Back to news

September 9, 2019 | Local, C4ISR

Norad asked Canada to 'identify and mitigate' cyber threats to critical civilian sites

by Murray Brewster

The U.S.-led North American Aerospace Defence Command (Norad) asked the Canadian military to do an inventory of its bases and the surrounding civilian infrastructure, looking for critical systems vulnerable to a cyberattack.

The letter to Canada's chief of the defence staff, written by then-Norad commander U.S. Admiral William Gourtney just over three years ago, was obtained by CBC News under access to information legislation.

Despite the passage of time, two leading cyber experts said the request highlights an enduring concern of both defence planners and people in high-tech industries.

The notion that a cyberattack could shut down civilian infrastructure — such as power grids, water treatment plants or traffic systems — in the vicinity of a military base is nothing new.

What is unusual is that Norad sought reassurance, at the highest levels of the military, that Canada was on top of the evolving threat.

The Norad commander asked Gen. Jonathan Vance to "identify and mitigate" Infrastructure Control Systems (ICS) vulnerabilities on Canadian military bases, particularly at "installations that are critical for accomplishing Norad missions."

The March 24, 2016 letter also urged Canada's top military commander to "advocate developing capabilities to respond to cyber incidents on CAF [infrastructure control systems] and defend CAF [infrastructure control systems] if required."

Gourtney's concern was not limited to defence installations; he asked Vance to "work with Public Safety Canada to identify civilian infrastructure that is critical to CAF and Norad missions. This includes developing processes for reporting cyber incidents on the identified civilian infrastructure."

Vance responded to Gourtney (who has since retired and was replaced by U.S. Air Force Gen. Terrence O'Shaughnessy) three months later and directed the military to hunt for vulnerabilities.

"I share Norad's concerns for the cybersecurity" of critical defence infrastructure, Vance wrote on June 10, 2016, in a letter obtained by CBC News under access to information legislation.

He noted that the Canadian government has identified "adversaries" that pose "a significant threat and efforts have been made to identify and develop protective strategies for Canadian critical infrastructure."

The Liberal government — through its defence strategy and overhaul of security legislation — tackled some of the concerns raised by Norad.

It gave the Communications Security Establishment (CSE) and the military new powers to conduct offensive cyber operations. Perhaps more importantly, it set up the Canadian Centre for Cyber Security for civilian infrastructure, which — according to CSE — aims to "be a place where private and public sectors work side-by-side to solve Canada's most complex cyber issues."

David Masson, a cyber expert, said minimizing the vulnerability of civilian, privately operated infrastructure continues to be an extraordinarily complex task.

The major vulnerability is in what's known as operational technology systems, the kind of computer-driven tasks in utilities and other infrastructure that open and close valves or perform remote functions.

The task of securing them is made extraordinary difficult in part by the wide variety of operating systems out there.

"There's lots of them," said Masson, the director of technology at Darktrace, a leading cybersecurity company. "Look at it as 50, 60, 70 different bespoke communications systems. There's no real standardization because they're so old. Many of them were never expected to be connected to the internet."

He pointed to the 2015 and 2016 cyberattacks on Ukraine's power grid, which in one instance cut electricity to 225,000 people, as examples of what's possible when hackers go after operational technology systems.

It is also the kind of event that Norad is concerned about.

"The kinds of equipment and machinery that supports the transport of natural gas or the provision of air conditioned services, or our water supply — all of those are critical to Canadians and our militaries," Lt.-Gen.Christopher Coates, the Canadian deputy commander, said in a recent interview with CBC News.

He said Norad is focused on the capabilities that are essential to doing its job of defending North America against attack, and they try to "minimize those vulnerabilities where we can."

There is, Coates said, an interesting discussion taking place at many levels of the military about what constitutes critical infrastructure.

"You asked if we're satisfied. I get paid to be concerned about the defences and security of our nations. I don't think I should ever be satisfied," he added.

'Inauthentic activity' in Alberta election a possible preview of tactics in the federal campaign, report warns
Privacy commissioner launches investigation into licence plate breach
With ransomware on the rise, RCMP urging victims to 'be patient with police'
Christian Leuprecht, a defence expert at Queen's University in Kingston, Ont., said defining critical infrastructure is a complex and evolving task.

He pointed to Russian interference in the 2016 U.S. presidential election; prior to that event, he said, the definition of critical infrastructure was limited to power plants, electricity grids and even the financial system.

"A lot of things people are wrestling with the question of what institutions — take, for example, democratic institutions — become critical infrastructure," said Leuprecht.

The Ukrainian attacks, in the view of many defence experts, are a blueprint of what the opening shots of a future war would look like.

"There's a considerable and growing awareness that our defence and critical infrastructure systems are closely tied together because countries, such as China, preserve cyberattack as a first-strike option," Leuprecht said.

Masson said there are ways to limit the vulnerability of operational technology systems. Not connecting them to the internet would be a start, but many companies are choosing not to do that for efficiency reasons.

He said they also can be protected with "robust" security systems.

https://www.cbc.ca/news/politics/norad-cyber-civilian-1.5273917

On the same subject

  • Supporting defence innovation – Innovative Solutions Canada launches new defence challenges | Soutenir l'innovation en matière de défense – Solutions innovatrices Canada lance de nouveaux défis en matière de défense

    April 7, 2022 | Local, Aerospace, Naval, Land, C4ISR, Security

    Supporting defence innovation – Innovative Solutions Canada launches new defence challenges | Soutenir l'innovation en matière de défense – Solutions innovatrices Canada lance de nouveaux défis en matière de défense

    Supporting defence innovation – Innovative Solutions Canada launches new defence challenges Innovative Solutions Canada (ISC) recently launched six new Calls for Proposals in its defence testing stream. ISC is seeking pre-commercial innovative prototypes that can be tested in real life settings and address a variety of defence priorities within the Government of Canada. The Testing Stream aims to procure, test and evaluate innovative late stage pre-commercial prototypes in the following areas: • Digital Enablers and Cybersecurity • UAS and Drone-related infrastructure • Enhanced Warfighting • Training and in-Service support • Enhanced Soldier systems • Smart Sustain and Fleet Optimization The purpose of this call for proposals is to create pools of pre-qualified innovations that Canada may select from to address a broad range of the Government of Canada organizations' requirements. Check the Innovative Solutions Canada web site for eligibility requirements and apply by 14:00 April 22, 2022. Soutenir l'innovation en matière de défense – Solutions innovatrices Canada lance de nouveaux défis en matière de défense Solutions innovatrices Canada (SIC) a récemment lancé six nouveaux appels à propositions dans le cadre de son volet mises à l'essai en défense. SIC est à la recherche de prototypes novateurs pré-commerciaux qui peuvent être testés en situation réelle et qui répondent à diverses priorités de défense du gouvernement du Canada. Le volet mise à l'essais vise à acquérir, à tester et à évaluer des prototypes novateurs pré-commerciaux de stade avancé dans les domaines suivants : • Outils numériques habitants et cybersécurité • Infrastructure liée aux systèmes de surveillance aérienne sans pilote et aux drones • Amélioration de la conduite de la guerre • Formation et soutien en service • Systèmes du soldat améliorés • Soutien intelligent et optimisation de la flotte Le but de cet appel à propositions est de créer des bassins d'innovations préqualifiées parmi lesquelles le Canada pourra choisir afin de répondre à un large éventail de besoins des organisations du gouvernement du Canada. Consultez le site Web de Solutions innovatrices Canada pour connaître les conditions d'admissibilité et présentez votre application d'ici 14h00 le 22 avril 2022.

  • Press Release - Government of Canada Awards Drone Airspace Management System Contract to Kongsberg Geospatial

    September 18, 2017 | Local, Aerospace, C4ISR

    Press Release - Government of Canada Awards Drone Airspace Management System Contract to Kongsberg Geospatial

    PSPC awarded a contract to Ottawa-based Kongsberg Geospatial for an emergency operations airspace UAV tracking system. http://www.prweb.com/releases/2017/09/prweb14704092.htm

  • New IDEaS Challenges

    November 6, 2020 | Local, Aerospace, Naval, Land, C4ISR, Security

    New IDEaS Challenges

    New IDEaS Challenges Our colleagues at The Department of National Defence's Innovation for Defence Excellence and Security (IDEaS) program have launched their 4th Call for Proposals! Check out their website to learn how you can support our troops with your logistics solutions, new armour designs and visual and data security. Here are their current opportunities: Essential Deliveries: Getting Vital Supplies to Troops Using Autonomous Vehicles Armour Up! Modular Lightweight Armour for Land Vehicles It's not just Noise – Innovative Tools for Acoustic Sensor Operators Better than Meets the Eye: Reliable Object Detection Amongst the Waves Making Data Make Sense: Real-time Data Analysis for Rapid Decision Making Knot Vulnerable - Locking Down Cybersecurity on Naval Vessels Navigating Your Next Chapter – The Transition Back to Civilian Applications must be submitted by December 10th, 2020. Learn more

All news