Backgrounder: Malicious cyber activity targeting Canadian critical infrastructure
Canada’s critical infrastructure (CI) – including energy, water, food, transportation, and health systems – underpins the safety and well-being of Canadians. Disruptions caused by malicious cyber activity can lead to service outages, economic losses, and risks to public health and safety.
Cyber threats against CI are becoming more frequent and more complex. Cybercriminals are expected to escalate their extortion tactics using increasingly sophisticated cyber tools such as ransomware-as-a-service and artificial intelligence (AI).
Potential targets
- Operational technology (OT): Computing systems used to automate industrial processes and operations in many different sectors
- Internet-accessible industrial control systems (ICS): Components such as Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), Human-Machine Interfaces (HMIs), Supervisory Control and Data Acquisition (SCADA) systems, Safety Instrumented Systems (SIS), Building Management Systems (BMS), and Industrial Internet of Things (IIoT)
- Supply chains: Collection of third-party services and products used by critical infrastructure
Common attack methods
- Ransomware and ransomware-as-a-service: Denies users access to systems or data until a sum of money is paid
- Denial-of-service (DoS) attacks: Overload a system to make services unavailable
- Insider threats: Malicious or negligent actions by a person who has or had knowledge of or access to an organization's infrastructure and information (e.g., employee)
- Supply chain compromises: Exploit vulnerabilities in third-party software, services or products
- Exploitation of Internet-accessible ICS: Targets ICS to disrupt physical processes
What critical infrastructure operators can do
To protect systems and strengthen resilience, operators should implement the following measures:
- Conduct an inventory of all ICS devices and remove unnecessary ICS and OT connections to the Internet
- Use virtual private networks (VPNs), firewalls and multi-factor authentication (MFA) for remote access
- Change default passwords
- Enhance monitoring of ICS and OT environments to detect unusual activity, and ensure logging is enabled and logs are reviewed regularly
- Develop and test an incident response plan specific to OT environments
- Conduct tabletop exercises and regular cyber security awareness training for employees
- Verify manual controls and maintain offline backups
- Separate information technology (IT) and OT environments to prevent lateral movement
- Apply security patches and updates promptly to address known vulnerabilities
Secure-by-design principles
CI operators using ICS should prioritize security when procuring digital products and services. Select technologies that are secure and verifiable, in line with secure-by-design principles.
Manufacturers of such technologies should build security into products from the start – addressing cyber threats through thoughtful design, development, architecture, and security measures to reduce vulnerabilities.
Strong, secure technology helps protect the essential services that Canadians rely on.
Government of Canada support
As described in the 2025 National Cyber Security Strategy, the Government of Canada will continue to work with domestic partners and industry, such as critical infrastructure owners and operators, on countering and mitigating cyber threats to Canada’s most essential systems.
The Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment Canada (CSE), recently issued an alert about hacktivists targeting Internet-accessible industrial control systems (ICS) in critical infrastructure such as water, food, and energy and utilities.
The Cyber Centre has also published a dedicated assessment of the cyber threat to Canada’s water systems, which includes guidance for water utility owners and operators to protect their systems.
Reporting cyber incidents
Should you or your institution be the target of malicious cyber activity:
- report it to the Cyber Centre via the My Cyber Portal or by e-mail at contact@cyber.gc.ca
- report it to your police of jurisdiction and to the Royal Canadian Mounted Police’s cybercrime and fraud reporting portal as appropriate
Reporting potential cyber security incidents will ensure that the Cyber Centre can provide guidance during the investigation and recovery process.
Contacts
Media Relations
Communications Security Establishment Canada
media@cse-cst.gc.ca