The cyber threat to Canada’s water systems: Assessment and mitigation – Canadian Centre for Cyber Security
Summary
This Cyber Centre assessment (information current to 31 May 2025) lays out the evolving cyber threat to Canada’s water and wastewater systems. It judges operational technology (OT), meaning SCADA, PLCs, HMIs and other control devices, to be the primary target for actors aiming to disrupt water services. Financially motivated cybercriminals (ransomware, business email compromise (BEC) and extortion) are assessed as the most likely immediate threat, while state-sponsored actors have almost certainly pre-positioned access and could disrupt systems in times of crisis. Non-state actors and opportunistic groups are increasingly scanning for internet-exposed OT with weak configurations and default credentials. The report stresses supply-chain risk, the widespread availability of offensive tools and ‘living off the land’ (LOTL) tactics, and provides practical mitigations mapped to the Cross-Sector Cyber Security Readiness Goals (CRGs), including MFA, secure admin workstations, segmentation, patching, backups and incident response planning.
Key Points
- OT networks that monitor and control physical water processes are very likely the main target for disruptive actors.
- Financially motivated cybercriminals are most likely to affect water systems; ransomware is the single biggest cyber threat to water supply reliability.
- State-sponsored actors have almost certainly gained pre-positioned access to Canadian water systems but would likely act only in times of major crisis or conflict.
- Non-state actors (hacktivists, opportunists) are a rising threat, frequently exploiting internet-exposed OT with weak/default credentials.
- Supply-chain compromises and internet-connected vendor access increase the attack surface and provide indirect routes to OT networks.
- The availability of public cyber tools and LOTL techniques lowers the barrier for attackers and complicates detection and attribution.
- Ransomware incidents are growing in frequency, cost and complexity, driven by ransomware-as-a-service (RaaS), cybercrime-as-a-service (CaaS) and multiple-extortion tactics.
- Mitigations recommended include phishing-resistant MFA, secure administrator workstations, changing default passwords, strict network segmentation, timely patching or compensating controls, asset inventories, backups and regular incident response drills.
- The Cyber Centre links recommended actions to its Cross-Sector Cyber Security Readiness Goals and offers support and resources for asset owners.
Why should I read this?
Short answer: because clean water is non-negotiable and this report tells you exactly how cyber threats could mess that up — and what to do about it. We’ve done the slog of analysing threat trends, real incidents and practical fixes so you don’t have to. If you run or govern a utility, manage OT, buy vendor services, or sit in local leadership, this is a must-read primer with actionable mitigations you can start applying today.
Source
Source: https://cyber.gc.ca/en/guidance/cyber-threat-canadas-water-systems-assessment-mitigation