Some critical infrastructure at the City, such as the Toronto Water treatment plants, use Operational Technology (OT) systems called industrial control systems (ICS). ICS systems include supervisory control and data acquisition (SCADA) systems. SCADA systems monitor and control the equipment and devices used in critical infrastructure.
The Canadian Cyber Security Centre describes how ICS and SCADA systems are vulnerable if appropriate cybersecurity protections are not in place:
“As part of the drive for modernization and efficiency, critical infrastructure providers are continuing to automate their processes and connect IT and OT devices to the Internet. While connecting OT, such as ICS and SCADA devices, to the Internet provides several advantages — for example, remote management — it can also expose critical infrastructure to cyber threat activity 1”.
The objectives of the audit were to assess the adequacy of controls in place to address potential threats to the Toronto Water SCADA network, systems and applications, and to review the actions taken by Toronto Water to address concerns raised during the 2019 cybersecurity audit.
This public report contains two administrative recommendations. The confidential audit findings and recommendations to improve physical security and cybersecurity controls are presented separately to this report in Confidential Attachment 1. Management has already initiated actions to address the identified risks.
The confidential report will be made public at the discretion of the Auditor General after discussing with appropriate City Official.
Update June 23, 2020:
Management provided an update on the progress made to implement the audit recommendations made in the SCADA cybersecurity audit. It is available here and on the Attachments tab.