Canada’s cybersecurity head offers rare insight into Nova Scotia Power breach


The head of the Canadian cyber defense agency is offering insight just weeks after a ransomware attack against Nova Scotia Power.

The utility's computer systems were breached by ransomware hackers on March 19, but Nova Scotia Power did not discover it until April 25. The company disclosed the cybersecurity incident three days after that.

Around 280,000 customers, more than half of the company’s customers in the province, were informed by letter that their personal information may have been compromised in the attack. The data included names, addresses, telephone numbers, birth dates, driver's licenses, social security numbers and bank information.

On Thursday, the Nova Scotia Energy Board granted Nova Scotia Power approval to proceed with a $1.8 million project to improve cybersecurity.

The attack and its consequences have raised many questions about the security of the company’s IT systems.

Rajiv Gupta, head of the Canadian Centre for Cyber Security, spoke with CBC News in a rare interview about how these types of incidents unfold and what people and organizations such as Nova Scotia Power can do to protect themselves.

This interview has been edited for length and clarity.

Can you explain a little about your agency and what it does?

The Canadian Cyber Security Center is really the Canadian cyber defense agency. Therefore, we provide advice, guidance and services to critical infrastructure systems of importance for Canada. The work mainly with the federal government is where we had begun, but we have really become a critical infrastructure. And our goal is to increase cyber resilience throughout Canada.

We are under CSE, which is the Communications Security Establishment, and CSE has a foreign intelligence mandate, which dates back 80 years to World War II. We report to the Minister of National Defense.

What do you make of the recent attack against Nova Scotia Power, which ultimately affected some 280,000 clients?

We do not specifically comment on specific incidents, but as a cyber center … Any critical infrastructure provider that has incidents can report its incidents to the cyber center. So last year we saw about 1,500 incidents. We see many of these, and that is really important and sad to understand too, that this is happening so often in terms of cybercriminal organizations that include critical infrastructure organizations in Canada.

Their motivation is money. They would compromise the network. So, basically, their software enters the network, but then steals all the confidential information of the organization and … then moving forward and encrypting systems and locking people out of their systems. So we used to call that double extortion. In this way, the criminal organization could threaten to disseminate confidential information unless a ransom was paid, or basically not return access to systems unless a ransom was paid. That was what we were seeing, and it was incredibly shocking for system operators within Canada.

In this case, Nova Scotia Power did not pay the ransom demanded. Is that common practice?

What we always do is provide advice and guidance to organizations and say: “It is a business decision”, because we are not the ones who operate their business, and we do not know their exact context, let’s say if it is a threat to life or something else. But we always say: “Hey, there are a lot of downsides to paying the ransom.” First, you are financing these criminal organizations. So, the more the ransom is paid, the more we will proliferate this type of behavior. At the same time, you are paying this ransom to criminals. What is that contract worth anyway? Is there really any guarantee that they will not share confidential information, or that they will actually give you the keys to decrypt your systems and recover your access? The proceeds of this can go to criminal or even terrorist causes as well, so it is worrying in that sense.

Can you say if Nova Scotia Power had contacted your agency [following the breach]?

All I will say is that they approached us. We always recommend that organizations that are victims communicate with the Cyber Center. We have seen many of these in the past and we have advice and guidance to share. And not only can we help the organization in its recovery; in terms of paying the ransom, the ransom could help you unlock your systems, but there are always recovery costs that are also part of this, regardless of whether you work with the criminal organization or not. But in this case, they communicated with us.

And the other thing we always encourage is … We hope they also share information about the compromise. Because we can take that and share that with other critical infrastructure organizations in Canada.

Did they share with you the scope of the breach?

We would not get into any detail in that regard, but they notified us about the breach.

Is there any sense of who could have been the perpetrator of this attack, from your perspective? Nova Scotia Power says it has a sense of who it is.

I would not comment on that. There are several groups that often change their ways and shapes as they are disrupted. Unfortunately, it is a constantly evolving group of cybercriminals out there that seem to be engaging in these behaviors. And we have an assessment in terms of cybercriminal activity in Canada as well that points to the groups that we have seen as active.

Around 140,000 [social insurance numbers] were included in the stolen data. How serious is this, when this type of personal information is accessed?

I could not talk about the seriousness of such information, but what I will say is that this is exactly what the cybercriminals go after. And depending on the type of information, you will get a different price on the dark web. Organizations will collect personal information, whether SIN numbers, credit card numbers, health card numbers or other types of confidential information. In general, this information is released on the dark web for other criminals who are really going to monetize that for other purposes. It is a not very positive circle that exists on the dark web.

The way this really works in terms of what we call “cybercrime as a service” is that it is a complete ecosystem of criminal entities that really work together. And because it is usually run out of operations that are beyond legal borders, often in Russian-speaking countries where the police do not necessarily prosecute, it is very difficult to disrupt these organizations. And even when the police can disrupt them, it is quite easy for them to reconstitute.

What are some of the risks when this personal information is shared on the web or the dark web?

Once that information is out there, that often only stimulates the next cycle of fraud. Whether it is spear-phishing emails using that information, or taking advantage of information about an organization or its clients to compromise them even more. That is why it is really important for everyone to take note of the things they can do to protect themselves.

Be extra attentive in understanding what is sent by mail, double-checking those links and making sure that it comes from an authenticated source and so on. Be mindful of the content, and make sure to have strong authentication in terms of how you are really accessing applications as well.

What would be your advice for Nova Scotia Power?

Really, for all these organizations, do your due diligence. Understand what the really critical elements of your organization are and what your worst-case scenario would be. And then, once you know what your worst case is, you can defend that. Build the plan according to our ransomware playbook, have backup copies in place and have strong measures in place.

The utility [Nova Scotia Power] requested funds approximately one month before the ransomware attack. They cited the most recent threat assessment from the Canadian Centre for Cyber Security, noting that energy networks are so interconnected that they can really be vulnerable to this type of attack. What would be the warning signs of an attack like this?

One of the things that we have been very aware of … As the world becomes more hostile, we are concerned about the impacts on critical infrastructure such as electrical grids, pipelines, this kind of thing. Many of them are controlled by systems that were never connected to the Internet. Today, as people seek to optimize efficiency and connect to cloud services and connect sensors to networks, they are increasingly exposed to threat actors around the world. Normally, your electrical grid would only be threatened by people who are really in the country and close by, but as soon as you connect it to the Internet, you are opening it up to people from anywhere.

Does your agency have any authority over a private company that manages a utility throughout the province?

We are not a regulator. The Cyber Center provides advice, guidance and services, but we have no authority over any of these entities. We work voluntarily to provide best practices.
