Skip to content

Secure Smart Cities: Making Municipal Critical Infrastructure Cyber Resilient

April 2022

Secure Smart Cities



Stephanie Tran


Sharan Khela

André Côté

André Côté


  • Nour Abdelaal
  • Sam Andrey
  • Karim Bardeesy
  • Sumit Bhatia
  • Zaynab Choudhry
  • Charles Finlay
  • Mohammed (Joe) Masoodi
  • Ana Qarri
  • Yuan Stevens



Executive Summary

Critical infrastructure, like energy, water and transportation systems, are increasingly being connected to the internet to increase automation, facilitate remote monitoring and drive efficiency. Despite its benefits, internet connectivity has also made critical infrastructure systems more vulnerable to cyber threats. This report examines the unique challenges and needs of Canada’s municipalities for securing their critical infrastructure from cyber threats, developed through a literature and jurisdictional review, along with interviews and a round table with experts.

Key challenges faced by municipalities regarding the cybersecurity of their critical infrastructure include:

  • Increasing cyber attacks targeting municipalities and critical infrastructure: In 2021, the majority of ransomware victims in Canada were critical infrastructure providers. The scale, frequency and sophistication of ransomware and supply chain attacks continue to cause major disruptions to critical operations.
  • Constrained funding and aging assets: Underinvestment in critical infrastructure has left municipal budgets stretched to protect these assets from physical threats, nonetheless digital ones. This lack of funding has delayed the replacement of legacy systems, which are more susceptible to cyber attacks.
  • Shortage of cybersecurity talent: The industry is struggling to hire and retain security labour, and the competitive market puts smaller municipalities at a further disadvantage.
  • Lack of cybersecurity in traditional emergency management: Emergencies resulting from cyber-physical incidents do not fit into traditional emergency management structures, leaving a lack of clarity on how such emergencies should be prepared for and responded to.