What’s worse than having the personal information of 280,000 Nova Scotian individuals and businesses released on the dark web?

What if the hackers of Nova Scotia Power had instead shut off all our electricity in March?

“Picture a power utility as a building with four walls,” said David Shipley, chief executive officer of New Brunswick-based Beauceron Security.

“Right now (Nova Scotia Power) can tell when someone breaks a window and enters the building. But what they do once they are inside is not clear enough.”

Except, Nova Scotia Power didn’t notice the window was broken until five weeks after the March 19 hack of its information technology systems.

It’s the consumer-facing building through which we are all billed.

But in Shipley’s metaphor, NSP has another big building — the computer systems running its wide network of power plants and transmission systems.

According to filings with this province’s energy regulator, Nova Scotia Power doesn’t even have an inventory of what’s in that building.

“NSP was lucky in that the operations part of their systems was not affected (by the hack),” said Srini Sampalli, a computer science professor at Dalhousie University.

“It could have caused a situation like in the United Kingdom, where grocery supply chains are being hit. It could have shut down the power grid and affected thousands of customers.”

While we rush to wag our fingers at Nova Scotia Power, Sampalli and Shipley caution that we should look in the mirror.

It’s not just electricity. All our systems are vulnerable to a quickly growing, global hacking industry.

And we, as a province or a country, haven’t created regulations demanding minimum cybersecurity standards for the computer networks essential to how we get food, stay warm, communicate and move around.

More attacks are coming.

Shipley warns that we need to start planning for cyberattacks on critical infrastructure as seriously as we do for natural disasters.

Cyber attacks have left UK grocery shelves looking similar to this Nova Scotia aisle during the early stages of the COVID lockdown. Photo by SaltWire Network /SaltWire Network

‘World of hurt’

Over recent weeks, three U.K. grocery chains have been hit by hackers, resulting in empty shelves.

The U.K.’s food distribution network, like our own, has crops harvested and animals slaughtered, processed and packaged for just-in-time delivery of perishable items to store shelves. It is highly reliant on computer systems tying all the players together.

Everyone is getting hit.

According to a compilation by risk management company KonBriefing, already this year there have been major cyberattacks against Canadian municipalities, police forces, school districts, health clinics, power companies and many private industries.

Hydro-Québec reports going from 76 significant attacks on its computer networks in 2021 to over 1,200 in 2024.

A group calling themselves DragonForce has taken credit for the hacks of the U.K. grocery chains Marks & Spencer, Co-op and Harrods, along with over 156 other recent attacks.

DragonForce started out as a Malaysian-based, pro-Palestine hacktivist group in 2023 and has since expanded its reach to targets around the world, with the notable exception of a prohibition on its members attacking Russia or former Soviet-bloc countries.

The logo for DragonForce hacking group, originally started as a group opposing Israeli government actions. Photo by Contributed

It’s just one of many groups using ransomware, as was used on Nova Scotia Power, to infiltrate computer systems and then demand payment in exchange for giving their owners back control or for not releasing information.

A “market and industry analysis” of ransomware by KBV Research estimates it’ll be a $46 billion global industry by 2028.

For a “quick snapshot of the world of hurt,” Shipley breaks hacker groups up into three categories.

“They are the 21st century mobsters,” said Shipley.

“They don’t roll up and say, ‘it would be a shame if something happened to your power plant or hospital.’ It all happens online.”

Then there are nations actively hostile to the West – countries like Russia, China and North Korea – who want to hit Canada in a way that can never be attributed to them but causes pain. For them, turning off power is a key priority.

“Then there’s the last group, the anarchists. These are like Heath Ledger’s Joker in The Dark Knight. They’re people who just want to see the world burn.”

Nova Scotia Power refuses to pay

According to NSP, on March 19 the hackers stole a broad range of personal information of its customers that included: names, phone numbers, email addresses, mailing and service addresses, Nova Scotia Power program participation information, dates of birth, account histories (such as power consumption, service requests, customer payment, billing, and credit history, and customer correspondence), driver’s license numbers and bank account numbers of those who had set up pre-authorized payments.

The hack wasn’t discovered, according to NSP, until April 25.

Nova Scotia Power hasn’t said whether it knows who is responsible for the March hack.

Or whether it was the hackers themselves who notified them that it had happened when they demanded an undisclosed ransom for not publishing all our personal information.

But it has said that it refused to make the ransomware payment.

“This decision reflects our careful assessment of applicable sanctions laws and alignment with law enforcement guidance,” reads a May 23 statement from the power company.

The hackers, which NSP described as “sophisticated,” followed through on their threats to release the personal information to the dark web.

To its 280,000 customers, NSP is offering a two-year subscription to credit monitoring service TransUnion. TransUnion directed any questions to Nova Scotia Power.

For its part, Nova Scotia Power didn’t respond to a question about whether the hackers would have had the ability to interrupt power generation. Or whether the power corporation even knows the answer.

Instead, NSP provided the following written statement: “Immediately following detection of the external threat, we activated our existing incident response and business continuity protocols, engaged leading third-party cybersecurity experts, and took actions to contain and isolate the affected servers, prevent further intrusion, and contain the threat – law enforcement officials were also notified.”

Picking up dropped balls

Ottawa made an attempt to get us partway to a more secure cybersecurity infrastructure.

After thousands of hours of research and committee meetings, Bill C-26 – an act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other Acts – was introduced in the House of Commons in 2022.

The bill had two sections.

The first would have allowed the federal government to ban Canadian telecom companies from using “high-risk suppliers” like China’s Huawei and ZTE to build their networks.

The second would have compelled companies running telecommunications, interprovincial pipelines and powerlines, nuclear facilities, federally regulated transportation networks, banking and clearing and settlement systems to create cybersecurity systems meeting minimum federal targets.

It would also mandate they take additional steps to protect supply chains and that they notify the Canadian Security Establishment within 72 hours of a breach.

Bill C-26 wound through multiple readings and revisions, getting passed through the Senate in 2024.

Then just before it would have been passed into law last fall, the Senate discovered “drafting errors” that would have resulted in some of its clauses being made void by a foreign interference bill passed earlier in 2024.

It was sent back to the House of Commons to have those fixed.

Parliament was prorogued, an election was held and the bill appears to have died.

Even if Bill C-26 had passed, it wouldn’t have covered Nova Scotia Power as it only applied to federally regulated industries.

NSP and American regulations

For its part, Nova Scotia Power has known some of its vulnerabilities since a 2022 operational technology assessment. It’s currently asking the energy regulator to approve spending $6.83 million on network improvements, automated cybersecurity asset management, and vulnerability management at 12 of its sites (which are redacted).

Phases two and three, spending on which would also have to be approved by the energy regulator, would happen in future years and expand the work to the rest of its grid.

All that work is to bring it into compliance with an American standard for power companies feeding into the United States grid.

Nova Scotia Power didn’t respond to a question about whether its efforts to meet the standards of the Federal Energy Regulatory Commission (the American body regulating power utilities) would beef up cybersecurity on the customer-facing side that was hacked in March.

“We continue to work with the assistance of leading third-party cybersecurity experts on a thorough investigation and the safe and secure restoration of our systems,” reads a written response.

“We’re also implementing additional safeguards to help prevent similar incidents in the future.”

Lack of federal, provincial protection

“The online world is like the wild west – there is no law or military for the rancher to call upon,” said Shipley.

“This mess is a result of failures at national level and a complete miss by the provinces to think about their kind of responsibilities for cyber security … we’re running out of near-misses.”

With Ottawa unable, so far, to pass cybersecurity legislation requiring minimum standards for federally regulated industries and uninterested in those subject to provincial jurisdiction, Shipley contends Nova Scotia needs to start setting its own standards.

The first step, he argues, is to have a public discussion about acceptable risk.

Are we willing to tolerate a day’s interruption to our electricity or other services due to a cyberattack? Is it a week?

Our ability to harden and back up private and government systems in health care, law enforcement and everything else, all comes with a bill.

“And Nova Scotia could spend a billion dollars on cyber-security and then still see various systems get hacked,” said Shipley.

“What I don’t want to see happen is Tim Houston and his ministers in a crisis room in shock, wondering what happened, and no one knows how to deal with it. The urban forest fires prompted deep discussion about available resources, planning and resilience. All I’m saying is you have to do the same for cybersecurity as well. Ottawa is not going to help, though there is some indication they may pick up the ball they dropped.”

Shipley is pitching that a standing committee on cybersecurity be established at the Nova Scotia Legislature, where MLAs can question and learn from experts on the issue.

Informed discussions can be held about resiliency, backups and response.

Minimum standards can be set for those operating critical infrastructure.

“Then when it happens, we can say, ‘We’ll ride it out for five days while we get our systems up and running again and not pay these bastards.’”
