett presented their Halifax Water SCADA System Audit to council’s Audit and Finance Committee on Thursday.
SCADA stands for Supervisory Control and Data Acquisition. In the context of a water utility, it refers to the system used to monitor and control the water supply.
“There have been recent reports of attacks on water SCADA systems in other jurisdictions,” the auditors wrote in their report, “from both internal and external threats.”
“If SCADA is compromised it could lead to loss of availability and control of the system, which could impact the water quality and supply.”
While Halifax Water “manages some risks” to its system, “there are significant gaps that need to be addressed.”
“The cybersecurity program at Halifax Water is not as mature as we expected for an organization responsible for critical water infrastructure,” the auditors wrote in their report.
Recommendations from consultants in 2016 and 2019 have gone mostly unimplemented. There are also outstanding actions from a 2010 plan, the auditors found.
Swipe cards and keys in the wrong hands
Colman-Sadd’s office found issues with the physical security of Halifax Water’s infrastructure, too.
“In terms of physical access, we looked at who has swipe cards and found that there were a number who do not require it for their jobs,” Colman-Sadd told the committee on Thursday.
“There were 14 at the Pockwock plant, 15 at Lake Major, and 32 at the SCADA office.”
The same goes for the actual keys to those plants.
“Some of the keys were assigned to people who have left Halifax Water or who have retired, for example, and some keys have not been located,” Colman-Sadd said.
Auditors sent fake phishing email, 82% fell for it
The audit wasn’t really looking at Halifax Water’s information technology (IT) department. But it did perform one test of those systems.
“We sent a sophisticated phishing email to 55 Halifax Water employees,” Burnett, the audit manager, told the committee.
“The IT group allowed our phishing email to pass through their security controls for the audit. The purpose of the email was not to test the security controls but to test staff awareness. So of the 55 employees who received the email, 45 employees submitted their credentials.”
That’s 82% who not only clicked the dodgy link, but actually submitted their information afterward. Another three employees (5%) clicked the link but didn’t provide their credentials.
Completion rates for cybersecurity training varied, Burnett said.
The audit made 21 recommendations, all accepted by management. Those included better cybersecurity awareness training, an updated cybersecurity strategy, and updated policies and procedures.
There was also an in camera report to deal with more sensitive security risks. Councillors on the audit committee spent almost an hour in camera discussing that portion of the auditor’s work. When they emerged, they didn’t pass any motion.
Colman-Sadd’s office will follow up on the recommendations within 18 months.
Halifax Water’s response
In an emailed statement, acting Halifax Water general manager and CEO Louis de Montbrun said he takes the auditors’ findings “very seriously.”
“We continually work to safeguard our infrastructure and information technology systems, but there is always room for improvement,” de Montbrun said.
The utility said it has already addressed some of the issues. But “given the sensitivity and potential risks to the utility’s systems and to protect the best interest of our customers, no specific details of the utility’s response plan will be disclosed.”