Report finds leaks in Halifax Water cybersecurity systems

A new report around cybersecurity is recommending areas of improvement for Halifax Water. (Mark Crosby/CBC - image credit)

An audit of Halifax Water by the Halifax Regional Municipality's auditor general has found deficiencies in the utility's cybersecurity, including employees clicking links in emails.

As part of the audit, a phishing email, a message with a link that purports to come from a legitimate source, was sent to 55 employees of the utility to test their awareness of security protocols.

According to the report, 45 employees clicked a link in the email and provided their credentials. Three others clicked the link but did not submit their credentials.

Auditor General Evangeline Colman-Sadd's audit looked at supervisory control and data acquisition (SCADA) systems and made 21 recommendations for improving security.

The report said if security is compromised it could affect control of the system and the supply and quality of water.

The utility has agreed to all of the recommendations for strengthening security included in the report. The audit was undertaken from January 2020 to November 2022.

Weaknesses identified in the report include a lack of adherence to policies, insufficient controls on physical access to the plant and offices, and no process to manage inventory of spare parts.

"Halifax Water has not provided sufficient oversight of its operational technology (SCADA system) security risks," Colman-Sadd said in an email accompanying the release of the report.

"The audit found gaps in internal policies and procedures, and informal procedures meant to reduce risks for the security and availability of the SCADA system."

The report said recommendations to Halifax Water from a security consultant between 2016 and 2019 have not been put into effect.

No specifics

In a response to the report, Halifax Water said it accepted the findings but didn't provide specifics of its response plan.

"We continually work to safeguard our infrastructure and information technology systems, but there is always room for improvement," Louis de Montbrun, Halifax Water's acting general manager and CEO, said in a news release.

De Montbrun said some work has already been done to improve their systems and the utility would address the rest in "a financially and operationally prudent way."

The audit included operational and monitoring systems but did not include systems managed by the information services section of the utility.