Secure Smart Cities: Making Municipal Critical Infrastructure Cyber Resilient

April 2022

Authors

Stephanie Tran

Sharan Khela

André Côté



Contributors

  • Nour Abdelaal
  • Sam Andrey
  • Karim Bardeesy
  • Sumit Bhatia
  • Zaynab Choudhry
  • Charles Finlay
  • Mohammed (Joe) Masoodi
  • Ana Qarri
  • Yuan Stevens

Partners

  • CIB
  • RCC
  • RBC

Executive Summary


Critical infrastructure systems, like energy, water and transportation, are increasingly being connected to the internet to increase automation, facilitate remote monitoring and drive efficiency. Despite its benefits, internet connectivity has also made these systems more vulnerable to cyber threats. This report examines the unique challenges and needs of Canada’s municipalities in securing their critical infrastructure from cyber threats. Its findings were developed through a literature and jurisdictional review, along with interviews and a round table with experts.

Key challenges faced by municipalities regarding the cybersecurity of their critical infrastructure include:

  • Increasing cyber attacks targeting municipalities and critical infrastructure: In 2021, the majority of ransomware victims in Canada were critical infrastructure providers. The scale, frequency and sophistication of ransomware and supply chain attacks continue to cause major disruptions to critical operations.
  • Constrained funding and aging assets: Underinvestment in critical infrastructure has left municipal budgets stretched to protect these assets from physical threats, let alone digital ones. This lack of funding has delayed the replacement of legacy systems, which are more susceptible to cyber attacks.
  • Shortage of cybersecurity talent: The industry is struggling to hire and retain security labour, and the competitive market puts smaller municipalities at a further disadvantage.
  • Lack of cybersecurity in traditional emergency management: Emergencies resulting from cyber-physical incidents do not fit into traditional emergency management structures, leaving a lack of clarity on how such emergencies should be prepared for and responded to.

Promising developments that are helping municipal critical infrastructure owners and operators secure their systems from digital threats include:

  • Headway from the energy industry: Regulatory standards for advancing cybersecurity have been implemented in the energy sector over recent years. This includes the NERC Critical Infrastructure Protection standards that are mandated in eight provinces, and the Ontario Energy Board’s Cyber Security Framework.
  • Federal initiatives and tools: The Government of Canada now offers two tools for critical infrastructure owners and operators to measure their cybersecurity postures, with plans to do more work on identifying municipal resilience needs.
  • Municipal councils prioritizing cybersecurity: Support for cybersecurity initiatives by council members has been shown to vastly improve the cybersecurity maturity of municipalities.
  • Cyber insurance: Qualifications for cyber insurance coverage have motivated municipalities to adopt better cybersecurity policies and practices.

  1. Provincial mandates: As the order of government with jurisdictional responsibility for municipalities, provinces should enact mandates and provide resources for local governments in their critical infrastructure cyber resiliency efforts. Different standards should be developed for different types of critical infrastructure at the provincial level (e.g., electricity, water, public transit).
  2. Cybersecure procurement: In light of increasing supply chain attacks, infrastructure procurement practices and guidelines need to be updated to mitigate cybersecurity risks. 
  3. Cybersecurity investment: More dedicated funding for improving the cybersecurity of critical infrastructure is needed, including investments to enable municipalities to pay market rates for cybersecurity talent. 
  4. Collaboration and information sharing: Industry and all levels of government need to partner and share information on cyber threats and incidents in a more timely manner. 
  5. Training for today and tomorrow’s staff: A culture of cybersecurity needs to be fostered across all organizational levels, with municipal management and councils at the forefront of supporting cybersecurity efforts. Addressing the widespread shortage of cybersecurity talent also requires training and reskilling programs.