The cyber threat to Canada’s water systems: Assessment and mitigation – Canadian Centre for Cyber Security

Summary

This Canadian Centre for Cyber Security assessment (current to 31 May 2025) examines cyber threats to water and wastewater systems, identifies the most likely actors and tactics, and sets out practical mitigations mapped to the Cyber Security Readiness Goals (CRGs).

Key judgements: operational technology (OT) that monitors and controls physical water processes is very likely the primary target; financially motivated cybercriminals (especially ransomware actors) pose the most immediate risk to water delivery; state-sponsored actors have almost certainly pre-positioned access and would likely act in times of crisis; and non-state actors are increasingly opportunistic, exploiting internet-exposed OT.

Key Points

  • OT networks (SCADA, PLCs, HMIs, IIoT) are assessed as very likely the primary target for disruption of water systems.
  • Financially motivated cybercrime—ransomware, extortion and business email compromise—is almost certainly the biggest near-term risk to reliable water supply.
  • State-sponsored actors have almost certainly gained pre-positioned access to some Canadian water systems; disruption would likely occur only in crises or conflict.
  • Non-state actors and hacktivists are exploiting internet-exposed OT, especially around geopolitical events, and causing real-world impacts (e.g. tank overflows).
  • The digital supply chain is a critical vulnerability: compromises to vendors, updates or integrators can provide indirect access to OT.
  • Publicly available tools and living-off-the-land techniques have lowered the barrier to entry for attackers and make detection and attribution harder.
  • Ransomware incidents are increasing in frequency, complexity and cost; multi-extortion and data theft are common trends.
  • Immediate mitigations recommended include phishing-resistant MFA, secure administrator workstations (SAW), network segmentation, and banning direct internet exposure of OT devices.
  • Operational best practice: maintain asset inventories, regular backups (separated from production), tested incident response plans and OT-specific training.
  • Procurement and supply-chain controls are essential: require vendor cyber-security assurances and prefer more secure suppliers when costs and function are similar.

Content summary

The report explains the structure and variety of Canadian water systems, showing how many smaller operators and ageing infrastructure increase the sector’s exposure. Increasing digitalisation has connected OT to corporate networks and the internet, enlarging the threat surface. Examples and historical incidents illustrate how remote access, default passwords and weak configurations have resulted in environmental and service impacts elsewhere.

It analyses the threat landscape: cybercriminals (ransomware, CaaS ecosystem and access brokers), state-sponsored groups (pre-positioning for disruptive action) and non-state actors (opportunistic scans and defacements). The assessment highlights specific groups and campaigns (for example Volt Typhoon) and emphasises cross-border dependencies that can raise risk for Canada.

The mitigation section maps practical controls to the Cyber Security Readiness Goals: implement phishing-resistant MFA, secure administrator workstations, change default passwords, limit internet exposure of OT, apply timely patching or compensating controls, segment IT/OT, enforce vendor requirements, provide training, maintain inventories, test backups and drill incident response plans.

Context and relevance

Clean water is critical infrastructure: disruptions affect public health, emergency services and the economy. The report is timely because water systems are increasingly connected but often managed by organisations with limited cyber resources, making them attractive targets. The assessment aligns with broader trends seen across critical infrastructure: increased ransomware sophistication, supply-chain compromises, and state actors seeking strategic access.

For municipal leaders, utility managers and cyber teams, this is a practical briefing that links threat analysis to specific, actionable mitigations. It also signposts further guidance and tools from the Cyber Centre for organisations that need technical detail or support.

Why should I read this?

Short version: if you run, provision, regulate or simply rely on water services in Canada, read this. It cuts through the jargon, flags actual risks (ransomware, exposed OT, vendor weak points) and gives concrete steps you can start using now to reduce the chance of downtime, pollution or costly recovery. We did the heavy reading so you can act faster.

Author style

Punchy — this is not academic fluff. The assessment is urgent and practical: leaders should treat it as a checklist for governance, investment and emergency planning.

Source

Source: https://cyber.gc.ca/en/guidance/cyber-threat-canadas-water-systems-assessment-mitigation