{"id":79513,"date":"2021-10-24T14:00:42","date_gmt":"2021-10-24T18:00:42","guid":{"rendered":"https:\/\/newsroom.carleton.ca\/?post_type=cu_story&#038;p=79513"},"modified":"2025-08-19T09:37:12","modified_gmt":"2025-08-19T13:37:12","slug":"cyberattacks-critical-infrastructure","status":"publish","type":"cu_story","link":"https:\/\/carleton.ca\/news\/story\/cyberattacks-critical-infrastructure\/","title":{"rendered":"Cyberattacks to critical infrastructure threaten our safety and well-being"},"content":{"rendered":"\n<section class=\"w-screen px-6 cu-section cu-section--white ml-offset-center md:px-8 lg:px-14\">\n    <div class=\"space-y-6 cu-max-w-child-max  md:space-y-10 cu-prose-first-last\">\n\n        \n                    \n                    \n            \n    <div class=\"cu-wideimage relative flex items-center justify-center mx-auto px-8 overflow-hidden md:px-16 rounded-xl not-prose  my-6 md:my-12 first:mt-0 bg-opacity-50 bg-cover bg-cu-black-50 pt-24 pb-32 md:pt-28 md:pb-44 lg:pt-36 lg:pb-60 xl:pt-48 xl:pb-72\" style=\"background-image: url(https:\/\/carleton.ca\/news\/wp-content\/uploads\/sites\/162\/conversation-critical-infrastructure-1200w-1.jpg); background-position: 50% 50%;\">\n\n                    <div class=\"absolute top-0 w-full h-screen\" style=\"background-color:rgba(0,0,0,0.600);\"><\/div>\n        \n        <div class=\"relative z-[2] max-w-4xl w-full flex flex-col items-center gap-2 cu-wideimage-image cu-zero-first-last\">\n            <header class=\"mx-auto mb-6 text-center text-white cu-pageheader cu-component-updated cu-pageheader--center md:mb-12\">\n\n                                    <h1 class=\"cu-prose-first-last font-semibold mb-2 text-3xl md:text-4xl lg:text-5xl lg:leading-[3.5rem] cu-pageheader--center text-center mx-auto after:left-px\">\n                        Cyberattacks to critical infrastructure threaten our safety and well-being\n                    <\/h1>\n                \n                            <\/header>\n        <\/div>\n\n                    <svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"absolute bottom-0 w-full z-[1]\" fill=\"none\" viewbox=\"0 0 1280 312\">\n                <path fill=\"#fff\" d=\"M26.412 315.608c-.602-.268-6.655-2.412-13.524-4.769a1943.84 1943.84 0 0 1-14.682-5.144l-2.276-.858v-5.358c0-4.876.086-5.358.773-5.09 1.674.643 21.38 5.84 34.646 9.109 14.682 3.59 28.935 6.858 45.936 10.449l9.874 2.089H57.322c-16.4 0-30.31-.16-30.91-.428ZM460.019 315.233c42.974-10.074 75.602-19.88 132.443-39.867 76.16-26.791 152.063-57.709 222.385-90.663 16.7-7.823 21.336-10.074 44.262-21.273 85.004-41.688 134.719-64.193 195.291-88.413 66.55-26.577 145.2-53.584 194.27-66.765C1258.5 5.626 1281.34 0 1282.24 0c.17 0 .34 27.596.34 61.3v61.299l-2.23.375c-84.7 13.718-165.93 35.955-310.736 84.931-46.494 15.753-65.427 22.076-96.166 32.15-9.102 3-24.814 8.198-34.989 11.574-107.543 35.954-153.008 50.422-196.626 62.639l-6.74 1.876-89.126-.054c-78.135-.054-88.782-.161-85.948-.857ZM729.628 312.875c33.229-10.985 69.248-23.523 127.506-44.207 118.705-42.223 164.596-57.709 217.446-73.302 2.62-.75 8.29-2.465 12.67-3.751 56.19-16.772 126.94-33.597 184.17-43.671 5.07-.91 9.66-1.768 10.22-1.875l.94-.161v170.236l-281.28-.054H719.968l9.66-3.215ZM246.864 313.411c-65.041-2.251-143.047-12.11-208.432-26.256-18.375-3.965-41.73-9.538-42.202-10.074-.171-.214-.257-21.38-.214-47.046l.129-46.618 6.654 3.697c57.313 32.043 118.491 56.531 197.699 79.143 40.313 11.521 83.459 18.058 138.669 21.059 15.584.857 65.685.857 81.14 0 33.744-1.876 61.306-4.93 88.396-9.806 6.396-1.126 11.634-1.983 11.722-1.929.255.375-20.48 7.769-30.999 11.038-28.592 8.948-59.288 15.646-91.873 20.147-26.36 3.59-50.015 5.627-78.35 6.698-15.584.59-55.209.59-72.339-.053Z\"><\/path>\n                <path fill=\"#fff\" d=\"M-3.066 295.067 32.06 304.1v9.033H-3.066v-18.066Z\"><\/path>\n            <\/svg>\n            <\/div>\n\n    \n\n    <\/div>\n<\/section>\n\n<p>This article is <a href=\"https:\/\/theconversation.com\/cyberattacks-to-critical-infrastructure-threaten-our-safety-and-well-being-170191\" rel=\"noopener noreferrer\" target=\"_blank\">republished<\/a> from The Conversation under a Creative Commons licence. All photos provided by <a href=\"https:\/\/theconversation.com\" rel=\"noopener noreferrer\" target=\"_blank\">The Conversation<\/a> from various sources.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><\/p>\n\n\n\n<p><iframe loading=\"lazy\" style=\"width: 100%; height: 175px; border: none; position: relative; z-index: 1;\" allowtransparency=\"\" src=\"https:\/\/narrations.ad-auris.com\/widget\/the-conversation-canada\/cyberattacks-to-critical-infrastructure-threaten-our-safety-and-well-being\" width=\"100%\" height=\"400\"><\/iframe><\/p>\n\n\n\n<p>What would happen if you could no longer use the technological systems that you rely on every day? I\u2019m not talking about your smart phone or laptop computer, but all those systems many of us often take for granted and don\u2019t think about. <\/p>\n\n\n\n<p>What if you could not turn on the lights or power your refrigerator? What if you could not get through to emergency services when you dial 911? What if you could not access your bank account, get safe drinking water or even flush your toilet? <\/p>\n\n\n\n<p>According to Canada\u2019s <a href=\"https:\/\/www.publicsafety.gc.ca\/cnt\/rsrcs\/pblctns\/srtg-crtcl-nfrstrctr\/index-en.aspx\" target=\"_blank\" rel=\"noopener noreferrer\">National Strategy for Critical Infrastructure<\/a>, critical infrastructure refers to the processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of the public and the effective functioning of government.<\/p>\n\n\n\n<p>Disruptions to these kinds of systems, especially those caused by cyberattacks, can have devastating consequences. That\u2019s why these systems are called critical infrastructure.<\/p>\n\n\n\n<h2 id=\"a-string-of-attacks\" class=\"wp-block-heading\">A string of attacks<\/h2>\n\n\n\n<p>Over the past six months, the fragility of critical infrastructure has been given plenty of attention. This has been driven by a string of notable cyberattacks on several critical infrastructure sectors.<\/p>\n\n\n\n<p>It was revealed that in late March 2021, CNA Financial Corp., one of the largest insurance companies in the United States was <a href=\"https:\/\/www.insurancebusinessmag.com\/ca\/news\/cyber\/cna-concludes-investigation-into-cyberattack-260688.aspx\" target=\"_blank\" rel=\"noopener noreferrer\">victim to a ransomware attack<\/a>. As a result, the company faced disruptions of their systems and networks.<\/p>\n\n\n\n<p>In May 2021, <a href=\"https:\/\/www.bbc.com\/news\/business-57050690\" target=\"_blank\" rel=\"noopener noreferrer\">a ransomware attack on Colonial Pipeline halted plant operations for six days<\/a>. The attack led to a fuel crisis and increased prices in the eastern U.S.<\/p>\n\n\n\n<figure class=\"wp-block-embed\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Pipeline Hack Exposes Vulnerability Of Infrastructure To Cyberattacks\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/3YrerKldYPM?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>Weeks later, in June 2021, a <a href=\"https:\/\/www.vox.com\/recode\/2021\/6\/1\/22463179\/jbs-foods-ransomware-attack-meat-hackers\" target=\"_blank\" rel=\"noopener noreferrer\">ransomware attack hit JBS USA Holdings, Inc.<\/a>, one of the world\u2019s largest meat producers. This attack brought about supply chain turmoil in Canada, the U.S. and Australia.<\/p>\n\n\n\n<p>Also in June 2021, the <a href=\"https:\/\/www.cnn.com\/2021\/06\/02\/business\/steamship-authority-ransomware-attack\/index.html\" target=\"_blank\" rel=\"noopener noreferrer\">Martha\u2019s Vineyard and Nantucket Steamship Authority was victim of a ransomware attack<\/a> that disrupted ferry services and caused service delays.<\/p>\n\n\n\n<h2 id=\"fragile-infrastructures\" class=\"wp-block-heading\">Fragile infrastructures<\/h2>\n\n\n\n<p>On Oct. 14, 2021, hot on the heels of cyberattacks targeting the financial, gas, food and transportation sectors, the U.S. Cybersecurity and Infrastructure Security Agency <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/alerts\/aa21-287a\" target=\"_blank\" rel=\"noopener noreferrer\">released Alert AA21-287<\/a>.<\/p>\n\n\n\n<p>The alert turns attention to the fragility of yet another critical infrastructure sector. It warns of \u201congoing malicious cyberactivity\u201d targeting water and wastewater facilities. These activities include exploits of internet-connected services and outdated operating systems and software, as well as <a href=\"https:\/\/cyber.gc.ca\/en\/glossary\" target=\"_blank\" rel=\"noopener noreferrer\">spear phishing and ransomware attacks<\/a> \u2013 something we have seen a lot in recent cyberattacks.<\/p>\n\n\n\n<p>According to the alert, these cyberthreats could impact the ability of water and wastewater facilities to \u201cprovide clean, potable water to, and effectively manage the wastewater of, their communities.\u201d<\/p>\n\n\n\n<h2 id=\"cyberattacks-vulnerability-factors\" class=\"wp-block-heading\">Cyberattacks: Vulnerability factors<\/h2>\n\n\n\n<p>The need for combating cyberthreats to critical infrastructure is well recognized. However, the infrastructure today is far from secure. This is due to a many interrelated factors that create a perfect storm of exposures.<\/p>\n\n\n\n<p>First, many of our most critical systems are extremely complex. This complexity is rapidly increasing as the number of devices and connections in these systems continues to grow.<\/p>\n\n\n\n<p>Second, many of these systems involve a mix of insecure, outdated legacy systems and new technologies. These new technologies promise features like advanced analytics and automation. However, they are sometimes connected and used in insecure ways that the original designers of the legacy systems could not have imagined.<\/p>\n\n\n\n<p>Taken together, these factors mean that these systems are too complex to be completely understood by a person, a team of people or even a computer model. This makes it very difficult to identify weak spots that if exploited \u2014 accidentally or intentionally \u2014 could lead to system failures.<\/p>\n\n\n\n<h2 id=\"analyzing-real-world-complexities\" class=\"wp-block-heading\">Analyzing real-world complexities<\/h2>\n\n\n\n<p>In the <a href=\"https:\/\/carleton.ca\/cybersea\/\" target=\"_blank\" rel=\"noopener noreferrer\">Cyber Security Evaluation and Assurance (CyberSEA) Research Lab<\/a> at Carleton University, we are developing solutions to address the fragility of critical infrastructure. The goal is to improve security and resilience of these important systems.<\/p>\n\n\n\n<p>The complexities of critical infrastructure can lead to unexpected or unplanned interactions among system components, known as <a href=\"https:\/\/doi.org\/10.1109\/TR.2017.2665164\" target=\"_blank\" rel=\"noopener noreferrer\">implicit interactions<\/a>.<\/p>\n\n\n\n<p>Exploitation of implicit interactions has the potential to impact the safety, security and reliability of a system and its operations. For example, implicit interactions can enable system components to interact in unintended \u2014 and often undesirable \u2014 ways. This leads to unpredictable system behaviours that can allow attackers to damage or disrupt the system and its operations.<\/p>\n\n\n\n<figure class=\"wp-block-image align-center zoomable\"><a href=\"https:\/\/images.theconversation.com\/files\/427833\/original\/file-20211021-27-13go718.jpg?ixlib=rb-1.1.0&amp;q=45&amp;auto=format&amp;w=1000&amp;fit=clip\"><img decoding=\"async\" src=\"https:\/\/images.theconversation.com\/files\/427833\/original\/file-20211021-27-13go718.jpg?ixlib=rb-1.1.0&amp;q=45&amp;auto=format&amp;w=754&amp;fit=clip\" alt=\"A diagram of a complex system with many nodes\"\/><\/a><figcaption class=\"wp-element-caption\">\n              <span class=\"caption\">Infrastructure systems become increasingly complex as new connections and devices are added to critical infrastructure with updates in technologies.<\/span><br>\n              <span class=\"attribution\"><span class=\"source\">(Shutterstock)<\/span><\/span><br>\n            <\/figcaption><\/figure>\n\n\n\n<p>We recently conducted a cybersecurity analysis at CyberSEA on a real-world municipal wastewater treatment system, where we identified and measured characteristics of implicit interactions in the system. This was part of our <a href=\"https:\/\/ciri.illinois.edu\/events\/implicit-interactions-case-study\" target=\"_blank\" rel=\"noopener noreferrer\">ongoing research<\/a>, conducted in partnership with the <a href=\"https:\/\/ciri.illinois.edu\/\" target=\"_blank\" rel=\"noopener noreferrer\">Critical Infrastructure Resilience Institute<\/a> at the University of Illinois at Urbana-Champaign.<\/p>\n\n\n\n<p>Our analysis found a significant proportion of implicit interactions present in the system, and <a href=\"https:\/\/doi.org\/10.1007\/978-3-030-64330-0_3\" target=\"_blank\" rel=\"noopener noreferrer\">approximately 28 per cent of these identified vulnerabilities showed signs of being ripe for attackers to exploit and cause damage or disruption in the system<\/a>.<\/p>\n\n\n\n<h2 id=\"a-glimmer-of-hope\" class=\"wp-block-heading\">A glimmer of hope<\/h2>\n\n\n\n<p>Our study showed that implicit interactions exist in real-world critical infrastructure systems. Feedback from the operators of the wastewater system in our case study stated that <a href=\"https:\/\/ciri.illinois.edu\/newsNew-CIRI-tool-helps-critical-infrastructure-operators-identify-risks-from-implicit-interactions\" target=\"_blank\" rel=\"noopener noreferrer\">our approaches and tools are useful for identifying potential security issues and informing mitigation efforts when designing critical systems<\/a>.<\/p>\n\n\n\n<p>This may be a glimmer of hope in the fight against cyberthreats to critical infrastructure. Continued development of rigorous and practical approaches to address increasingly critical issues in designing, implementing, evaluating and assuring the safe, secure and reliable operation of these systems is needed. <\/p>\n\n\n\n<p>A more robust infrastructure will lead to fewer threats to our security and access to services, ensuring our well-being and the effective functioning of our governments and society.<\/p>\n\n\n\n<p>&#8212;<br>\n<a href=\"https:\/\/newsroom.carleton.ca\/\" target=\"_blank\" rel=\"noopener noreferrer\">Carleton Newsroom<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/counter.theconversation.com\/content\/170191\/count.gif?distributor=republish-lightbox-basic\" alt=\"The Conversation\"\/><\/figure>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article is republished from The Conversation under a Creative Commons licence. All photos provided by The Conversation from various sources. What would happen if you could no longer use the technological systems that you rely on every day? I\u2019m not talking about your smart phone or laptop computer, but all those systems many of [&hellip;]<\/p>\n","protected":false},"author":410,"featured_media":79514,"template":"","meta":{"_acf_changed":false,"footnotes":"","_links_to":"","_links_to_target":""},"cu_story_type":[1623],"cu_story_tag":[],"class_list":["post-79513","cu_story","type-cu_story","status-publish","has-post-thumbnail","hentry","cu_story_type-expert-perspectives"],"acf":{"cu_post_thumbnail":false},"_links":{"self":[{"href":"https:\/\/carleton.ca\/news\/wp-json\/wp\/v2\/cu_story\/79513","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/carleton.ca\/news\/wp-json\/wp\/v2\/cu_story"}],"about":[{"href":"https:\/\/carleton.ca\/news\/wp-json\/wp\/v2\/types\/cu_story"}],"author":[{"embeddable":true,"href":"https:\/\/carleton.ca\/news\/wp-json\/wp\/v2\/users\/410"}],"version-history":[{"count":3,"href":"https:\/\/carleton.ca\/news\/wp-json\/wp\/v2\/cu_story\/79513\/revisions"}],"predecessor-version":[{"id":79518,"href":"https:\/\/carleton.ca\/news\/wp-json\/wp\/v2\/cu_story\/79513\/revisions\/79518"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/carleton.ca\/news\/wp-json\/wp\/v2\/media\/79514"}],"wp:attachment":[{"href":"https:\/\/carleton.ca\/news\/wp-json\/wp\/v2\/media?parent=79513"}],"wp:term":[{"taxonomy":"cu_story_type","embeddable":true,"href":"https:\/\/carleton.ca\/news\/wp-json\/wp\/v2\/cu_story_type?post=79513"},{"taxonomy":"cu_story_tag","embeddable":true,"href":"https:\/\/carleton.ca\/news\/wp-json\/wp\/v2\/cu_story_tag?post=79513"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}