As the chief information security officer for the Government of Alberta, Martin Dinel has a lot to worry about. The personal data of the Canadian province’s citizens is a big part of that. So too are Alberta industries, which include the considerable energy, agriculture, and forestry sectors.
But as with any modern provincial and national government, Alberta has public safety issues associated with pipes, power grids, dams, and streetlights. Each of these connected components of modern civilizations has cybersecurity vulnerabilities, the implications of which are mind-boggling. No fewer than twenty dams and reservoirs dot the huge province (660,000 square kilometers, or 250,000 square miles). Threat actors could potentially open actual floodgates remotely if they found a way to penetrate a system’s security controls—in some cases endangering both lives and property on a massive scale.
That’s exactly what Dinel and his team are there to prevent. “From a government perspective, the first priority is to keep our citizens safe,” he says. There are other aspects of infrastructure that could also be targets of cybercriminals: traffic light systems, pipeline controls, sewage and drainage systems, facilities security, and environmental controls. “Such systems might be altered to impact services to citizens and can even cause loss of life,” Dinel says. “This is a critical aspect of cybersecurity services.”
The enemy isn’t one type of criminal but many, and the hackers fall into four broad categories: those in it for the money, such as in ransomware cases; cyberterrorists who wish to disrupt critical infrastructure with intentionally deadly consequences; spies sponsored by nation-states looking to understand functions such as Alberta’s energy systems; and hacktivists, such as those opposed to Alberta’s considerable oil and gas extraction operations.
It’s heady stuff and increasingly the subject of public handwringing. That’s not wasted worry, Dinel says. The vulnerabilities are great, and much depends on thousands of employees not making a mistake.
It seems that the bulk of the risk boils down to the keystrokes of the province’s 32,000 employees. By Dinel’s analysis, of the 860 million incoming emails to those employees last year, 93.4 percent were either spam or had detectable malicious content. That’s what the system’s filters catch—but they don’t catch everything.
Dinel and his team don’t allow that to be the end of the protective measures; to do so would put so much at risk. “The biggest threat to all organizations is actually their own employees, who have authorized access to systems,” he says. “Criminals know this, and they use social engineering techniques to trick employees into providing information to gain access to data.”
Dinel’s department educates every employee and tests them on what they learn. In 2015, a phishing test found that 30 percent of employees would be fooled by hacker emails. That number dropped to 16 percent a year later and to just 4.6 percent in 2017. The drop is due to mandatory annual training. Success in this regard is part of the accountabilities placed on middle managers and executives, all the way up to the Alberta deputy minister, a position akin to a lieutenant governor in the United States.
Big Alberta, Big Target
The 32,000 employees of the Government of Alberta face a daily onslaught of hacking attempts. In 2016 alone, the government’s defensive technology identified:
5,982: attempts to infect with malware, detected by security tools
260: cybersecurity incidents
63 percent: of those incidents were due to user errors
37 percent: of the incidents were due to malicious threat actors
Preventing these intrusions isn’t getting any easier. Phishing attempts (emails that try to induce recipients to either download or open a document, or to provide a password or other confidential information to the sender) are up exponentially in just the past couple of years due to the advent of bots designed to do what was previously done manually.
Fortunately, cyberdefenses aren’t entirely dependent on employees. Dinel says that they also engage technologies and processes that include visible security measures that discourage hackers from even trying. “Protection controls will counter most attacks,” he says. “Detection controls will detect both unsuccessful and successful attacks.” He adds that they’ve established response plans with processes and tools for when an attack is detected, recovery plans for postattack phases, and forensic investigative tools and processes to identify what went wrong and what can be prevented in the future.
The importance of partners in cybersecurity is a critical success factor. The Government of Alberta contracts with CGI, a managed security service provider, to monitor and protect the province’s network periphery on a 24/7 basis. The firm is a first responder in case of a breach. Another partner is FireEye, which provides tools and expertise to monitor and detect security events.
Alberta is primarily associated with oil sands resources, and major projects related to oil and gas extraction, pipelines, and related industrial projects are valued at more than $175 billion (CAD). Protecting this industry ensures energy flow beyond the provincial boundaries, even into the United States, a major processor and manufacturer using Canadian crude. But other targets of cybercriminals include financial services; manufacturing; tourism; education; commercial activity such as government procurement services, citizen identities, and tax records; and government functions such as voting, tax collection, and law enforcement.
It’s no exaggeration to say a cyberwar is entirely possible were the province to let its guard down. Dinel makes it his job to see that doesn’t happen.
Public and private sector organizations of all sizes and types are now considering Managed Security Services (MSS) as an essential element of their modern cybersecurity program.
The shift from “do it ourself” security management to MSS has been driven by a critical need to quickly elevate levels of protection while overcoming significant constraints of budget, skilled resources, and access to advanced technology. In today’s IT-enabled enterprise the consequence of not getting security right has become too great.
For more than twenty years, CGI has been helping public and private sector organizations effectively manage cybersecurity. We help organizations quickly elevate their levels of protection in the most appropriate and cost-effective way and allow them to operate with much-needed agility.