Martin Dinel, chief information security officer for the Government of Alberta, has a lot to worry about. Personal data on the Canadian province’s citizens is a big part of that. So too are Alberta’s industries, which include the considerable energy, agriculture, and forestry sectors.
But as with any modern provincial or national government, Alberta has public safety issues associated with pipes and power grids, dams, and streetlights. Each of these connected components of modern civilization has cybersecurity vulnerabilities, the implications of which are mind-boggling. No fewer than twenty dams and reservoirs dot the huge province (660,000 square kilometers, or 250,000 square miles). Threat actors could potentially open actual floodgates remotely if they found a way to penetrate a system’s security controls—in some cases endangering both lives and property on a massive scale.
That’s exactly what Dinel and his team are there to prevent. “From a government perspective, the first priority is to keep our citizens safe,” he says. There are other aspects of infrastructure that could also be targets of cybercriminals: traffic light systems, pipeline controls, sewage and drainage systems, facilities security, and environmental controls. “Such systems might be altered to impact services to citizens and can even cause loss of life,” he says. “This is a critical aspect of cybersecurity services.”
The enemy isn’t one type of criminal but many, and the hackers fall into four broad categories: those in it for the money, such as in ransomware cases; cyberterrorists who wish to disrupt critical infrastructure with intentionally deadly consequences; spies sponsored by nation-states looking to understand functions such as Alberta’s energy systems; and hacktivists, such as those opposed to Alberta’s considerable oil and gas extraction operations.
It’s heady stuff and increasingly the subject of public hand-wringing. That’s not wasted worry, Dinel says. The vulnerabilities are great, and much of the defense depends on thousands of employees not making a mistake.
[Infographic: Big Alberta, Big Target. Panels: attempts to infect with malware, detected by security tools; share of those incidents due to user errors; share of those incidents due to malicious threat actors. Figures not reproduced in the text.]
It seems that the bulk of the risk boils down to the keystrokes of the province’s 32,000 employees. By Dinel’s analysis, of the 860 million emails that reached those employees last year, 93.4 percent were either spam or carried detectable malicious content. That’s what the system’s filters catch—but they don’t catch everything.
Dinel and his team don’t allow that to be the end of the protective measures; to do so would put too much at risk. “The biggest threat to all organizations is actually their own employees, who are provided authorized access to systems,” he says. “Criminals know this, and they use social engineering techniques to trick employees into providing information to gain access to data.”
Dinel’s department educates every employee and tests them on what they learn. In 2015, a phishing test found that 30 percent of employees would be fooled by hacker emails. That number dropped to 16 percent a year later and to just 4.6 percent in 2017. The drop is due to mandatory, annual training. Success in this regard is part of the accountabilities placed on middle managers and executives, all the way up to the Alberta deputy minister, a position akin to a lieutenant governor in the United States.
Preventing these intrusions isn’t getting any easier. Phishing attempts (emails that try to induce recipients to either download or open a document, or to provide password or other confidential information to the sender) are up exponentially in just the past couple of years due to the advent of bots designed to do what was previously done manually.
Fortunately, cyber defenses aren’t entirely dependent on employees. Dinel says they also engage technologies and processes that include visible security measures that discourage hackers from even trying. “Protection controls will counter most attacks,” he says. “Detection controls will detect both unsuccessful and successful attacks.” He adds that they’ve established response plans with processes and tools for when an attack is detected, recovery plans for post-attack phases, and forensic investigative tools and processes to identify what went wrong and what can be prevented in the future.
Partners are a critical success factor in cybersecurity. The Government of Alberta contracts with CGI, a managed security service provider, to monitor and protect the province’s network perimeter on a 24/7 basis. The firm is a first responder when there is a breach. Another partner is FireEye, which provides tools and expertise to monitor and detect security events.
Alberta is primarily associated with oil sands resources, and major projects related to oil and gas extraction, pipelines, and related industrial projects are valued at more than $175 billion (CAD). Protecting this industry from bad actors ensures energy flow beyond the provincial boundaries, even into the US, a major processor of Canadian crude. But other targets of cybercriminals include financial services, manufacturing, tourism, education, commercial activity such as government procurement services, citizen identities and tax records, and government functions such as voting, tax collection, and law enforcement.
It’s no exaggeration to say a cyberwar is entirely possible were the province to let its guard down. Dinel makes it his job to see that doesn’t happen.