The Auditor General has proactively raised concerns about evolving cybersecurity threats to the City and its Agencies and Corporations. These threats are real and large-scale attacks have disrupted public services in jurisdictions across North America and around the world, such as emergency response systems, utility services and law enforcement operations.
A SCADA system, also known as an Operational Technology (OT) system, is used to control industrial processes at facilities like water and wastewater treatment plants and at energy, utilities and transportation facilities. Toronto Water uses this system to manage and control critical infrastructure equipment and processes used in the treatment and distribution of water.
Recognizing the need to protect critical water assets, the Auditor General initiated an audit of the SCADA system in 2019 and expedited the follow-up review of the audit recommendations in 2021. The 2019 audit was the Office’s first critical infrastructure audit of the City’s Operational Technology (OT) systems.
The objective of the 2021 follow-up review was to assess the adequacy of controls in place to address potential threats to the SCADA network, systems and applications, and to review actions taken by management since the 2019 audit. The Auditor General made 11 confidential recommendations in the 2019 SCADA audit. Given the importance of critical infrastructure systems and evolving cybersecurity threats, the Auditor General re-tested the controls to verify the implementation of recommendations.
At the November 2021 Audit Committee, we provided our public report and a high-level confidential presentation on the implementation status of the recommendations. During our follow-up review, we determined that seven recommendations are fully implemented. An overview of the results is contained in Attachment 1. The details of management actions on each confidential recommendation are presented separately to this report in Confidential Attachment 1.
Note: Confidential Attachment 1 to this report involves the security of the property of the City of Toronto.
Some critical infrastructure at the City, such as the Toronto Water treatment plants, use Operational Technology (OT) systems called industrial control systems (ICS). ICS systems include supervisory control and data acquisition (SCADA) systems. SCADA systems monitor and control the equipment and devices used in critical infrastructure. The Canadian Cyber Security Centre describes how ICS and […]
Over the past decade, the City of Toronto, like other large organizations, is increasingly conducting business and key operations online and in a networked environment. This makes operations more efficient and citizens are served better. The City stores a vast amount of confidential and sensitive data, such as information about employees and citizens’ personal records. […]
Over the past decade, the City of Toronto, like other large organizations, is increasingly conducting business and key operations online in a networked environment. This makes operations more efficient and citizens are served better. The purpose of this report is to communicate security incidents that occurred at a City division and a City organization and […]
Cyberattacks are widely considered to be one of the most critical operational risks facing organizations. This Phase 1 report includes the results of a review of critical systems in Toronto Fire Services (TFS). This report contains two administrative recommendations. The confidential findings and recommendations from our review are contained in Confidential Attachment 1. Reason for […]
The purpose of this report is to: Communicate to Audit Committee and City Council that the Auditor General has commenced a review of a Toronto Fire Services’ critical system; and Recommend that the Chief Technology Officer continue expediting the Auditor General’s prior cybersecurity-related audit recommendations, so the City is ready to prevent, detect and respond […]
In a December 12, 2019 letter to the Auditor General, the Toronto Police Services Board requested the Auditor General to conduct a cybersecurity audit. Given the size and importance of Toronto Police Service (TPS) and the sensitivity of the information it retains, the Auditor General prioritized the allocation of resources on the request and agreed […]