Is Canada’s Fuel Safe from Cyber Attacks?
We have had to line up for grocery stores. https://twitter.com/Faiza_AminTV/status/1248328135780769798
We have had to line up for vaccines. https://twitter.com/blogTO/status/1387808919561588747
Will Canada have to line up for fuel too?
Our friends south of the border waited a staggering 5 hours to fill up their tanks. Some even reminisced about the Arab oil embargo of 1973 and how that caused long lineups at the gas pump. While others estimated that the current panic buying was resulting in an average of 125 cars per hour trying to get their fill.
https://twitter.com/Energy_Tidbits/status/1392105238476120070
https://www.britannica.com/event/Arab-oil-embargo
https://twitter.com/InRodWeTrustMTL/status/1392477911349972993)
All because of a cyberattack on the Colonial pipeline that involved Ransomware. Ransomware holds data hostage in return for money.
https://cyber.gc.ca/en/guidance/cyber-threat-bulletin-modern-ransomware-and-its-evolution#fn1-rf)
If there is no fuel, you cannot take your car, nor the TTC bus to work. Trucks need fuel to deliver food to grocery stores (sorry, but we cannot rely on Uber eats cyclists to get us out of this one). Ambulances, fire trucks, police cars need fuel. The delivery of life-saving medicines requires fuel. If there is a disaster and you need to flee from Toronto, you need fuel for trains, boats and airplanes to help you get out.
At first, experts have downplayed the scenario by focusing on the short-term impact of the American pipeline cyberattack on Canadian prices. At best, a “slight impact” if left for a day or two, so long as it is not more than a week. This should be reassuring.
(https://globalnews.ca/news/7848225/us-colonial-pipeline-hack-gas-prices/)
But this headline of May 11, 2021 should serve as a wake-up call:
“Canada is ‘seriously vulnerable’ to ransomware attacks on critical infrastructure, says expert”. The article warns that “Canadians shouldn’t feel smug the attack didn’t happen here…Chances are any vulnerability in Colonial’s system also exists in Canadian pipeline firms.”
It has even been reported that Canada’s critical infrastructure strategy has not been updated since 2009.
A troubling report on “Threats to Canada’s Critical Infrastructure”, archived from 2003, states that:
“…currently there is a limited ability on the part of federal and provincial government departments and agencies to collect, collate, analyze and synthesize the modest amount of substantive qualitative information on actors, their actual and potential capabilities, intended targets, and recorded attempts to penetrate or attack assets or systems.
…oil pipeline systems make appealing targets, given their diffuse nature and the difficulty of effectively protecting them from attack. • In spite of attempts to secure these systems, the threat of a malicious attack on CI could increase. Canadian society relies on these networks, services and systems to an increasing degree, thus making them even more attractive targets.
(https://www.publicsafety.gc.ca/lbrr/archives/cn000034012674-eng.pdf)
One would hope that in 18 years since this report, we have come a long way from just shrugging our shoulders, throwing our hands up in the air and saying there is nothing we can really do about this problem.
On a more current note, in November 2020, the Canadian Centre for Cyber Security released the “National Cyber Threat Assessment 2020”. While the emphasis is on the safety of the individual and businesses, there is no mention of fuel.
(https://cyber.gc.ca/sites/default/files/publications/ncta-2020-e-web.pdf)
And if you are looking for answers from Natural Resources Canada, you will end up empty-handed, despite their thorough FAQs section, for there is no mention of what is being done exactly to protect Canada’s pipelines from cyber attacks.
The Canadian Association of Petroleum Producers (CAPP) boasts of:
“Operators also using sophisticated, computerized monitoring and control systems 24/7 to provide continuous, real-time information and conduct routine inspections and aerial patrols of the pipelines.” However, it is unclear from this description whether or not this is entirely manually operated or what proportion of these activities are connected to the internet, thereby rendering them more vulnerable to cyber-attacks.
(https://www.capp.ca/explore/oil-and-natural-gas-pipelines/)
We need to look at the bigger picture, if not beyond, otherwise, we run the risk of being “digitally disabled”.
(https://www.cbc.ca/news/opinion/opinion-national-security-1.6003674)
Canada has 840,000 km of pipelines. Only 73,000 km is actually federally regulated. 8.7% of our pipelines are the responsibility of the Canadian government. Can you believe that?
Consider this revelation that 50 times per week, other countries have been trying to infiltrate the computer networks of the Government of Canada. And this was 2017 at that.
(https://www.cbc.ca/news/politics/cyber-attacks-canada-cse-1.4378711)
How hard (or should I say how easy?) would it be for a cyber attack to topple over a provincially regulated pipeline, handled by smaller players?
Forget toilet paper. I’m gassing up.