February 24, 2024

Report finds leaks in Halifax Water cybersecurity systems

An audit of Halifax Water by the Halifax Regional Municipality’s auditor standard has found deficiencies in the utility’s cybersecurity, including staff clicking backlinks in email messages.

As portion of the audit, an email purporting to be from a legitimate resource with a website link, identified as a phishing e mail, was despatched to 55 workforce of the utility to test their awareness of safety protocols.

In accordance to the report, 45 staff clicked a website link in the email and offered their credentials. 3 some others clicked the link but did not post their credentials.

Auditor General Evangeline Colman-Sadd’s audit appeared at supervisory manage and facts acquisition (SCADA) devices and built 21 tips for increasing stability. 

The report explained if stability is compromised it could have an impact on command of the system and the offer and top quality of drinking water.

The logo of Halifax Water on a bill is seen through a glass of water.
Halifax Regional Municipality’s auditor basic issued 21 suggestions. (Jonathan Villeneuve/Radio-Canada)

The utility has agreed to all of the recommendations for strengthening security involved in the report. The audit was carried out from January 2020 to November 2022.

Weaknesses determined in the report include a lack of adherence to procedures, insufficient controls on bodily entry to the plant and places of work, and no course of action to take care of stock of spare pieces.

“Halifax H2o has not supplied adequate oversight of its operational technological innovation (SCADA procedure) safety threats,” Colman-Sadd mentioned in an e mail accompanying the launch of the report. 

“The audit discovered gaps in inner guidelines and techniques, and informal procedures meant to minimize threats for the stability and availability of the SCADA technique.”

Photo of Evangeline Colman-Sadd  at a microphone
Evangeline Colman-Sadd is HRM’s auditor common. (Robert Shorter/CBC)

The report explained tips to Halifax Drinking water from a security advisor among 2016 and 2019 have not been put into influence.

No specifics

In a reaction to the report, Halifax Water mentioned it recognized the results but failed to offer specifics of its response plan.

“We regularly function to safeguard our infrastructure and details technological innovation devices, but there is generally room for improvement,” Louis de Montbrun, Halifax Water’s performing normal supervisor and CEO, said in a information release.

De Montbrun mentioned some operate has already been performed to boost their techniques and the utility would deal with the relaxation in “a fiscally and operationally prudent way.”

The audit integrated operational and monitoring devices but did not include systems managed by the data companies part of the utility.