CYBERSECURITY IN CANADA Survey of Cybersecurity in Canadian Manufacturing and Critical Infrastructure November 2019

CYBERSECURITY IN CANADA - The Details · 2019. 12. 11. · CYBERSECURITY IN CANADA Jean-Guy Rens In collaboration with Huguette Guilhaumon Montréal, QC, Canada The nature of cybersecurity


CYBERSECURITY IN CANADA

Survey of Cybersecurity in Canadian Manufacturing and Critical Infrastructure

November 2019


CYBERSECURITY IN CANADA

Jean-Guy Rens In collaboration with Huguette Guilhaumon

Montréal, QC, Canada

The nature of cybersecurity has changed. Since manufacturing companies have begun to link operational technologies (OT) from their manufacturing chain to their information systems (IT), any cyber-attack can not only damage computer data, but also physical devices. Any machine thus connected can be slowed down, stopped or destroyed remotely. It is no longer our computer or our information that is at stake. It is our physical goods and, ultimately, our lives.

Are Canadian businesses and critical infrastructures protected? To answer this question, the authors commissioned by the Canadian Advanced Technology Alliance (CATA) surveyed more than 200 companies throughout the country. They then organized one-to-one interviews with 28 cybersecurity officers.

The study covers more precisely:

• Which companies are digitized?
• Intensity of IT / OT digitization
• Who is responsible for cybersecurity?
• What measures are in place?
• Scope of cyber-attacks and their impact
• Major issues: information, manpower, sovereignty…

Who is this study for?

• Security industry executives
• Users of security goods and services
• Public and private investors
• Government decision makers
• Current or potential foreign partners
• Specialized media
• University researchers

For information on this publication, please contact:
Huguette Guilhaumon
5801 Claude Masson Street, Montréal, Québec H1K 0H2
Telephone: 514 656-3254 – [email protected]

For information on or any other CATAAlliance activity, please contact:
Cathi Malette
207 Bank Street, Suite 416, Ottawa, Ontario K2P 2N2
Telephone: 613-236-6550 – [email protected]

This study was made possible through the partnership of the CATA Alliance, CyberNB and Siemens Canada.


Table of Contents

1. Introduction
1.1 – OTs are at the heart of the battle for cybersecurity
1.2 – Definition of critical infrastructure
1.3 – Cybersecurity in the world
1.4 – Purpose and organization of the study
1.5 – Implementation team
1.6 – Financing of the study
1.7 – Acknowledgements

2. Industry profile
2.1 – Total population and respondents
2.2 – Size of companies responding to the survey
2.3 – Nature of the companies
2.4 – International dimension of companies

3. Characteristics of digitization
3.1 – IT digitization in companies
3.2 – Intensity of IT digitization in companies
3.3 – Digitization of OT in companies
3.4 – Intensity of OT digitization in companies
3.5 – Type of automated equipment used
3.6 – Companies that have crossed the Industry 4.0 threshold

4. Position of cybersecurity in the organization
4.1 – Cybersecurity organizational structure
4.2 – Cybersecurity Practices Dashboard

5. Cyberattacks and their impacts
5.1 – Magnitude of the Phenomenon
5.2 – Reaction to Cyber-attacks

6. Regulation, standardization and management of cybersecurity
6.1 – Standards or Regulations
6.2 – Who is part of the critical infrastructure community?
6.3 – Federal Government Consultation Process
6.4 – Investment in Cybersecurity
6.5 – Cybersecurity Insurance
6.6 – Overall Company Readiness for Cybersecurity
6.7 – Short-term Projects of Companies

7. Issues and possible solutions
Issue #1 – Information Sharing
Issue #2 – Shortage of Qualified Labour
Issue #3 – Enhance the CISO Function
Issue #4 – Insert Cybersecurity in the Employee Job Description
Issue #5 – Software Vulnerability
Issue #6 – The Special Case of Industrial SMEs
Issue #7 – Strategic importance of e-insurance
Issue #8 – A question of sovereignty

Appendix 1 – Case Studies
Aéroports de Montréal (ADM)
Agropur Dairy Cooperative
Air Canada
APN Global
ATCO Group
Business Development Bank (BDC)
Canadian Broadcasting Corporation (CBC)
Canadian Nuclear Laboratories (CNL)
CIO Association of Canada (CIOCAN)
Cisco Canada
Computer Research Institute of Montréal (CRIM)
Concordia University
CyberNB
Desjardins Group
Difenda
In-Sec-M
Industrial Alliance
Kryptera Technologies
Ontario Provincial Police (OPP)
Public Safety Canada
Royal Bank of Canada (RBC)
Secrétariat du Conseil du Trésor (SCT)
Siemens Canada
Sobeys
Société de transport de Montréal (STM)
Toronto Police Service
Union des municipalités du Québec (UMQ)
Xittel Telecommunications

Appendix 2 – Methodology
Appendix 3 – Selected Bibliography


Table of Illustrations

Figure 1 – Percentage of manufacturing companies and critical infrastructure attacked
Figure 2 – Distribution of cybersecurity investments in Canada
Figure 3 – Countries with the best cybersecurity
Figure 4 – Respondents rate
Figure 5 – Size of the companies that responded to the survey
Figure 6 – Distribution between the industrial sector and critical infrastructure
Figure 7 – Companies with employees abroad
Figure 8 – Canadian exports
Figure 9 – Destinations of Canadian exports
Figure 10 – IT digitization
Figure 11 – Intensity of IT digitization
Figure 12 – OT digitization
Figure 13 – Intensity of OT digitization
Figure 14 – The tools of automation
Figure 15 – The 4.0 companies
Figure 16 – Companies that have appointed a cybersecurity official
Figure 17 – Few cybersecurity specialists
Figure 18 – Cybersecurity employees report to the IT department
Figure 19 – Cybersecurity specialists are often isolated individuals
Figure 20 – Outsourcing of cybersecurity
Figure 21 – Rate of cybersecurity activities outsourced
Figure 22 – Availability of a written cybersecurity program
Figure 23 – Deployment of some basic processes
Figure 24 – Cybersecurity technologies
Figure 25 – Does the company have special measures for cyber-physical security?
Figure 26 – Nature of the special measures
Figure 27 – Has your company suffered a cyberattack with damage?
Figure 28 – The target of cyberattacks is the big business
Figure 29 – Types of cyber-attacks
Figure 30 – Amount of damage
Figure 31 – Who did the company use in response to the cyberattacks?
Figure 32 – Cybersecurity standards or regulations in force in the company
Figure 33 – Do you know if your company operates a critical infrastructure?
Figure 34 – Satisfaction with the Federal Government
Figure 35 – Amount invested in cybersecurity (annual basis)
Figure 36 – Investment forecast (2019)
Figure 37 – Who has an insurance to cover cyber risk?
Figure 38 – How prepared is your company for cybersecurity?
Figure 39 – Next steps in the deployment of cybersecurity in the enterprise
Figure 40 – The RageBooter Web Page Prior to its Forced Closure
Figure 41 – The RageBooter Web Page After its Forced Closure
Figure 42 – Geographical Origin of the Respondents
Figure 43 – Respondent's Position Within the Organization
Figure 44 – Service to Which the Respondent Refers
Figure 45 – Sectoral Distribution of Respondents


Abbreviations and Acronyms

ASIS – American Society for Industrial Security
ATM – Automatic Teller Machine
C-TPAT – Customs-Trade Partnership Against Terrorism
CANASA – Canadian Alarm and Security Association
CFO – Chief Financial Officer
CGEIT – Certified in the Governance of Enterprise IT
CIO – Chief Information Officer
CIPS – Canadian Information Processing Society
CISA – Certified Information Systems Auditor
CISM – Certified Information Security Manager
CISO – Chief Information Security Officer
CISSP – Certified Information Systems Security Professional
CNC – Computer Numerical Control
COBIT – Control Objectives for Information and related Technology
CRIM – Centre de recherche informatique de Montréal
CRIQ – Centre de recherche industrielle du Québec
ERP – Enterprise Resource Planning
GDPR – General Data Protection Regulation
GIAC – Global Information Assurance Certification
GSEC – GIAC Security Essentials (GSEC)
IATF – International Automotive Task Force
ICS – Industrial control system
IDS – Intrusion Detection System
ISA – International Society of Automation
ISC – International Security Conference
ISP – Information Systems Professional
IT – Information Technologies
ITCP – Information Technology Certified Professional
ITU – International Telecommunications Union
OT – Operational Technologies
PIPEDA – Personal Information and Electronic Documents Act
PKI – Public Key Infrastructure
PLC – Programmable Logic Controller
POS – Point of Sale
R&D – Research and Development
RFID – Radio Frequency Identification
SCADA – Supervisory Control And Data Acquisition
SCC – Standards Council of Canada
SME – Small and medium-sized enterprises
SSCP – Systems Security Certified Practitioner
TSCP – Transglobal Secure Collaboration Program
TTNRC – National Research Council
VPN – Virtual Private Network


Cybersecurity in Canada

Cybersecurity is the preservation – through policy, technology, and education – of the availability, confidentiality and integrity of information and its underlying infrastructure so as to enhance the security of persons both online and offline.

Freedom Online Coalition (with the collaboration of the Government of Canada)1

We are very much in a hyperconnected world, so whether you are an individual, a corporation, or in the public sector, you have to be committed to protecting your assets, which includes ordinary citizens.

John Reid (1950-2019) (Former CATA President)

1 Quoted by Holly Porteous, Cybersecurity: Technical and Strategic Challenges, Library of Parliament, Ottawa, February 16, 2018. The Freedom Online Coalition (FOC) is a group of 30 governments committed to working together to defend freedom on the Internet and protect fundamental human rights. The Coalition was created in December 2011 and is headquartered in London, UK. Canada is a founding member of the Coalition.


1. Introduction

Executive Summary

- When Iranian centrifuges were destroyed in 2010 by anonymous hackers, the nature of cybersecurity changed: it was no longer simply a matter of preserving the integrity of computer data, but of physical equipment and, ultimately, of human life. However, 21% of Canadian companies have been affected by cyber-attacks that have caused damage. The threat has been directed primarily at critical infrastructure (mainly oil and gas, electricity grids and the financial sector) and industrial companies. It is a multifaceted threat that can come from lone wolves and disgruntled employees, as well as from organized criminals and even from state secret services.

- So far, it has been impossible to respond to these diffuse forces in an organized fashion. Since 2004, the United Nations Group of Governmental Experts (GGE) has been trying to approach cybersecurity at the global level. In vain, however. At the same time, the Council of Europe has adopted its own cybersecurity treaty, known as the Budapest Convention, which has been ratified by 69 countries, including Canada. It is the only international treaty in force presently, although a majority of countries still refuse to accede to it. In response to this failure of the international community, the private sector has tried to respond through three major initiatives: The Charter of Trust launched by Siemens in February 2018, the Cybersecurity Tech Accord launched by Microsoft in April 2018, and the Open Cybersecurity Alliance by IBM Security and McAfee in October 2019.

- Canada is a major player in the international cybersecurity arena. Ranked among the top five safest countries by the various existing comparative studies, Canada invests $14 billion annually in cybersecurity (Statistics Canada).

- The purpose of this study is to: (1) assess the level of adoption of industry 4.0 in manufacturing and critical infrastructure, (2) analyze the intensity of cybersecurity in companies 4.0 and (3) share best practices in cybersecurity adopted by infrastructures.

- The development of the database and the study were funded mostly by Siemens Canada and CyberNB.

- Stuxnet Revolution: the physical world is vulnerable to cyberattacks.

- International cooperation breaks down and private sector intervention.

- Canada is among the leaders in the fight against cybercrime.

The three goals of this study: (1) assess the level of adoption of industry 4.0, (2) analyze the intensity of cybersecurity and (3) share best practices.


Cybersecurity has changed in nature. The key moment is the year 2010 with the cyberattacks on Iran’s nuclear program by the Stuxnet computer virus. Presumably designed by the National Security Agency (NSA), in collaboration with unit 8200 of the Israel Defence Army, the virus targeted exclusively system software used by uranium enrichment centrifuges in Iran. A centrifuge necessarily operates at a very high speed to physically separate the isotopes from the uranium to produce a highly enriched nuclear fuel. The Stuxnet code was programmed to successively slow down this speed, making refining inoperative, and accelerate it, causing the centrifuge to explode. For the first time, a computer virus was able to destroy hardware equipment.

With the Stuxnet case, it is no longer our computer or our information that is at stake. It has now become a matter of our physical possessions and, ultimately, our very lives. When a villain or hostile power can remotely shut down the power supply to an entire region, stop the engines of an airplane in flight or interrupt pacemakers, the nature of the damage has changed. We are no longer talking about a simple computer incident, but a global crisis.2

This new vulnerability is the consequence of a company's digitization. It is no longer enough to equip a business with computers and robots. From now on, the project is global. Everything digital, from smartphones to sensors, digital cameras and 3D printers to robots, is networked and functions as a vast unified system – this is called Industry 4.0 or the Industrial Internet of Things (IIoT).

1.1 – OTs are at the heart of the battle for cybersecurity

This fluidity of processes affects the industrial world, which is in the process of rapid automation. Indeed, more than 70% of Canada’s manufacturing companies are fully or partially automated3. An increasing number of these companies have interconnected their automated equipment or operational technologies (OT) with information technology (IT) systems, in order to extract big data and control production in real time.

2 Steven Cherry, “How Stuxnet Is Rewriting the Cyberterrorism Playbook”, (A computer virus targeting industrial control systems provides a blueprint for a new generation of cyberweapons), IEEE Spectrum, 13 October 2010. Nicolas Falliere, Liam O Murchu and Eric Chien,

The weak link in the digital enterprise lies in the operational equipment. An industrial machine has a life expectancy of about 20 years, often more. For example, the Vestshell smelter in Montréal still uses a 1970s robot, albeit with a new control system. But the robot, with its articulated arm, control cabinet and inertial unit, is still in operation almost half a century after its commissioning.4

3 CATAAlliance, “Advanced Manufacturing Sector”, Montréal, 2017, 80 pages. 4 Idem

“This was the first digital attack that infiltrated from the digital world into the physical world, causing physical destruction, not to the computers that were infected, but to devices that these computers controlled – namely the Iranian centrifuges.”

Interview with Kim Zetter, European Cybersecurity Journal, vol. 5, issue 1, 2019.


A life expectancy of 20 years, or even 25 or 30 years, represents an eternity in the IT world which is constantly innovating. Computer generations are succeeding each other at ever faster rates. Criminals and intelligence services have been quick to exploit the inevitable gaps that emerged in the conjunction between the IT and OT worlds. According to the Canadian Centre for Cyber Security (Cyber Centre), cybercriminals have already successfully infiltrated thousands of devices – from baby monitors to air quality monitors to surveillance cameras – to launch botnet attacks. Anything that is connected can become a target. That is why, following the study on “Advanced Manufacturing Sector”, the CATA Alliance undertook to examine the physical aspects of cybersecurity in the manufacturing sector. Our study looked at not only companies that have equipped themselves with robots, but also those that have installed control systems for air conditioning or heating, sensors, or even simple digital cameras.

How often do these common industrial systems have a default password listed in instructions available on the Internet? If by any chance a conscientious user wants to program a slightly more sophisticated protection system on his online device, he is given the warning message “Memory Full”. The memory of many devices is too limited to download anything onto them, let alone run a cybersecurity program.

In Canada, 21% of companies have already been victims of cyber-attacks that have caused serious damage (with repercussions on operations). Large companies are targeted more often than SMEs, and manufacturing companies and critical infrastructure are targeted more often than the national average (see Figure 1 – Percentage of manufacturing companies and critical infrastructure attacked)5. This assessment is probably conservative because many SMEs do not know whether their networks are contaminated or remotely controlled, or whether their computers are being used as zombie machines.

Figure 1– Percentage of manufacturing companies and critical infrastructure attacked

Source: Statistics Canada, Cyber Security and Cybercrime in Canada, 2017, table 22-10-0076-01.

5 News release, “Impact of cybercrime on Canadian businesses, 2017”, Statistics Canada, 15 October 2018.

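[Figure 1: bar chart. Vertical axis: 0% to 50%. Sectors shown: Agriculture, Oil & Gas, Electric Power, Manufacturing, Wholesale Trade, Food, Transportation, Info & Cultural Industries, Finance & Insurance, Healthcare. Data labels as extracted, with their assignment to sectors not recoverable: 15%, 44%, 32%, 26%, 27%, 5%, 22%, 30%, 33%, 13%.]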


In addition to the manufacturing sector, we included critical infrastructure in this study because it is at the forefront of cybersecurity. Companies and organizations that manage infrastructure have the means to invest massively in cybersecurity, which they willingly do, because they are prime targets for cybercriminals. Moreover, they are generally regulated by governments or international institutions.

Critical infrastructure can serve as a model for the manufacturing sector. Like the latter, critical infrastructure has to protect its physical assets, and like the latter, it is digitizing its operating processes. With its strong research and development (R&D) capacity and access to the latest innovations, critical infrastructure plays an essential role in the evolution of cybersecurity and its best practices. Moreover, it is made up of entities that are accustomed to cooperating with each other and thus it commands real sources of information on cyber threats.

1.2 – Definition of critical infrastructure

The concept of essential or critical infrastructure emerged in the mid-1990s in the United States. After the attacks of 11 September 2001, it spread throughout the world. In the following years, most industrialized countries launched think-tanks or commissions on the identification and protection of critical infrastructure. Canada occupies a special place because of its close bilateral cooperation with the United States.

In addition, the 1998 ice storm crisis in Canada was a major factor in placing the concept of critical infrastructure at the heart of the political agenda. Freezing rain fell for five days in Québec, eastern Ontario, New England and northern New York State. The ice layer, which was more than 100 mm thick in some places, covered all structures and caused the collapse of hundreds of electrical pylons and tens of thousands of local distribution poles.

To understand the exact role played by such a disaster, one must consider its cascading effect. When an electricity grid breaks down, as it did during the ice storm, not only is the population without electricity and heat, but drinking water treatment plants stop purifying water, airlines divert flights, gas stations no longer operate, stores close, etc. The effects of an electrical interruption are the most visible, but every infrastructure has its own cascade effect. All it takes to paralyze an entire region with ricochets is to hit a key industrial sector.

While all industrialized countries have taken increased steps to protect their critical infrastructure, they have all attributed different definitions to the concept. The National Strategy on Critical Infrastructure, coordinated by Public Safety Canada, has proposed its own definition: “Critical infrastructure refers to processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects and significant harm to public confidence.”6

This definition is inclusive. But its operational application is less so. Indeed, critical infrastructure is divided into ten sectors, namely:

• Energy and utilities: electricity, gas, oil and petrol production and distribution systems, etc.

• Information and communication technologies: telecommunications and broadcasting networks, software and hardware, computer networks including the Internet, etc.

• Finance: banking networks, stock exchanges, etc.

• Health: hospitals, vaccine supplies, blood supplies, pharmaceutical companies, etc.

• Food: food industries, agriculture, etc.

• Water: drinking water treatment and distribution, wastewater management, etc.

• Transport: bridges, road networks, airports, ports, etc.

• Safety and security: police, firefighters, chemical, biological, radiological and nuclear hazards, dams, hazardous materials, search and rescue, etc.

• Government: government services (federal, provincial and municipal), some national sites and monuments, etc.

• Industry: defence-related companies, chemical industries, metals, etc.

When Public Safety Canada officials are asked to clarify what these categories cover, they respond that there is no detailed definition, let alone lists of critical organizations. The Canadian government believes that each crisis is different in nature and generates its own circumstantial definition of critical infrastructure. A dam that overflows puts at risk a crisis perimeter that is disproportionate to a falling plane. The nature of the crisis defines the infrastructures to be mobilized on a case-by-case basis.

The Canadian situation is in contrast to the European doctrine defined in the 2016 Network and Information System Security (NIS) directive, which calls for the establishment of nominal lists of public or private organizations operating critical infrastructure. There are about 500 essential service operators (ESOs) in the United Kingdom, 200 in Germany and 122 in France – these figures are expected to be revised upwards shortly.

Canada must be content to live with an elastic and, moreover, incomplete perimeter. Indeed, Canadian universities are omitted from the government's list. However, they often have very advanced laboratories. There is not even an NAICS code definition that would indicate which categories of companies and organizations are included in Public Safety Canada's 10 sectors.

To get an idea of the composition of these sectors, one must refer to Tyson Macaulay's well-documented book, which gathers an irreplaceable amount of information for anyone interested in critical infrastructure. It has thus created a table that defines sectors according to the four-digit NAICS code, which represents a major step forward in relation to the government's blurring of the definitions. Whenever possible, we adopted Tyson Macaulay's methodology for this study (see Appendix 2 – Methodology).

6 “National Strategy for Critical Infrastructure”, Public Safety Canada, Ottawa, 2009, 10 pages.


“Scholarship in this area describes different state-level models for regulating cybersecurity: first, a principle-based framework focused on good practice, and second, a more ad hoc style of regulation focused less on good practice and more on repelling cyber threats, which approaches risk regulation on an industry-specific basis. Canada’s cyber regulatory regime favours the second model, at least in some respects. To begin, it adopts threat repulsion rather than best practices as its organizing principle. Canada’s national cyber security strategy, in place since 2010 (although legislation to update it was proposed in June 2017), focuses on repelling foreign-state actors, criminals and terrorists. This strategy advances a three-pillar program: securing federal government systems; partnering with lower levels of government and the private sector to secure cyber systems outside the federal government; and improving online security for Canadians, through a combination of public education and enhanced law enforcement capabilities.”

Brent J. Arnold, Gowling WLG (Canada) LLP7

1.3 – Cybersecurity in the world

Just as it is not possible to address cybersecurity in an isolated enterprise, it is not possible to address it in a city, province or country. To counter a threat that is global, strong alliances and international cooperation must be put in place.

1.3.1 – International Cooperation

Naturally, it was the United Nations that took the initiative to develop a policy of cooperation among States to reduce risks in cyberspace. For example, in 2004 the United Nations established a Group of Governmental Experts (GGE) to review developments in information technology and telecommunications in the context of international security. Canada was a member in 2012-2013 and 2016-2017. After many false starts, a report was produced in 2015, one of the important recommendations of which was that "A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public."8

Unfortunately, the United Nations Group of Experts has not been able to reach a consensus on how to respond to cyber-attacks, nor on the role that the United Nations should play, if any, in imposing sanctions against the perpetrators of cyber-attacks. The impasse occurred in 2017 due to opposition between the United States and its allies – including Canada – who believe that existing international law should apply in cyberspace, and the Chinese, who argue that an entirely new treaty should be concluded based on a code of conduct for cybersecurity9.

7 Brent J. Arnold, “Cyber Security in Canada: Structure and Challenges” in Christian Leuprecht and Stephanie MacLellan (edited by), "Governing Cyber Security in Canada, Australia and the United States", Centre for International Governance Innovation, Waterloo (Ontario), 2018, 36 pages.

8 “Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security”, United Nations General Assembly, 22 July 2015.

9 “Cybersecurity: technical and policy challenges”, Library of Parliament, Ottawa, February 2018, 20 pages. Cf. p.10-11.


Meanwhile, the Council of Europe was developing its own cybersecurity treaty, but from the outset with a global perspective – observers from Canada, Japan and China participated. Concluded in November 2001, this Convention on Cybercrime is generally referred to as the Budapest Convention after the city where it was signed. It entered into force in July 2004 and has since then been the only international treaty with binding effect on computer crime, including the Internet.

The Budapest Convention defines in detail acts against computer systems, copyright violations, hate speech, abuses related to child pornography, as well as network security offences. The document also provides for a series of powers to be conferred on law enforcement, such as the search of computer networks and the seizure of stored data, even if they are located in another country. Its main objective is to pursue a common criminal policy to protect society against cybercrime by encouraging each country to adopt appropriate legislation.10

Canada ratified the Budapest Convention in July 2015. As of March 2019, a total of 63 countries have ratified the Convention. It has been used as a basis for the drafting of many laws around the world but is still the subject of strong and essential action by countries that refuse to sign it (China and Russia) as well as human rights defenders (Amnesty International).

To extend the work of the Budapest Convention and bypass disputing countries, a forum bringing together states, intergovernmental organizations and private companies, was created in 2015 in The Hague under the name of the Global Forum on Cyber Expertise (GFCE). The United States and Canada are represented, but not China or Russia. The private sector is represented by Microsoft, Cisco, HP, Huawei, IBM, Deloitte, Symantec, etc. The GFCE is a global platform to identify and promote effective cybersecurity policies, practices and ideas at the global level. Its work focuses on the exchange of best practices in a framework that closely unites security and human rights interests. Its 71 members are developing concrete cybersecurity initiatives in collaboration with 15 partners.

France has also tried to revive international cooperation by pulling together the public and private sectors. This is the meaning of the Paris Call for Trust and Security of November 2018. But its founding document continues to affirm that international law is applicable to cyberspace. One element of the Paris Call was controversial, namely that it prohibited non-state actors from "hacking back, for their own purposes or those of other non-State actors."

10 Brigitte Pereira, “La lutte contre la cybercriminalité : de l’abondance de la norme à sa perfectibilité”, Revue internationale de droit économique, 2016.

Hacking back would be tantamount to allowing private companies to engage in "vigilantism" and would suffer from the same problems. At the same time, however, the United States was in the process of developing a new cyberdefence doctrine that would give the Pentagon a delegation to allow immediate responses to an attacking computer system.11 Indeed, the Paris Call only prohibited reprisals by non-state actors. Nevertheless, the notion of hacking back remains controversial. The Paris Call was supported by 67 States, including all members of the European Union and Canada, 139 non-profit groups and 358 private companies and universities. Microsoft was very active in the preparatory work; Facebook, IBM and Oracle also signed. The notable absentees from signing the commitment were China, Russia, Iran, Iraq, Israel and the United States, ironically the countries most likely to be in cybersecurity conflict with each other.12

In all these initiatives, Siemens has played a very active role. But in the face of the blockage of all projects involving contradictory national policies and, above all, the acceleration of cyber-risk, a question has gradually emerged: as long as it is necessary to create a public-private organization that inherits the slowness of the state, why not design a purely private organization? This is why at the Munich Security Conference in February 2018, Joe Kaeser, the President of Siemens, acknowledged the growing threat posed by cybercriminals to critical infrastructure and industry: “In the United States alone, cyberattacks on manufacturing plants doubled between 2015 and 2016. The energy sector, in particular, is an increasingly frequent target... Thus, 30% of all attacks have targeted operational technologies (OT). In other words, hackers are not only trying to infect computer networks; they are actively trying to interrupt power networks or take control of autonomous machines.”13

Siemens then launched a Charter of Trust with seven other companies: Airbus, Allianz, Daimler, Deutsche Telekom, NXP, SGS and IBM. This agreement focuses more specifically on critical infrastructure and OTs, i.e. cyber-physical risk. The Charter of Trust claims not to replace state action and instead claims to encourage it; it intends to “promote multilateral collaborations in regulation and standardization to set a level playing field matching the global reach of the World Trade Organization (WTO); inclusion of rules for cybersecurity into Free Trade Agreements.”

11 Bill "HR 4036 – Active Cyber Defense Certainty Act" by Republican Representative Tom Graves, aimed at preventing computer fraud prosecutions against people who protect themselves against intrusions into their computers.
12 Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, United Nations, 22 July 2015. “Derrière l'Appel de Paris”, Digital Watch, Geneva Internet Platform, November 2018.
13 Joe Kaeser, "How Siemens’ Charter of Trust Aims to Improve Industrial Security", IoT World Today, 16 February 2018.


The Charter of Trust aims to contribute to a more secure digital world and, to this end, defines three objectives:
- The protection of personal and company data;
- The prevention of damage to persons, businesses and infrastructure;
- Building trust in the connected and digital world.

One year after the publication of the Charter of Trust, the initial group has grown to 16 full members and three associate members: the German Federal Office for Information Security (BSI), the National Cryptologic Center (CCN) of Spain and the Graz University of Technology in Austria. The priority of Charter of Trust member companies is supply chain security. According to Accenture, 60% of cyberattacks target the supply chain, via factories, warehouses or logistics departments. The probability that the client himself will be the victim of hackers is constantly increasing. That is why Charter of Trust member companies have developed basic requirements and deployment proposals to ensure that cybersecurity becomes an absolute quality in all digital supply chains.14

Private sector involvement in international cooperation is not limited to the Charter of Trust proposed by Siemens. In April 2018, at the opening conference of the RSA conference in San Francisco, Microsoft President Brad Smith proposed a "Digital Geneva Convention". Brad Smith referred to 2017 as a year that could be described as “cyber-geddon”. With the WannaCry (North Korea) and NotPetya (Russia) attacks, cybercrime has changed dimension, he explains. Governments have been “attacking civilians in a time of peace. It’s essential that we convey the message to governments of the world that these cyber-attacks are not just attacks on machines, but they endanger people’s lives. We need to open eyes to the impact of these attacks and rally the world to address it.”15 For the Microsoft president, this new situation places a special responsibility on the cybersecurity industry. It then proposes for private companies a Cybersecurity Tech Accord where signatories commit to prevent the malicious manipulation of their products and not to help governments launch cyberattacks against citizens or innocent companies.16

14 Julie Le Bolzer, "Entre optimisation des chaînes et exposition au hacking: la voie étroite de la logistique digitalisée", Les Échos, 06 February 2019. 15 Eleanor Dallaway, “Microsoft President Calls for Governments to Form Digital Geneva Convention", Infosecurity Magazine, 17 April 2018.

16 Raquel Vázquez Llorente, "A Digital Geneva Convention? The Role of the Private Sector in Cybersecurity", LSE Ideas, 21 May 2018.


One year after its foundation, the Cybersecurity Tech Accord has already been ratified by 106 companies (May 2019). Among the signatories to this text are the main players in the sector, whether they are cybersecurity experts such as Symantec, CA Technologies, FireEye, F-Secure, TrendMicro, or major technology players such as Facebook, HP, Microsoft, Nokia, Oracle, Cisco or SAP. The signatory companies undertake to collaborate with each other to implement and extend it. All their projects will be made public as they are implemented.

A brand-new initiative was launched in October 2019 under the name Open Cybersecurity Alliance (OCA), which aims to promote open-source cybersecurity solutions. At present, enterprises use up to 50 different security tools from 10 major cybersecurity vendors. Kick-started by IBM Security and McAfee, the initiative will enable information security companies that are a part of the new consortium to freely exchange information, insights and even threat orchestration. The OCA was formed under the auspices of the Organization for the Advancement of Structured Information Standards (OASIS), which is an open standards and open-source group.17

Summary of international cooperation

| Initiative | Year | Participation |
|---|---|---|
| United Nations – Group of Governmental Experts (GGE) | 2004 | In a deadlock since 2017 |
| Council of Europe – Budapest Convention | 2001 | 63 States |
| Global Forum on Cyber Expertise (GFCE) | 2015 | 71 members and 15 partners (States, intergovernmental groups and private companies) |
| Paris Call | 2018 | 51 states, 90 non-profit groups and 130 private companies and universities |
| Charter of Trust | 2018 | 16 private companies’ members and 3 partners (public sector and university) |
| Cybersecurity Tech Accord | 2018 | 106 private companies |
| Open Cybersecurity Alliance | 2019 | 2 founders and 16 members from the IT sector |

In general, international cooperation is hampered by the slow pace of consensus decision-making that is the rule in international institutions. The endless slow work of the United Nations on cybersecurity is a major handicap to the speed of technological development. There is still no international law on cybersecurity; countries do not even agree on the definition of the concept of cybercrime.

17 Jonathan Greig, "McAfee, IBM join forces for global open source cybersecurity initiative", TechRepublic, 10 October 2019.

The international situation is characterized by a lack of clearly defined and implemented international governmental will. The United Nations is blocked. Even the Budapest Convention is not ratified by the entire international community. In the vacuum created, the private sector has rushed into the role with Siemens and Microsoft in a leadership role.18

18 Robert Gorwa and Anton Peez, “Tech Companies as Cybersecurity Norm Entrepreneurs: A Critical Analysis of Microsoft’s Cybersecurity Tech Accord”, SocArXiv (University of Maryland), 11 December 2018.


1.3.2 – Canada's place on the international stage

According to Statistics Canada, Canadian companies invested $14 billion in cybersecurity in 2017, representing less than 1% of their total revenues. Most of this amount is made up of the salaries of the companies' employees and the fees paid to specialized cybersecurity firms.19

Figure 2 – Distribution of cybersecurity investments in Canada

Source: Statistics Canada, Cyber Security and Cybercrime in Canada, 2017, table 22-10-0076-01.

To better understand the cybersecurity performance of Canadian companies, it is necessary to situate the country on the international scene. The various studies consulted agree on one point: Canada's relative excellence compared to other countries. The most recent of these was conducted by the British firm Comparitech and ranks Canada third among the most cybersecure countries based on a series of seven criteria (used by 60 countries).20 Regarding Comparitech's comparisons, it should be noted that the higher the score, the more dangerous the country is considered to be in terms of cybersecurity (with the exception of the last two criteria on the best prepared places and on updating legislation where a high score means a positive score). Thus, the safest country is Japan because it has the lowest overall score. At the sectoral level, Canada leads the world in banking security with a very low attack rate. In terms of the International Telecommunication Union's (ITU) Global Cybersecurity Index (GCI), Canada ranks 9th (out of a total of 175 countries).21 However, Comparitech's comparison seems to take better account of recent developments in Canada than that of the ITU – the publication of the National Cybersecurity Strategy and the creation of the new Canada Centre for Cybersecurity. This is also the opinion of the Israeli firm CyberDB, which ranks Canada 4th (out of 10 countries) in its own ranking.22 This does not mean that there is no cyber security problem in Canada – far from it. But this allows us to put the results of the study into perspective.

19 “Impact of cybercrime on Canadian businesses, 2017”, Statistics Canada, Ottawa, October 2018.
20 Rebecca Moody, “Which countries have the worst (and best) cybersecurity?” Comparitech, 6 February 2019.
21 “Global Cybersecurity Index 2018”, International Telecommunication Union (ITU), Geneva, 2019, 86 pages.
22 Top 10 Countries Best Prepared Against Cyberattacks, CyberDB, Israel, 7 July 2018, 4 pages.

[Figure 2 chart data: values 57%, 29%, 14%; legend: Staff & Contractors, Related Software, Prevention & Recovery]


Figure 3 – Countries with the best cybersecurity

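| # | Countries | Score | Infected mobiles | Financial attacks | Infected computers | Telnet attacks (IoT) | Attacks by crypto-miners | Best prepared | Updated legislation |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Japan | 8.81 | 1.34% | 0.5% | 8.3% | 1.23% | 1.10% | 0.786 | 6 |
| 2 | France | 10.51 | 4.72% | 0.4% | 16.2% | 0.67% | 1.12% | 0.819 | 7 |
| 3 | Canada | 11.19 | 3.91% | 0.4% | 14.3% | 0.47% | 0.81% | 0.818 | 6 |
| 4 | Denmark | 12.04 | 1.98% | 0.4% | 5.9% | 0.04% | 0.61% | 0.617 | 5 |
| 5 | USA | 12.20 | 7.68% | 0.5% | 10.3% | 4.47% | 0.71% | 0.919 | 5.5 |
| 6 | Ireland | 13.41 | 3.73% | 0.5% | 7.9% | 0.06% | 0.85% | 0.675 | 5 |
| 7 | Sweden | 13.78 | 3.15% | 0.4% | 11.0% | 0.45% | 1.31% | 0.733 | 5 |
| 8 | Britain | 14.15 | 3.68% | 0.7% | 10.5% | 1.07% | 0.88% | 0.783 | 5 |
| 9 | Holland | 15.00 | 3.71% | 0.6% | 8.1% | 0.32% | 1.06% | 0.760 | 4 |
| 10 | Singapore | 15.13 | 8.18% | 0.8% | 8.5% | 0.14% | 1.61% | 0.925 | 4 |

Columns "Score" through "Attacks by crypto-miners": the lowest rating refers to the safest country. Columns "Best prepared" and "Updated legislation": highest rating.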

Source: Comparitech – February 2019

1.4 – Purpose and organization of the study

The CATAAlliance initiative focuses on physical cybersecurity in manufacturing companies and critical infrastructure that have already adopted, or are in the process of adopting, the Industry 4.0 paradigm – production automation and network integration. The study has three goals:

- Assess the level of Industry 4.0 adoption in manufacturing companies and critical infrastructure
- Analyze the intensity of cybersecurity in enterprises 4.0
- Share best practices in cybersecurity in an industrial 4.0 environment and critical infrastructure

Our study has three distinct sources:

• Internal survey: A CATAAlliance/Sciencetech Communications survey of 2,521 companies and organizations
• Interviews: A series of 28 personalized interviews conducted by Mr. Rens with high-level cybersecurity experts (manufacturing and critical infrastructure, academics, and government)
• External survey: Statistics Canada, “Cybersecurity and Cybercrime in Canada”, survey of 12,000 businesses (released in October 2018)


1.5 – Implementation team

The 2019 study on physical cybersecurity in manufacturing companies and critical infrastructure in Canada was led by Jean-Guy Rens, Vice-President of the Canadian Advanced Technology Alliance (CATA) and Senior Partner of ScienceTech Communications, in collaboration with Huguette Guilhaumon, Senior Partner of ScienceTech Communications. They were assisted by Luc Bourbonnais for data collection.

John Reid,23 President of the CATAAlliance, oversaw the funding and administration of the study in collaboration with Cathi Malette, Membership Services Manager. Since taking over the CATAAlliance, Suzanne Grant has instilled all her energy and enthusiasm into piloting this initiative.

1.6 – Financing of the study

The development of the database and the study were funded primarily by Siemens Canada and CyberNB.

The CATAAlliance team would like to thank its partners who have supported the initiative since its inception in September 2018 and made it possible through their contributions and their advice and guidance. Without them, nothing would have been possible.

1.7 – Acknowledgements

The CATAAlliance team would like to extend special thanks to Oliver Winkler of Siemens Canada and Tyson Johnson of CyberNB who acted as “champions” of the cybersecurity initiative within their respective organizations. Throughout this study, they provided us with advice and encouragement.

We are also indebted to several people who provided us with insights from their experiences and knowledge:

- Benoit Dicaire, President, Infrax Inc.
- Barry Gander, EVP CATAAlliance, co-founder of the i-Canada Alliance
- Odile Guilhaumon, Sales Director PCI DSS, Control Gap
- Denis Hardy, President and Chief Executive Officer, CRIQ
- Gaétan Houle, independent cybersecurity consultant
- Françoys Labonté, Executive Director, CRIM
- Alastair Sweeny, VP, Business Development, Kryptera Technologies
- Kevin Valko, independent consultant in intelligence and data mining

23 John Reid left us on 24 June 2019. His team wishes to pay tribute to his memory and to highlight the essential role he has played in this initiative, from conception to promotion.


We are particularly indebted to those working in the voluntary sector. The security industry is represented by several associations that have not hesitated to give us access to their members to distribute the survey questionnaire and promote the study. From helping with networking, preparing the questionnaire, promoting the study to analyzing the responses, their input was invaluable:

- Bertrand Milot, Association de sécurité du Montréal Métropolitain (ASIMM)
- Pierre Ouellet, Advisor to the Executive Director, CRIQ

Cautionary remark: The ScienceTech team assumes responsibility for any errors that may have occurred in the Canadian Cybersecurity study. The many people who generously collaborated on this project, as well as the partners and customers who trusted us, can in no way be held responsible for the content of the study.


2. Industry profile

Executive Summary

- The CATA/Sciencetech survey covers all of Canada. Out of 2,421 companies contacted, only 8% responded, which attests to a high degree of secrecy within the family of cybersecurity specialists.

- Generally speaking, the companies covered in this survey represent the most advanced sector of the Canadian economy: 41% of the respondents are large companies (more than 500 employees). More than half are industrial companies, while a full 45% of the respondents are critical infrastructure.

- There are few multinationals among this population and a relatively low level of exports, due to the over-representation of critical infrastructure which, by its very mission, does not generally export. The minority that exports does so mainly to the United States.

2.1 – Total population and respondents

Out of an initial population of 2,421 companies and organizations, 208 responded, representing a rate of 8%. This response rate is relatively low, but it is predictable in the highly sensitive environment of cybersecurity. Two e-mails were sent to the general public and each company was then called up to eight times before being declared non-respondent.

Figure 4 – Respondents rate

Source: Survey CATAAlliance/Sciencetech communications – January-April 2019.

The mission of cybersecurity specialists is to conceal their strategy, technology deployment and management process. No wonder it is so difficult to decide to answer a survey and, even more so, to give a personalized interview. On the other hand, the small group that agreed to give us an interview generously shared their knowledge. These CISOs put the interests of their profession ahead of the short-term interests of their personal concerns.

[Figure 4 chart data: values 92%, 8%; legend: Total population, Respondents]


2.2 – Size of companies responding to the survey

For the purposes of this study, we used the Government of Canada's proposed definition of a business: small businesses have fewer than 100 employees, medium-sized businesses have fewer than 500 employees and large ones have more than 500 employees. These categories have the advantage of being fairly well suited to the typology of cybersecurity behaviours: no or few IT executives below 100 employees; one IT executive, but no cybersecurity executive, between 100 and 500 employees; an IT and cybersecurity executive or more above 500 employees. We have not created a category for very large companies (more than 5,000 employees), as cybersecurity behaviour does not vary significantly between large and very large companies. On the other hand, we eliminated small businesses with fewer than 10 employees because they lack IT specialists – their behaviour is similar to that of the individual consumer. Here is the classification used:

- Small company: 10 to 99 employees
- Medium-sized company: 100 to 499 employees
- Large company: Over 500 employees

Small and medium-sized companies are under-represented, while large companies are over-represented. There are two reasons for this. Our survey covers both the manufacturing sector and critical infrastructure. The latter are mainly composed of large organizations such as Sobeys, Royal Bank of Canada (RBC) and Air Canada. In addition, the industrial companies selected for this survey are those that have fully or partially automated their operations and are almost exclusively of medium or large size (see Appendix 2 – Methodology).

Figure 5 – Size of the companies that responded to the survey

Source: Survey CATAAlliance/Sciencetech communications – January-April 2019 (208 respondents)

[Figure 5 chart data: values 27%, 41%, 32%; legend: Small companies, Medium-sized companies, Large companies]


2.3 – Nature of the companies

Almost half of the respondents are organizations that own critical infrastructure, which is of course infinitely higher than their relative weight. This bias is deliberate. Long before the notion of Industry 4.0 or the Internet of Industrial Things was mentioned, critical infrastructures were the first to use telemetry to control their operations remotely. Hydro-Québec's telecom network is used to manage, monitor and control dams, most of which are located in remote areas on sites that are difficult to access. Not to mention financial institutions that have automated a large portion of customer service through the installation of automated banking.24 First to be automated, critical infrastructures were the first to deal with cybercrime and therefore the first to develop secure responses. The study of their experience is essential for anyone who wants to identify best practices in cybersecurity and learn about major trends in this field. Details of the economic sectors to which the companies (essential infrastructure as well as industrial sector) that participated in this survey belong are given in Appendix I. The majority of respondents are therefore medium-sized or large manufacturing companies and critical infrastructures. This means that this is the most advanced segment of the Canadian economy that is most likely to have sophisticated cyber security policies.

Figure 6 – Distribution between the industrial sector and critical infrastructure

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (208 respondents)

2.4 – International dimension of companies

The international dimension of a company is significant in terms of cybersecurity. Indeed, a multinational company must not only comply with national regulations, but also with those of the countries in which it does business. Two criteria were used to define a multinational: the presence of employees abroad and exports.

24 The first Canadian ATM was opened in 1969 in Toronto. Sarah Boesveld, “ATMs: 40 years of 24-hour dough”, The Globe and Mail, 23 November 2009.

[Figure 6 chart data: values 55%, 45%; legend: Manufacturing Sector, Critical Infrastructure]


From the outset, it appears that few respondents have offices abroad. This is explained by the presence of a large number of critical infrastructures among the respondents. Most public services by definition have purely domestic activities.

Think of the City of Toronto Water Division or the Calgary Airport Authority. If we look only at the industrial sector, the ratios are reversed, and we see the emergence of internationally oriented companies.

Figure 7 – Companies with employees abroad

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (208 respondents)

The situation is very similar if we consider exports. The exporting minority must comply with international cybersecurity regulations. This does not mean that international regulation is irrelevant to the majority that does not export. Even domestic critical infrastructure makes comparisons with its counterparts in other countries. Canadian airports may not export, but they follow very closely what is being done elsewhere in terms of standards and good practices. International pressure is exerted in many ways, but the figures do not reflect its true intensity.

Figure 8 – Canadian exports

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (208 respondents)

As is always the case, the vast majority of Canadian exports go to the United States. But other destinations are emerging that play an important role in the Canadian economy.

[Figure 7 chart data: values 69%, 31%; legend: Canada only, Foreign countries]

[Figure 8 chart data: values 61%, 39%; legend: Do not export, Export]


Note the presence of the Asian continent (24%), which is relatively new in an economy like Canada’s, traditionally oriented towards Europe. The remaining exports go to Africa and South America. The Middle East and Australia are also mentioned by a few respondents.

Figure 9 – Destinations of Canadian exports

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (82 respondents)

[Figure 9 bar chart data: values 76%, 37%, 24%, 23%; categories: US, Europe, Asia, Other]


3. Characteristics of digitization

Executive Summary

- The major transformation of Canadian companies is well underway. Nearly 90% of respondents have already digitized processes based on information technologies (IT) and most often in an intensive way.

- The digitization of operational technologies (OT) is less advanced. While nearly two-thirds of companies have already digitized their OTs, the vast majority did so only marginally.

- However, once they have digitized their OTs, companies tend to link them to their IT, thus entering the industrial revolution of the Industry 4.0 paradigm. A new industrial world is emerging where sensors have invaded factories and robots have ceased to be the exception to become a basic tool.

3.1 – IT digitization in companies

Digitization in information technology (IT) is not just about introducing computers into an office. Rather, IT digitization refers to the introduction of complex computer systems to automate entire business processes, including decision-making. Similarly, in operational technologies (OT), the arrival of robots is not synonymous with digitization. The latter involves the multiplication of intelligent systems at all stages of the production chain, which becomes a fully transparent mega-system using and generating large data flows.

The digitization of business processes began with the introduction of computerized accounting systems in the 1970s (SAP/R1 software package in 1972). Gradually, all the other services followed: purchasing, sales, human resources and especially marketing with CRM systems. Each application fulfilled the task perfectly, but in a silo. That is why the Enterprise Resource Planning (ERP) solution was developed in the early 1990s. The aim was to unify functions that had previously developed separately within the same system.

Figure 10 – IT digitization

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (208 respondents)

[Figure 10 chart data: values 89%, 3%, 8%; legend: Digitized, Under way, Not digitized]


This is why the digitization of management and decision-making processes is very advanced. These processes have long been IT-based. It can even be said that IT was designed to digitize business processes. It is therefore not surprising that almost all respondents say that their information activities are digitized. A representative of the tiny minority who did not do so explained the decision not to digitize as follows: “The current staff is old-school, old-fashioned, in the old way, within five years, that may change.” This is a residual anomaly though.

3.2 – Intensity of IT digitization in companies

This high penetration of digitization in IT goes hand in hand with a high intensity of its use: 57% of companies report having digitized more than half of their information activities.

This ratio rises to 100% when considering large companies only (500 employees and more).

Figure 11 – Intensity of IT digitization

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (186 respondents)

3.3 – Digitization of OT in companies

The position of physical equipment is quite different. Although the introduction of Supervisory Control and Data Acquisition systems (SCADA) dates back to the 1970s, they were cumbersome, one-machine only systems that required extensive maintenance and some form of supervision. This involved operating a field control (such as a valve) from a remote-control centre, rather than by manual intervention on site. Subsequently, the SCADA systems were connected by means of local area networks (LAN) and then finally by Internet. But SCADA systems are not intended to fully automate manual work and even less decision-making. It is only recently that the arrival of robots, big data and artificial intelligence has changed the situation. From now on, everything or almost everything is on the way to becoming cyberphysical and therefore automatable as well as measurable. Two years ago, 27% of Canadian industrial companies claimed to use robots.25 This did not include sensors, 3D printers and digital cameras. Moreover, the automation of cyberphysical systems is not limited to industrial companies. It also includes some of the physical functions of service companies such as the automated banking machine and the retailer point-of-sale system.

[Figure 11 chart data: values 15%, 25%, 52%, 5%, 4%; categories: 1% to 24%, 25% to 49%, 50% to 99%, 100%, DNK]

Nine out of 10 companies have digitized their IT and a large proportion of them have digitized the vast majority of their processes.

In our sample, 65% of respondents have digitized all or part of their operations and this ratio rises to 73% if we include those who intend to do so during the year. This is less than in the IT field. However, considering the recent nature of the phenomenon, this is a considerable achievement. It is due to the high representation of critical infrastructures and companies that have already automated their production lines.

Figure 12 – OT digitization

[Figure 12 data: Digitized: 65%; Under way: 8%; Not digitized: 27%]

Source: Survey CATA/Sciencetech – 2019 (208 respondents)

Throughout this study, it should be kept in mind that we are dealing with a group of industries that are at the forefront of digital Canada. Our aim is not to depict an average situation, but to identify best practices – and problems – of companies at the forefront of the Industry 4.0 phenomenon.

3.4 – Intensity of OT digitization in companies

While a large number of companies have started to digitize their OTs, the transition is clearly in its early stages: only 30% of companies have digitized more than 50% of their operational activities. The low rate of companies that have digitized all of their operational activities means that the full effect of digitization is still not felt in the majority of the companies considered. This transition will take place primarily in high-tech manufacturing corporations as well as regulated organizations.

25 CATAAlliance, “Advanced Manufacturing Sector”, Montréal, 2017, 80 pages. Cf. p. 30.

Two-thirds of companies are involved in the digitization of their OTs, but this is still a marginal process.

Figure 13 – Intensity of OT digitization

[Figure 13 data – share of operational activities digitized: 1% to 24%: 39%; 25% to 49%: 27%; 50% to 99%: 28%; 100%: 2%; DNK: 3%]

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (135 respondents)

3.5 – Type of automated equipment used

The technology most frequently used in companies is the sensor (79%). It is also the most influential technology in digitization. Sensors are the eyes and ears of the system's intelligence. More efficient sensors coupled with Big Data are a key driver of progress in digitization. These technologies allow the collection and processing of data from OT systems to optimize their operation and interaction with their environment. The proportion of companies using robots is the second highest (49%). This is all the more remarkable because many critical infrastructures do not use robots (financial institutions, governments, police, etc.). Online trading platforms are mentioned in 33% of cases, which is not insignificant. The "other" category covers a wide range of technological tools, from barcodes to police cars, laser cutting, digital welding machines and geo-location systems. In general, digital tools have penetrated all segments of economic activity.

Figure 14 – The tools of automation

[Figure 14 data: Sensors: 79%; Robot systems: 49%; Online commerce: 33%; IoT: 28%; Points of sale: 27%; CNC systems: 24%; SCADA: 16%; 3D printers: 16%; ATM: 10%; Others: 77%]

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (71 respondents)


3.6 – Companies that have crossed the Industry 4.0 threshold

For Industry 4.0 to exist, the company must have linked its information systems to its operational systems, in other words, the company's intelligence must communicate with its physical equipment. The Industry 4.0 concept was used for the first time in Germany at the 2011 Hannover Trade Fair (Industrial Technology Fair). Its application was purely industrial, and Industry 4.0 was synonymous with “connected factory” or “smart factory”. As part of this study, we opened the concept to all companies, industrial or not. Indeed, according to Robert Albach (Cisco): “Everywhere, there are small-scale industrial systems and we are not even aware of them.” He mentioned an office with central heating, ventilation and air conditioning systems: the industrial world is everywhere. This is particularly true in the case of critical infrastructure where we are dealing with electricity or telecommunications companies that are not factories but manage physical networks that exceed in complexity most of the manufacturing production lines.

Several questions in this survey took into account this extension of the “Industry 4.0” concept to “Enterprise 4.0”: financial institutions' ATMs and food retail chains' point-of-sale (POS) systems were treated as robots or CNC machines. What is essential for us is to connect information systems to so-called intelligent physical devices, i.e. those with embedded systems, to send them commands, to control them and finally to extract data from them that will feed the next command-control-extraction cycle. About two-thirds of respondents reported that they had interconnected their OT systems, 71% if those in the process of transition are included. This means that in the majority of cases, companies that have digitized their OTs intend to maximize their investment and adopt the new business paradigm 4.0. This applies to both manufacturing and critical infrastructure.

Figure 15 – The 4.0 companies

[Figure 15 data: Yes: 67%; Under way: 4%; No: 25%; DNK: 5%]

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (70 respondents)


4. Position of cybersecurity in the organization

Executive Summary

- There are three essential parameters for assessing cybersecurity in an organization: is there a chief information security officer (CISO)? Is there a written cybersecurity program? Has the organization already conducted a cybersecurity audit of its systems? Only 57% of Canadian companies have appointed a CISO; 58% have a formal cybersecurity program; just 44% have audited their IT systems – much less their OT systems.

- The “good students” of cybersecurity are the organizations that meet these three criteria simultaneously: less than one-third do so. This means that more than two-thirds of the Canadian companies surveyed are at risk. The situation is all the more serious since these are the most advanced companies in Canada in terms of digitization.

- If we look at the details of cybersecurity governance, we can distinguish other weaknesses. Thus, in more than a third of companies, there is no cybersecurity manager, not even a part-time one. The majority of companies that have created a CISO position have assigned it to an IT specialist. Only 10% of CISOs report to senior management. More than half of these belong to the IT department, while the others report to other departments (finance, corporate affairs, operations, etc.). Generally speaking, it can be said that Canadian companies have not yet grasped the importance of cybersecurity and the versatile nature of the CISO function.

- Finally, it should be noted that outsourcing is a widespread practice among Canadian companies: 49% entrust part of their cybersecurity to specialized firms, 10% entrust all of it. Outsourcing partly compensates for the weakness of internal cybersecurity teams.

Whereas in the past, information infrastructure security was an issue for the Information Technology (IT) team, today it is a global risk that applies to all departments of the organization and no longer to only specialized departments. How is this evolution reflected in the governance of the organization? Is it always the Chief Information Officer (CIO) who is responsible for cybersecurity? If an Information Systems Security Officer (CISO) position has been created: to whom does he or she report? What is his or her rank in the organization: vice-president or middle manager, junior manager, or even a simple technician?

The “good students” are the organizations that meet the three basic requirements of cybersecurity: only 30% do so.


Cybersecurity is a matter of putting precise administrative and technical procedures in place. This chapter examines how Canadian organizations adopt the good practices that have long been advocated by various stakeholders (governments, regulatory bodies, professional associations and consulting firms).

4.1 – Cybersecurity organizational structure

4.1.1 – Companies that have appointed a cybersecurity official

A majority of 57% of companies say they have appointed a cybersecurity official. It's not much. In addition, the nature and quantity of positions created to respond to the online threat need to be analyzed.

Figure 16 – Companies that have appointed a cybersecurity official

[Figure 16 data: Yes: 57%; No: 42%; DNK: 1%]

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (194 respondents)

4.1.2 – Cybersecurity specialists or IT specialists?

The majority of the people responsible for cybersecurity are IT specialists – not cybersecurity specialists. For example, 54% of the people responsible for cybersecurity are Chief Information Officers (CIOs), IT professionals, IT technicians or IT employees (we have called “employees” those positions for which it is not known whether they belong to the professional or technical category). Only 32% of the people responsible for cybersecurity are specialized in this field of expertise – Chief Information Security Officers (CISOs), professionals and finally undefined “employees”. In the “Other” category, there are people responsible for cybersecurity with various titles: Vice President Legal Affairs, Chief Financial Officer, Chief Technology Officer, etc.

The majority of CISOs are IT specialists, only the minority are specialized in cybersecurity. Too often, cybersecurity is considered a “simple” IT province.


Figure 17 – Few cybersecurity specialists

[Figure 17 data: IT Professional: 25%; CISO: 18%; CIO: 14%; Security Professional: 10%; IT Technician: 8%; IT Employee: 7%; Security Employee: 4%; Other: 10%; DNK: 5%]

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (113 respondents)

Analysis

Too often in Canada, business leaders confuse cybersecurity and IT. This is a mistake. Meeting the needs of cybersecurity requires professionals with knowledge from different fields: in addition to IT, you must have a solid knowledge of law, administration, criminology, sociology, economics, education and finally communications. In the cyber-physical world, this requirement for multidisciplinary skills is combined with the mastery of the operational engineering-based universe and the long time scales of industrial machinery. In manufacturing and critical infrastructure, cybersecurity straddles IT and OT, which is not yet reflected in the title of cybersecurity managers.

4.1.3 – Cybersecurity employees report to the IT department

This predominance of IT is reflected in the organizational hierarchy: 59% of the people responsible for cybersecurity report to the IT department. Twenty-seven percent report to other departments: finance, general administration and other (in five cases, this “other” is the operations department). There are almost no full-fledged cybersecurity departments. In only 10% of companies, the cybersecurity manager reports to the senior management (president or senior executive).

Analysis

Cybersecurity has difficulty distinguishing itself from IT and when it is separated from it, it is in some cases still entrusted to the finance department which is, as we have seen, a holdover from the past (introduction of ERP). Linking cybersecurity directly to senior management is still exceptional outside the banking sector and government. Only one respondent reported making presentations to his company's Board of Directors. Too often, cybersecurity is buried in the administrative hierarchy.

Figure 18 – Cybersecurity employees report to the IT department

[Figure 18 data: IT Dpt: 59%; Executive Management: 10%; Finance Dpt: 10%; Corporate Affairs Dpt: 6%; Cybersecurity Dpt: 3%; Other: 11%; DNK: 1%]

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (110 respondents)

4.1.4 – Number of cybersecurity employees in the company

It is when we talk about the quantitative aspect of cybersecurity that we realize how weak this function is in Canadian industry. More than 20% of companies have no staff to deal with cybersecurity. More than a quarter of the companies have only one person devoted to cybersecurity.

Figure 19 – Cybersecurity specialists are often isolated individuals

[Figure 19 data: 10 employees +: 7%; 2 - 9 employees: 27%; 1 employee: 26%; Part-time: 17%; Nobody: 21%; DNK: 2%]

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (156 respondents)


Analysis

Very few companies have real cybersecurity teams, the exceptions being banks and government, which have developed such teams, as well as some very large companies such as Air Canada (see case study in Appendix 1).

Companies without cybersecurity managers are SMEs – both medium-sized and small businesses. Half of them are manufacturing companies that have adopted the Industry 4.0 paradigm. These companies are at risk.

4.1.5 – Outsourcing cybersecurity or not?

A majority of 59% of Canadian companies outsource their cybersecurity activities – 49% for part of their activities, 10% for the whole.

Analysis

It is surprising to note that 19% of companies that manage their cybersecurity entirely internally do not have a CISO. How can we manage an activity for which no one is responsible? This rate rises to 53% for companies that outsource all their cybersecurity. It is as if the managers of these companies thought they could shift their responsibility to the subcontractor. But who gives the mandates to the subcontractor? Who controls it? There is clearly a lack of understanding of the intimate and enveloping nature of cybersecurity in some companies. The behaviour of companies does not vary significantly with their size – except for large companies, which never outsource all their cybersecurity activities.

Figure 20 – Outsourcing of cybersecurity

[Figure 20 data: In part outsourced: 49%; Entirely internally: 41%; Entirely outsourced: 10%]

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (194 respondents)


4.1.6 – Outsourcing intensity

Companies that outsource part of their cybersecurity tend to split the task in two: 53% of organizations outsource between a quarter and three quarters of their activities. About a quarter of companies outsource marginally.

Figure 21 – Rate of cybersecurity activities outsourced

[Figure 21 data – share of cybersecurity activities outsourced: Intensive (75% to 100%): 22%; Medium-high (50% to 74%): 28%; Medium-low (25% to 49%): 24%; Marginal (1% to 24%): 26%]

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (88 respondents)

Analysis

The main reason for outsourcing is the company's desire to focus on its core business and not scatter its efforts in areas where it has little expertise. An additional reason has emerged in recent years: the difficulty of recruiting qualified personnel. A cybersecurity specialist is often reluctant to work in a company where he or she will be professionally isolated and without the possibility of promotion in his or her field. How could an industrial SME offer a cybersecurity job comparable to those available in a large specialized firm such as Symantec, FireEye or BlackBerry? By outsourcing all or part of their cybersecurity, companies can get rid of this difficulty.

Typically, companies outsource highly technical tasks (e.g., the SOC) and retain tasks closely related to human resources (access to information management, granting special access rights and privileges, removing codes when an employee leaves). Even a company that intends to manage its own cybersecurity internally will nevertheless choose to outsource certain tasks that require a neutral view (cybersecurity audit and intrusion tests). Finally, the virtual nature of a SOC allows companies to outsource internationally at a lower cost. India is becoming increasingly important in this market.

Companies outsource cybersecurity to focus on their core business and because they are unable to recruit qualified personnel.


4.2 – Cybersecurity Practices Dashboard

At the heart of good cybersecurity practices is the cybersecurity program. It is a structuring document that will enable the company to improve information protection in a targeted way. This security program comprises a set of actions, including which tasks go to which employees, a detailed schedule, the definition of process controls, cost forecasts, etc. Such a program is highly confidential – although sections may be disclosed to employees for enforcement or educational purposes. Without a cybersecurity program, a company is doomed to ad hoc and contradictory decisions by its employees. Any monitoring becomes random. In short, the door is open to all kinds of threats.

4.2.1 – Implementation of a formal cybersecurity program

Nearly 60% of companies have a written cybersecurity program. Of the companies that answered YES, one acknowledged that their plan was not up to date. Of the companies that answered NO, nine said they were in the process of developing their program.

Figure 22 – Availability of a written cybersecurity program

[Figure 22 data: Yes: 58%; No: 38%; DNK: 4%]

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (192 respondents)


Analysis

Among companies with a program, 31% do not have a CISO. This means that cybersecurity is managed by CIOs with no particular expertise in cybersecurity. Such a result among companies that are more advanced than the average in terms of technology is worrisome. Companies 4.0 have the most to lose in the event of a cyberattack. What is the profile of these high-risk companies? The majority are industrial SMEs, but not all of them. There was even a large health-sector organization that did not have a program: it claimed it was the responsibility of the subcontractor managing its cybersecurity. This is an extreme and probably isolated case. The most common reasons given for not having a cybersecurity program are lack of need (17 companies), lack of time (15 companies) and lack of expertise (9 companies). Overall, therefore, the situation is quite problematic although it is expected to improve somewhat over time (ten companies reported that they are in the process of developing a program).

4.2.2 – Best practices in cybersecurity

Any cybersecurity program is generally based on an audit and includes some good practices such as intrusion tests, risk analysis, training and awareness programs, system access policy, backup plan, incident management and succession plan, etc. The list is not exhaustive. We have made a choice in favour of certain practices only, based on their structuring nature.

Cybersecurity measures are aimed primarily at information systems (IT): 44% of companies conduct complete audits and risk analyses; 35% conduct intrusion tests. When dealing with operational systems (OT), these rates are reduced to 31% for audits, 28% for risk analysis and 23% for intrusion tests.

Figure 23 – Deployment of some basic processes

[Figure 23 data: Audit of IT systems: 44%; Audit of OT systems: 31%; Penetration test on IT: 35%; Penetration test on OT: 23%; Risk assessment of IT: 44%; Risk assessment of OT: 28%; Awareness-Training: 40%]

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (208 respondents)


Only 40% of companies organize training and awareness campaigns. There is a significant difference between training and awareness. Training consists of formally teaching concepts or processes, while awareness is more a matter of communication and aims to raise attention among the employees. We have combined the two practices to avoid any confusion in a time-limited survey.

Analysis

The difference between IT and OT in the deployment of cybersecurity processes quite precisely reflects the digitization rates of companies (only 65% of respondents have digitized their operations while about 90% have digitized their information processes).

Nevertheless, the degree of penetration of the cybersecurity fundamentals (audit and training) is disappointing in both the IT and OT domains. It appears that some of the companies, which claim to have adopted a cybersecurity plan, have not carried out an audit.

4.2.3 – Cybersecurity technology measures

Altogether, almost all Canadian companies (95%) have at least one cybersecurity technology solution in place to protect themselves. Not surprisingly, the most widely used tools are anti-malware (mainly antivirus), e-mail security (mainly anti-spam) and network security (mainly firewalls), but their simultaneous adoption is not universal – with the exception of large companies.

Figure 24 – Cybersecurity technologies

[Figure 24 data: Anti-malware: 76%; Email security: 74%; Network security: 68%; Web security: 45%; Identity & access management: 44%; Mobile security: 40%; Data protection & control: 34%; POS security: 28%; Software & application security: 28%; Hardware & asset management: 28%; Physical access controls: 24%; DNK: 7%; No measures in place: 5%]

Source: Statistics Canada, Cyber Security and Cybercrime in Canada, 2017, table 22-10-0076-01.

95% of Canadian companies use at least one cybersecurity solution.


4.2.4 – Adaptation of cybersecurity to the digitization of OT

Nearly 60% of companies that have started their OT digitization process have adopted new measures to ensure the security of physical equipment. About 30% of these companies did not take any specific action. The dividing line is the transition to Industry 4.0. When companies have linked their OT systems to their IT systems, they have generally adopted special security measures.

However, the nearly 30% of companies that have not taken any special measures are almost equally divided between companies that have digitized their operational processes but have not linked them to their information activities (15%) – and companies 4.0 (14%). Although they had carried out the OT-IT integration, the latter did not take any special measures. These companies are at risk.

Figure 25 – Does the company have special measures for cyber-physical security?

[Figure 25 data: Yes: 59%; No: 29%; DNK: 12%]

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (148 respondents)

Of course, the nature of the cybersecurity measures adopted as a result of the transition to 4.0 varies from company to company. About half have deployed technological solutions, but in the majority of cases (33%), they are ad hoc solutions such as firewalls or antivirus software. Those that have implemented strategic technological solutions (19%) talk about new communications networks, network partitioning or enhanced data centre protection.


Figure 26 – Nature of the special measures

[Figure 26 data: Ad hoc tech solution: 33%; Strategic tech solution: 19%; Governance: 18%; Training: 13%; Physical access: 11%; Back-up: 7%; Data protection: 4%; DNK/Refused to answer: 6%]

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (84 respondents)

Governance includes the introduction of OT audits, global risk analysis and the strengthening of control processes. Physical access control is designed to protect OT facilities and sometimes the entire plant. No one is talking about access to IT data centres.

Companies that improve their backup all refer to servers located in a separate building. Finally, it should be noted that data protection in the form of encryption remains the lame duck of cybersecurity.


5. Cyberattacks and their impacts

Executive Summary

- Only 28% of respondents reported that their companies had already suffered one or more cyberattacks that caused damage. It is the large companies that are most likely to be attacked.

- The vast majority of cyberattacks target IT, while OTs are only marginally affected. Another way to classify attacks is to distinguish between vandalism (viral attacks, website hacking) and profit-motivated fraud. It appears that at least half of all cyberattacks are aimed at a monetary advantage.

- More than half of the cyberattacks caused damage of less than $100,000. The small amounts reported have two reasons. A large part of cyberattacks are non-targeted (viruses) and can be curbed before significant damage has been done. Targeted cyberattacks with a motive of gain are rare, but cause damage of up to several million dollars.

- Most companies rely primarily on their internal resources to counter cyberattacks. A large proportion also use external consultants (44%) and the police (23%). On the other hand, government departments and agencies are notably missing from this response to cyberattacks.

5.1 – Magnitude of the Phenomenon

5.1.1 – Companies that have suffered cyberattacks

A minority of 28% of companies admit to having been the victim of cyberattacks that caused damage. Here again, it is necessary to add the companies that claim not to have suffered such attacks to the non-responses, which gives 70% of companies unharmed.

Figure 27 – Has your company suffered a cyberattack with damage?

[Figure 27 data: Yes: 28%; No: 29%; No answer: 41%; DNK: 2%]

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (208 respondents)

Analysis

It should be noted that the question only concerns cyberattacks that have caused damage. This explains the relatively low proportion of companies affected. All companies face cyberattacks continuously. But the vast majority of cyberattacks are curbed by technological security measures and those that enter the security perimeter only contaminate three or four workstations – in some instances a server – that are immediately isolated and restored. There is a grey area here: should we consider these cyberattacks, which are quickly circumscribed, as cyberattacks that have caused damage? Literally, yes. But all the CISOs we interviewed believe the opposite. For them, the cyberattack was nipped in the bud, it was blocked, so it didn't succeed. These cyberattacks are rarely reported and their costs are not recorded – with the exception of the Québec government's CISO, who recorded 8,642 blocked attacks last year (see Appendix 1 – Case Studies). Most often the impact represents lost working time – a few hours, a day at most. Another matter is the ‘successful’ cyberattack that manages to take control of an information system, steal its data or paralyze its operation. These cyberattacks can cost up to several million dollars, or even cause the loss of the company as in the Xittel example studied below (see Appendix 1 – Case Studies). So, there are two types of cyberattacks: the most numerous, that have a minor impact and are ignored, and the minority that has a devastating effect. The main targets of these large-scale cyberattacks are large companies. What's the point of intruding into the local grocery store's accounting software? Money and sensitive data are found in the systems of financial institutions, utilities and governments. Statistics Canada shows that large companies are twice as likely to be attacked as small ones.26

Figure 28 – The target of cyberattacks is the big business

[Figure 28 data: Small businesses (10 to 49 employees): 19%; Medium businesses (50 to 249 employees): 28%; Large businesses (250 and more employees): 41%]

Source: Statistics Canada, Cyber Security and Cybercrime in Canada, 2017, table 22-10-0076-01.

26 In its cybersecurity study, Statistics Canada did not follow its own typology and classifies as large those companies with more than 250 employees, while large firms typically start with 500 employees.

5.1.2 – Nature of cyber-attacks

The vast majority of cyber-attacks target IT: phishing, ransomware and website hacking are the most frequently cited. Only telephone frauds were carried out by non-computer means (4 companies). Cyber-attacks targeting OT are still the exception and, even so, they seem to be quite conventional virus attacks. Overall, ransomware attacks are the most frequent (32 companies), followed by virus attacks (26 companies) and phishing (11 companies). Denial of service attacks, telephone scams and website hacking are mentioned marginally.

Another way to classify attacks is to distinguish vandalism (viral attacks, website hacking) from profit-driven fraud: ransom, phishing, identity and data theft, and telephone fraud. By this measure, more than half of all cyber-attacks are robberies (57%). To these can be added denial of service attacks (DDoS) and website hacking, which can be linked to a ransom demand as well as to other non-pecuniary reasons (vandalism, cyberactivism, etc.).

Figure 29 – Types of cyber-attacks

- IT attacks: 69%
- Other attacks: 37%
- OT attacks: 11%

(The total does not equal 100, as some companies have suffered several types of attacks)

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (100 respondents)

5.1.3 – Cost of attacks

The financial impact of cyber-attacks is difficult to assess because, as we have seen, companies are reluctant to admit that they have suffered damage and even more reluctant to give a figure. Among the few companies that have agreed to discuss their costs, the majority mention a few thousand dollars: 51% report losses of less than $100,000; in some cases, they refer to cumulative losses spread over several years. Among those who did not want to give any figures, some respondents spoke simply of a few hours of lost work.

Analysis

Most cyber-attacks fail or are blocked before they have done significant damage. This insignificance of the cyber threat is only apparent. Too often, people confuse generic attacks with targeted attacks.

Generic attacks work like background noise on the Internet. Viruses, ransomware and social engineering are knocking on all doors all the time. Their nuisance mainly affects poorly prepared companies, without a cybersecurity program and without a real CISO to keep a close watch. We have seen that these companies are still very numerous, a large majority in Canada.27

Targeted attacks are entirely different. Here, we leave the domain of amateurs and vandals to enter the domain of organized crime – although lone wolves can cause considerable damage, as the Xittel case attests (see Appendix 1 – Xittel). The targeted company always has valuable information or a strategic situation. For years, the goal was to steal data and therefore money related to credit cards. The orderly and massive reaction of the credit card industry, which imposed the Payment Card Industry Data Security Standard (PCI DSS), has reduced this form of targeted attack to the benefit of highly diversified attacks. Today, it is the cyber-physical systems that are in the crosshairs of organized crime: critical infrastructure and large manufacturers. That's where the money is.

Targeted attacks are intended to cause large-scale damage – costs can range from several hundred thousand to several million dollars. The spectacular nature of these attacks and their relative rarity made it appear that they were reserved for large institutions (Adobe, Sony, Target, Equifax, Marriott, Yahoo, etc.). Maybe that was true in the past. This is no longer the case today. With the democratization of cybercrime, it is likely that SMEs will be the next victims of this type of attack – they are already victims, as we saw in the case of the small company Xittel in Trois-Rivières.

27 This survey shows that 42% of the respondents do not have a CISO (not even part-time) and 38% do not have a written cybersecurity program. The situation is all the more serious since the companies surveyed in this survey are more technologically advanced than the Canadian average.

Figure 30 – Amount of damage [including employee time, recruitment of computer consultants, cybersecurity applications and related equipment, customer reimbursement, fines imposed by authorities, etc.]

- $1 M +: 3%
- $100,000 to $999,999: 10%
- $10,000 to $99,999: 27%
- Less than $10,000: 24%
- DNK/Other: 36%

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (75 respondents)

5.2 – Reaction to Cyber-attacks

Most companies rely primarily on their internal resources to counter cyber-attacks. A large proportion use external consultants (44%) and the police (23%). On the other hand, government departments and agencies are the most absent from this response to cyber-attacks. Among the few companies that responded that they had contacted the public authorities, the bodies named were: Shared Services Canada, Communications Security Establishment Canada, Canadian Security Services (without further clarification), a federal department (without further clarification) and the Québec Ministry of Health (in the case of a hospital).

When asked about the lessons learned from the cyberattacks, the leaders consulted placed the purchase of new technological tools (23%) and increased employee training (13%) at the top of their list. Other responses include, in no particular order, the creation of a cybersecurity committee, the reorganization of internal responsibilities, the implementation of a backup policy and even the blocking of all e-mails from foreign countries.

The vast majority of cyberattacks are never reported to the police or government authorities.

Figure 31 – Who did the company use in response to the cyberattacks? (the total does not equal 100, as some companies have used more than one category of stakeholders)

- Internal means: 87%
- External experts: 44%
- Police: 23%
- Provincial Government: 7%
- Federal Government: 5%
- Other: 6%

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (97 respondents)

Analysis

The absence of governments when a cyber-attack occurs is a noteworthy finding of this investigation. Indeed, until now, incident reporting has not been mandatory – except for regulated infrastructure. Even then, the latter only report ‘successful’ cyber-attacks, not those that have been curbed. SMEs never report incidents except when they call the police. It is therefore impossible to know and evaluate the volume and distribution of attacks by sector on a Richter-type scale. The absence of mandatory reporting is a serious deficiency. As a result, public authorities do not fulfil their role of advising companies and, in addition, they deprive themselves of an invaluable source of information.

In principle, this is no longer the case since November 1, 2018, due to an amendment to the Personal Information Protection and Electronic Documents Act (PIPEDA). The law now provides that contravening the new provisions is an offence that could result in a conviction and a fine of up to $100,000 for each person that a company has not notified. In practice, none of the people interviewed for this survey seem to be aware of this change.

6. Regulation, standardization and management of cybersecurity

Executive Summary

- A bit more than a third of companies do report having adopted cybersecurity standards (34%). Again, this is an ‘optimistic’ assessment because there is a great deal of confusion in the minds of respondents who readily cite standards unrelated to cybersecurity or internal standards that are often simple ethical rules.

- Amazing phenomenon: many CISOs do not know whether their organization is a critical infrastructure or not. This ignorance on the part of the managers who are primarily concerned is worrisome.

- The companies consulted have significant hopes for the role of cybersecurity authorities: they are calling for tax credits, subsidies, technical assistance and training. In short, the private sector expects some sort of government involvement.

- Overall, the companies surveyed invest little in cybersecurity: 65% of respondents put their budgets below $100,000. This under-investment is all the more a concern as budgets tend to stagnate. It is worth noting the major exception of banks which have all reached a very high degree of maturity.

- A third of companies have already taken out cybersecurity insurance. This low penetration is the result of a lack of willingness to adopt cybersecurity standards and chronic underinvestment.

- Finally, 39% of respondents say they are satisfied with their company's level of cybersecurity preparedness. However, some of these security ‘optimists’ do not even have a CISO or a formal cybersecurity program. These poorly prepared but satisfied companies are the most at risk.

6.1 – Standards or Regulations

Nearly 60% of companies report that they are not subject to cybersecurity standards. This picture still seems to be underestimated since there is a great deal of confusion in the minds of respondents. When asked to name the cybersecurity standards in place in their company, only a minority mention NIST (17 companies), ISO/IEC 27001 (15 companies), PCI DSS (4 companies), COBIT (2 companies), CRTC, Common Criteria (CC), GDPR and Cyber Essentials (one company each). Other respondents cite standards that have nothing to do with cybersecurity: ISO 26000, IATF 16949, C-TPAT and multiple financial standards for publicly traded companies. Many companies also mention internal standards, but when verification is done, it is more a question of ethical rules.

Figure 32 – Cybersecurity standards or regulations in force in the company

- Yes: 34%
- No: 57%
- DNK: 9%

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (191 respondents)

Analysis

The adoption of recognized cybersecurity standards remains the exception. To the extent that companies adopt such standards, they are mainly international or American standards. Not a single respondent identified the Personal Information Protection and Electronic Documents Act (PIPEDA) as a standard to be met. PIPEDA applies to any company that collects, uses or discloses personal information for commercial purposes. This law, which has been in effect since 1983, is the most absent from the Canadian industrial landscape.

The reason for this deficiency is explained as follows by IT World Canada magazine:

“The federal Privacy Commissioner is responsible for protecting and promoting privacy rights, but he does not have the power to force companies to comply with the Personal Information Protection and Privacy Act (PIPEDA), which protects Canadian consumers, or to impose fines on companies that violate the Act," notes the Senate Committee's report. The Privacy Commissioner, Daniel Therrien, has long called on Parliament to give him these powers.”28

6.2 – Who is part of the critical infrastructure community?

When asked if their organization is considered an infrastructure by the federal government, only 18 officials who participated in the survey answered yes. In fact, there were 50 companies in this case. This means that only 36% of the infrastructures surveyed knew their status. Among the infrastructures that were not aware of their status were a hospital authority, a telecommunications service provider and a port authority. The situation is similar in the rest of Canada.

28 Howard Solomon, “Government failing to protect Canadians from cyber threats, says Senate report”, IT World Canada, 29 October 2018.

Analysis

If IT or cybersecurity managers do not know whether their company is a critical infrastructure or not, it means that the variable geometry definition used by Public Safety Canada is not operational.

Figure 33 – Do you know if your company operates a critical infrastructure?

[absolute numbers]

[Chart data as extracted – answer categories: YES, NO, DNK; series: Response data, Actual data; values: 32, 133, 23, 93, 115, 0]

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (208 respondents)

6.3 – Federal Government Consultation Process

When companies are asked what they think about the Federal Government's consultation process on cybersecurity, we get mixed feedback. A large proportion of companies even refrained from answering the question.

Yet the investigation was conducted in the wake of the publication of the National Cybersecurity Strategy (June 2018) and the creation of the Canada Centre for Cybersecurity (October 2018).

Figure 34 – Satisfaction with the Federal Government

- Very satisfied: 4%
- Somewhat satisfied: 19%
- Neither satisfied nor dissatisfied: 27%
- Somewhat dissatisfied: 15%
- Very dissatisfied: 15%
- DNK: 19%

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (52 respondents)

When companies are asked what they expect from government, the first proposal is the introduction of a cybersecurity investment tax credit (10 companies); others are a subsidy system (6 companies), training and bootcamps (9 companies), technical assistance (8 companies) and more information (7 companies). Among the interesting suggestions collected were the following:

- The creation of a cybersecurity standard for all;
- The creation of an information platform on spam, phishing, etc.;
- The responsibility of IT publishers for the vulnerabilities contained in their products.

Analysis

The wait-and-see attitude of businesses towards the federal government is predictable. The government's commitment to cybersecurity is too recent and has not yet had a direct impact.

The one-on-one interviews used to prepare the case studies show that there are high expectations of the government. A general attitude of expectation mixed with goodwill therefore emerges.

6.4 – Investment in Cybersecurity

6.4.1 – Annual investment (2018)

About two-thirds of companies invested less than $100,000 in cybersecurity in 2018. Not surprisingly, it is manufacturing SMEs that make up almost all of this category – the exceptions being a hospital institution and two transportation companies. Generally speaking, the investment curve follows the size of the company quite exactly.

Among the companies that responded that they had invested $1 million or more last year, the amounts ranged from $1.3 million to $30 million; unsurprisingly, the highest amount came from a financial institution.

Figure 35 – Amount invested in cybersecurity (annual basis)

- Less than $100,000: 65%
- $100,000 to $499,000: 14%
- $500,000 to $999,000: 6%
- $1 M +: 8%
- DNK/Refusal: 6%

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (189 respondents)

6.4.2 – Investment trends

Cybersecurity budgets are divided into two groups: those that remain stable (56%) and those that increase (40%). Budget cuts are non-existent or almost non-existent. All companies with budgets over $100,000 have their budgets increased.

Figure 36 – Investment forecast (2019)

- Increase: 40%
- Decrease: 2%
- Stay stable: 56%
- DNK: 2%

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (182 respondents)

Analysis

Cybersecurity investment is still characterized by relative inertia. Companies with frozen budgets are precisely those that would most need growth: about 60% of them do not have a CISO, half of them do not have a formal cybersecurity program. Conversely, the more companies invest in cybersecurity, the more they intend to increase their budgets.

Two-thirds of companies under-invest in cybersecurity and budgets are stagnating.

6.5 – Cybersecurity Insurance

When it comes to cybersecurity insurance, the striking phenomenon is the large proportion of respondents who say that they do not know whether their company is insured or not. Just a third of all companies are insured. A distinction between infrastructure and manufacturing would show the former having an adoption rate of 37% and the latter 29%.

Figure 37 – Who has an insurance to cover cyber risk?

- Yes: 33%
- No: 35%
- DNK: 32%

Source: Survey CATA/Sciencetech – January-April 2019 (183 respondents)

Of the companies that do not have insurance, five explained that they were in negotiations with insurers. For the others, the main reasons given are as follows:

- No need for it (17 answers): Most of these companies report that they have taken the necessary cybersecurity measures and therefore do not need insurance. Others invoke their size: “we are a large company and we self-insure ourselves”; or on the contrary, “we are too small and do not have enough IT assets to justify insurance”.
- Lack of information (10 answers): The words that come up most often are: “we haven't thought about it”, “we've never been presented with an offer”, “we don't know what kind of coverage is available”.
- Cost too high (3 answers): These companies consider that the cost of insurance is too high in relation to the risk involved.

One of the most interesting answers was about the mismatch between the insurers' offer and the real needs of the companies. Indeed, insurance policies only cover the remediation costs, not lost revenue or the replacement cost of physical assets. But the biggest expense item in a cyberattack is often the loss of revenue.

Analysis

While cyber-risk insurance has been around for many years – it appeared in the 1990s in anticipation of the "Y2K bug" – it has had difficulty getting out of specialized niche markets (telecommunications and computer companies). It is the privacy regulations and mandatory disclosure of security breaches in the United States (California Data Breach Notification Law in July 2003) and more recently in Europe (General Data Protection Regulation in May 2018) that have triggered a demand for cybersecurity insurance.29 Canada has remained outside the United States and European legislation. This explains why the cybersecurity insurance offer has remained largely unknown. However, recent changes to the Personal Information Protection and Electronic Documents Act (PIPEDA) require companies to report any breaches of their information systems since November 2018.30 It is way too early to judge the effects of this legislative change on companies' insurance habits.

To this main reason, we must add the IT culture of cybersecurity managers. Quite often, computer scientists tend to trust technological solutions. They say: “we rely on upstream security” or “we have the necessary protections in place, so we don't need insurance.” While the situation is changing slowly, it is changing nonetheless – as witnessed by companies that say they are in the process of acquiring insurance.

6.6 – Overall Company Readiness for Cybersecurity

Almost a quarter of respondents do not hesitate to consider their company's state of readiness as very or somewhat unsatisfactory (23%). If we add the mass of those who refuse to make a decision (39%), we obtain a large majority of managers who do not consider the cybersecurity measures deployed in their company satisfactory (62%).

29 Mark Camillo, “Cyber risk and the changing role of insurance”, Journal of Cyber Policy, London (United Kingdom), March 2017.

30 Andy Green, “Canada's PIPEDA Breach Notification Regulations Are Finalized”, Varonis, 3 May 2018. – Bethan Moorcraft, “With PIPEDA around the corner, cyber insurance has never been more important”, Insurance Business Canada, 14 September 2018.

Figure 38 – How prepared is your company for cybersecurity?

- Very satisfied: 7%
- Somewhat satisfied: 32%
- Neither satisfied nor dissatisfied: 39%
- Somewhat dissatisfied: 15%
- Very dissatisfied: 8%

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (75 respondents)

Analysis

It should also be stressed that this data is a matter of perception. In reality, the situation is somewhat different. Some of the companies whose managers are satisfied with the degree of preparedness do not have a CISO (24%) or a formal cybersecurity program (17%). It is these few companies, whose IT managers and executives are satisfied while the fundamental foundations of cybersecurity are lacking, that are most at risk. Fortunately, they are a relatively small minority. However, this overall picture once again refers to the lack of maturity of cybersecurity in the industrial sector and critical infrastructure.

6.7 – Short-term Projects of Companies

Within the great diversity of cybersecurity projects, three main themes stand out: acquisition of technological solutions, day-to-day maintenance and training/awareness. It is significant to find at the top ‘use of technology’ and ‘maintenance’, which are two technological approaches. When they talk about technology projects, respondents think first and foremost of firewalls and antivirus software. But there is a minority who talk about enhancing the entire technological infrastructure and protecting content (continuous backup, encryption, double authentication, etc.).

In the maintenance category, we included the full range of responses from ‘day-to-day maintenance’ to ‘no changes planned’ and ‘everything is in place right now’. This category contains well-equipped companies as well as eternal laggards without a coherent strategy, but who believe that they are well protected. These ‘bad students’ of cybersecurity are typified by this answer: “It's not a concern, I think it's because we feel very secure.” This latter response was provided by a manufacturing company that has no CISO or cybersecurity program. However, in this group, some responses are similar to calls for help: “we will need to establish a policy and receive training on the subject.” Or: “it's a matter we'll have to start studying very seriously.”

Figure 39 – Next steps in the deployment of cybersecurity in the enterprise

- Technological solutions: 29%
- Maintenance: 23%
- Training/awareness: 18%

Source: Survey CATA Alliance/Sciencetech communications – January-April 2019 (168 respondents)

Maintenance often means companies intend to continue as before. They have no project, they feel safe. These are the usual cybersecurity stragglers.

Analysis

Despite the relatively high number of companies that are digitizing their operational systems and linking their OT to their IT, there is little mention of Industry 4.0 security projects and no reference to the Internet of Things (IoT). However, we saw in section 3.5 – Type of automated equipment used that several companies had deployed IoT-type systems. In addition, Section 4.2.4 – Adaptation of Cybersecurity to the Digitization of OT revealed the existence of a small group of 4.0 companies that had not taken any special measures when linking their OT and IT systems. Most of these companies continue to do nothing or to adopt ad hoc technological solutions.

While the rise of cybercrime has become one of the major issues of our time, to the point that some people talk about the ‘cyber-geddon’ phenomenon, the majority of Canadian industrial companies and even some critical infrastructure continue to act as if nothing had happened. The sense of urgency seems to be shared only by a minority of stakeholders.


7. Issues and possible solutions

Executive Summary

The transition to the Enterprise 4.0 paradigm is well underway, yet many companies have not realized the increased risk involved. Based on this overall situation, it is possible to identify some fundamental issues.

- Issue and solution track 1: Information sharing – No organization can fight cybercrime in isolation. This is why information sharing between companies and between governments must be systematized. The federal government has a role to play in mobilizing both critical infrastructure and manufacturing companies.

- Issue and solution track 2: Labour shortage – All companies agree that there is a lack of qualified resources. Two solutions are needed: at the enterprise level, computer scientists and even non-IT specialists should be systematically retrained as cybersecurity experts; at the level of the education system, it is imperative to mobilize university and college networks like those in Israel and, closer to home, in New Brunswick.

- Issue and solution track 3: Enhance the CISO function. – The CISO is not and should not be a specialist under the direction of the CIO. The CISO should be treated as a versatile executive who must have the status of vice-president or equivalent with access to the company's executive committee.

- Issue and solution track 4: Register cybersecurity in the employee job description. – Since employees are asked to participate in the cybersecurity effort of the corporation, this activity must be included in their job description with all that entails in terms of annual assessment, performance level, career progression and promotion, salary conditions, etc.

- Issue and solution track 5: Software vulnerability – Similarly, all stakeholders agree that there are vulnerabilities in operating systems and application software. A code of conduct could be imposed on software publishers to hold them accountable for product vulnerabilities.

- Issue and solution track No. 6: The special case of industrial SMEs – The SME is the neglected stepchild of cybersecurity. Although aware of the dangers, they are less likely to have a cybersecurity manager than medium-sized and large organizations. A form of financial incentive should be designed for them, provided that it is not an isolated measure, but an element integrated into a general support framework.

- Issue and solution track No. 7: Strategic importance of e-insurance – Insurers acquire expertise in cybersecurity and support their clients in strengthening security processes and adopting national or international standards. Any national cybersecurity strategy must take into account the multiplier effect of insurers in this domain.

- Issue and solution track No. 8: Sovereignty issue – With the ongoing migration of data centres to cloud-based solutions, cybersecurity is changing dramatically. To protect Canadian data, particularly in the public sector, it should be hosted by Canadian companies. To this end, it would be appropriate to create a support unit within the Cyber Centre and to create a public or quasi-public sector co-location facility to house Canadian providers of cloud solutions and cybersecurity solutions.


Almost two-thirds of the Canadian industrial companies and critical infrastructure covered in this study have digitized their OT and, within this group, 70% have merged their OT and IT systems. Even if these data concern the most advanced segment of the Canadian economy, they attest that the transition to the Enterprise 4.0 paradigm is well underway in Canada.31 We can certainly be pleased with the dynamism of Canada's industrial fabric. But this extremely rapid innovation has very real consequences in terms of cybersecurity. As the Microsoft president rightly pointed out a year ago, “cyber-attacks are now not just attacks on machines, they put people's lives at risk.” Specifically, the Global Risks Report published in January 2019 by the World Economic Forum in Davos lists cybersecurity twice as one of the most likely risks to occur over the next 10 years. Data theft and cyber-attacks on infrastructure rank fourth and fifth respectively, behind (1) extreme weather conditions, (2) failure of climate change adaptation measures and (3) natural disasters.32

However, many Canadian industrial companies and even some critical infrastructure managers seem not to have understood the entirely new nature of ‘cyberphysical’ attacks. We have seen that, while 57% of companies have appointed a cybersecurity manager, this person is often an IT expert, usually alone or even part-time. More importantly, 38% of the companies do not have a written cybersecurity program – we made it clear that the program must be ‘written’ to eliminate companies that rely on a few basic principles transmitted by word of mouth. The transition to paradigm 4.0 was not always accompanied by measures adapted to the new type of risks involved (29% of 4.0 companies did not take any additional measures). Based on this overall situation, the case studies make it possible to identify some of the fundamental issues at stake in the future of cybersecurity in industrial companies and critical infrastructures.

31 We prefer to use the expression Enterprise 4.0 rather than Industry 4.0, which seems too restrictive. See section 3.6 - Businesses that have crossed the Industry 4.0 threshold.

32 The Global Risks Report 2019, World Economic Forum, Geneva, 2019, 107 pages. Cf. figure IV on p. 8, p. 16 and p. 83.

- Issue 1: Information sharing
- Issue 2: Labour shortage
- Issue 3: Enhance the CISO function.
- Issue 4: Register cybersecurity in the employee job description
- Issue 5: Software vulnerability
- Issue 6: The special case of industrial SMEs
- Issue 7: Strategic importance of e-insurance
- Issue 8: Sovereignty issue

Issue #1 – Information Sharing

All stakeholders without exception have a cooperation policy based on information sharing. In cybersecurity, information sharing is not a networking activity, but rather a tool to prevent cybersecurity incidents – perhaps even the best cybersecurity tool. As Fred Bedrich, Assistant Vice-President at the Business Development Bank of Canada (BDC), clearly states, information sharing must encompass the entire industrial ecosystem: “Cybersecurity cannot be provided by a team of 20 or 30 people, no matter how talented, but by creating constant exchange of best practices among the entire expert community.”

Shared information focuses on the threat itself, technical indicators (threat characteristics) and operational data (nature of the attack and nature of the target, countermeasures deployed, etc.). This sharing is generally voluntary, but it requires the right legislative, regulatory and financial framework as well. When Israel wanted to encourage its financial institutions to share information, it placed its CERT at their disposal and adopted a regulation exempting sharing activities from antitrust prosecution.33

Information sharing may also be mandatory, as is the case in the European Union (EU) with the 2016 Directive on security of network and information systems known as the NIS Directive, which aims to facilitate the exchange of technical information on risks and vulnerabilities between critical infrastructure operators. To achieve this, EU Member States had to set up national computer incident response teams (CSIRTs) within two years. Any incident with a significant impact must be notified to the national authority or the CSIRT, which then determines whether or not the information should be transmitted to other Member States.

33 Deborah Housen-Couriel, “Information Sharing for the Mitigation of Hostile Activity in Cyberspace: Comparing two Nascent Models”, Part 2, European Cybersecurity Journal, vol. 5, issue 1, Krakow (Poland), 2019.

Information sharing is not a social activity, but the best tool to tackle cybercrime at its root.

“Working together must become automatic in order to increase our resilience to cyber-attacks. We should be looking to learn from each other and not trying to re-invent the wheel.”

Aymeric Dussart, Montréal Airport

“It must always be borne in mind that cybercriminals conspire with each other to commit their misdeeds, share tools, processes and personal data that they have stolen. Everything is on the ’dark web’ where millions of dollars circulate permanently. To stay ahead of this ever-changing threat, you have to do the same thing!”

Fred Bedrich, Business Development Bank of Canada

Solution Track 1: Information Sharing

The critical infrastructure disclosure system put in place by the federal government is poorly known and unsatisfactory. The government could consider creating a working group to study the various modalities to encourage information sharing among critical infrastructure and some large industrial companies on a voluntary or mandatory basis. In the short term, it is essential that a fixed list of critical infrastructures is established and that the companies concerned play an active role. Information must flow in both directions: from government to critical infrastructure and from critical infrastructure to government. As a medium-term objective, consideration should be given to expanding the system to manufacturing companies that are not critical infrastructure. Canada's industrial fabric must behave as a unified intelligent network that is automatically mobilized in its entirety whenever one of its components is attacked.

“Unfortunately, the ability to cooperate through sharing information across governments and industries is not as strong as it is in the world of the bad guys who collaborate for economic benefit and share their insights for mutual gains. In the government world and as well in the commercial world, we tend to operate in silos and that cannot continue.”

Tyson Johnson, CyberNB

“Street outlaws have moved online. The only way for police to deal with this recent trend is through radical collaboration and partnerships. Radical collaboration can take strange forms: the Toronto Police Computer Cyber Crime Section began to work with hackers.”

Shawna Coxon, Toronto Police Service

Issue #2 – Shortage of Qualified Labour

Not surprisingly, almost all of the stakeholders interviewed raised the issue of the shortage of cybersecurity talent and the fierce competition in recruitment. This shortage is of course the consequence of the in-draught created by cybercrime. This phenomenon has long been underestimated. The emergence of organized crime and state terrorism has changed the situation.

There are currently 4,899 people holding the CISSP ISC2 designation in Canada. The number of Canadian holders of the GIAC GSEC certification is approximately 10,730. Membership in the LinkedIn group for Canadian information security professionals includes 3,879 members, InfoSec's management professionals’ group 2,876 and the Canadian Security Partners Forum 6,976. Based on these data, it is reasonable to estimate the number of people working in cybersecurity in Canada at between 5,000 and 10,000. However, to meet demand, the number of skilled practitioners would have to be doubled or tripled over the next four years.34

The immediate consequence of this labour shortage is that the salaries of cybersecurity specialists are high, which is not negative in itself, but creates recruitment problems among industrial SMEs. The median wage for cybersecurity jobs in Canada is about $92,000 per year or $47.00 per hour. Entry level positions start at around $81,000 per year while the most experienced workers earn $110,000 per year.35 Specialists who manage large cybersecurity teams have salaries of $250,000 or more.

34 Hugh Burley, “Here’s how to solve Canada’s cyber security talent shortage”, IT World Canada, 14 October 2017.

35 Estimate made by the international job search website Neuvoo: https://neuvoo.ca/salary/?job=cybersecurite (accessed on 15 October 2019).

“I have positions open in Montréal since 2016 that are still unfilled. There is a critical shortage of IT experts. Competition in recruitment is intense. Of course, artificial intelligence and robots will be a valuable contribution, but in the end, it is a human being who must make the decision.”

Olivier Caré, Industrial Alliance

Canada currently has between 5,000 and 10,000 cyber security professionals and this number is expected to double or triple over the next four years.

“One of the main reasons I outsourced cybersecurity is the scarcity of talent. Now it is up to KPMG to solve the talent acquisition problem. This allows us to focus on defining the main strategic orientations for cybersecurity and on linking it to the airport's management needs.”

Aymeric Dussart, ADM

Why such inflation? In addition to the scarcity of talent, there are several unavoidable reasons: the heavy penalties for non-compliance with various international regulations;36 the guidelines of insurance companies that require companies to at least comply with certain standards and, of course, the strength of attacks that will become more numerous and sophisticated.

Universities and Colleges

Universities and colleges have been slow to respond to this labour market demand and even today, they still produce few graduates for this particular task at hand. Indeed, cybercrime lacks appeal and prestige. When the Government of Québec launched its tax credit program for the video game industry in the mid-1990s, the training offer exploded. In the Greater Montréal area alone, approximately 60 establishments offer various programs to gain access to the industry. Universities, colleges, private institutions: the mobilization was immediate and intense. A computer student wants to design games or applications. In any case, he wants to create, while cybersecurity offers a reactive activity. You have to learn to predict the worst, to close doors, and to suspect everyone: the approach is negative. How to attract students to this environment?

36 In the context of the GDPR alone, the fines can be up to €20 million or 4% of the annual worldwide turnover, whichever is greater.

“Cybersecurity is a specialized technical field. Given the actual shortage of IT talents, compounded by the ever-increasing threats to cybersecurity, cybersecurity must be quite imaginative to find market-ready staff. The market law of supply and demand will need to be adjusted. That means salaries must be adjusted.”

Gary Davenport, CIO Association of Canada (CIOCAN)

“We are already lacking young specialists and in the coming years, the situation will get worse. At the same time, attacks are growing in number and complexity. There will be no truce. The problem is that cybersecurity does not immediately appeal to teenagers as does the profession of pilot or television presenter.”

Jean-Sébastien Pilon, Senior Director, Information Security, Desjardins

Currently, colleges and universities across Canada are aiming to double the number of graduates in four years, but at the same time they are struggling to keep their curricula up to date. A change is underway, and more and more teaching programs are being implemented in close collaboration with companies. Colleges are traditionally more integrated into the market. Many of them organize long internships for students in companies. Finally, like Siemens, large companies pay tuition fees and select students on a five-year employment contract after graduation. Cisco also has a paid professional development program for new graduates and university students in their final year of undergraduate studies.

New Brunswick is a pioneer in education in Canada. Starting in high school, students are encouraged to study computer programming and cybersecurity.37 How does New Brunswick proceed? First of all, through games! The CyberTitan Nationwide Championship features students who must follow scenarios that show how to lock an operating system, delete various hostile codes or check a firewall's resistance to attacks. Of the 190 teams that participate in the Canadian Championship each year, 120 are from New Brunswick. The best teams will then face the winners of the American championship. At the other end of the New Brunswick education system, a doctoral student will receive a total of $80,000 for his or her work (40,000 from the University of New Brunswick and the other half from various government programs). This mobilization was modelled on the Israeli model, which, in five years, has made it possible to make this small country the world leader in cybersecurity.

37 “Objective 5: Improve learning in, and application of, the arts, science, trades and technology for all learners”, in “10-year education plan: Everyone at their best”, (Anglophone sector), Province of New Brunswick, Fredericton, NB, August 2016. Curiously, this objective does not appear in the plan for Francophones in New Brunswick.

Cybersecurity is negative. You have to predict the worst, to close doors, and to suspect everyone. How to attract students to this environment?

“The fundamental problem is that the technology footprint is growing, the business is adopting technology faster than it ever has before and it is very difficult to find talent to insure that as they transform, they can put the appropriate security capabilities in place, to protect these new business services.”

Adam Evans, RBC

New Brunswick is a pioneer in education in Canada. Its approach is based on incentives. In elementary school, it focuses on games. At the doctoral level, scholarships are given that are real salaries.

In the rest of Canada, some institutions are taking action, including investing in colleges and universities. Desjardins Group invested $1.25 million in 2018 in the École Polytechnique de Montréal for a research program in the field of cybersecurity and artificial intelligence (AI). In the same year, RBC invested $1.78 million in a new cyber security lab at the University of Waterloo. But this investment waltz is not limited to Canada. Also, in 2018, RBC invested $2 million in BGN Technologies, a spin-off from Ben-Gurion University in Israel, for AI-based cybersecurity research.

In general, major critical infrastructures seek to raise awareness and integrate universities and colleges by all means possible into the realities of the labour market and to accelerate the delivery of an undergraduate degree. Cybersecurity firm Difenda is even proposing to outsource responsibility for college student training to companies and to increase internships for university students. According to Frank Roth, Senior Director of Difenda, the number of specialists able to manage a SOC could thus double in four years.

In addition to training, there are ’natural’ reservoirs of human resources: employees themselves, women, immigrants, retirees and people with disabilities. As of 2010, RBC has chosen to address the talent shortage by increasing initiatives to attract women to its IT and cybersecurity divisions. The result of this ambitious policy is surprising: 44% of RBC's IT employees are women – compared to an average of 29% in Canada.

Solution Track 2: Shortage of talents

There is no single solution to the labour shortage. Any solution requires a mix of structural measures whose impact will be felt in the medium and long term. Solutions exist. Here are three solutions, two short-term and one medium-term:

- Each company can meet its needs for cybersecurity experts through the use of internal resources. Indeed, the ongoing IT transformation (cloud computing transition and introduction of artificial intelligence) is about to reduce IT resource requirements, leaving experts available to join the cybersecurity team.

- Resources from non-IT departments can also be trained in cybersecurity. These people are experienced executives, who know the corporate culture and, if they have an interest in IT, they can be advantageously retrained in cybersecurity. There is no need to separate from these employees to send them to a full-time educational institution. All they need is a few hours a week to obtain the appropriate certifications through professional bodies such as ISACA, ISC2 and SANS. At the beginning, they will also need mentoring from an experienced cybersecurity expert.

- Massive training of cybersecurity experts is possible, as Israel and New Brunswick demonstrate every day. Of course, these models need to be adapted to the various provincial contexts. To this end, it would be important to plan a kind of national cybersecurity summit where the provincial Ministers of Education and all relevant stakeholders would be invited.

“BDC is working with universities and colleges and plans to expand this collaboration with the Canadian Army Reservists as early as next year. They have an incredible expertise. The Army is one of the best schools in terms of security.”

Fred Bedrich, BDC

“The cooperation between CyberNB and the education system… involves coop work terms and R&D programs with college, undergraduate, graduate and postgraduate students. There are even grade 12 students who are… hired just after their graduation by major institutions... Beyond Master and PhD graduates, there is a need for cyber trade graduates coming out of college programs that are immediately employable and fill this much-needed growth in the talent pipeline.”

Tyson Johnson, CyberNB

Issue #3 – Enhance the CISO Function

All too often, the CISO function is considered a purely technological activity in the IT field – 54% of cybersecurity managers surveyed in this poll are Chief Information Officers (CIOs), IT professionals, IT technicians or IT employees. Such an approach is simplistic, false and dangerous. Information security is not limited to technical roles. On the contrary, it requires multidisciplinary training with knowledge in administration, training, human resources management, communication, digital forensics and even law, as legal requirements are likely to increase over time. In total, more than thirty security-related roles have been identified.38 While the CISO function obviously requires a solid technical background in information and network security, it cannot be reduced to that in any way.

If the salaries of cybersecurity experts are soaring due to talent shortages, organizational valuation is not keeping pace. Few CISOs sit on the company's executive committee – with the exception of the financial sector. As for governments, the working conditions of their CISOs are no different from the private sector, except that they earn less money.

According to the authors of The Emerging Role of the CISO, companies have difficulty defining the profile of CISOs they are looking for to ensure their cybersecurity. They seek a technological profile and end up entrusting him or her with the management of a host of purely operational tasks as well as some strategic responsibilities. The CISO's place in the company's organizational chart varies from one company to another. However, according to the authors, it is now established that a CISO is a senior manager, rather than a specialized technical expert, and in addition to his or her technological skills, he or she must be an excellent communicator, particularly to the Board of Directors. In addition, as of now, CEOs must take their cybersecurity objectives into account in their criteria for selecting Board members.39

38 Val Hooper and Jeremy McKissack, “The emerging role of the CISO”, Business Horizons, Indiana University, United States, November-December 2016. Cf. p. 588.

“Cybersecurity will rise in importance in the coming years. Each institution will use it to protect itself, but also as an argument to gain public trust. Think back to 10 years ago, both private and public sectors did not think much of IT security. A source of useless expense, many said. My colleagues in the CIOCAN Ontario Chapter told me that up until recently, a CIO could not sit in an executive chair. Now a lot of CIOs are top executives. You do not need to sell cybersecurity anymore.”

Dave Quigley, Ontario Provincial Police

“Public sector wages are lower than those in the private sector. What drives people to come to work in public administration is the magnitude of the cybersecurity challenge.”

Benoît Boivin, Treasury Board Secretariat

CISOs are not limited to a technical role. They are also versatile humanists with skills in training, human resources management, communication, digital forensics and even law.

Thus, the most important step to take is not to decide whether or not CISOs have access to Boards of Directors, but rather to exempt CISOs from the supervision of CIOs, quite simply because the two jobs are distinct and have in common only the technical aspect. This anomaly reminds us that about ten years ago, the cybersecurity teams of many companies reported to the Vice Presidents of Finance simply because they were responsible for overseeing the deployment of ERP systems. Today, the distinction between the missions of the CIO and the CISO clarifies the objectives of each and the allocation of budgets. In advanced companies that pay a lot of attention to cybersecurity, such as banks, ATCOs or the OPP, the CISO reports directly to the highest levels, on an equal footing with CIOs. Several factors will contribute even more to the enhancement of CISOs in the coming years. Cloud computing, in particular, not only changes the configuration of system architectures, but also frees the CISO from routine surveillance work to focus on defining active defence and risk assessment strategies.

Solution Track 3: Enhance the CISO function

The associative sector must be called upon to raise awareness among companies, particularly medium-sized companies, of the strategic importance of the CISO function. The aim is to encourage them to give the CISO full access to the Executive Committee – vice-president status. There are groups such as In-Sec-M, the Canadian cluster of the cybersecurity industry, ISACA, a world association with a strong presence in Canada, the CIO Association of Canada which has created a CISO Chapter, and there are as well local associations (Association de sécurité du Montréal Métropolitain and Association de la sécurité de l'information du Québec). All these associations are campaigning for the enhancement of the CISO function. These associations should be supported by public authorities and all other institutions with activities aimed at the same objective.

39 Val Hooper and Jeremy McKissack, idem, cf. p. 589.

“Governance will have to evolve rapidly, because today most of the CISOs are middle or at best senior managers, whereas they should be vice-presidents and report directly to the president and CEO. Alcan and Bombardier have already upgraded the CISO function and have focused all physical as well as cyber risks in one position. It is essential to have a single risk discourse and a single decision-making point to organize the countermeasures.”

Michel Arredondo, CBC

Issue #4 – Insert Cybersecurity in the Employee Job Description

In June 2019, Desjardins Group reported that it had been the victim of a data theft: a former employee is suspected of having stolen the personal information of 4.2 million individuals and 173,000 businesses and of having sold it to some accomplices, one of whom resold it on the dark web. Desjardins management indicated that only personally identifiable information was stolen from its system, but no electronic banking passwords, security issues, account PIN codes or credit and debit card numbers. The financial institution later indicated that it spent $70 million in the second quarter in connection with the data privacy breach.40

It is estimated that in Canada about 35% of cyber-attacks are caused by an internal employee, supplier, customer or partner. All companies, regardless of their size or nature, must deal with the possibility that an internal resource or a business relationship may act in such a way as to put the company at risk.41 Even the police forces are being hit by the plague. Beyond malicious intent, there is clumsiness or simple recklessness: employees still fall for phishing scams and click on a compromised link.

Employee cybersecurity awareness programs will not solve all internal fraud problems. Offending employees who, alone or with accomplices, steal data, as in the case of Desjardins Group, will not be deterred by an awareness campaign. However, there are ways to reduce incidents due to clumsiness or negligence. Indeed, this is the bulk of internal cyber-attacks. Employee awareness strategies are very diverse. The high-end solution is a multidisciplinary approach: teams of psychologists, criminologists and even former military personnel work together to create a sense of urgency and responsibility among employees. This is a significant investment, but this type of approach is effective in identifying almost all careless people and changing their behaviour.

Among the companies that use more traditional strategies, there is Sobeys which holds an annual competition based on a phishing simulation with approximately 25% of its workforce. This test allows Sobeys to assess employee readiness. The company regularly reviews its approach when too many people have ’taken the bait’.

40 Julia Sowells, “Data Breach Hits Desjardins, 2.7 Million People Affected”, Hacker Combat Community, 22 June 2019. Debroop Roy, “Desjardins spends C$70 million related to data breach”, Reuters, 12 August 2019. Frédéric Tomesco, “Desjardins data breach much larger than first estimated, affecting 4.2 million”, The Gazette, 01 November 2019.

41 See the story of the attack on Xittel in the case studies (Appendix 1).

“When an incident occurs, OPP follows best practices... I must admit that at the moment, our biggest risk is not the hacker attacking from the outside, but some of our own employees with delinquent tendencies. They can access our network with impunity. The shift to cloud computing is not going to help me resolve this issue.”

Dave Quigley, Ontario Provincial Police (OPP)

About 35% of cyber-attacks are caused by an internal employee, supplier, customer or partner.

A number of companies distribute gifts, organize games or pay bonuses to employees who comply with cybersecurity guidelines. The principle is to give a positive value to cybersecurity actions.

When awareness programs fail, companies can use the latest monitoring technologies. The Montréal-based CRIM laboratory has developed a monitoring program based on the creation of various employee profiles and the detection of anomalies.

An intermediate approach between random testing and continuous monitoring would be to acknowledge that the cybersecurity effort required of an employee, who does not belong to the IT department, is important and comes in addition to his or her duties. Indeed, companies require employees to be vigilant at all times about e-mails and the status of the network. This vigilance extends beyond regular working hours, when the employee is at home and contacts the office or uses professional resources (e-mail).

But this 24/7 vigilance requirement is very rarely included in job descriptions or employment contracts. The extra efforts required from employees are not taken into account and this work is never paid for. Companies inadvertently create an inequality among human resources: there are cybersecurity experts who are paid to provide protection and there are others, the bulk of employees, who are encouraged to contribute to protection, but who are not paid for it.

“Agropur's awareness program is dictated by a directive that every employee who uses a digital asset must have successfully completed the basic IT-OT digital security training and a second training course in digital security, social engineering techniques, such as phishing. People who do not attend classes within the required period are denied access to the company's IT resources.”

Michael Glenn, Director, Agropur

“We have initiated a process to change its awareness program for employees. The principle is to switch from ‘shamification’ mode to ‘gamification’ mode. In the past, people were constantly disturbed by exercises such as phishing simulations to identify who was lurking. The new program reverses the scenario. Thus, employees are warned that the following Friday, at a given time, a phishing attempt will take place. The first three to identify the suspicious e-mail win a prize.”

Fred Bedrich, Business Development Bank of Canada (BDC)

“For example, if suddenly, a computer under surveillance transfers hundreds of documents while the employee does not, according to his job description, communicate with the public, we block the account and then investigate the matter: did the employee transmit the documents or is it a malicious hand that took control of the employee's computer?”

Fehmi Jaafar, CRIM

The employees of the cybersecurity group are paid to ensure cybersecurity, while the other employees are not.

This non-recognition of the value of employee contributions to cybersecurity by companies stems from the unprecedented nature of the risk. Awareness of the severity of cyberthreats is recent. Company managers and human resources managers are alerted, but they do not always grasp the nature of the phenomenon. The purchase of technological solutions only solves part of the problem. Employees must therefore be mobilized for cybersecurity. But how can we encourage individuals to take action and perform additional tasks if we do not recognize that this is an integral part of their work?

Solution Track 4: Recycle employees into cybersecurity experts

It should be recognized that the cybersecurity measures required from employees are part of their job description and are therefore an integral part of their work. This must be included in their job description with all that it implies in terms of annual evaluation, level of performance, career development and promotion, salary conditions, etc. The systematic inclusion of cybersecurity activities in all job descriptions and, in the case of unionized employees, in collective agreements, is therefore recommended. There is a role for governments to develop a matrix description of basic cybersecurity activities that is both detailed and comprehensive enough to anticipate future developments in cybersecurity, and that would be made available to all businesses.

“At CNL, every new employee gets a security package where the measures are explained, from privacy to the management of e-mails. Many have taken to cybersecurity first as a chore, then a game and now as a mission. As soon as they see an anomaly, they report it to me.”

Tom Vaughan, Canadian Nuclear Laboratories (CNL)

The cybersecurity tasks required of employees must be included in their job descriptions with what this implies in terms of promotion and salary.

Issue # 5 – Software Vulnerability

All stakeholders agree to deplore the vulnerabilities that exist in operating systems and application software. This is a computer-related deficiency that is not unavoidable. As Tyson Johnson of CyberNB says very well:

“Responsibility is a word that needs to be more present in our cyberworld… New policies are required to manage processes by which the Canadian Government would report flaws it discovers directly to vendors.”

The symbol of this generalized defect is the ‘zero-day’ vulnerability. These are software flaws present from the day of the launch of a new application, exposing its users to cyberattacks until a patch is distributed. Sometimes a vulnerability remains unknown to everyone – with the exception of cybercriminals. Some of them sell their discoveries on the dark web.

As an aggravating circumstance, the intelligence services of some States identify these vulnerabilities with the considerable resources at their disposal, but they do not warn the publisher of the faulty software, or even their own citizens. Indeed, there is a kind of zero-day vulnerability barter reserved for intelligence agencies that exchange the results of their research. For the intelligence community, these vulnerabilities are a key working tool for obtaining information discreetly.42

42 Andy Greenberg, “The Strange Journey of an NSA Zero-Day—Into Multiple Enemies' Hands”, Wired, May 7, 2019. | Miles Kenyon, “Christopher Parsons Testifies Before Standing Committee on Public Safety and National Security”, The Citizen Lab, 08 March 2019. | Kevin Townsend, “UK Spy Agency Joins NSA in Sharing Zero-Day Disclosure Process”, Security Week, December 2018. | Matthew Braga, “When do Canadian spies disclose the software flaws they find? There's a policy, but few details”, CBC, 06 September 2017.

“The concept of minimum viable product leads to getting software out as quick as possible, whereas vendors protect themselves with terms and conditions that are insane. They basically waive their responsibility to keep their customers safe.”

Mel Crocker, Air Canada

“Old versions of Windows are plagued with security holes, and Microsoft will not provide security patches. Worse yet, every Windows update requires rebooting the hardware, which results in downtime, and can also result in the underlying hardware no longer working because Microsoft failed as usual to test their updates...”

Richard Evers, Kryptera

“The market produces software that has flaws, and these companies are not being prosecuted.”

Olivier Caré, Industrial Alliance

The intelligence services of the major states do not warn users when they discover zero-day vulnerabilities. They keep them to themselves.


In Canada, the Communications Security Establishment (CSE) does exactly this: when it discovers a vulnerability in software, it assesses whether it is appropriate to notify the software publisher to fix the problem, or whether it is preferable to store the vulnerability in a kind of virtual library where it can be used for computer espionage or as a bargaining chip with another intelligence agency. Under no circumstances are the heads of infrastructures or large Canadian companies consulted in the decision-making process, which remains entirely opaque. Similarly, when a foreign agency such as the National Security Agency (NSA) spies on Canadian organizations such as RBC or Rogers Communications, the latter should not expect any help from their government. Worse, everything indicates that the U.S. NSA had shared the results of its data theft with... the Canadian CSE!43

Can the new Canadian Centre for Cyber Security (Cyber Centre) play a significant role in addressing software vulnerabilities? It is too early to judge. But the conditions for its creation are unfavourable. Indeed, the Cyber Centre is part of the Department of National Defence and not the Department of Innovation, Science and Economic Development. Its chief executive officer comes from CSE, where he has spent his entire career. A large part of the Cyber Centre's staff also comes from CSE. CSE is an intelligence agency, a member of the Five Eyes. The umbilical cord does not appear to have been really cut between the Cyber Centre and the intelligence community from which it originated. Will it be possible to evolve the Cyber Centre into an economic development mission? While waiting for a clear signal from the federal government, companies can only rely on their own internal cybersecurity measures.

43 Colin Freeze and Christine Dobby, “NSA trying to map Rogers, RBC communications traffic, leak shows”, The Globe and Mail, 17 March 2015.

“IoT hardware that is sourced from cheap sources such as China has major problems with default accounts and passwords being hard-coded into the electronic boards… Taken as a whole, this has led to an endless series of cyberattacks that use compromised IoT devices.”

Richard Evers, Kryptera

“To reduce (and ideally prevent) security vulnerabilities from being used in such attacks, new policies are required to manage processes by which the Canadian government would report flaws it discovers directly to vendors. In addition, the government should exclude from its tenders all companies that have been blacklisted for non-compliance and flawed technologies.”

Tyson Johnson, CyberNB

Can the new Canadian Centre for Cyber Security play a significant role in addressing software vulnerabilities? To do so, it should cut the umbilical cord with the intelligence community.


Solution Track 5: Software vulnerability

Mobilization against software vulnerabilities has two components:

- Upstream, a code of conduct should be promulgated requiring software publishers that do business with the public sector (ministries and agencies as well as health and education networks) to test all their products before delivering them to the public sector. These tests will have to be submitted to the client for approval (as exists in the health care environment with pharmaceutical products). Any defective product will not be delivered until corrective measures have been taken.

- Downstream, the identification of vulnerabilities could be entrusted to the Cyber Centre. Today, this institution only serves government departments and agencies, as well as critical infrastructure, which is an extremely satisfactory first step. In a second step, the Cyber Centre should also play a supporting role for non-critical companies, including SMEs.

“The government could play a role to make companies more accountable for their products. A good example of a beneficial government intervention is the GDPR introduced by the EU. It was a bold move in the privacy domain. Now, imagine a similar set of rules that would make software vendors responsible for cybersecurity breaches in their products.”

Mel Crocker, Air Canada


Issue # 6 – The Special Case of Industrial SMEs

The SME is the poor relation of cybersecurity. SMEs are less likely to have a cybersecurity manager than the Canadian average. As noted above, the inability to pay the salary of a specialist is only part of the problem (Section 4.1.6 – Outsourcing Intensity). The lack of professional stimulation offered by the working environment of an SME is another, all the more serious because it is structural. Whatever is done, a cybersecurity professional will always be reluctant to work alone in a company whose core business is foreign to him or her: by definition, the company cannot offer promotion and even less career planning.

It is not surprising that the complaints of SMEs are relatively numerous. Of the companies surveyed, 31% would like to receive some form of financial incentive for their cybersecurity activities (compiled from the results of Section 6.3 – Federal Government Consultation Process). Similarly, some other respondents are seeking technical assistance, training and bootcamps. In all cases, these are industrial SMEs, both small and medium-sized enterprises.

“At the moment, in the general field of cybersecurity, I don't see any cooperation between the public and private sectors. The government published the ambitious 2018 cyber strategy and created the Cyber Centre, but I have seen nothing trickling down to the market, especially in the SME sector.”

Gary Davenport, CIOCAN

“The biggest obstacle to robust cybersecurity is money. It is not only necessary to acquire new technologies, but also to organize cultural changes to adopt new ways of operating. The bulk of cybersecurity spending is therefore not on the capital investment side, but on the operational expenditure side. In terms of funding, that means you cannot capitalize, you have to resort to cashflow. All companies face the same problem that greatly limits the development of cybersecurity programs.”

Michel Arredondo, Radio-Canada

“It should not be forgotten that SMEs are often poorly equipped for cybersecurity. Indeed, specialists are rare and require high salaries. SMEs cannot afford to hire top talents. In the best of cases, they use the services of cybersecurity firms – there are some excellent ones in Canada.”

Fred Bedrich, BDC

Nearly a third of the companies surveyed would like to receive some form of financial incentive for their cybersecurity activities. All these respondents are SMEs.


With the digitization of industrial processes and the transition to Industry 4.0, SMEs are reaching a higher level of risk for which they are not equipped: “Some SME managers feel little or no concern, however, because they believe their company is too small to be of interest to hackers,” explains Professor Sylvestre Uwizeyemungu. “They are wrong here, since SMEs are a rather perfect target: their systems are often poorly protected, and attackers know that they generally do not have the means to unmask them and initiate possible legal proceedings against them.”44

Solution Track 6: The special case of manufacturing SMEs

A form of financial incentive could be considered. This is the opinion of the Canadian Senate:

“Smaller companies that operate in the critical infrastructure sectors without adequate cybersecurity practices are cause for great concern. To assist these businesses, the federal government should decide whether it can provide support to the private sector for cybersecurity-related expenses, such as through accelerated capital cost allowance deductions for these expenses under the Income Tax Act.”45

However, such a measure should be part of an overall support framework for manufacturing SMEs. An isolated measure would be a wasted effort.

We have seen that many companies lack all the basic tools of cybersecurity: no CISO (in 42% of companies), no formal program (38%), no risk analysis (56%), no training (60%), no audit of OT systems (69%), and finally no penetration tests of OT systems (77%). The bulk of these companies are SMEs: they need support and also, let us not hide it, a certain constraint (for example, the government could make public sector contracts conditional on Cyber Essentials Canada type certification). In short, a concerted action, such as a ‘general mobilization’, in favour of a cybersecurity commitment, must be put in place.

44 Sylvestre Uwizeyemungu, professor in the Department of Accounting at the University of Québec at Trois-Rivières (UQTR) and Researcher at the Institute for Research on SMEs. Quoted in Ariane Normand, “L'importance de la cybersécurité pour les PME”, Actualité du réseau, UQTR, 3 April 2019.

45 “Cyber assault: it should keep you up at night”, report of the Standing Senate Committee on Banking, Trade and Commerce, Ottawa, October 2018, 35 pages. Cf. p. 26.

“SMEs do not have money; cybersecurity costs are on their budget, they innovate less, same thing for primary, secondary and university schools as well as the health network.”

Fehmi Jaafar, CRIM

“The incentives to support SMEs to become secure are essential. The means are diverse: tax credit, rebates on products and solutions, more favourable insurance premiums, better opportunity to compete on procurement bids for government contracts…”

Tyson Johnson, CyberNB


Issue # 7 – Strategic importance of e-insurance

Barely a third of the respondents are insured against computer crime. If we consider only the manufacturing sector, it is even less (29%). How do we explain these low rates? Cyber insurance is incomplete. A basic policy covers the costs related to the immediate impact of the incident, but never the income lost during the incident. Many critical infrastructure managers believe that the coverage provided should be more comprehensive as they seek to reduce their actual financial exposure. However, insurance companies do so on a case-by-case basis, in the absence of cyber-risk standards.

Another reason for the reluctance of companies to adopt cyber insurance is their underestimation of their own risk and the impact on their organization in a major event scenario. If the financial impacts are real, they are all the more difficult to quantify. There is indeed little benchmarking in this area because many incidents are never reported. Finally, companies are often reluctant to disclose the cybersecurity tools they have deployed in their IT perimeter, the results of audits or penetration tests. Most CISOs cultivate secrecy.

It should be noted that an e-insurance policy is not only about financially protecting the company's balance sheet in the event of a disaster; insurers also require a comprehensive assessment of a company's level of vulnerability (including supply chains, subcontractors, customers...). When the incident occurs, the insurer must be able to carry out or validate the digital forensic investigation after the disaster, evaluate losses, restoration costs, etc. In short, the relationship between the insured and the insurer is governed by a digital security framework that encompasses all the information activities involved.

“APN Global is in the process of negotiating insurance against the risk of cybercrime. The problem is that this type of insurance is relatively expensive to cover only a limited part of the risk. The cyber insurance market is new, and experts have difficulty assessing the risk.”

Yves Proteau, APN

“Some general insurance clauses in effect at Radio-Canada allow for certain elements of cybersecurity to be covered, but it remains to negotiate insurance that would cover the cost of the impact associated with an incident as well as the response plan. To do this, it is necessary to determine the levels of control, qualify the risks according to the impact categories and then quantify the coverage accordingly. Each type of attack must be measured against the possible scenarios. This exercise is all the more complex, because the insurance offer is still underdeveloped. There are several types of coverage, but they are often incomplete.”

Michel Arredondo, Radio-Canada

Only a small minority of companies, a third, are insured against computer crime. This type of coverage is often incomplete or inappropriate for business needs.


To cover cybersecurity, the insurer must acquire in-depth expertise in this area. There is more to it than that. When a company takes out insurance, there is a transfer of the risk incurred from this company to the insurer. The latter will therefore do everything in its power to limit the level of risk exposure by encouraging its client to invest in cybersecurity. In practice, the insurer will support its client in its cybersecurity approach directly or through a third party from the cybersecurity consulting industry.

The speed with which the world of cybercrime is evolving is challenging insurance companies. Indeed, risk analysis specialists must accumulate a large number of experiences over several years to establish a model based on historical series of past events. The Club des juristes, a French legal think-tank, summarizes the problem as follows: "In the case of cyber risk, however, there is little perspective on the frequency and severity of cyber incidents: the risk itself being recent, actuarial calculations are based on narrow historical comparisons."46

At the same time, insurers must find answers to delicate questions: do they have to reimburse ransom payments when the RCMP and the Government of Canada advise against them? Indeed, the payment of ransoms could be used to finance criminal or even terrorist acts. However, some insurance companies do cover this type of incident. In addition, there are questions of pure and simple legality: can the insurance company pay penalties for violations of the law, such as non-compliance with the General Data Protection Regulation (GDPR) enacted in Europe but applicable to Canadian companies operating in Europe?

At the moment, about 40 insurers offer a cybersecurity product in Canada: Allianz Global, Aviva, AXIS Canada, etc.47. Some of these insurers have even developed a product specially adapted to SMEs. Cyber insurance is a tool under development, but it reduces financial risk. Industrial Alliance Insurance Company uses a third party specialized in cyber insurance to insure its own risks.

In the cyberinsurance market, critical infrastructure customers are valued. This sector generates significant recurring revenues, and, in addition, the means used by the infrastructure to ensure their safety considerably minimize the insurer's risks. To penetrate this coveted market, insurers multiply the services that accompany their costed proposal.

46 Cyber Risk Ad Hoc Commission, “Assurer le risque cyber”, Le club des juristes, Paris, 2018, 97 pages. Cf. p. 28.

47 “Cyber Insurance Products”, website of Insurance Business Canada (last accessed on 17 October 2019).

“Cyberinsurance is not new to the market, although many are suddenly discovering it. Some companies were already selling policies in the 1990s to cover themselves against the Y2K problem. Industrielle Alliance does not offer cyber insurance, but I believe that anyone doing business on the web must take out insurance and protect themselves. And we are no exception.”

Olivier Caré, Industrielle Alliance

Insurance companies that offer cyber coverage require their customers to comply with the best available cyber security practices.


In some cases, the insurer even makes available to the client a cybersecurity platform that is either proprietary (AXA or AIG) or subcontracted to specialized companies (the Crawford expert network in the case of Chubb). These platforms both sort incidents and put the client in contact with specialized service providers (technical investigation, legal advice, crisis management advice or communication, etc.) as the case may be. With this new type of support services, insurers are employing more and more cybersecurity experts who, as a result, are becoming familiar with the practices of the insurance industry.

This convergence between the insurance world and rising technology is not new. In the 19th century, Lloyd's of London was the world's leading insurer in the marine industry. The company had achieved this feat by studying all the components of maritime transport, from the hull of a ship, manoeuvres at sea, modes of communication to the various risks posed by certain oceans and seas. Lloyd's representatives were primarily marine experts present at the damage site whenever possible.48

It is therefore not surprising to see insurers offering their customers a type of cyberinsurance with technological support. To do so, it is to be expected that the number of mergers between insurers and cybersecurity firms – or IT manufacturers – will increase. In some cases, cybersecurity firms can even be expected to take the lead in developing automated risk management solutions for insurers. Cybersecurity firms specializing in the insurance market can play a role comparable to that of fintechs in the banking market. By requiring companies to provide proof of their cybersecurity program, an audit, and a history of attacks, insurers are guiding companies towards the adoption of best practices or a cybersecurity standard.

48 “Addressing the Private Sector Cybersecurity Predicament: The indispensable role of insurance”, Carnegie Endowment for International Peace, October 2018, https://carnegieendowment.org/files/Cyber_Insurance_Formatted_FINAL_WEB.PDF (last accessed on 18 October 2019).

“The insurance company provides breach coaching. In the event of a security or privacy breach, a specialist will help us work through the processes. If CNL has to deal with a ransomware situation that paralyzes a server, the insurance specialist coaches us on how to deal with the attacker. That’s what won me over.”

Paul Vaughan, CNL

Insurers are increasingly offering a cyber insurance policy coupled with technical support. Insurance companies are thus becoming key partners in cybersecurity.


Solution Track 7: Strategic importance of e-insurance

How can we encourage companies to insure themselves? Public authorities, both at the federal and provincial levels, could require their suppliers to be insured for cyber-risk. This low-cost measure is easy to implement and would send a clear signal to both goods and services companies and insurers. In a second phase, companies could receive public support to improve their means of protection and comply with the safety standards required by insurance companies.

In general, governments would benefit from close consultation with insurance companies to develop strategies to protect companies from cyber risk. Since insurers are constant partners of economic actors in the management of business risk (civil liability, property, claims, etc.), they are well placed to add a cybersecurity component to their traditional offer.


Issue # 8 – A question of sovereignty

Almost all the companies surveyed in this poll are migrating their data to the cloud. Since trust is essential when it comes to entrusting institutional information to a third party, the hosts chosen are systematically the giants of cloud computing. No one wants to run the risk of depending – because that's what it's about – on a fly-by-night company.

As a result, most of the information content will be hosted abroad – mainly in the United States. The main vendors of cloud computing solutions in terms of revenue are:49

- Microsoft (Azure): $21 billion, United States
- Amazon Web Services (AWS): $20 billion, United States
- IBM: $10 billion, United States
- Oracle: $6 billion, United States
- Google Cloud/G Suite: $4 billion, United States
- Alibaba: $2 billion, China

Since 2016, the federal government has authorized the cross-border migration of its data, which is considered non-essential and non-personal, but still needs to be encrypted. All essential and personal information must be stored in Canada. What will remain of this obligation once the new Canada-U.S.-Mexico Agreement (CUSMA) comes into force? No one knows because the agreement sets out conflicting and interpretable obligations on this issue.50

49 Larry Dignan, “Top cloud providers 2018: How AWS, Microsoft, Google, IBM, Oracle, Alibaba stack up”, ZDNet, 11 December 2018.

“ATCO has partnered with a few major cloud providers, such as Microsoft, IBM and Oracle. This choice is not coincidental. We think that the very big cloud providers are security focused, so we know they are doing everything I would expect my internal team to do. While there are a bunch of small cloud providers which are quick to development, quick to market, and not as focused on security. We may use them as a sandbox for a development proof of concept, but not for our business and critical applications. We do not tolerate any security shortcuts.”

Steve Biswanger, ATCO

CBC does not believe that hosting its content in American cloud solutions is a problem: “Agreements with these companies do not allow any third party to access our data. We often talk about the powers granted to the American government by the Patriot Act, but it is a threat that is more theoretical than real. In fact, most US providers are installing hosts in Canada.”

Michel Arredondo, CBC

Is Canadian data stored in cloud solutions owned by foreign companies protected from prying eyes?

Nevertheless, since 2018, the federal government's strategy has been "the cloud first". There is no doubt that the major American players are well positioned to take the bet. Even though these companies have built server farms in Canada and more particularly in Québec thanks to the presence of cheap and abundant hydroelectricity, they remain American and therefore subject to American laws. Whether we admit it or not, this general relocation of content raises the question of Canadian sovereignty. It is as if transborder data flows have left the spotlight – in April 2019, the Office of the Privacy Commissioner of Canada launched a ‘Consultation on Transborder Data Flows’, but it seems to be more of a rearguard battle that is limited to citizens' right to consent or not to the disclosure of their personal information outside Canada.51

However, recent events attest to the highly political nature of the use of IT by the United States. From Edward Snowden's revelations in June 2013 on online information collection to the Huawei case in May 2019, which cut off the Chinese company's access to American technology, history teaches us that anything is possible. It is therefore not surprising that both the German Minister of the Interior and the French Minister of the Armed Forces have asked their respective industrial sectors to urgently develop technologies to take over the foreign technological presence on their territory.

When the interests of the major powers are blanketed, as is currently the case, what is the value of the contractual agreements between the Government of Canada, including the various provinces that do the same, and foreign private companies?

50 “Post USMCA: Canada is still the right choice for data sovereignty”, ROOT Data Center, 17 January 2019. Branko Vlajin, “Cloud Storage in Canada: A Safe Haven in 2019?”, Cloudwards, 11 September 2018.

51 “Consultation on transborder dataflows” and “Consultation on transfers for processing” (reframed discussion document), Office of the Privacy Commissioner of Canada (OPC), 9 April 2019 and 11 June 2019. “Government of Canada White Paper: Data Sovereignty and Public Cloud”, Treasury Board of Canada Secretariat, 2018.

“The long-term issue that critical infrastructure will face has less to do with skill shortages than with larger questions to be asked around sovereignty. What is the level of sovereignty in critical infrastructure that each country needs to have? This covers digital sovereignty as well. So how do we ensure that the products and devices being installed and used in critical infrastructure in Canada are sovereign? And is that doable? Can we create enough Canadian technologies to fulfill the needs of our critical infrastructure? This also requires interoperability in communications between technologies. This is the kind of incredibly large issues we need to tackle.”

Tyson Johnson, CyberNB

Germany and France are actively pursuing a policy of technological independence in the field of cloud computing.


However, there is a Canadian industry of cloud providers including telecom giants Telus and Bell Canada and many pure players: Long View Systems, Cogeco Peer 1, iWeb, RackForce, CentriLogic, Coveo, Micro Logic, SherWeb, etc. The problem of these players is their relatively small size and lack of visibility in the market.52

Solution Track 8: A Question of Sovereignty

The cloud computing dimension is at the heart of cybersecurity. Canada has so far played its energy advantage in a purely commercial way: attracting the big US players (Microsoft, IBM and Amazon) through advantageous pricing (especially in Québec). This policy would benefit from being complemented by a vigorous action to support Canadian suppliers of cloud computing solutions. Two measures could have a structuring effect on the maturation of the Canadian cloud-hosting industry.

- Creation of a support unit within the Ottawa-based Cyber Centre to establish permanent consultation with providers of cloud solutions and cybersecurity services in general in order to (1) inform them in advance of government needs and (2) play an advisory role to help them meet the Government of Canada's quality standards;

- Installation of a co-location facility to house cloud solution providers. The building should meet the highest safety standards: secure access to Internet, disaster-resilient, emergency power supply, etc. A redundancy agreement could be concluded with CyberNB, which is currently constructing such a building in Fredericton (Cybersecurity Business Park). The operation of this facility could be entrusted to a neutral organization such as In-Sec-M or an ad hoc group of IT stakeholders.

Generally speaking, it is important to instill a Canadian national vision into all IT decisions.

52 Mandy Kovacs, “Who is the top public cloud provider in Canada?”, IT World Canada, 15 March 2018. Dave Yin, “Top 10 Canadian cloud providers revealed: IDC Canada”, Channel Daily News, 20 February 2015.


Appendix 1 – Case Studies

The companies that are the subject of a detailed presentation were selected based on their membership in the manufacturing sector and critical infrastructure in order to provide as complete an overview as possible of the various uses of cybersecurity. It is therefore not a ranking of the best companies chosen on the basis of any comparative criteria (best practices, adaptation of governance, technological innovation, etc.).

The length of the case studies varies greatly from one company to another and should not be seen as a value judgment: just because a case study is detailed does not mean that the company is necessarily more innovative, active or valuable. Rather, it should be seen as a reflection of the leaders' policy on information sharing: some of them were very generous with their time, others had reservations about some issues that they considered confidential.

List of Case Studies:

- Aéroports de Montréal (ADM)
- Agropur Dairy Cooperative
- Air Canada
- APN Global
- ATCO
- Business Development Bank of Canada (BDC)
- Canadian Broadcasting Corporation (CBC)
- Canadian Nuclear Laboratories
- CIO Association of Canada (CIOCAN)
- Cisco Canada
- Computer Research Centre of Montréal (CRIM)
- Concordia University
- CyberNB
- Desjardins Group
- Difenda
- In-Sec-M
- Industrial Alliance
- Kryptera Technologies
- Ontario Provincial Police (OPP)
- Public Safety Canada
- Royal Bank of Canada (RBC)
- Secretariat of the Treasury Board (SCT)
- Siemens Canada
- Sobeys
- Société des transports de Montréal (STM)
- Toronto Police Service (TPS)
- Union des Municipalités du Québec (UMQ)
- Xittel Telecommunications


Aéroports de Montréal (ADM)

975 Roméo-Vachon Blvd. North, Suite 317, Dorval, QC H4Y 1H1 514 633-2697 www.admtl.com

Contact: Aymeric Dussart, Director, Technology and Innovation

Basic data:
- Founded: 1992
- Headquarters: Dorval
- N. of employees: 650
- Main activity: Airport transport
- Clients: 20 million passengers

Mission:
- Ensure the provision of quality airport services that meet the specific needs of the community while seeking efficiency, safety and security.
- Contribute to the economic development of the Greater Montréal Area (GMA), in particular by enhancing the facilities for which it is responsible.
- Maintain harmonious cohabitation with the community, particularly with regard to environmental protection.

Strategy: ADM intends to succeed in its various sectors of activity – airport, real estate and commercial services – and to develop each of its platforms to their full potential.

Means: ADM includes two airports:
- Montréal-Trudeau International Airport acts as a hub for domestic, cross-border and international passenger transportation and stands out around the world for its quality of service and safety.
- Mirabel's aeronautical and industrial park is being developed as a world-class all-cargo airport and aerospace hub.

Markets: Canada and the world

Cyber Issue: Moving from a defensive to a proactive posture by focusing on artificial intelligence and the mobilization of all ecosystem stakeholders.

Professional Experience

Aymeric Dussart holds a master’s degree in information systems from the École des Hautes Études Commerciales (HEC Montréal). Early in his career, he joined Hydro-Québec as a business process analyst and then became manager of both SCADA operations and the global energy trading market. In 2012, he joined ADM as an air traffic data analyst. After a stint in the Business Strategy group, he accepted the position of Director of Technology and Innovation. His task is to ensure the protection of all aspects of ADM's technological systems, including operations, system evolution and cybersecurity. To support him, there is a person specialized in cybersecurity who coordinates the work outsourced to many large consulting firms.


Background Information

Montréal-Trudeau International Airport welcomes 20 million passengers, making it the third busiest airport in Canada after Toronto-Pearson and Vancouver. ADM is renowned for its performance in clearing snow from runways and taxiways and de-icing aircraft in winter, which earned it the first American Balchen/Post Award in 2008 for the “major airports” category. ADM has 650 permanent employees, but this figure does not include the 27,000 stakeholders who work in check-in, customs, border police, restaurants and shops (regular and duty-free), information kiosks, maintenance, handling, luggage management, traffic and physical security.

IT Organizational Structure

The permanent IT team consists of 80 employees, with approximately 40 additional contract employees. In the organizational chart, Aymeric Dussart reports to the Vice President Finance, who in turn reports to the President. He considers this structure to be very effective and to facilitate the exchange of information. He explains: “The Vice-President has an overview of ADM's corporate risks. He shares information and contributes to putting technological risks into perspective.”

Overall, ADM manages more than 1,000 workstations. In addition to this number, there are display booths and those of the various stakeholders that are independent of ADM but are included in ADM's overall IT management system.

The technological risk assessment and the strategic development plan are submitted to the Board of Directors every three years. Previously, it was a five-year plan, but the rapid development of technology has reduced it to three years. In addition, ADM has opted for a rigorous preventive approach in recent years: audits, risk analysis and revision of the plan are carried out on a fixed date, sometimes monthly or quarterly. Aymeric Dussart explains: “Regular document submissions allow us to accurately measure our progress and revise success indicators, if necessary.”

ADM relies heavily on outsourcing for its IT. While the company owns and operates its own data centres, it is increasingly using cloud computing. Similarly, office automation, such as Windows 365, is in the Microsoft cloud, while other applications have joined the Amazon cloud. When new vulnerabilities arise in the environment, ADM reassesses the risks.

Like IT, cybersecurity relies heavily on outsourcing, typically to large and experienced firms. As a result, KPMG was entrusted with the management of the SOC as well as the audit, management and analysis of incidents. Aymeric Dussart explains: “Every three months, KPMG reports to us on the intensity of the attacks. As these attacks continue to increase, we review the risks and measures to be taken together. Gradually, cybersecurity is becoming more and more cumbersome and complex. I can't entrust all the contracts to KPMG, so I also turn to CGI. Each of these firms has its own area of responsibility.”

The quarterly reports are presented to the Board of Directors, which invariably discusses their content. “The exercise has an educational value,” says Aymeric Dussart: “Gradually, everyone at ADM, from Board members to kiosk managers, becomes a cybersecurity specialist. And that's good.”

Talent Crisis

The lack of IT specialists is hitting ADM hard – and ADM is no exception – especially in the field of cybersecurity. Here is how Aymeric Dussart explains his preferred solution: “I would have liked to have had a few more resources in the cybersecurity group, but there are few of them, and the salaries are high. One of the main reasons I outsourced cybersecurity is the scarcity of talent. Now it is up to KPMG to solve the talent acquisition problem. This allows us to focus on defining the main strategic orientations for cybersecurity and on linking them to the airport's management needs.”

Employee Training

ADM devotes significant resources to cybersecurity training for its non-IT employees. A Learning Management System (LMS) has been developed that offers courses in the form of animated video clips. Its purpose is to make the subject entertaining rather than to present it as a punishment. That's why ADM's online training program focuses on educational cartoons. Aymeric Dussart is proud to be able to say: “I have seen executives having fun watching the course.”

Insurance

For several years now, ADM has been taking out cybersecurity insurance. However, as ADM has never been attacked, the effectiveness of the hedging plan has not been tested yet. Also, Aymeric Dussart plans to conduct a complete review of cybersecurity insurance: “In 2019, I must assess whether the coverage is adequate in relation to our exposure. Moreover, insurers are evolving rapidly. Some of them offer their customers cybersecurity services to proactively protect them. They have become as sophisticated as IT consulting firms.”

Culture of Cooperation

ADM has links with several organizations in Ottawa, including the new Canadian Centre for Cyber Security, as well as with its institutional partner, NAV Canada (air-traffic control), and its regulator, Transport Canada. In addition, ADM is working with other Canadian airports to create a large aviation ecosystem. Once a year, Air Canada and NAV Canada organize a cybersecurity meeting on the theme “Stronger and Safer Together”. Now in its fifth year, this event is called the Annual Cybersecurity Summit and brings together the entire broader aviation community. Aymeric Dussart attended several times: “Everyone participates, and everyone leaves the Summit with new knowledge. Among other things, we see how airlines and even regulators benefit from the perceptions of other players in the ecosystem. In addition, it gives us the desire to go further and build partnerships.”

Issues

ADM's maturity level is comparable to that of other Canadian airports. For Aymeric Dussart: “This is a normal situation. We exchange and compare ourselves continuously. In the absence of Canadian cybersecurity standards for airports we create our own and call them: basic hygiene measures. These provisions are the same as those of most airports in the world, with the exception of high-risk airports such as those in the United States or the Middle East.”

In general, cybersecurity is evolving towards greater proactivity. Airports have no choice, explains Aymeric Dussart: “To avoid losing the battle of cybercrime, we must move forward with more confidence. For 15 or 20 years, we have been stuck in a defensive position and this has not helped us. Today, we are testing tools based on artificial intelligence (AI) that will allow us to adopt an active defence posture. The new algorithms make it possible not only to detect an intrusion when it occurs, but also to anticipate it, based on the identification of anomalies in traffic or even in individual behaviour. We are already working with several cybersecurity providers and we plan to extend this collaboration to the academic world. For example, we plan to partner with Professor Debbabi's Concordia University Cybersecurity Centre and hire young interns who can ensure the safety of the next generation.”

Regulation

Government regulation can either foster the emergence of more robust cybersecurity or lead to the complete paralysis of an entire industry sector. Aymeric Dussart believes that interventions must be carefully balanced: “In 2018, the European Union introduced the General Data Protection Regulation (GDPR) to limit abuses of personal information. This is an example of a constructive directive. But that same year, the European Union classified airports as critical infrastructure. This choice requires airports to comply within a few months with standards as high as those in effect at nuclear power plants.”

Dussart sees flaws in this latter European directive: “An average airport does not have the financial means of a hydroelectric power plant, or a large oil company. To be beneficial in terms of cybersecurity the regulation must be adapted to the industry to which it applies.”

“In Canada too,” he adds, “airports are considered critical infrastructure, but unlike Europe, they do not have to comply with cybersecurity standards. Airport authorities obey basic hygiene measures established on the basis of consensus negotiated by ecosystem stakeholders – these normative practices emerge from the bottom up. There is a whole management framework to set in motion. Any organization with a direct or indirect link to the airport environment is involved in building resilience to cyber threats.”


Agropur Dairy Cooperative

4600, Armand-Frappier St Saint-Hubert, QC J3Z 1G5 450-928-5416 https://www.agropur.com/

Contact: Michael Glenn, Director, Global Architecture and Security – CISO

Data:
- Founded: 1936
- Headquarters: St-Hyacinthe
- N. of employees: 8,800
- N. of coop members: 3,163
- Activity: Milk production and derived products
- Clients: Canada and the United States
- Production: 2.6 billion litres of milk
- Revenues: $6.4 billion CAN

Mission: Stay true to the vision of sustainability of its members, who are the owners of efficient processing assets, by offering quality dairy products to its customers and consumers.

Strategy:
- Develop dairy products valued by consumers and be a supplier of choice for all of our business partners.
- Continue to grow by transforming milk into innovative, value-added products and ingredients.
- Create a dynamic work environment.
- Always keep in mind the long-term benefits of our members.

Means: Optimization of plants across Canada and the USA. Accelerate the production cycle of new products. Plant acquisition program.

Markets: Canada and the United States

Cyber Issue: Upgrading recently acquired plants and harmonizing IT-OT processes.

Professional Experience

Michael Glenn is Director, Global Architecture and Security, CISO, and has been with Agropur for over 18 years with a short intermission of 4 years with TD Insurance. He has also acted as Captain of the Health Services Administration of the Canadian Armed Forces from 1983 to 2014. He graduated from McGill University as Programmer-Analyst.

Background Information

Agropur has 39 plants across Canada, including 11 in the United States. More than 6,000 employees work in these plants. Its back office is managed by 14 ERP systems from various vendors such as SAP, Microsoft, SAGE and Oracle – the variety results from the company's acquisition growth strategy. Agropur’s goal is to centralize the 14 systems into a single ERP and in 2017 Oracle was entrusted with this task.


Agropur’s overall production lines are organized by specialty: milk, cheese, yogurt and other milk derivatives. The production equipment is connected to servers that integrate information gathering software for data collection and analysis, such as PI System – Production Information. The ERP interfaces allow information to flow in both directions: from product lines to ERP and vice versa. Much of the plants’ physical production is still manual. Automation is just beginning, and it started in the large warehouses.

Agropur's servers are located in two data centres: the first at the head office in Saint-Hubert and the second at CGI's offices in Montréal. However, Agropur does not rule out the use of the cloud. A growing amount of data is already managed from the cloud: Office 365 for office applications, OneDrive for files, Skype for telephony, ServiceNow for the call centres, Workday for Human Capital Management, Planview for user training projects, and Kronos for timesheets management – all the software and data are hosted in the Microsoft cloud.

The migration to the cloud led Agropur to redefine its concept of perimeter. The protection of resources by traditional firewalls had become insufficient and had led Agropur to focus on identity management. To ensure continuous monitoring of all processes, Agropur entered into an agreement early in 2019 with GoSecure to manage its SOC.

The Organization of Cybersecurity

As CISO, Michael Glenn reports to the CIO who answers to the CEO. The CISO’s team consists of a person specialized in analysis. The IT team has 230 specialists. Agropur's senior management is now very committed to the cause of cybersecurity, particularly OT. “It did not happen by magic,” says Michael Glenn. “Upper management lit up during a risk analysis exercise. We gave them the example of a possible misuse of the software that locks the electrical circuits of the machines during maintenance. If a malicious individual modifies this virtual lock, we explained, the maintenance worker would be snatched up by the machine. The Board immediately understood the connection between IT-OT security and the workers’ health and safety.”

In 2016, Agropur launched a comprehensive digital security program rather than a pure cybersecurity program – the company wanted to cover not only IT but also the company's physical operations. A charter – intended for all employees and managers in data or physical positions – was drafted defining a series of essentials: user training, identity and access management, multi-factor protection, etc. The application of the Charter of Digital Security was to be overseen by a Digital Security Governance Committee, which includes the CIO, the CFO, the Vice President of Human Capital and the Vice President of Operational Excellence.

The IT/OT Challenge

Agropur now focuses on the OT side. Securing OT operations is a challenge because the applications used in the production lines are interdependent with the operating systems of the manufacturing servers. It is sometimes impossible to update the server's Windows operating system because some of the applications in use are incompatible with the new version. All these situations add more constraints on digital security. Michael Glenn sums up the situation: "The two worlds have long functioned as two solitudes, but today communication between the corporate network and the factory network has become essential to complete the digitization of the production cycle."

Training

“Once our risks were reviewed, we felt that our greatest risk came from our users,” says Michael Glenn. The centralization process of the 39 plants created new risks. In response to the new situation, the Digital Security Governance Committee issued a directive that every employee who uses a digital asset must have successfully completed the basic IT-OT digital security training and a second training course in digital security social-engineering techniques, such as phishing. People who do not attend classes within the required period are denied access to the company's IT resources.

The courses use interactive online capsules and are delivered by Terranova on the Workday Human Capital Management platform which includes an e-learning application. They are supplemented by phishing tests. Michael Glenn describes the program: “We realized that from one year to the next, the improvements were minimal. We started by publishing the test results on the intranet and submitted the same tests again. We understood that awareness needed to be increased through the repeated dissemination of information.”

In 2016, Agropur launched an awareness-training program that everyone, from the bottom up, is expected to sign on to. The program is included in the Charter of Digital Security. The charter aims to educate all employees, including those who work on the physical side and who have only a limited exposure to computers.

Issues

One forward-looking ongoing project is to create a standardized IT infrastructure in each of the 39 plants so that engineers and other leaders can host their servers and applications and have them managed by head office. Michael Glenn explains: “At first, there was some misunderstanding on the part of managers on the fabrication side. But we worked it out through meetings and now there is an internal IT-OT community that brings together engineering managers from each of the 39 factories with IT specialists to share best practices. Now, plant managers are relieved. They no longer have to worry about updating the servers and support their maintenance and they can focus solely on their core business, manufacturing.” In the medium term, all of Agropur's efforts are focused on creating a fully automated "smart factory" and fully transparent processes, all in a secure environment.


Air Canada

7373 Côte-Vertu Blvd. West Saint-Laurent, QC H4S 1Z3 514-422-5213 https://www.aircanada.com/

Contact: Mel Crocker, Managing Director, Enterprise Services and Head of Technology

Data:
- Founded: 1937
- Headquarters: Saint Laurent, Québec
- N. of employees: 30,000
- Main activity: Air transport
- Clients: Consumers and businesses

Mission: Air Canada’s principal objective is to be among the best global airlines, to continually improve customer experience and employee engagement, and to create value for its shareholders.

Strategy: Air Canada focuses on five core strategies:
- Identifying and implementing cost reduction and revenue generating initiatives;
- Pursuing profitable international growth opportunities and leveraging competitive advantages by increasing connecting traffic through existing and new international gateways;
- Expanding and competing effectively in the leisure market to and from Canada;
- Engaging customers by continually enhancing their travel experience and providing a consistently high level of customer service;
- Fostering positive culture change through employee engagement programs.

Means: Air Canada implements measures to reduce unit costs and expand margins, including through fleet modernization and greater fleet productivity. Additionally, Air Canada seeks to improve its ability to generate incremental passenger and ancillary revenue, including through its improved suite of branded fare products and investments in technology to generate incremental sales.

Markets: Air Canada flies to 217 direct destinations on six continents, comprised of 64 Canadian cities, 57 destinations in the United States and a total of 96 cities in Europe, Africa, the Middle East, Asia, Australia, the Caribbean, Mexico and South America.

Cyber Issue: Air Canada concurrently addresses three cybersecurity issues: integrity of the aircraft, protection of customer privacy and a business continuity plan.

Personal background

Mel Crocker graduated in mathematics and physics and completed a master’s degree in software engineering from the Royal Military College of Canada in 2001. He began his career in the Signal Corps where he specialized in cybersecurity. He moved on to the Communications Security Establishment (CSE) which is Canada's national cryptologic agency. There he participated in several major projects on cryptographic key management, cryptographic systems and security. After having worked 20 years in national defence, he joined the defence firm General Dynamics. He oversaw the information insurance team which acted as a cybersecurity team.

Three years later, Mr. Crocker joined Enbridge, a first step outside the defence environment. He quickly climbed the ranks and was named vice-president and chief information security officer (CISO). The challenge of protecting an energy pipeline and its hazardous material is one of the most serious responsibilities in computer system operations. As CISO, Mr. Crocker strengthened the security capability of the company from both the IT and the Operational Technology (OT) side. This senior level of responsibility for a vital technology led to Mr. Crocker’s recruitment by Air Canada CIO Catherine Dyer.

Air Canada’s Perimeter

Air Canada has over 30,000 employees and operates a fleet of 390 aircraft, serving approximately 50 million passengers annually. Its main hubs are in Montréal, Toronto and Vancouver, with flights all across the globe to more than 200 airports. The company has started focusing more on expanding its international markets. Air Canada has initiated several major projects in information technology. As an example, Air Canada recently announced a new loyalty program for 2020 (Aeroplan), and the introduction of its new Amadeus Altéa Suite passenger service system (PSS) by the end of 2019.

Air Canada’s telecommunications network covers all of the locations serviced by the airline. Any gate agent around the world can communicate with personnel at a Canadian airport. The network is part of an extensive information system that includes a combination of data centres operated internally, as well as a substantial and growing cloud footprint.

At the application level, Air Canada runs over 500 systems with nearly a third of them being connected to the airline’s operations, doing everything necessary to safely and efficiently move people around the world. Nearly half are tied to the commercial activities of the airline, such as selling tickets, buying products, marketing, and everything associated with running a retail business. The rest are made up of applications related to the cargo business, vacation packages, affiliations with other carriers (Rouge, Sky, Jetz, etc.), and also with foreign carriers that are members of the Star Alliance network (Lufthansa, Swiss, Singapore Airlines, etc.).

The biggest IT project at Air Canada involves the PSS known as Res III – an IBM-based legacy system. It is by far the largest of the 500 systems. It manages such tasks as ensuring optimum passenger loading, payment processing for tickets, departure control, reservations, and inventory management. The engineering work to replace the 22-year-old system started in 2017 with the choice of the cloud-based Amadeus program.

Risks and Vulnerabilities

There are three different kinds of risks faced by airlines concerning cyberthreats. The first is the direct threat to the aircraft and passengers. 9/11 was a catastrophic warning to the airlines of the repercussions of compromised aircraft. While the emergency at that time involved a handful of individuals who were physically on board the aircraft, tomorrow it could be attackers using cyber tools to compromise aircraft remotely without any physical threat to themselves. Such an act could extend well beyond the affected aircraft and passengers, to significantly disrupt or damage the airlines’ supporting industries, and the confidence of the public in the safety of air travel.

Mr. Crocker describes how Air Canada manages such a threat: “We think about it at a high level and then we break it down into basic details. For example, control systems on the aircraft need protection. So, the separation between the control system and the Wi-Fi in the passengers’ section has to be carefully carried out. As the new aircraft are increasingly digitized, they generate terabytes of data at every flight; we must study how to move data on and off the plane in a secure way. Then, at the airport itself, we make sure that the air traffic controller’s assistance systems are not compromised by outsiders.”

The second significant risk faced by Air Canada stems from its retail activities. Customers expect their personal information, such as credit card data and loyalty program details to be strictly protected. These requirements are particularly complex as privacy is now heavily regulated in most jurisdictions. For example, the adoption of General Data Protection Regulation (GDPR) by the European Union will fundamentally reshape the way in which data is handled in every sector, including the airline industry. As Mr. Crocker summarizes it: “Privacy has become an important part of our business.”

The third and last type of risk faced by Air Canada is business disruption. “Its impact is less visual than hijacking a plane,” says Mr. Crocker, “you cannot make a movie about it, but the airline industry relies on IT to conduct daily business.” Air Canada must manage some 500 different applications and systems that interact in complicated ways. If there is a breakdown, whether intentionally or inadvertently, it could paralyze the company’s operations. This risk does not endanger employees or customers, nor does it infringe on their privacy, but all operations would be disrupted during an indefinite period. With the size of Air Canada, a significant disruption for an extended period could detrimentally impact Canada’s GDP.

A Cyberattack

In the summer of 2018, 20,000 accounts belonging to Air Canada customers – roughly one per cent of the 1.7 million users of the airline’s mobile application – were hacked. Between August 22 and 24, the airline’s internal monitoring analysts picked up an "unusual login behavior" on the mobile application which stores basic information such as a user’s name, e-mail address and telephone number, all of which could have been improperly accessed. Fortunately, the customer’s credit card information was encrypted and stored in compliance with PCI standards. On August 29, Air Canada contacted potentially affected customers by e-mail and asked them to reset their passwords using improved guidelines to further enhance security measures.

The ongoing challenge then became a matter of keeping the applications open for users, while countering the efforts of the hackers. As the latter were ingenious, every time a gate was closed, they would go around it. “It was a kind of cat-and-mouse game that went on for a little while as we were trying to ensure service,” explains Mr. Crocker: “We removed what was essentially a very small number of attack attempts from the bulk of legitimate traffic.” But the attackers became smarter. The cybersecurity team then chose to shut down the system and within three days they had released a hardened version of the application. The attackers persisted for a while but the new filter on the traffic in and out of the organization and a few fixes succeeded in keeping them out. To this day, the attackers remain unknown as they used very sophisticated ways to anonymize their attacks through bots coming from multiple countries.

“We are still dealing with some ramifications of that attack,” adds Mr. Crocker. “This is a horrendous situation for the customers and therefore for the company. The regulator is also involved, and every action must be thoroughly documented. Above all, we had to work twice as hard to prevent such a situation from happening again or at the very least to be able to detect and react very quickly.”

Organizational overview

The current team is made up of around 40 people and the CISO reports to the CIO, who then reports directly to the President and CEO, Călin Rovinescu. Mr. Rovinescu is very much aware of the importance of cybersecurity and speaks willingly about analytics. He wants to make sure Air Canada is not a laggard in the overall airline industry. In the past, Air Canada was not moving very aggressively in the area of cybersecurity, but under Mr. Rovinescu’s tenure this has shifted. Cybersecurity at Air Canada has traditionally been outsourced but recently it chose to repatriate some of the activities internally. The bulk of the cybersecurity budget goes to a number of external firms. Some are product vendors such as Microsoft, Palo Alto Networks, Check Point Software Technologies (firewalls), some are perimeter protection providers such as Akamai Technologies or Agari Data (e-mail protection) and there are also large service companies such as IBM and Deloitte. Occasionally, Air Canada organizes a tender to challenge its providers. The core of Air Canada’s cybersecurity is a Systems Operation Control (SOC) operated by Deloitte 24/7. Even though its performance is good, the airline industry has several unique needs. The new model to be implemented in 2019 will be an internal SOC, augmented by contributions from main vendors. Mr. Crocker explains the reasons for this solution: “We bring in-house the focus area we believe is unique to Air Canada, we keep in the industry the focus areas where they will always be stronger than ourselves, but we put them all under the same physical location very close to the operation centre for the airline.”

Cybersecurity strategy

Air Canada is currently in the process of reworking its cybersecurity strategy. One of the reasons is to respond to incidents more quickly. Until now, cybersecurity was tactical in nature: a series of projects and a list of operations to reduce risks in the short term. In the new strategy, there will be many established principles, as well as evolutionary paths that have been adopted by other airline companies. Biometrics becomes more important, as do user behavior analytics and fraud detection. The aim of the new strategy is to minimize the overall risk that Air Canada faces. At its core are the three pillars mentioned above: integrity of the aircraft, protection of customer privacy and business continuity. Furthermore, all new investment in cybersecurity will be allocated in a surgical way so as to make the customer’s life easier and more secure.

Cooperation

There are several national and international organizations specializing in cybersecurity, and Air Canada has a relationship with all of them. For instance, Air Canada participates in the Canadian Cyber Incident Response Centre (CCIRC), which is responsible for monitoring threats and coordinating the national response to any cybersecurity incident. It also participates in the Canadian Cyber Threat Exchange (CCTX), which collects, analyzes, and aggregates security information in order to prepare and issue alerts to its members. Within the airline industry, cybersecurity is addressed by the Aviation Information Sharing and Analysis Center (A-ISAC), which handles cooperation on relevant security information specifically for the airline industry. The A-ISAC helps the industry to prepare for and respond to threats, vulnerabilities, and incidents so that airlines can best mitigate their business risks. Air Canada is also part of the Star Alliance, which puts a lot of effort into cybersecurity.

Airline Industry Specific Challenges

The airline industry works on very tight profit margins and a very strong customer focus which means trying to minimize disruption or inconvenience to passengers. Cybersecurity is inevitably caught in a vice between these two principles. In the past, the general public has resisted the inconvenience resulting from safety measures. In recent years, though, this stance has changed. The public has a better understanding of what must be done to keep their information safe. As a result, within the Air Canada organization, there is no tension between the cybersecurity team and the marketing department - nor with the other departments that have customer contact. Data security has even become a competitive advantage and a sales pitch. Nevertheless, Mr. Crocker declares without hesitation: “I am not satisfied with where we are at now. I work hard to get to a better spot. I know that a healthy fear is not a bad thing. I do not want to give the impression our customers should be worried, but there are things we want to do better to keep them safe. Within two years, I want to be able to say I am starting to feel comfortable at the right risk level.”

General Obstacles

Many cybersecurity attacks focus on software vulnerabilities that may have had their origin in the desire to provide customers with convenience or speed of service. Mr. Crocker describes the process in detail: “The concept of minimum viable product leads to getting software out as quick as possible, whereas vendors protect themselves with terms and conditions that are insane. They basically waive their responsibility to keep their customers safe. If you want to run a business, you have to use Office 365. Likewise, in the passenger service system, Amadeus is the dominant player. As a result, there is not a healthy IT market.” The solution to this problem hinges on a decision on whether to hold software vendors legally accountable, or to establish new companies in particular areas with a more secure product. The government could play a role to make companies more accountable for their products. A good example of a beneficial government intervention is the GDPR introduced by the EU.53 “It was a bold move in the privacy domain,” comments Mr. Crocker. “Imagine a similar set of rules that would make software vendors responsible for cybersecurity breaches in their products. It is difficult to attribute blame when a significant incident occurs. But it is not impossible.” “I draw a comparison with the seat belt laws of the past,” adds Mr. Crocker. “For many years, cars did not have seat belts, then they had seat belts, but it was not mandatory to buckle up, and eventually they became mandatory. These changes took years, but now an automobile manufacturer would not even think of making an unsafe car.” Government intervention is indispensable in the software industry, but it is not sufficient. The market can play a role. As an example, starting in 2019, Air Canada is giving its employees the choice between Microsoft and Apple computers. The main reason for this move towards Apple is cybersecurity. Although Microsoft has greatly improved the security of its applications, there is still code in its products that is 15 years old. Apple does not need to issue many patches or upgrades to its applications because it does not have so many vulnerabilities and it has the benefits of a closed model where the hardware, the software and the operating system are developed together. As Mr. Crocker explains, “there have been other reasons to move towards Apple, such as usability, robustness, computers break less often, but a good chunk of the decision to go down this path is security.”

Air Canada is not the only company to send such a strong signal to the software industry. Surprisingly, the biggest company to have made the choice to adopt Apple is IBM itself. Its program, which started in 2015, also gives the employee the choice between a Microsoft product and an Apple product. At the end of 2018, Macs made up 25 percent of IBM's 537,000 active laptops. With 150,000 new laptops provisioned each year, the ratio is growing rapidly, with a target of 60 to 70% Mac adoption in sight. For its part, Air Canada expects that up to 50% of its employees will have chosen Apple within four years.

A Glimpse into the Future

One of the most significant improvements needed in cybersecurity concerns the identity of the user. Can proof be given that the user online is the one he or she claims to be? The ability to provide such a guarantee would keep the attackers out because they would be identified. A variety of advances are coming about in biometrics, analytics and big data that will give much greater confidence in the ability to identify somebody and also to watch for odd behaviors. For instance, analytics is great at finding anomalies. For many years, scientists have been working on user identity behaviour analysis to recognize what is normal and what is an anomaly, and to use the results to drive investigations and resolve cases very rapidly. In Mr. Crocker’s opinion: “Cybersecurity will become much more efficient as we apply more mathematics to it. The merger of analytics and cybersecurity holds a lot of promise.”

53 General Data Protection Regulation (GDPR)

APN Global

2659 Parc Technologique Blvd.
Québec City, QC G1P 4S5
418 266-1247
www.apnca.com/fr/

Contact: Yves Proteau, co-president

Data
Founded: 1969
Headquarters: Québec City
Number of employees: 160 (120 in Québec, 40 in California)
Main activity: Precision machining
Clients: Defence, aeronautics, high technology

Mission: We believe that perfection is non-negotiable. The APN commitment of perfection is your assurance that each of the parts that are delivered is absolutely perfect and, in all respects, meets the requirements of the customers.

Strategy: Integration of all company activities into a central Industry 4.0 system

Means: Automate manufacturing processes and management processes.

Markets: Exports 80% of its production to the United States, Mexico and Europe.

Cyber Issue: Security is not about making a one-time effort to meet certain criteria, but about maintaining a constant tension to deal with the full range of threats to the business.

Professional Experience

Yves Proteau has a bachelor’s and a master’s degree in Administration. At the onset of his career, he worked for 4 years as a management consultant for the IT firm DMR Group. During the next 14 years he specialized in ERP system implementation and in industrial production. He then joined his brother Jean in 2005 as co-owner and co-president of APN, a high-precision machine-making company with 2 plants in Québec and 2 in California. Mr. Proteau is also co-owner of Umbrella Technologies and Genetik Sports. He is very active in Québec's business community.

54 Perform is a non-profit organization whose board of directors is composed solely of industry representatives (employer and union).

Background Information

APN Global was created in 1969 by Claude Proteau, who sold the company to his son Jean Proteau in 1998. His other son Yves Proteau joined the company in 2004 and today, both brothers co-chair. The company is a member of Québec’s Sectoral Manpower Committee in Industrial Metal Fabrication (Perform)54. Yves Proteau defines APN's approach as follows: “Automation is not just about robots. Our factories were automated before we introduced our first robot55. Automation means, on the one hand, to automate mechanical processes that were previously done manually and, on the other hand, to automate the management processes.”

55 APN bought its first robot in 2016 and has now 10 robots.

APN’s automation cycle began more than 20 years ago with the acquisition of CNC machines. The first machines produced parts in several stages (set-ups). Everything changed in 2004 with the arrival at the helm of Yves Proteau, who imposed a vision of total automation. APN thus adopted the "bar-stock to the finished part" method, which consists of taking raw material which, when it leaves the machine, is transformed into a finished product. In 2007, APN moved to the Québec City Technology Park. “We chose a technology park rather than an industrial park,” says Yves Proteau, “and to further mark our difference, we built a research centre rather than a machine shop like any other.” In 2017, APN Global acquired the chromatographic valve manufacturer AFP Complex, in Thetford Mines, which was one of its customers. As a result, the pure machine shop APN became an Original Equipment Manufacturer (OEM). The next year, APN presented the beta version of a smart factory management software called Meta 4.0 at the Hannover Fair. This software integrates all of the organization's systems from ERP to computer-aided design and manufacturing (CAD/CAM) in order to generate an optimal data flow throughout the entire production process supply chain. The commercial launch of the software will take place in the course of 2019. Now, APN can add the title of software publisher to its long list of achievements.

IT Environment

Many companies want to switch to Industry 4.0, but few are willing to invest in IT infrastructure and software applications. The first two layers of the automation architecture belong precisely to infrastructure (routers, computers, cabling, sensors), and to software (management, operation and security). APN Global has its own team of six computer specialists working on programming and system development. Similarly, APN has developed its own cloud computing with servers in Québec and California that exchange data in continuous mode. Each server is duplicated in real time on the other servers for security purposes. The workstations are completely virtual. Yves Proteau has five regular workstations: one in Québec, two in California, one at his home in Québec and one at his home in California. Everything is perfectly transparent. When he travels, he connects his computer to the APN network and a complete workstation is at his fingertips including the telephone.

Security Issue

The security of APN Global is assured by Umbrella Technology, a 12-person firm that is responsible for the hardware and operating systems (OS) of the computers – but not the company's management systems. Umbrella Technology is co-owned by the Proteau family and the Umbrella management team and it has a wide variety of clients (APN represents around 5% of Umbrella’s clients). Umbrella Technology is built to protect and share experiences. The day that APN went digital in 2004, management had security in mind. Their first step was to deploy a formal strategy. The challenge was to give access to the network and machine controls to employees while maintaining a very high level of security. Yves Proteau explains: "The old security reflex would have been to erect a protective wall around the perimeter to be protected. But instead we wanted to open the system to give employees the ability to manage machines from their workstations." According to Yves Proteau, computer incidents are caused by obsolete equipment. One of the basic security measures adopted by APN is to update equipment regularly. Each operating system must be supported by the software publisher. APN will never work with Windows XP when Windows 10 is the norm. Even if it means changing hardware, the workstation or server is immediately updated. At APN, the average age of a computer is two years. Not one computer is older than four years. The other major principle is to train personnel in cybersecurity. Most of the attacks are due to hackers taking advantage of human errors or negligence. Social-engineering attackers take advantage of employees’ psychological weaknesses to extract from them confidential information or access to confidential information. APN has never conducted a proper audit because it believes that an audit only provides a snapshot of the situation. The company prefers to rely on Umbrella's ongoing analysis of its constantly evolving systems. As an example, if a suspicious email is spotted by one of the employees, it is compared with Kaspersky Lab's database, which keeps a constantly updated global register of unwanted addresses. In this case, the suspect email address is added to the Kaspersky database. All of APN's security is handled in this dynamic way, under constant redefinition.

Insurance

APN Global is in the process of negotiating insurance against the risk of cybercrime. The problem is that this type of insurance is relatively expensive and only covers a limited part of the risk. The cyber insurance market is new, and experts have difficulty assessing the risk.

Barriers to cybersecurity

Cybersecurity is invisible. Too often, companies think that because they have done an audit or a simulation, their cybersecurity posture is fine and then they resume their "normal" habits. This is illusory, a fake security. Yves Proteau states: "To ensure real security, we must maintain a constant approach, we must never lower our guard and, for this, always maintain a certain level of anxiety."

Future of Cybersecurity

Initially, cybersecurity was a marginal concern of computing. Today, it has become important and tomorrow it will be the core business of an organization. The security of a piece of software or an application will be valued as much as its technological performance. For example, when Canada is evaluating Huawei’s offer of 5G mobility, the government specialists question the security of Huawei’s infrastructure. When an organization deploys a new network, it requires that its suppliers are certified and that it can trust them. According to Yves Proteau, “Often, business leaders are not computer-literate, they do not know much about systems and networks and even less about security. In the near future, this knowledge will have to be part of the leaders’ thinking.”

ATCO Group

5302 Forand St. S.W.
Calgary, AB T3E 8B4
403-292-7500
https://www.atco.com

Contact: Steve Biswanger, Vice President, CISO; President of the CISO division of the CIO Association of Canada (CIOCAN)

Data
Founded: 1947
Headquarters: Calgary
Number of employees: 6,000
Main activity: Engineering company
Clients: Electricity, construction, or logistics industries

Mission: Build communities, energize industries and deliver customer-focused solutions like no other company in the world.

Strategy: Innovation, growth, and financial strength

Means:
- ATCO encourages its people to take a creative and innovative approach to meeting customers' needs.
- R&D allows ATCO to offer unique solutions that differentiate it from the competition.
- ATCO expands geographically to meet the global needs of customers. It develops value-creating greenfield projects and fosters continuous improvement through R&D. ATCO also continues to explore opportunities to acquire complementary assets that have future growth potential and provide long-term value.
- ATCO continuously reviews its holdings to evaluate opportunities to sell mature assets and redeploy the proceeds into growing areas of our company.

Markets: Canada, Australia, Mexico and Chile.

Cyber Issue: The transition of computer systems and some OT systems (measurement data, excluding control data) to the cloud requires the development of an identity authentication interface.

Professional Experience

With a degree in economics and a minor in psychology from the University of Calgary, a career as a stockbroker was waiting for Steve Biswanger. But a friend unexpectedly asked him to run the operations of his software company. This was the step that made him discover the technology field. Since then, Steve Biswanger has always worked for IT and cybersecurity companies, including a giant such as EDS. He also worked as a consultant for 10 years, until an oil and gas company called Encana hired him as director of cybersecurity. In February 2018, ATCO offered him the position of vice president, Chief Information Security Officer (CISO). As such, he was the peer of the Chief Information Officer (CIO).

IT Perimeter

ATCO has major operations in Australia and Canada, with Mexico and Chile in the development stage. Most of its activities are electric generation and transmission. The company has more than 8,000 workstations. The great majority are dispersed across Australia and Canada, which together account for 80% of ATCO’s workforce activities. The IT system is home-grown, and it is moving towards an off-the-shelf system as far as practicable. The IT department employs 60 specialists. It outsources to the Indian firm Wipro all the IT assets, including the SOC, which operates 24/7, and all special projects. ATCO’s perimeter is gradually changing. In 2018, it moved its ERP to the cloud and is currently in the process of moving all its data centers. The whole back office is in movement, and the front office will follow. It is a major three-year project.

OT Assets

Physically, ATCO owns its operational control centre (OCC) – the OT equivalent of a SOC. However, an OCC focuses more on availability than confidentiality. The OT environment of the physical assets, SCADA and IoT are currently segregated from ATCO's computer network. There is no direct link between the IT system and the OT system, although some data is exchanged between the two networks. “ATCO has adopted the DMZ model,” says Steve Biswanger. “The measurement data from the OT system is transmitted to a secure server within the headquarters building via a demilitarized zone (DMZ). To minimize risks, it is impossible to access OT systems from the Internet.”

Cybersecurity Strategy

Separate from IT, the cybersecurity team has 11 specialists operating in Calgary, Edmonton and Perth, in Australia. The CISO reports to the CEO and acts as a peer of the CIO. The goal of the current transition to the cloud is to accelerate business operations. This implies a close partnership with a few big cloud providers such as Microsoft, IBM, and Oracle. This choice is not coincidental, as Steve Biswanger makes clear: “We think that the very big cloud providers are security focused, so we know they are doing everything I would expect my internal team to do. While there are a bunch of small cloud providers which are quick to develop, quick to market, and not as focused on security. We may use them as a sandbox for developing a proof of concept, but not for our business and critical applications. We do not tolerate any security shortcuts.” As a result of its thorough cybersecurity approach, ATCO is slightly ahead of the utility sector on the IT side of the company and representative of the industry on the OT side. The performance of the IT infrastructure is due to the transition to the cloud, which allows for faster security upgrades than those OT systems remaining on the premises. According to Steve Biswanger, “companies that manage their data internally and keep legacy equipment tend to lag 3-5 years behind, due to the capital cost requirements.”

Transition Management

Moving a company like ATCO to the cloud includes changing all working habits. Steve Biswanger explains: “Going to the cloud is like installing a brand-new network. Take, for example, my ERP that used to sit in a 20-year-old data centre with a 10-year-old firewall. Now I get all the newest capabilities on updated equipment which are fresh and heavily secured.” As the OT side has not yet moved to the cloud, it still has to deal with legacy issues. But the regulatory regime of the OT side is less stringent than on the IT side because it focuses more on resilience than confidentiality. OT cyber-regulation merely tries to keep all public utilities to a common minimum level of protection. As a result, OT security is more process-driven than technology-driven. ATCO is contemplating the prospect of moving the data measurement side of the SCADA systems into the cloud within 12 to 18 months. Once done, ATCO can start applying new security technologies such as data analytics, artificial intelligence and biometrics. However, there are some limits to the OT migration, as Steve Biswanger cautions: “Bus control will never go to the cloud, probably not in my lifetime.” As Steve Biswanger puts it: “The advantage of SCADA systems is to remotely control all the assets, instead of having to send people on a truck when it is minus 30 Celsius to turn a handle on a pipeline. Remote control is faster and ensures worker safety. Indeed, SCADA systems produce big data, and now that we can handle large volumes of data, its value is much more than the simple savings from not having to drive around to fix valves. That is why, where SCADA used to be all about availability and integrity, it is starting to become about confidentiality because it collects the data from remote control.” The consequence of this gradual transformation of the OT environment is to create a new challenge that Steve Biswanger summarizes as follows: “How do we reconcile the value of data and the confidentiality that comes with it in an environment that was initially built for control? The solution would probably be the Internet of Things (IoT). SCADA would be exclusively dedicated to the control part of the system and then we would build a shadow or parallel network with IoT sensors to deal with the data.”

IT and OT Environments

ATCO is relying to an increasing degree on programmers and developers, which is a far cry from the traditional engineering company. Engineers have a very rigid quality assurance (QA) and engineering process, which is methodical and targeted at turning out very high-quality products. The world of software development is characterized by speed-to-market, and quality suffers as a result. Steve Biswanger describes the situation: “When developers code a new project that works smoothly, at low risk, everything is fine. The problem is when developers start getting involved in doing security controls. If they make a mistake, it has devastating consequences from the confidentiality perspective.” The challenge is to move the business quickly, to get access to information quickly – i.e. to give up a lot of engineering controls and to find other ways of supporting speed – while still being secure.

Attacks and Insurance Issues

ATCO is under attack every day. Most of the attacks are repelled, and the small number of incidents that still occur are all quickly controlled. No incidents required public disclosure, or even disclosure to the board of directors. ATCO did not take insurance even after carefully studying all the available insurance options. “Policies cover the remediation costs, i.e. they would cover the fees of a third party that is called after the incident for investigation and remediation,” noted Steve Biswanger. “But the insurance does not address any of the company’s lost revenue flow or any of the physical assets’ replacement cost. Indeed, ATCO believes that the main damages would be those that insurers do not cover and therefore, the company self-insures its total liability, including labour cost.”

Skill Shortage

“At the high end, the CISO level, it is hard to find people who have a deep understanding of cybersecurity and, in addition, of your industry,” observes Steve Biswanger. “At the low end, it is hard to find enough people to manage all the cybersecurity risks that exist on a day-to-day basis. Cybersecurity has become so broad: there is the technical aspect, the incident response aspect, government regulations, and risk assessment, which all require a different skillset.” ATCO does a lot of work with universities on building their academic programs so that they graduate students who are better adapted to the workplace.

Partnership

This is why, in 2016, Steve Biswanger created a CISO division inside the CIO Association of Canada (CIOCAN) in order to address specific cybersecurity issues while maintaining tight links with the CIO community. In doing so, the CISO division gives the CIOs a lot of information about cybersecurity issues. Conversely, it allows the CIOs to train the CISOs in the technological management of the enterprise, and in how to speak to the Board and catch its attention. This initiative paves the way for these two groups of professionals to strengthen digital innovation and security within Canadian enterprises. CIOCAN is a not-for-profit organization whose mission is to facilitate networking, sharing of best practices and executive development, and to collaborate on issues facing CIOs. CIOCAN has 400 members who deal with issues facing CIOs, and it builds a vendor-neutral community for the safe exchange of ideas and best practices. In many cases these CIOs also have cybersecurity accountability. CIOCAN is organized by chapters: Vancouver, Calgary, Edmonton, Winnipeg, Toronto and Ottawa. Montréal is in the incubation phase. Only the CISO division is based on a function and not a geographical region.

Future of Cybersecurity

In the past, when all the systems were integrated in the corporate data centre and all the employees worked in the same building, it was easy to control everybody’s access to whatever they were allowed to work on. The future entails moving more and more to cloud computing. “The big difference,” suggests Steve Biswanger, “is there will be less need for a corporate network and as we don’t have a corporate network, there will be no need for a firewall, Intrusion Detection System (IDS) and all the traditional security tools. But we will still have to secure data, so identity will become a lot more important. Now, if an employee is sitting at a desk in an office of the company, I may not know who he is, but I know I can trust him because he is at his desk in his office. If tomorrow he is connecting from a computer in an airplane, I absolutely need to know who he is and what he should have access to. So, I have to use two-factor authentication or biometrics to know who he is, and if I can trust the computer he is using. As I won’t have any network control available, I will have to put much more security at the application layer in the cloud. I will give this remote employee access to a specific part of the database if he is on a trusted computer, but I will deny access to this same part of the database if he is on an untrustworthy computer.”

Business Development Bank (BDC)

5 Place Ville Marie, Suite 100, Montréal, QC H3B 5E7
514-223-3889
https://www.bdc.ca/

Contact: Fred Bedrich, Vice President, IT, Internal Control and Cybersecurity

Data
Founded: 1944
Headquarters: Montréal
Number of employees: 2,200
Main activity: Banking
Clients: Canadian SMEs

Mission: A Crown corporation providing financing and consulting services to Canadian businesses with a focus on the needs of small and medium-sized enterprises (SMEs).

Strategy: BDC plays a complementary role in the market by offering loans and investments that complement the services of other financial institutions.

Means: BDC supports entrepreneurs in all industries and at all stages of development from 123 business centres across Canada and online.

Markets: Canadian SMEs.

Cyber Issue: Always stay upstream of the next wave of cybercrime.

Professional Experience

Fred Bedrich has about 40 years’ experience in information technology. He specializes in cybersecurity, analyzing technology strategies with business strategies, and applies quantitative information risk principles to achieve Board level understanding of the valuation of information risk. He has served as CISO for the BDC since May 2018. He oversees cybersecurity, compliance, cyber incidents, SOC, threat hunting, and cyber-forensics. Prior to his current position, he was CN’s CISO in charge of cybersecurity for all IS/IT, Operational Technologies and Rail Operations. He also served in some of Canada’s most prominent organizations such as Bell Canada, PWC, and CGI, delivering cybersecurity services for Canadian governments, law enforcement agencies and private sector financial services.

Background Information

BDC operates on a regional basis as an SME that is managed with the mindset of a large company. The bank has about 2,500 employees, which is relatively small when compared to the size and diversity of its activities. Everyone is very motivated by the institution’s mission to contribute to the Canadian economy. When you walk through the corridors of the Montréal head office, you feel a continual effervescence. Projects are born every day and are carried out with a single priority: the success of the client, that is to say the entrepreneur.

Organizational Structure

At the BDC, the CISO reports to the CIO. The IT security team includes a group assigned to cloud computing, an Internal Control and Certification (ICC) group, and the cybersecurity group itself. In total, the team includes 20 people and is expected to grow to follow the evolution of the bank in its digital transition. This is a relatively small team, given that it has to manage the Security Operations Centre (SOC), which operates 24/7. The generalization of Big Data results in the merging of databases that, independently, did not matter much, but once pieced together, become highly desirable to potential perpetrators. The main challenge of cybersecurity at the BDC is really this rising power of Big Data.

Digital Transition

A major transformation is occurring at BDC, as in the banking world as a whole. All sectoral stakeholders are studying how to adopt financial technology or fintech: online banking, mobile payments, cryptocurrencies, crowdfunding, etc. It is essential to adapt to the needs of customers who do not want to wait three or four weeks to know if their loan application has been accepted. For the SME, it is sometimes a question of life or death: a company can be forced to close its doors if it does not have its money. Suppliers and staff must be paid. The advantage of an SME is its ability to respond instantly to the needs of the market, but this in turn implies almost instantaneous access to liquidity. Entrepreneurs need a bank that can support day-to-day the evolution of the SME. BDC is redefining its operations to become more agile, which means being fully digitized. The entire funding process is analyzed, step by step, with the goal of assessing whether there is a more efficient way to proceed. All computer systems are revised accordingly. When a bank embarks on a transition of this magnitude, the question of security arises. There is a risk associated with gaining speed. When a financial institution speeds up the workflow, is it still able to control the risk? As Fred Bedrich explains, “We are doing systematic risk assessments of all of our business processes from the time a client files a loan application to the day he receives it, the terms of the disbursement, including the specificities of each financial institution he contracted a loan from. We are in the process of reviewing the entire supply chain according to the security. It is a ubiquitous issue.” The BDC must take into account the intellectual property of its clientele as well as its own intellectual property and make a clear demarcation between the two. There is also the regulation of privacy that must be followed scrupulously. Finally, the bank is subject to the obligation to report in the event of an incident, whether it concerns an intrusion or a breakdown. All these constraints come from the fact that today’s systems are open. Fred Bedrich summarizes the dominant trend in the financial sector: “We are now talking about the rise of computer data. Our focus is on the data and that is what needs to be protected.”

New Cybersecurity Trend

To protect this new virtual world in real time, you must switch from a reactive mode to a proactive or predictive mode. Tools must be able to detect anomalies and predict from their occurrence the type of threat that is lurking. Previously, one had to turn to boxes of use cases all printed on paper and it took days and even weeks to check to see if an organization was under attack or not. Today, a large number of use cases have been automated that provide for a series of special circumstances. BDC has launched an artificial intelligence (AI) and machine learning (ML) program that identifies threats from simple anomalies. This is also part of the three-year strategic plan currently underway to keep the bank upstream of the next generation of cybercrime. The plan is based on a series of hypothetical and predictive scenarios (what if and what next scenarios). Several avenues for optimizing talent are being considered because the shortage of human resources is critical. It is a global phenomenon affecting the financial sector, just like transport, energy, etc. The entire economy suffers from the same lack of qualified personnel. This brings with it another challenge: how to retain the most critical talent and how to attract the next generation of students. BDC is working with universities and colleges and plans to expand this collaboration with the Canadian Army Reservists as early as next year. They have incredible expertise. The army is one of the best schools in terms of security.

Networked Nature of Cybersecurity

A simple business lunch can become an opportunity to discuss the best practices of awareness between two organizations. This type of exchange is formalized by several groups such as, for example, the CIO Association of Canada (CIOCAN) or the Canadian Cyber Threat Exchange (CCTX). The associative network has an important role to play in experience sharing, not only in terms of best practices, but also mistakes to avoid, false leads, unnecessary waste. It must always be borne in mind that cybercriminals conspire with each other to commit their misdeeds, share tools, processes and personal data that they have stolen. Everything is on the “dark web” where millions of dollars circulate permanently. To stay ahead of this ever-changing threat, you have to do the same thing! Fred Bedrich insists “that cybersecurity cannot be provided by a team of 20 or 30 people, no matter how talented, but by creating constant exchange of best practices among the entire expert community.” BDC has established a Joint Risk Analytic Centre (J-RAC) that brings together scientists, data analysts, account executives to share experiences on trends, new policies or regulations in Canada and the United States, in Europe and elsewhere, or new threats on a global scale. BDC tries to identify the main trends that could have an impact on the bank.

Need for Simulation Games

BDC conducts regular safety audits and Red Team vs. Blue Team exercises where the Red Team exploits the vulnerabilities and the backdoors of the information systems to simulate an intrusion. Attackers try all the tricks available to them including phishing and pre-texting to gain access to the bank’s data. On the flip side, the mission of the Blue Team is to devise ways to defend, vary and consolidate defence mechanisms in order to strengthen the response to incidents. To this end, BDC is currently seeking an expert with military experience to beef up the scenarios of the Red Team. Fred Bedrich explains, "I want him to develop by the end of 2020 twisted models (playbooks) that exploit avenues of attack that we did not even think were possible. The goal is to push people to their limits." People from various backgrounds participate in these simulation games: operations employees, developers, architects, etc. Cybersecurity people are exploring so-called unconventional attacks because the threats that can hurt are not traditional. What is important is what one does not know yet. Everything is then studied, from the response time to the most advanced parry techniques. In general, the Red Team will play an increasingly important role in BDC’s defence strategy. For this purpose, external resources (consultants, specialized firms) are used to develop penetration testing that is highly effective.

Role of AI

In the opposite direction, BDC automated computer code testing because programmers could not track the development of the threat quickly enough to maintain acceptable cyber hygiene. Each program has three to five million lines of code. This is where AI comes in. Even before the new program is developed, as soon as a computer scientist develops some procedures and functions, they are analyzed and tested almost in real time to check that they do not include backdoors or buffer overflows. Cybersecurity is integrated into new programs from the design stage. There is nothing more dreadful for a programming team than to work for months and be told at the end that their product is not compliant: it is hard to change and, more importantly, it is bad for business: programmers have the impression that they are not being heard and customers see the delay as punitive. For a long time, the industry has considered cybersecurity experts as police officers; the challenge is to change this perception so that they are seen as catalysts that facilitate business, development and creativity for the delivery of new products. For this, it takes constant consultation that alleviates the binding nature of cybersecurity and, on the contrary, helps in the development of the product.

BDC has initiated a process to change its training/awareness program for employees. The principle is to switch from “shamification” mode to “gamification” mode. In the past, people were constantly disturbed by exercises such as phishing simulations to identify who was lurking. The new program reverses the scenario. Thus, employees are warned that the following Friday, at a given time, a phishing attempt will take place. The first three to identify the suspicious e-mail win a prize. This is just one example, but it illustrates the new approach of focusing on employee strengths rather than gaps. The training/awareness scenarios are not limited to the work environment, but they also include personal life, including social networks. Cyber criminals do not distinguish between the individual at work and the individual at home. The cybersecurity response must also be global. All venues are used to mobilize the employees: luncheons, webcasting, guest speakers, press releases, etc. Conversely, BDC employees are invited to speak in the industry. It should not be forgotten that SMEs are often poorly equipped for cybersecurity. Indeed, specialists are rare and require high salaries. SMEs cannot afford to hire people of this calibre. In the best of cases, they use the services of cybersecurity firms – there are some excellent ones in Québec.

Risk Management

BDC has not experienced major incidents. But it is continually under attack – like all financial institutions. To this end, the bank has put in place a crisis management program. When a crisis breaks out, everything happens very quickly. The future of the institution depends on how the crisis is managed in the first five minutes. There is no time to convene a committee to decide on the shutdown of the compromised servers and, consequently, on the suspension of services rendered to clients. Every action to be taken must be planned in advance and validated with the bank’s lawyers. BDC has therefore created a series of scenarios that are ready for use in the event of a computer incident. Everything is recorded in advance, including internal or external press releases, calls to be made, messages to be transmitted, etc. Each scenario was subjected to a general simulation so that everyone knows their role.

Attacks are becoming more sophisticated as hackers are also using Big Data and ML to orchestrate automated attacks. In the near future, the criminals’ robots will be able to study how the bank reacts to an attack, learn in real time and modify their behaviour accordingly. The BDC does not have an ATM service and a mass clientele, but that does not put it in a less risky situation. Hackers use browser robots that are constantly looking for information of any value. As such, the bank is a target of choice.

Canadian Broadcasting Corporation (CBC)

Media Technology and Infrastructure Services (MTIS)
400 René-Lévesque Blvd. East, suite 1732, Montréal, QC H2L 2M2
514-597-6000
www.radio-canada.ca

Contact: Michel Arredondo, Information Security Senior Director

Data
Founded: 1936
Headquarters: Ottawa
No. of employees: 7,000
Core activity: Radio, television and web broadcasting
Clients: Canada and the world

Mission: Provide Canadians with honest information.

Strategy: To become much more local, more digital and more ambitious in our programming.

Means: To successfully transform the way it engages with Canadians, the CBC needs to:
- develop more Canadian content and expand it to new platforms;
- form new industry partnerships to further opportunities for telling Canadian stories;
- reduce its physical footprint to put money where it best serves Canadians, that is the programming;
- bring more great Canadian content to its audiences.

Markets: Canadians at home and Canadians abroad

Cyber Issue: Evolution of the governance of the organizations to upgrade the position of CISO and make it a vice-president or equivalent directly related to the CEO.

Professional Experience

Michel Arredondo has worked at the CBC for five years and has nearly 30 years of experience in cybersecurity. He chose this career through a combination of circumstances. He was a telecommunications analyst at the food retailer Métro-Richelieu when, following the departure of a co-worker, he was offered the chance to take charge of the recovery. He was subsequently recruited by the French pharmaceutical company Sanofi, where he was given overall responsibility for the security of websites. The function pleased him so much that he returned to university to earn two certificates. It was during the "Year 2000 bug" preparation that Sanofi's management asked him to take charge of the actual cybersecurity of information systems. Michel Arredondo holds a master’s degree in IT Security and Security Governance from Sherbrooke University, two certificates from UQAM, as well as multiple IT certifications, the latest being Cloud Certified Security Professional (CCSP).

Organizational Structure

At the CBC, the position of Chief Information Security Officer or CISO was created five years ago. The CISO reports to the Senior Vice President, Infrastructure and Technology Services. The cybersecurity team has 18 specialists shared between Montréal and Toronto and has strong support from senior management. There is no IT division per se, as development, operations and cybersecurity IT specialists are integrated into the Technology Services division. Purely IT positions account for approximately 300 people. The CBC has close to 7,000 employees and 10,000 workstations because many contractors, artists and freelancers come to work in the crown corporation. There are also about 2,000 servers that are in the process of progressive virtualization. They have geographical or functional roles (support for ERP for example). These servers meet the needs of a complex structure that includes 27 television stations, 88 radio stations and a digital station. It is extended by seven permanent offices abroad – in Washington, New York, Los Angeles, London, Moscow, Jerusalem and Beijing. In total, the CBC has the largest distribution network in the world: 400 physical sites are equipped with satellite-linked antennas strategically located in the provinces and territories. Other broadcasters serve a large territory, but they do not own their distribution networks. “We need these infrastructures,” says Michel Arredondo, “because nobody else would install them. Our mandate requires us to serve communities of a few hundred people in the far north. This is part of the ethical values of the CBC.” The big change happening at the CBC is the complete digitization of all production and processes. In the past, TV journalists recorded an interview on a tape, took it to a video player for viewing, and then to an editing table where a new tape was produced that was eventually sent to a projector for broadcasting – not to mention parallel archiving of the cassette or a copy. Today, a digital broadcast can be produced, edited and distributed from one computer.

Cloud Transition

Whenever possible, applications are sent to the cloud. However, the latency constraints of radio or television broadcasting prohibit the CBC from processing everything in the cloud. Arredondo explains: “If you see someone on television whose voice does not synchronize with the picture, you have a problem. That's why some workflows will never go into the cloud. Maybe 30 or 50 years from now, it will be possible to have the whole broadcasting and broadcasting process in the cloud, but I don't think I see that in my lifetime.” Since the CBC is too large, and above all too diverse, to outsource all its applications and data to a single cloud service provider (CSP), it does business with several companies: Microsoft Azure, Google, Amazon, etc. Michel Arredondo does not think that hosting CBC content in US cloud computing solutions poses a problem: “Agreements with these companies do not allow any third party to access our data. We often talk about the powers granted to the American Government by the Patriot Act, but it is a threat that is more theoretical than real. In fact, most US providers are installing server centres in Canada: Microsoft has deployed two server centres, Amazon already has a server centre and will soon open a second one to have the necessary redundancy.”

Cybersecurity Strategy

The CBC's cybersecurity strategy is deployed over a three to five-year cycle. The cyberteam re-evaluates its technological relevance every year. Equally important, cybersecurity goals must be aligned with those of the development of the entire organization. In practice, things can vary somewhat, says Michel Arredondo: “We completed earlier than planned the cybersecurity work that was to be completed next year, as part of the CBC's Strategy 2020, which focuses specifically on digitization. We have been diligent, so we plan the strategy from 2021 to 2026 one year in advance.” In general, the cybersecurity strategy aims to improve the level of maturity of operations, which means protecting the confidentiality and integrity of information assets by increasing the capability to detect and reduce incidents. It is a layered defence in which each layer is dedicated to a particular function such as early detection or early protection. Although the Crown corporation is not subject to PCI-DSS or SOC2, it routinely conducts audits, attack simulations and risk assessments. It is not covered by specific cybersecurity insurance, although it is studying the possibility. Some of the general insurance clauses in effect at the CBC cover certain elements of cybersecurity, but there is still a need to negotiate insurance that covers the cost of the impact related to an incident and the response plan. To do this, it is necessary to determine the levels of control, to proceed to the classification of the risks according to the categories of impacts and then to quantify the coverage accordingly. Each type of attack must be measured against possible scenarios. Says Arredondo: “This exercise is all the more complex, because the insurance offer is still underdeveloped. There are coverages, but they are often incomplete.” The CBC has a Network Operation Centre (NOC) operating 24/7. The NOC ensures the proper functioning of the network and its availability. As such, it generates alerts in case of problems. Its Security Operations Centre (SOC) is still embryonic because it only works during the day. However, it provides real-time security incident detection services that are very advanced. Michel Arredondo explains: “Our goal is to bring it to the 24/7 stage as well, but to manage such a SOC, it takes at least seven people and the team is still too immature. Another solution is to match the SOC with the NOC for the security function.”

Attacks

The CBC faces daily attacks that the cybersecurity officer describes as “minor, but irritating,” that is, they do not cause significant material damage. Michel Arredondo recalls “that the average time for an attack to occur on an unprotected Internet point of presence is 15 to 20 minutes. It is also the time we need to recover from an incident and the damage we suffer is minor because we are protected by multiple layers of protection. But I like the expression which says that in technology, one thing is sure: it will happen one day!” The broadcast industry has been particularly vulnerable to cyber-attacks since the incidents of Sony Pictures Entertainment (SPE) and TV5 Monde. In November 2014, SPE employees saw a skeleton image on their computers, accompanied by a blackmail message. The hackers threatened to make public the movie "The Interview", which parodied the North Korean regime and had recently been shot in Sony studios, but not yet released. The company gave in to the blackmail and removed from the program a film that had already cost $80 million in production and promotion. The personal data of the employees of the Sony group were nevertheless transmitted by the hackers to the Wikileaks site, which published them. The FBI suspects the North Korean secret service of having been responsible for the operation [56]. In April 2015, it was the turn of TV5 Monde to be the target of a cyber-attack. The broadcasting infrastructure of this French international television channel was neutralized at the same time as its backup infrastructure. The channel, which broadcasts in 200 countries for 50 million viewers, displayed a black screen. The management initially believed it was a technical failure, but soon after, the internal mail server was destroyed in turn. To stop the attack, the technical teams then isolated the entire computer network. The signal was gradually re-established the day after the incident, but the entire contingency plan cost about €20 million over five years to replace the infected equipment and invest in new cyber security systems. The investigation showed that the attack was made possible by a phishing operation sent several weeks before to all TV5 Monde journalists [57].

Awareness

Radio-Canada’s 7,000-employee awareness program is designed to address the various groups of employees and their interests. Awareness aims to identify and reduce misconduct by informing the target population of the problem and explaining where to find appropriate resources. Unlike training, there is no learning as such or practical work. “Indeed,” notes Michel Arredondo, “when a person inadvertently makes a mistake, he or she inevitably justifies it by saying: Ah, I didn't know! Our goal is to show (1) that this happens and (2) this is how you can get yourself trapped by phishing, viruses, etc. If the person wants to know more, he or she has to take a training course and, in principle, it’s only for IT people.” Michel Arredondo continues: “Typically, an awareness campaign lasts three years and uses different means depending on the group: classroom courses, video clips, newsletters, posters, etc. Everyone is targeted: journalists, artists, senior management and costumers.” The details of the campaign remain confidential to prevent hackers from being too familiar with the practices of the crown corporation, its vulnerabilities, or simply its approach to security.

Cooperation

Michel Arredondo works with various professional associations specialized in cybersecurity to share information – often confidential information that does not fall outside the narrow circle of cybersecurity officials. This allows the assessment of the maturity of cybersecurity in participating organizations and the exchange of best practices of protection. These specialized clusters include: North American Broadcasters Association (NABA), the OTSI Network of Action TI and the new Canadian Centre for Cyber Security. However, there is no contractual cooperation between the CBC and universities in the area of cybersecurity. In terms of benchmarking of cybersecurity in the broadcasting sector, the CBC is ahead of comparable companies in Europe, but behind US companies. “I was recently discussing with the CISO of Home Box Office,” says Michel Arredondo. “HBO’s budgets are out of proportion to ours, so it has a much higher level of maturity, much larger teams and much depth across the entire safety ecosystem. But the value of the assets to be protected is not the same: every Game of Thrones episode costs $15 million to produce.”

[56] Antonio DeSimone & Nicholas Horton, "Sony's nightmare before Christmas" (The 2014 North Korean Cyber Attack on Sony and Lessons for US Government Actions in Cyberspace), Johns Hopkins University Applied Physics Laboratory, 2017, 31 pages.
[57] Martin Untersinger, "Le piratage de TV5 Monde vu de l’intérieur", Le Monde, 10 June 2017.

Barriers to Cybersecurity

“The biggest obstacle to robust cybersecurity is money,” says Michel Arredondo. “It is not only necessary to acquire new technologies, but also to organize cultural changes in order to adopt new ways of operating. The bulk of cybersecurity spending is therefore not on the capital investment side, but on the operational expenditure side. In terms of funding that means you cannot capitalize; you have to put in operational money. All companies face the same problem that greatly limits the development of cybersecurity programs.” The shortage of cybersecurity specialists is another obstacle to cybersecurity. According to Arredondo, “the most recent studies agree that there are about 30% incompetent specialists in the labour market. If we look at the case of Montréal, the situation is further aggravated by the presence of major cybersecurity projects that monopolize the best resources. The few quality resources that remain require astronomical wages. This results in a very difficult recruitment.”

The Future of Cybersecurity

The cybersecurity situation will not improve. The criminals have understood in recent years that they no longer need to attack passers-by with a revolver to extort money. It is more profitable to do it electronically and anonymously. Several countries are doing the same and are extending their armies with teams of hackers who have first-rate skills. Moreover, all these criminal or state activities can be funded from the exploitation of victims through social engineering. This is relatively easy because all applications have vulnerabilities. The result is that everyone can get their identity stolen. On the dark web, one can buy fictitious identities in whole lots that will include credit card numbers, passports, driving licenses, etc. for a few dollars per person. The threat will therefore continue to grow. The use of artificial intelligence (AI) and machine learning (ML) will partly counter this trend, but it will require major efforts on the part of human resources. “These efforts will be even more difficult,” predicts Arredondo, “given that these new technologies are still embryonic and unfriendly. Yet, it is necessary to adopt them as is because it is humanly impossible to cope with all the incidents that can occur in an average company.” “Governance will have to evolve rapidly,” says Michel Arredondo, “because today most of the CISOs are middle or, at best, senior managers, whereas they should be vice-presidents and report directly to the president and CEO. Alcan and Bombardier have already upgraded the CISO function and have merged all physical as well as cyber risks in one position. It is essential to have a single risk discourse and a single decision point to organize the countermeasures. At the CBC, the situation is moving in the right direction, as I have already been asked twice to submit a report on cybersecurity to the Board of Directors.”

Canadian Nuclear Laboratories (CNL)

286 Plant Rd. Chalk River, ON K0J 1J0 866-513-2325 www.cnl.ca

Contact: Tom Vaughan, Manager, IT Security & Compliance

Data
- Founded: 2014
- Headquarters: Chalk River
- N. of employees: 3,000
- Main activity: R&D
- Clients: Canada and the world in various sectors

Mission: Advancing nuclear science and technology for a clean and secure world and be a world leader by offering unique nuclear capabilities and solutions across a wide range of industries.

Strategy
- Restore and protect Canada’s environment by reducing and effectively managing nuclear liabilities.
- Provide the world with sustainable energy solutions including the extension of reactor operating lifetimes, hydrogen energy technologies, and fuel development for the reactor designs of tomorrow.
- Demonstrate (with various partners) the commercial viability of advanced reactor designs including Small Modular Reactor (SMR).
- Work collaboratively with medical/educational institutions and pharmaceutical companies to pioneer new alpha therapies for cancer treatments that save countless lives.
- Leverage all of CNL capabilities for commercial success in Canadian and international markets.

Means
- Leverage the most effective industrial partnerships of any national laboratory.
- Gather the world’s brightest innovators on CNL campuses and create a vibrant community.

Markets: Nuclear industry and healthcare.

Cyber Issue
- Chalk River’s remote location campus makes it difficult to recruit IT specialists, engineers and technical staff.
- Need to increase the level of government funding and the volume of commercial sales to fund new projects and to provide employment in the community for many trades, suppliers, and supporting businesses in the coming years.

Professional Experience

Tom Vaughan joined the Canadian Nuclear Laboratories (CNL) 13 years ago. Prior to that, he worked for AECL for eight years. CNL’s official reporting structure is straightforward: the IT security manager reports to the CIO who reports to the vice president of finance who informs the CEO. The uniqueness of the structure is its legacy component.

Background Information

Canadian Nuclear Laboratories (CNL) does not produce electrical power, but it is Canada's largest private science and technology complex. CNL is a spin-off from Atomic Energy of Canada Limited (AECL) and acts as a contractor to operate the assets of its parent company. Following a call for tenders, AECL selected in 2015 a private consortium consisting of CH2M Hill, SNC Lavalin, WS Atkins and Fluor (Canadian Nuclear Energy Alliance) to manage and operate CNL. The selected private-sector contractor has received all necessary licenses to operate Chalk River Laboratories and two other campuses located in Manitoba (Whiteshell) and New Brunswick (University of New Brunswick). It also obtained the license to operate until 2028 the Chalk River reactor, which produces about 50% of the world supply of the Tc99m isotope. However, CNL's physical infrastructure and intellectual property remain in the hands of AECL.

In less than 5 years, CNL grew from an R&D lab acclaimed by the scientific community to become Canada’s enabler of nuclear innovation, technology transfers, R&D, and exports. In short, it is the world storefront of Canada’s expertise in the nuclear industry.

Cybersecurity Management

CNL has 4,000 employees and contractors across Canada and 4,500 workstations. On staff, CNL has three security analysts to cover all grounds on cybersecurity. The small team can count on the support of over a hundred IT professionals of which 40 are information managers and the remainder IT specialists for applications and desktop support. The SOC is operated by a third party.

As Tom Vaughan explains, “We are a small agile IT group. Our teams work together. For example, our CIO is presently implementing a network access control on a Mac solution with the IT team and our security network specialist will supervise the IT work. We’ve become a sort of auditor of IT. But in the field of prevention and response to incidents, we are prime.”

CNL stores some data and applications in the cloud but its contractual agreement with AECL slows down the modernization process. “It’s difficult for us to make a lot of traction given the contractual and legal obligations we have between AECL and us. Our data belongs to AECL. We need approval to put AECL’s information out into a cloud. That being said, we do have a cloud first strategy and we evaluate case by case if it is a viable option.”

Cyber-Physical Strategy

The Chalk River site is currently undergoing an important renewal and modernization that will transform it into a modern, world-class nuclear science and technology campus, thanks to an investment of $1.2 billion over ten years granted by the federal government in 2016. Everything, the old and the new, needs to be protected. “We have high-wired gates and armed officers who patrol 24/7. The security specialists have top-of-the-line mobile equipment, software and applications.”

The evolution of the physical security group into a hybrid physical and digital team is impressive. Tom Vaughan is proud of his team: “Before the Internet era, security technicians managed the protection of the physical perimeter and reported to the Vice President of Health and Safety. With the advent of virtualization, we thought that this team would more or less disappear, but that was without counting on their creativity and tenacity. Discreetly, this group, which now presents itself to me, has developed its own computer skills. They purchased digital equipment related to their mission and over time, their responsibilities were increased to include the work of physical site security and computer security.”

The physical cybersecurity team has regular interoperability sessions where they often discuss the issue of traditional but efficient SCADA industrial controls. CNL is constantly building or renovating. Should SCADA software be maintained, or should it be increased? Software has vulnerabilities that can become conduits for attacks. “In the R&D world,” explains Tom Vaughan, “take for example, the scanning electron microscope. It is presently connected to our network. Does it really need to be networked? We find that these technologies have outgrown our ability to control our perimeter.”

CNL has never suffered a major attack. Minor attacks included the website being compromised and defaced by anti-nuclear activists; some computers being emptied as a result of malicious programs; and some phishing methods resulting in data loss. Tom Vaughan puts it all in perspective: “Immediately, the perimeters were reinforced, and the insecure websites eliminated. We are aware that we are targeted, nuclear energy is still the subject of prejudice.”

Development of Cybersecurity Top-of-Line Tools

CNL’s cybersecurity team built a multimillion capital project with the aim to develop among other things, a malware protection tool, an AI-based anti-virus, threat detection and data protection analysis in real time, prevention tools, security event management (SEM), a cyber framework for third-party access to help manage day-to-day operations and also a holistic identity and access management project which will be large and costly to implement, but needed on the facility. “With all those projects to complete, you understand why I often think of budgets. All these projects are still in the approval process, and our Board is satisfied to see that they meet their security objectives.”

Budgets

CNL’s principal cybersecurity obstacle is money. The team has plans: identity management, the cloud and new technologies, but the resources are not abundant. “We need resources to do all of the things essential to protect and modernize Canada’s nuclear industry. We manage well the allotted resources and we meet AECL’s expectations.

“But every year, we have to fight for new projects to be adopted. Security is viewed as an expense and not an investment. That’s an old-fashioned reasoning. Our budgets tend to decrease and not increase. CNL’s environment is increasingly becoming criminal: phishing attacks, ransomware, cyberpolitical attacks and all other types of attacks whose objective is to exfiltrate information from the company. Espionage is our high-risk area of concern given the type of work we do.”

Recruitment

“Recruitment of talent is the trick for us. Chalk River is two and a half hours from Ottawa – the first “big town” in the area, and for city folks to migrate to Chalk River can be difficult. I grew up further north in the bush. I have the impression that I am in a city and I love being here. We have a 100% turnover of employees who have southern city experience. At the most, they stay 12 to 14 months before caving in to homesickness. Those born or raised in this area are happy and would not want to work anywhere else.”

Small Nuclear Reactors

One of CNL’s objectives is to attract foreign companies specialized in nuclear, particularly in the building of small nuclear reactors. CNL’s killer argument to attract foreign business is cybersecurity, privacy and protection of the valued intellectual rights. In 2017-18, AECL issued a Request for Expression of Interest, which prompted input from small modular reactor technology developers, potential end users, and stakeholders. One of the challenges facing small modular reactors is the lack of uniformity, as there are currently over 100 different designs. AECL believes that CNL’s expertise could be leveraged to advise both the government and commercial companies on the technology, which will have strong cybersecurity built in.

Cooperation

In the critical infrastructure environment, information sharing is a necessity. CNL’s prime source of information is the CANDU Owners Group (COG) which brings together once a month, more frequently if necessary, the key players in the energy sector, the nuclear safety commissions, specialists from government and the private sectors. “We have been meeting for five years now and we have built a solid trust-based network. At first, we primarily discussed industrial and nuclear security, SCADA issues. Over time, questions became more precise, answers more straightforward. That’s when issues like cybersecurity, privacy, the cloud, management and new technologies moved up on our agenda. In each of our respective organizations we made progress, but as we go along, we discover more and more challenges. Some are linked to the legacy systems and others to cybersecurity technological deployment.”

Partners of the monthly meetings reach out for advice: “For example, very recently I had a conversation with Bruce Power’s CISO. We discussed our respective reporting systems. Thirty minutes later, we came up with ways to improve our management. We could have kept our little secrets like in the old times and our situation would have worsened. It makes so much sense to reach out. Think about it: hackers talk to each other and share best practices, so if we share amongst us, we will be much smarter.”

Insurance

Cooperation is a more efficient way to heighten security; maybe more so than insurance. CNL’s CIO signed on an insurance policy recently. Tom Vaughan at first was not thrilled and then changed his mind. “The insurance company provides breach coaching. In the event of a security or privacy breach, a specialist will help us work through the processes. If CNL has to deal with a ransomware situation that paralyzes a server, the insurance specialist coaches us on how to deal with the attacker. That’s what won me over.”

Employees as Partners

Insurance companies are morphing and becoming a cybersecurity third party. The best insurance is still the commitment to security of the employees. At CNL, every new employee gets a security package where the measures are explained, from privacy to the management of e-mails. “Many have taken to cybersecurity first as a chore, then a game and now as a mission. They see and report.”

CIO Association of Canada (CIOCAN)

7270 Woodbine Avenue, Suite 305 Markham, ON L3R 4B9 (647) 627-7058 https://www.ciocan.ca

Contact: Gary Davenport, Board director and former President

Data
- Founded: 2004
- Headquarters: Markham, ON
- Membership: 420 members
- Main activity: Association
- Clients: CIO individual member

Mission: CIOCAN is a not-for-profit community of CIOs, CISOs and IT leaders whose mission is to facilitate networking, sharing of best practices and executive development, and to collaborate on issues facing CIOs/IT Executives.

Strategy: Growth. Influence. Impact.

Means: CIOCAN runs national e-seminars, leads advocacy initiatives, organizes an annual conference, and provides chapter support in marketing, public affairs, member relations and development.

Markets: CIOs of private and public sectors.

Cyber Issue: Keeping abreast of the major changes in technology and creating means to collect and transfer knowledge to the members.

Professional Experience

Gary Davenport’s first degrees were in arts and history. After gaining a background in the humanities, he chose to study cybersecurity. He has a long track record of practice, moving up in a progression of positions from the Hudson’s Bay Company to Allstream in 2014. “At Allstream, security was paramount because we had to protect our business, but more so because cyber security was sold as a service to large clients,” says Mr. Davenport. Cybersecurity had become a visible topic at all levels of the company including the Board: “We worked within a cyber risk framework that was updated regularly.” From 2011 to 2015, Mr. Davenport was national president of the CIOCAN Association.

Creation of the CISO Division

Initially, CIOCAN was a non-profit organization of CIOs and IT managers. The association brings together 420 members in Canada who work in small and large private and public companies. Its objective is to create a space to network, to share lessons learned and best practices, and to promote their profession. CIOCAN is organized by chapters: Vancouver, Calgary, Edmonton, Winnipeg, Toronto and Ottawa. Montréal is in the incubating phase.

In recognition of the importance of cybersecurity, in 2016 CIOCAN formed a new division for CISOs. The principal objective is to foster collaboration and cooperation between CIOs and CISOs in areas of mutual interest and allow CISOs to benefit from the association infrastructure developed over the past 12 years. There are at present 20 members in the CISO division. Mr. Davenport notes that “If you think of all the varied subfields that a CIO must master – architecture, engineering, business processes, analytics and more - we believe that CISOs must have the opportunity to learn but also to promote the CISO’s profession.”

The CISO division offers significant value-added benefits to its members through active engagement in knowledge transfers. Professional development opportunities are also available through the CISO Division. “The CISO division is very much interested in strategic initiatives such as common benchmarking and metrics definitions,” states Mr. Davenport. Among other things, CIOs teach CISOs how to interact with executives at the Board level. This knowledge transfer program will soon be expanded to include practices on dealing with governments and banks.

Advocacy

CIOCAN does not lobby governments but they do discuss issues among members and occasionally with the media. As Mr. Davenport explains: “Many of our members work in the public sector, so if they were to lobby, they would find themselves in potentially tight situations. CIOCAN briefs other associations with a mission to lobby and advocate.”

Among the many issues being dealt with currently at CIOCAN there is the matter of overhauling digital transformation, with its technologies like blockchain, big data, artificial intelligence and digital mobility that are game-changers according to CIOCAN. “If we don't lobby ourselves, our partners do it. We have a good relationship with IT World Canada which is a great source of news on cybersecurity. We also work with Gartner, IDC of Canada, ICTC, ITAC, CATA and with our sponsors. This chain voices our concerns.”

Quite often, also, CIOCAN is invited to conferences organized by a third party. “We encourage our members to deliver our message and explain how companies must prepare now to face the future. We also encourage our members to share bad experiences with the media because it boosts awareness.” It also makes the invisible world of cybersecurity more visible.

Obstacle: Keeping up with technology

In his role as a consultant Mr. Davenport does much of his work with the Boards. “What I see is an increasing technology dependence in mid-size companies and organizations. The technology changes so fast that they are always in danger of being left behind. Also, more and more industries become dependent on third-party services like cloud computing. We, at CIOCAN promote efficient simplification.”

For Mr. Davenport, small and medium companies whose budgets are limited should follow five simple steps:

1. Having good perimeters;
2. Practices that keep them up to date on releases and security software;
3. Business environments that have safe techniques;
4. Annual tests;
5. Disaster recovery plans.

“The most strategic task of a security leader is defining risks and analyzing potentially critical breaches. It works for specialists only. Companies will come to understand that a third party does a better security job than they can ever do. Relying on a third party is being adopted and it is a good thing.”

Obstacle: Skills

Cybersecurity is a very specialized technical field. Given the current shortage of IT talent, compounded by the ever-increasing threats, cybersecurity managers must be quite imaginative to find market-ready staff. “The market law of supply and demand will need to be adjusted. That means salaries must be adjusted.”

Universities are overwhelmed by the pace of technologies. “I am on the Board of the Information and Communications Technology Council (ICTC) and we are working on the talent issue. Some of the solutions are to tap into immigration, women or disabled young students, to interest them in a career in IT and cybersecurity. I don’t believe in one solution. It will have to be a combination of means and the government will need to act.”

The Canadian government is heavily invested in promoting and nurturing cybersecurity, yet Mr. Davenport thinks that a critical ingredient is missing. “At the moment, in the general field of cybersecurity, I don't see any cooperation between the public and private sectors. The Government published the ambitious 2018 cyber strategy and created the Canadian Centre for Cyber Security, but I have seen nothing trickling down to the market. I trust that action will follow at some point.”

Technology Trends

CEOs are very much interested in artificial intelligence and how it can be integrated in their cybersecurity plans. But they are also concerned that criminals will use artificial intelligence to attack before the former integrate and deploy that technology. CEOs are worried. At Board meetings, explains Gary Davenport, they often discuss the same three issues: “What if hackers use artificial intelligence? How can we get talented resources on board? When will we reach sustainability? Of course, those questions are difficult to answer,” concludes Mr. Davenport.

Cisco Canada

88 Queens Quay West, Suite 2700, Toronto, ON M5J 0B8 (416) 306-7000 www.cisco.com/c/en_ca/

Contact: Robert Albach, Senior Product Manager for Industrial Security

Data
- Founded: 1984
- Global headquarters: San Jose, CA
- Canadian headquarters: Toronto, ON
- Location of the interviewee: Austin, TX
- N. of employees: 74,200 (1,900 in Canada)
- Main activity: Telecommunications manufacturer
- Clients: All types of businesses

Mission: Shape the future of the Internet by creating unprecedented value and opportunity for our customers, employees, investors, and ecosystem partners.

Strategy: Establish partnerships with experts in different fields of activity.

Means: 2,000 IT integrators to serve the SME.

Markets: 10,000 corporations in Canada.

Cyber Issue: “What we connect, we must protect.”

Professional Experience

Robert Albach joined Cisco in 2010 after designing and developing three network security solutions, including Cisco's first industrial security device. Prior to Cisco, he led the Intrusion Prevention Solutions (IPS) portfolio for TippingPoint, the pioneering company in IT threat protection. Outside of network security, Robert Albach has led product management teams at IBM/Tivoli, BMC, and Quest Software.

Canadian Background

Since Cisco started operating in Canada 26 years ago, it has invested over $1 billion in R&D, skills, training, innovation and venture capital. This includes: Cisco’s world-class Kanata R&D Centre; the Toronto Innovation Centre; 13 university research chairs; direct and indirect venture capital funding; Cisco’s world-renowned Connected North program; a new mental health partnership with the Centre for Addiction and Mental Health (CAMH); and 200,000 graduates from the Cisco Networking Academy program. This doesn’t include the billions of dollars of economic impact Cisco has in Canada each year through its 1,900 employees located at 12 offices, and Cisco’s network of roughly 2,000 partners, both large and small.

Cybersecurity at Cisco

Cisco was created to produce products for network connectivity (routers and Ethernet switches) but evolved and expanded over time into a wide array of segments, becoming a dominant force in the technology industry. Over time, for instance, Cisco recognized that as things were getting connected, they also needed to be protected because they were subject to potential abuse. It began with the need to control who and what could access the network. To achieve this, Cisco built security directly into the network itself, from the endpoints to the communications channels.

The concept of the “secured network” has been used by Cisco for over a decade. Robert Albach simply summarizes Cisco’s approach as follows: “Our obligation is that if we connect it, we must protect it.” Consequently, all equipment built by Cisco must be secure. At the core of the company is a group called the Security and Trust Organization: it is responsible for developing the processes by which all equipment built by Cisco is secure. The development life cycle is critical. It contains hardware elements and roots of trust that prevent network devices from executing tainted network software.

Every switch and router produced by Cisco has the ability to deliver security functionality in the network. Furthermore, there are tools that provide dedicated security functions such as firewall, access control, or behaviour analytics, as well as specific items to do multifactor authentication, cloud security and deep packet inspection (DPI). The DPI technology examines the application payload of a packet or a traffic stream and makes decisions based on the content of the data. All these tools are the overlays that people use to add explicit security functions within the connected plant perimeter.

Market

Cisco provides connectivity to a wide range of customers, from large ones such as BC Hydro or Saskatchewan Power, to small manufacturing companies in remote areas. Cisco may work in partnership with the local telecommunications carriers, or directly with the client. For instance, when an automation process is being installed in a single facility, it does not require the involvement of a telecommunications carrier. But where Cisco deals with a geographically diverse, highly distributed system, such as an electric utility or an oil pipeline, there certainly is a role for the telecommunications carrier to play.

Organizational overview

There are several groups within Cisco that work on cybersecurity: some of them are dedicated exclusively to pure cybersecurity; some are dedicated to security products; some are dedicated to security research, and some others are specialized in industrial security products. Everybody at Cisco, though, must include security in the devices they build, even if they do not belong to a security group, and every employee must take security training. Robert Albach insists: “If you build Cisco products, you must take training on security development processes. If you want to create a new product, there are special steps you must go through to even define the product before getting the project approved. There are certain standards of security that must be incorporated.” Security is not only a technological issue: it is a process that encompasses all aspects of the industrial environment. Robert Albach summarizes the situation this way: “All in all, security is everybody’s job at Cisco.”

Manufacturing Needs and IT World

In the IT world, the need to protect communications has been ongoing for many years, but the adoption of cybersecurity within industrial environments has been lagging by almost a decade, and there is a structural cause for this delay. Robert Albach explains: “When a manufacturer purchases industrial equipment for a plant, it is expected to work for a long period of time, often with a 20-year minimum. Mechanical or electronic failures may occur from time to time in a complex system, but proper attention to preventive maintenance minimizes down time. Even robots have an average lifespan of 15 years, which means that a large part of the robot park is operated for 20 years or more.”

In comparison, Cisco changes employee laptops every two or three years. Time perception can be very different in the technology and industrial worlds. This difference is at the core of Cisco’s approach to securing industrial environments.

Bridging the Gap between Operational Technology and Information Technology

Cisco supply chain

Cisco has its own labs that design its own products, often down to its own silicon chips. All its switches, routers, firewalls, UCS servers, and various products are designed internally. However, Cisco does not have its own factories. Instead, it uses electronics manufacturing services (EMS) partners controlled by a highly focused supply chain security group. With the ever-present threat of intelligence agencies and various criminal groups wishing to abuse industrial intellectual property, Cisco has developed a very strong practice to ensure that its products are secure.

Cisco policy is to share its internal product development practices with other companies that do not have this expertise, so that they can create secure products for themselves. One example, among others, is the World Manufacturing Summit that took place in Korea in 2018. Cisco went to explain to Asian manufacturers how to secure their supply chain, so that their final products are also secure. In Asia, a great part of the manufacturing production is based on electronics and this brings some challenges, such as ensuring that electronic components are valid and not counterfeit, or that backdoor code is not inserted into the firmware or the FPGA.

At a more general level, Cisco works with various organizations to help develop and define international standards about secure manufacturing. One of its major achievements is its participation in the Internet Engineering Task Force (IETF) to develop a Manufacturer Usage Description (MUD), which is an embedded software standard that allows Internet of Things (IoT) device makers to expose the identity and intended use of their products using an approved standard. According to Robert Albach, “The idea is to help define where cybersecurity should go by formalizing our experience and putting it at the disposal of the industry.”

The Evolving Threat Landscape for Manufacturers

IT/OT Evolution

Cisco also helps its customers to clean up “the sins from the past” which is a particularly important task in the manufacturing environment where the equipment lacks basic security functionality – and even the equipment bought last year is not secure.

“Often, though,” insists Robert Albach, “the biggest challenge in industrial environments is cultural. People with experience in security are often resisted by the industrial side of the organization. This perception has an historical origin. At the beginning of the new century, there was the ISA-99 standard, which was the very first regulation about industrial security. But its approach was negative. It defined what security should not do instead of defining what security should do.”

In this context, Cisco’s role is to encourage IT professionals to adapt to the unique needs of the industry. There is an ever-present possibility of mechanical systems being negatively impacted by IT processes that have not been adapted to the operational environment. Security experts must understand that the automation engineers wish to focus on automation and not on security. On the other hand, operational engineers must start inviting the people with security expertise – mostly with an IT background – to participate in the early stages of product development. Robert Albach sums up the situation as follows: “There is an absolute necessity to bring IT experts and operational engineers to learn how to work together.”

Industrial Systems are Everywhere

Robert Albach presents a fascinating description of the overall environment in which we live: “In the middle of the winter, you are working in a warm office heated by an electricity-powered central system with a back-up diesel fuel generator in the event of an unplanned outage. This is an industrial system. What delivers the heating, ventilation, air conditioning, is another industrial system. There is a server room in your office building; it must have a fire suppression system in this data centre: that is another industrial system. There are small-scale industrial systems everywhere and one is not even aware of them, but somebody, most of the time outside your organization, somebody you do not even know, is reaching into your environment and controlling that. You have to ask the question: who has access to this? Who controls it? And what is the risk to me if the wrong people are able to take control?”

“My perspective of security is that the environment we are trying to protect needs to be seen as a system and we need to understand all of its parts and touch points – meaning it is extremely wide. We must not limit ourselves to bad guys doing bad things. If I wish to secure a system, I must be as interested in errors and mistakes made by ordinary colleagues. How can I help the system to be resilient and not negatively impacted either by bad people or – also – by good people trying to do good things but doing them clumsily? The concept of security becomes much broader. As we interconnect objects, our dependence on these objects increases and is further removed from our own direct control. Our role is to understand these remote relationships and implement compensatory controls wherever we can.”


Computer Research Institute of Montréal (CRIM)

405 Ogilvy Avenue, Suite 101, Montréal, QC H3N 1M3, 514-840-1246, www.crim.ca/en

Contact: Fehmi Jaafar, Ph.D., Researcher. Team: Advanced Software Modelling and Development

Data
Founded: 1985
Headquarters: Montréal
N. of employees: 65
Main activity: Technologies and application development
Clients: Businesses and governments

Mission: CRIM is a centre for applied research and expertise in information technologies whose aim is to make organizations more efficient and competitive by developing innovative technologies and transferring cutting-edge know-how, while contributing to scientific advancement.

Strategy: CRIM is a non-profit organization; its neutrality and the strength of its network make it an essential resource.

Means: CRIM has state-of-the-art IT expertise that it transfers to the industry through its collaborative research activities and is internationally recognized in niche markets, such as human-machine interfaces. CRIM holds an ISO 9001:2015 certification.

Markets: Québec-based small and medium-sized businesses (SMBs).

Cyber Issue: Engage in applied research to support SMBs while pursuing fundamental research.

Professional Experience

Fehmi Jaafar holds a doctorate in computer science from the University of Montréal. His thesis topic was the analysis of quality in information systems. Then, in 2018, he joined Queen's University in Ontario, where he taught and participated in cybersecurity research projects. Dr. Jaafar says: “Research at Queen's made me realize that I wanted to work in cybersecurity, and since then I have been working in this branch of IT.” After a period of teaching at Concordia University of Edmonton, he joined the Computer Research Institute of Montréal (CRIM) team.

As soon as he joined CRIM, Dr. Jaafar shared his concept of cybersecurity with his colleagues. “Cybersecurity is an essential component of quality, and a system can only be complete if it is secure, just as it must be reliable, robust and fault-tolerant.”

Background Information

CRIM is a not-for-profit organization celebrating its 30th anniversary this year and recognized as one of the top centres for applied IT research in Canada. Its scientific mission is coupled with a service commitment to SMEs in line with the policies and strategies led by the Ministry of Economy and Innovation, its main financial partner.

Anomaly detection

One of Dr. Jaafar's areas of interest is the detection of anomalies in a data set – a statistical method for determining how a given measure has changed in relation to previous data or in relation to global data. Dr. Jaafar explains his approach: “Intrusions are often difficult to detect and are discovered months after the incident. To detect the intrusion, one must search sets of data for the rare characteristic that stands out. To authenticate the rare characteristic, it is necessary to build pre-defined profiles of non-rare characteristics. Then, you compare the two data groups and you have an answer. In my opinion, anomaly analysis is the foundation of a sound cybersecurity approach.”

Cybersecurity through Voice

Like other biometric tools, the voice can be counterfeited. However, signal analysis makes it possible to check whether a signal is a copy of an original source, even if the copy has been significantly altered: quality corruption, addition of sounds, picture-in-picture inclusion in another video, etc. CRIM’s achievements have been the subject of a strategic R&D agreement with Voice Trust, which recently increased its presence in North America through the acquisition of Perceive Solutions Inc. This company is built on CRIM's voice biometric technology platform, which allows users to authenticate speakers of all languages and accent types.

Voice Trust is partnering with CRIM to optimize its voice biometric technology. CRIM applications achieved the best results in audio and video detection in the international TRECVID 2009 evaluation and the 2nd best result in TRECVID 2011. The international TRECVID evaluations in copy detection are part of a series of specialized workshops in the field of Information Research (IR). This program is jointly supported by the National Institute of Standards and Technology (NIST) and the Advanced Research and Development Activity (ARDA) Center of the United States Department of Defense.

Still in the field of audio, CRIM has developed a forensic investigation tool, relates Dr. Jaafar: “Keyword detection is an analytical technique that identifies the presence of certain words in recordings or even themes during a conversation.” To accurately determine the position of each word or phoneme in a recording, one refers to text/audio synchronization. This type of lexical analysis is extended by the analysis of emotions. The CRIM researcher adds: “We have also developed algorithms that can detect a person's emotions from an audio recording.” These technologies have not necessarily been developed to ensure cybersecurity, but they are now part of the arsenal of intelligence services and are used to decode massive data streams, such as telephone conversations.

The Cyber-Attribution Project

CRIM is committed to ever more ambitious cybersecurity projects, for example the cyber-attribution project in collaboration with the IDS project of National Defence. Cyber-attribution is a process of finding and identifying the author of an attack or act of piracy. Dr. Jaafar explains: “The goal is to identify the origin and the modus operandi of the attackers. We proceed initially with the analysis of the data; then we isolate and list the models of attacks, to establish occurrences. Attackers are doing everything to erase their tracks. Cyber-attribution is a complicated and long-term investigation work, and right now we're in the prototyping phase of a new type of solution.”

When working on attribution (who attacked), Dr. Jaafar uses an approach similar to anomaly detection. First, he creates user profiles of an organization (control users), then he studies the behaviour of the computers used by employees in the target group (sites visited, frequency of incoming and outgoing e-mails, use of the keyboard, presence of other peripheral equipment, etc.). Using this information, he creates profiles of “normality” that can be modulated according to the different departments in the organization. Dr. Jaafar explains what he wants to find: “For example, if suddenly, a computer under surveillance transfers hundreds of documents, while the employee does not communicate with the public, according to his job description, we block the account and then investigate the case: Did the employee transmit the documents, or was it wrong hands that took control of the employee's computer? Another example: if an employee uses his corporate account late into the night and visits sites that do not fit his business profile, again, we investigate.”
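The profile-and-compare approach described above can be sketched as follows. This is an added example, not CRIM's code: it builds one baseline per department from past activity and flags workstations whose daily behaviour sits far above it. The feature names, the threshold and all sample records are assumptions constructed for illustration.

```python
"""Per-department "normality" profiles with a robust outlier test (added example)."""
from statistics import median

# Daily per-workstation features (assumed names, not taken from the report).
FEATURES = ("docs_sent", "after_hours_minutes")


def robust_profile(values):
    """Return (median, scale) for one feature.

    Median and MAD are used instead of mean and standard deviation so that a
    past incident sitting in the history does not inflate the baseline.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    # 1.4826 * MAD approximates a standard deviation for normal data; the
    # floor of 1.0 avoids division by zero when the history is constant.
    return med, max(1.4826 * mad, 1.0)


def build_profiles(history):
    """Group history records by department and profile each feature."""
    samples = {}
    for rec in history:
        dept = samples.setdefault(rec["dept"], {f: [] for f in FEATURES})
        for f in FEATURES:
            dept[f].append(rec[f])
    return {d: {f: robust_profile(v) for f, v in feats.items()}
            for d, feats in samples.items()}


def score(record, profiles, threshold=6.0):
    """Return [(feature, z)] for features far above the department baseline."""
    profile = profiles.get(record["dept"])
    if profile is None:
        # No baseline means the record cannot be judged normal; surface it.
        return [("no_baseline", None)]
    findings = []
    for f in FEATURES:
        med, scale = profile[f]
        z = (record[f] - med) / scale
        if z > threshold:
            findings.append((f, round(z, 1)))
    return findings


def triage(records, profiles):
    """Map user -> findings for every record that needs investigation."""
    flagged = {}
    for r in records:
        findings = score(r, profiles)
        if findings:
            flagged[r["user"]] = findings
    return flagged


def _days(dept, docs, minutes):
    return [{"dept": dept, "docs_sent": d, "after_hours_minutes": m}
            for d, m in zip(docs, minutes)]


# Constructed history: ten working days per department.
HISTORY = (
    _days("accounting", [2, 3, 1, 4, 2, 3, 5, 2, 3, 4],
          [0, 10, 0, 5, 0, 15, 0, 0, 20, 5])
    + _days("sales", [40, 55, 35, 60, 45, 50, 30, 52, 48, 42],
            [30, 60, 0, 90, 45, 20, 75, 10, 50, 40])
)

# Constructed observations for the day being checked.
TODAY = [
    {"user": "acct-07", "dept": "accounting", "docs_sent": 300, "after_hours_minutes": 5},
    {"user": "acct-03", "dept": "accounting", "docs_sent": 55, "after_hours_minutes": 0},
    {"user": "acct-11", "dept": "accounting", "docs_sent": 2, "after_hours_minutes": 240},
    {"user": "sales-02", "dept": "sales", "docs_sent": 55, "after_hours_minutes": 60},
    {"user": "lab-01", "dept": "research", "docs_sent": 1, "after_hours_minutes": 0},
]

if __name__ == "__main__":
    for user, findings in triage(TODAY, build_profiles(HISTORY)).items():
        print(f"{user}: hold account and investigate -> {findings}")
```

The same 55 documents are routine for the constructed sales workstation and an outlier for the accounting one, which is the effect of modulating the profile by department.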

Cooperation

CRIM contributed to the creation of In-Sec-M, a not-for-profit centre of excellence in cybersecurity, located in the Outaouais region. Françoys Labonté, General Manager of CRIM, is a member of the Board of In-Sec-M. Also, the first meeting of the Board of Directors of the new organization was held in 2019 during the last CRIM Techno Day. Dr. Jaafar explains the importance of creating this type of organization. “There are no organizations in Canada that ensure that Canadians, regardless of their background, have the knowledge they need to protect themselves. Critical infrastructure is well managed, but SMEs, as well as the education and health systems, are left behind.”

Sovereignty and Industrial Development

Dr. Jaafar believes that Canada lags behind in cybersecurity and that there is virtually no national industry in this domain. He explains his judgment: “Malaysia is ahead of Canada, and instead of reacting, Ottawa is doing nothing and is giving away our market to Americans and Europeans; yet in Québec we know how to create industrial sovereignty. For example, take the video game industry. Three successive Québec governments have mobilized to create an international video game industry with resounding success because they had a global vision. For more than 20 years, all our creators had Hollywood in their sights. The result of this perseverance is that today almost all the animation work required in Hollywood is done here in Québec. So, why not do the same for cybersecurity?”

Inequality of Cybersecurity Resources

What is just as important to the CRIM researcher is the inequality of cybersecurity resources available to Canadians. According to him, some Canadians are more pampered than others. “SMEs do not have the means. Cybersecurity costs are putting a strain on their budget. They innovate less. The same goes for primary and secondary schools, and university institutions, as well as for the health network.”

The Example of New Brunswick

Dr. Jaafar likes to quote the example of New Brunswick: “New Brunswick has a global and systemic view of IT and cybersecurity. Its political leaders develop the sector along four axes: research, education, public services and the private sector. They are giving themselves collective means, as Québec did with the video game industry. And, at each election, the new government continues the mission begun by its predecessor. It has become a patriotic cause.”


Concordia University

1455 De Maisonneuve Blvd. West, Montréal, QC H3G 1M8, 514-848-2424 ext. 3166, www.concordia.ca/

Contact: Mourad Debbabi, Professor at the Concordia Institute for Information Systems Engineering (CIISE); Honorary Concordia University Research Chair in Information Systems Security; Senior Fellow of the NSERC/Hydro-Québec/Thales Industrial Research Chair in smart grid security; and Associate Dean, Research and Graduate Studies at the Gina Cody School of Engineering and Computer Science.

Basic data
Establishment of the institution: 1974
The head office: Montréal
Number of professors and lecturers: 4,500
Number of employees (non-teachers): 1,450
Activity: Academic teaching
Number of students: 46,100

Mission: Aligning learning opportunities with the significant challenges facing society.

Strategy: As a next-generation university, Concordia sets its sights further and more broadly than others. We align the quality of learning opportunities to larger trends and substantial challenges facing society. We pursue technology without losing sight of our humanity. We find inspiration through narrative and dialogue.

Means: 1) Double our research. 2) Teach for tomorrow. 3) Get your hands dirty. 4) Mix it up. 5) Experiment boldly. 6) Grow smartly. 7) Embrace the city, embrace the world. 8) Go beyond. 9) Take pride.

Markets: Students and research partnerships

Cyber Issue: Take on the challenge of the convergence of IT and OT in matters of security.

Professional Experience

Mourad Debbabi holds a Ph.D. and a master’s degree in computer science from Université Paris-XI (Orsay). After his studies in computer science, he developed a particular interest in cybersecurity. In 1993, he worked at Bull's research centre under the direction of Dominique Bolignano58, who then headed the formal verification methods group. He was introduced to the use of the mathematical concept of “formal proof” in computer security and never left this field afterwards. During his academic career he has published three books and more than 300 research papers, and he has given a plethora of lectures on the different aspects of applied and fundamental cybersecurity.

During his career Dr. Debbabi has been a research associate in the Computer Science department at Stanford University, California, and an associate professor in the Computer Science department at Laval University in Québec City. He has also worked in the private sector as a senior researcher at the General Electric Research Center in New York, and as senior researcher at the Panasonic Information and Networking Technologies Laboratory (PINTL) in Princeton, as well as permanent researcher at the Bull Group's research centre in Paris. His main research interests are computer security, network and software security, malware and program analysis, and systems and software engineering. Dr. Debbabi is also President of the National Cyber-Forensics and Training Alliance (NCFTA) of Canada.

58 Dominique Bolignano, “An approach to the verification of concurrent systems: an application to security protocols”, doctoral thesis in Applied Sciences, 1995. Dominique Bolignano left Bull in 1996 and created several companies in the field of cybersecurity.

Rise of Cybersecurity at Concordia University

In 2003, Concordia University did not have one single cybersecurity course. A group of experts took the initiative of writing a training program for all cybersecurity practices (encryption, risk evaluation, anomaly detection, communication security, etc.). The need to create a laboratory was a logical next step to take and a formal request for a chair was presented to the NSERC. At that time, Concordia University was one of the first institutions of higher learning to begin developing a cybersecurity curriculum from the Bachelor’s to the Doctorate. It was also among the first universities to pair a lab with classrooms. “Recruiting teachers has been difficult,” says Dr. Debbabi. “On the one hand, we wanted researchers with advanced knowledge, and, on the other hand, these same people had to teach a multitude of topics often unrelated to their area of excellence.”

In 2005, the graduate program officially opened its doors. Ten years later, the record is surprising: 800 experts have been trained to date, who are now at the service of the government, Internet providers, large companies such as Google, Microsoft and Bell, or working as self-employed consultants. In short, Concordia University has become a nursery for talent in cybersecurity.

The Concordia University Computer Security Centre has just over 60 full-time staff, nine tenure-track faculty professors, 25 Master's and 30 Doctoral students. The information generated by the research is distributed among the partners. The centre is divided into two chairs: the Concordia University Research Chair in Information Systems Security and the NSERC-Hydro-Québec-Thales Chair on Smart Grid Security.

Concordia Research Chair in Information Systems Security

The Concordia Research Chair in Information Systems Security remains generalist, but since 2010 it has been prioritizing certain aspects such as cyber-statistical intelligence or cyber-intelligence, i.e. all relevant information generated in real time, for the purpose of detection, prevention, investigation and attribution of attacks.

A second topic holds the centre's attention: techniques for tracking a malicious code or feature by its digital fingerprint. “We have been studying this issue in collaboration with National Defence and Google since 2013,” says Dr. Debbabi. “We seek to automatically recover the fingerprint of a virus, an attack, or the developer who wrote an attack in particular, to register it in real time and analyze it before it even arrives at the SOC.”

The third research theme is Information Technology related to Physical Cybersecurity (IT/OT). It is addressed in the framework of the Hydro-Québec/Thales Canada Chair and NSERC (see below). The Laboratory covers two additional themes, virtual platforms and blockchains:


- The Concordia University team is working with the Ericsson Research and Development Centre on a security program for virtual platforms. These cover everything related to cloud computing and virtual networks of the Software-Defined Networking (SDN) type.

- Blockchain technology enables distributed public ledgers that hold immutable data in a secure and encrypted way and ensure that transactions can never be altered. Several researchers are working to create consensus protocols that consume much less energy.

The NSERC-Hydro-Québec-Thales Chair

Research into the cybersecurity of smart grids associated with cyberphysics began around 2013. But it was not until October 2016 that the NSERC/Hydro-Québec/Thales Industrial Research Chair in Smart Grid Security was formally created. When intelligence is introduced into the electrical grid, a variety of functions are automated, such as real-time information collection, fault localization and, in general, control of the generation, transmission and distribution of electric power. This is what allows the integration of renewable and intermittent energies into the electrical grid. From now on, a subscriber can generate energy using solar panels and sell it to Hydro-Québec.

Smart Grid: Electrical Transmission & Distribution Services

The clearest sign of this deployment of the smart grid is without a doubt the smart meters that are installed in private homes. For every meter that is clearly visible to everyone, there are hundreds of intelligent electronic devices (IEDs) and phasor measurement units (PMUs) that monitor real-time network operating conditions. All of this results in increasing flows of computer data that measure and control physical devices to ensure network reliability and security. Network reliability is all about the ability to provide adequate electrical service over the long term. Security refers to the ability of the network to survive potential or actual disruptions without service interruption. Both concepts are related because, for the network to be reliable, security must be guaranteed at all times.

It goes without saying that the deployment of this new smart grid is creating a growing need for cybersecurity. Indeed, if the electricity grid is increasingly dependent on information, it must be ensured that the communications that transmit the data are safe. For instance, Dr. Debbabi asks the following question: “Is this information correct that signals a normal state of the network, or was there an attack that overshadows the truth? I need to be able to guarantee the integrity of the data in real time. Any attack on the communications network will have an impact on the physical infrastructure. That's why cyber-physical security becomes of utmost importance.”

The NSERC-Hydro-Québec-Thales Chair works more specifically on four pillars of the electricity system:

- Safety of the electrical substation: In an electrical grid, a substation has the task of regulating the voltage. To this end, it is structured around a transformer which is surrounded by a whole set of equipment for synchronization, control and communications. When the grid becomes intelligent, it is called a digital substation. The role of the NSERC-Hydro-Québec-Thales Chair is to define the security of digital substations.

- Safety of microgrids: These systems are used to connect distributed power sources, such as micro-turbines, fuel cells, photovoltaic systems, etc.

- Safety of IEDs that are installed in the network to measure currents or to emit commands.

- Technological safety of Wide Area Measurement Systems (WAMS): These are networks of sensors that collect information in real time to efficiently transmit and distribute energy – or for anomaly detection. According to Dr. Debbabi, “These sensors are the eyes and ears of the smart grid.”

The applications that the NSERC-Hydro-Québec-Thales Chair develops for energy apply to all types of networks, such as transportation, water management and even the assembly line of a manufacturing enterprise. The principle is the same and many technologies apply to all physical systems. To transform a network, smart boxes are installed in critical locations; their mission is to take measurements and send them to a second network that activates controls to indicate that the situation is at risk and that the network needs to be stabilized.

The BlackEnergy Attack

The first successful cyberattack against a power grid took place in December 2015 when the Ukrainian power distributor Prykarpattya Oblenergo was attacked by a mysterious malware that plunged more than one million people in the Ivano-Frankivsk region into the dark. For specialists, this attack has become a textbook example taught in all cybersecurity programs.

The hackers had developed a malware technology specifically tailored to cyber-physical networks that was named BlackEnergy. This was an update of a Trojan horse created in 2007 to serve as a relay in distributed denial of service (DDoS) attacks. The malware had two components. The first brought together, in an advanced way, the know-how of the field of virology, that is, the techniques of identifying the various elements of the network, how to spread, how to infect, etc. The other function of this software is its ability to “talk” with IEDs in the power grid. However, to communicate with an IED, it is necessary to send precise commands in the specific protocols that are used in an electrical grid – like DNP3 or Modbus. This is exactly what the attackers did, which testifies to their know-how in the field of operational technologies (OT). Moreover, they had perfected the BlackEnergy software by pairing it with a ‘KillDisk’ utility that turns it into a formidable weapon that can deeply damage sensitive digital equipment and also erase all traces of its passage.

The investigation established that the attack had been prepared well in advance. This is a new generation of malware that combines great technological capability in both IT and OT, which is exceptional in terms of cybercrime. What is surprising about these programs is that they are able to hit both traditional power grids, as happened in Ukraine, and the most advanced smart grids that are just beginning to be deployed. This is a very current threat that is difficult to fight against. Indeed, it is possible to set the activation date of the software from the command line. Thus, BlackEnergy was introduced in March 2015 and remained discreet for nine months, just watching the operation of the electricity network during this period.

Dr. Debbabi concludes as follows: “The Ukrainian precedent demonstrates the feasibility of a cyber-physical attack, its impact, the severity and the underlying technology. One must never forget the very real impact of such an attack: in Ukraine, people and businesses lost electricity for long hours. An entire region was paralyzed. Then, we enter the arduous process of computer forensics, from the capture of evidence to its analysis, the cleaning of servers and rebooting the system.”

Responding to Attacks

To respond to such an attack, one must first be aware of the presence of malicious software. Then you have to ‘customize’ the power grid to make it resilient to threats. Dr. Debbabi illustrates this method with a vivid anecdote: “Suppose you have a very precious secret, and you put it on a server. To get to your server, you need two other network elements like routers or switches. If your equipment comes from the same supplier and you face a zero-day attack, all the equipment will be compromised one after the other and your secret will be disclosed. On the other hand, if each piece of equipment comes from a different supplier, the attacker will have to start again each time at zero, over and over again.”

A resilient network architecture must therefore focus on hardware diversification and redundancy of systems. Then, when deploying the architecture, it is necessary to provide conventional defence lines – antivirus, intrusion detectors, firewalls – and this requires real-time monitoring of security. It involves collecting and analyzing relevant information on measurements, connections and data, including equipment reliability. An intelligent network must be able to collect and process this information even before it is routed to a SOC. Indeed, it is possible to deploy a first line of protection inside the substation. The SOC only intervenes if an anomaly is detected.

Then we have to correlate what happens in the monitored infrastructure so that we can see on the screen what is happening elsewhere. This is where cyber intelligence comes in. A company like Hydro-Québec is in constant contact with other utilities and with various research centres. For instance, Concordia University's cyber intelligence team spends a lot of time analyzing the raw information from IT-OT networks around the world. Dr. Debbabi specifies: “We can tell by the second which infrastructure was attacked, what is the duration and the type of the attack. Then, we draw up a fact sheet that we transmit to our partners.”

Cybersecurity Issues

IT-OT cybersecurity is a still largely unexplored field. It is at the stage where IT cybersecurity was in the 1990s. Since then, IT cybersecurity has made spectacular progress in a very short time. This does not mean that all IT cybersecurity problems are solved, far from it! The cyber world is constantly evolving: think about smartphones, interconnected cars, home automation, the Internet of Things and the deployment of the 5G network – not to mention cloud computing. The challenges faced by the IT cyber universe are innumerable, but they can rely on a solid research base.

“Everything else is at stake in the IT-OT universe,” says Dr. Debbabi. “First of all, it refers to an infinitely more complex problem. Secondly, it often concerns critical infrastructure where the tolerance level with respect to an attack is zero. We cannot tolerate the loss of electric power for instance: people depend too much on electricity to live, likewise in the field of air transport. We cannot tolerate the loss of an airliner. Similarly, a smart city must not be hijacked. However, the convergence of IT and OT creates an explosive mix.”

Previously, the IT and OT universes were not only distinct, but they were also closed, especially OT, which was limited to the perimeter of a plant or isolated system. This resulted in two completely different cultures. In the IT universe, the priority is confidentiality, data integrity and, secondarily, availability. If an IT server is attacked, it stops and, immediately, it is isolated, cleaned and put back into service when possible. There is no impact on the physical world with the consequences on the lives of human beings that this entails. In the world of OT, however, the top priority is availability; the service must be kept operational at all costs, as any interruption can cause a disaster.

Moreover, the management of an IT system is mono-disciplinary, while OT requires the collaboration of as many experts as there are components in the system. “In the case of Hydro-Québec,” says Dr. Debbabi, “this means that we need to gather around a table, specialists in generation, transportation and electrical distribution, air and underground maintenance, control and protection, etc. You have to put together all the pieces of the puzzle. As part of our research, we had to create in the laboratory a replica of the smart grid with all its layers of control and protection.”

Based on this expertise and network replication, Dr. Debbabi's team is able to simulate attacks, analyze impacts, design detection and prevention mechanisms, and evaluate their effectiveness. It took two years to get this result. This is an illustration of the issues raised by the IT-OT convergence, but also of how to solve them. “The big challenge for the next few years is the IT-OT convergence because the challenge will be accentuated by the deployment of the Internet of Things (IoT). We will have to invest in R&D and training.”


CyberNB

40 Crowther Lane, Suite 220, Fredericton, NB E3C 0J1, 506-453-5628, www.CyberNB.ca

Contact: Tyson Johnson, Chief Operating Officer

Data
Founded: 2016
Headquarters: Fredericton
N. of employees: 16
Main activity: Coordination of the cybersecurity ecosystem in NB
Clients: Private and public sectors, academia

Mission: Position New Brunswick as Canada’s epicentre for cybersecurity.

Strategy: CyberNB's strategy is the provision of infrastructure to support site selection and investment attraction in New Brunswick.

Means:
- Workforce and skill development
- Innovation and infrastructure
- Growth and commercialization
- Standards compliance (Cyber Essentials certification)

Markets: Critical infrastructure, education system and SMEs.

Cyber Issue: CyberNB has become the national leader of cybersecurity by designing a vision, turning this vision into a strategy and turning the strategy into an operational program.

Professional Experience

Tyson Johnson worked in the Government of Canada intelligence services before entering the private sector. He developed enterprise risk management programs with the TD Bank Financial Group. He then joined Celestica, a global electronics manufacturing services (EMS) provider, where he learned the synergy between interoperability, digital technologies, and the concerns with cybersecurity, in particular data management and data risk. Thereafter he joined BrightPlanet, a big software-as-a-service company which supports risk management decision-making by leveraging open source intelligence and using advanced data analytics and different machine learning tools.

Opportunities New Brunswick (ONB) recruited Tyson Johnson to lead the cyber initiative in New Brunswick. This involved setting up an opportunity to create a space for collaboration between academia, industry and government and to have a major impact on the economic development of an entire province. In particular, it also influenced cybersecurity in critical infrastructure. As Tyson Johnson puts it: “It was the chance in a lifetime.”


CyberNB – a new Type of Organization

CyberNB is a provincial agency entirely supported by the province. However, CyberNB shares and cooperates very closely with federal partners such as Communications Security Establishment (CSE), Innovation, Science and Economic Development (ISED), Public Safety, the Department of National Defence (DND) and the Canadian Armed Forces. CyberNB and its federal partners jointly fund larger projects through Atlantic Canada Opportunities Agency (ACOA). CyberNB and ACOA are developing a new cooperation model and a new maturity model around security operations between critical infrastructure partners in different sectors – telecommunications, energy and nuclear power, healthcare and hospitals, financial services – sharing their data about threat detection.

CyberNB is located in an industrial district known as the "Knowledge Park", home to five architecturally advanced, secure buildings housing research and technology companies – future plans include an additional 10 buildings. CyberNB is located in building number 4 but it will move in the fall of 2019 into the new Cyber Park which will be a level-2 secure facility. As a disaster resilient building, it will have backup power and Internet, and more steel and concrete to protect the infrastructure inside. One tends too often to neglect that cybersecurity companies need to be physically as well as digitally protected [59]. Tyson Johnson specifies: “It will be the only level-2 secure building outside of government, with diverse tenants from both public and private sectors that will be able to collaborate in a secure environment.”

59. “The new building will be comprised of two towers. It will be a total of four storeys with the ground floor containing the central core and common support area, totalling about 3,410 sq. metres; and three floors of about 3,150 sq. metres each, containing leasable space and central core. The building will be designed to be energy-efficient and is intended to be occupied by high-technology users.” News release, Opportunities NB, “Building to be constructed at Fredericton’s Knowledge Park for cybersecurity companies”, Fredericton, August 17, 2018.

The original concept of CyberNB was introduced two and a half years ago when Opportunities NB was created. Its founders studied the comparative development advantages of the Province of New Brunswick – what was in place, what worked and what did not work. They also visited and studied Israel’s cybersecurity ecosystem and clusters. The outcome was that there was a wealth of critical infrastructure to protect in the province – electricity based on nuclear power plants, airports and seaports, logistics and supplies of oil and gas, refineries, mining and telecommunications organizations. There also were tier-1 computer security programs offered in colleges and universities. These studies have highlighted the need to create an organization that actively coordinates all cybersecurity-related activities in industry, government and the educational community, from kindergarten to post-secondary institutions, to stimulate innovation and increase the efficiency of the cybersecurity ecosystem.

The mission of CyberNB evolves rapidly. The first year it was more about conceptual ideas that needed to be operationalized; then things just fell into place. In 2019, the ecosystem is thriving with many companies – some multinationals, some home-grown, some scale-up companies – with active strategies, workforce recruitment, innovation and infrastructure creation, growth and commercialization. All these companies have trust and compliance needs that CyberNB can help by creating standards and certifications.

The Cybersecurity Team

CyberNB creates a feverish atmosphere of creativity and entrepreneurship. Tyson Johnson describes it as follows: “The team at CyberNB has a lot of fun. People are passionate about what they do, they believe in the mission, and every day when they get up, they come to work with the conviction of adding value to the province, of helping to shape policies that have an impact in other provinces and even in the federal government. They know they are making a difference.” This enthusiasm comes from CyberNB’s very mission which is to help everyone else succeed in cybersecurity. If it achieves that, by outcome, the economy of the province will grow, the GDP will increase and there will be a critical mass of operations throughout the province that will in turn continue to grow. Any company that belongs to the critical infrastructure community – whatever the size of the company - can become a member of CyberNB. No fees are required – only participation in the creation and development of the ecosystem. Foreign companies are invited to move to Canada. There are many virtual members from the United States, Canada, Europe and Asia, and many do come to actually settle in New Brunswick and open facilities in the province. CyberNB’s role is to align the short-term and long-term talent requirements of these companies to the curriculum education system and ultimately to the students coming out of these programs. CyberNB works with the universities and colleges as well as with the partners in infrastructures in order to make sure it has access to R&D laboratories.

Talent and R&D Initiatives

The cooperation between CyberNB and the education system is not limited to New Brunswick. It also covers universities and colleges from other provinces and from abroad. It involves coop work terms and R&D programs with college, undergraduate, graduate and postgraduate students. There are even grade 12 students who are highly successful in the national CyberTitan program. Some high school students are hired just after their graduation by major institutions like NB Power who previously had identified the best candidates through mentorship activities. Beyond Master and PhD graduates, there is a need for cyber trade graduates coming out of college programs that are immediately employable and fill this much-needed growth in the talent pipeline.

Tyson Johnson emphasizes the success of New Brunswick’s dynamic education environment: “CyberTitan is a national program, but 120 teams out of 190 teams that compete every year for adolescents in the country come from New Brunswick.” CyberTitan operates in affiliation with the US Air Force Association's CyberPatriot Program. It is focused on preparing middle and secondary school students with skills for the digital economy by creating learning opportunities for students to engage in hands-on simulated environments where they develop skills necessary to secure Canada’s systems. CyberNB strongly supports the CyberTitan program and has taken major steps to find new industries willing to become mentors for the students. IBM, Bulletproof, NB Power and many others mentor and train the CyberTitan teams from middle schools to high schools. “We have hundreds of students that participate every year in the CyberTitan program,” says Johnson, “and we have thousands of students who are introduced in the cyber curriculum every year and who are also active in our CyberDefence League, here in New Brunswick, leading the way in the country in the production of graduates who are pursuing careers in cybersecurity.”

Innovative Project

A major multi-industry project under way focuses on threat detection data sharing, as mentioned above. It is located in Fredericton and is called the Critical Infrastructure Security Operating Centre (CISOC) initiative. It uses machine-learning (ML) techniques and advanced artificial intelligence (AI) to identify new threat indicators across various sets of data. Johnson says: “We were fortunate to have Gartner shadowing the project. Its investigators were curious to see how the project would evolve and to verify if this could be used as a test model for innovation. We are now three to four months into this project and gaining steam with a great number of partners.” The CISOC initiative is already so promising that CyberNB is actually looking to replicate the project in Saint John, New Brunswick, and connect virtually the two operations to share more data. The second project will focus on supply chain logistics, oil and gas and natural resources. This new group of companies will set up a type of collaborative operations environment similar to the one in Fredericton, where they can develop new insights and share best practices.

Promoting a Canadian Standard

CyberNB has pioneered this field by bringing Cyber Essentials to Canada (CEC). Cyber Essentials is originally a UK government information assurance initiative that encourages organisations to adopt good practice in information security. The Canadianized version of Cyber Essentials includes an assurance framework and a simple set of security controls to protect information from threats coming from the Internet. In the short term, the main effort will be on business certification to ensure that SMEs have taken all necessary measures to ensure their cybersecurity. The federal government has already indicated its intention to promote the norm. The CEC certification focuses on compliance with five essential key controls, which can prevent approximately 80% of common Internet attacks. The five key controls are as follows:

- Boundary firewalls and Internet gateways – devices designed to prevent unauthorized access to or from private networks, but good setup of these devices either in hardware or software form is important for them to be fully effective.

- Secure configuration – ensuring that systems are configured in the most secure way for the needs of the organization.

- Access control – ensuring that only those who should have access to systems have access, and at the appropriate level.

- Malware protection – ensuring that virus and malware protection is installed and is up to date.

- Patch management – ensuring the latest supported version of applications is used and all necessary patches supplied by the vendor have been applied.

Right now, the CEC is the only government-backed and accredited cybersecurity certification standard in Canada. Cyber Essentials is cost-effective, and offers an easy-to-use toolset to monitor, verify, and measure any given company’s online security. Through CyberNB’s one-of-a-kind online platform, a company can monitor its progress, verify compliance, and measure its cyber risk levels.


CyberNB thinks the “cyber-certification” move will mature quickly and extend fairly quickly around the country to all sizes of business. On a longer term, digital standards will cover all sorts of products – such as electrical devices in private homes. There will be a development of the certification and standardization process that will go as far as defining what type of software and firmware can be used in these products. This will include a requirement for incorporating a rigorous level of cybersecurity in product design. Tyson Johnson sums up the trend as follows: “Security by design will be perceived as a matter of course and present in all components of innovation. If we can get there in the next five to ten years, we are off to a fairly good pace.”

Fighting Flawed Software

In the more distant future, the focus will be on digital law that will address the issue of flawed software requiring relentless updates and patching. For decades, the industry promoted the idea that software cannot be completely error and vulnerability free given the fact that these are complex systems designed and developed by people. Vendors use disclaimers that consumers rarely read, to excuse and exempt themselves from any responsibility or damage caused from the use of their products. The US has the Vulnerabilities Equities Process (VEP) which allows the federal government to determine on a case-by-case basis how it should treat zero-day computer security vulnerabilities; whether to disclose them to the public to help improve general computer security, or to keep them secret for military reasons. This is certainly not perfect, but it has the merit of existing already. The European Union has recently published a report that defines a framework for disclosing vulnerabilities that can cause significant damage [60]. Canada is moving in this direction also. To reduce (and ideally prevent) security vulnerabilities from being used in such attacks, new policies are required to manage processes by which the Canadian government would report flaws it discovers directly to vendors. In addition, the government should exclude from its tenders all companies that have been blacklisted for non-compliance and flawed technologies. “Responsibility is a word that needs to be more present in our cyberworld,” says Tyson Johnson. “Insurance cannot work without strict legal rules. For example, if an energy infrastructure had caused an oil spill because of the failure of a software that was unpatched because the oil company did not receive the patch in time: should the oil company be held responsible for the recovery costs, or the software manufacturer or the third-party patch firm?” To keep these types of problems from holding up already overbooked Canadian courts, the federal government must put in place and enforce the new articles of the law.

60. Erik Silfversten, William Phillips, Giacomo Persi Paoli and Cosmin Ciobanu, "Economics of vulnerability disclosure," European Union Agency for Network and Information Security (ENISA), December 2018, 73 pages.

Convert SMEs to Cybersecurity

The security environment for SMEs is becoming a priority. Tyson Johnson explains: “The incentives to support SMEs to become secure are essential. The means are diverse: tax credit, rebates on products and solutions, more favourable insurance premiums, better opportunity to compete on procurement bids for government contracts… Those means and many others are discussed at the government level. People are still trying to find out what is the right mix that would motivate the SMEs to become cybersecure.”

In general, cybersecurity must be forced on SMEs. The track record on cybersecurity adoption shows that profit-driven companies do not want to spend money if they do not need to. Tyson Johnson sees two ways to convince companies to be cybersecure: “Compliance to a certification regime is the preferred solution. Companies should be told they are not going to be allowed to do business anymore unless they are compliant to a recognized standard. The alternative is to wait for an incident to happen and have a major financial impact on the SME.” Critical infrastructure organizations are very different. They are already compliant on data management, identification authentication, privacy, etc. A lot of these organizations are already spending significant funds on cybersecurity because they understood from the start that an attack would have a potential major impact on their operations, their bottom line, stakeholders’ engagement, and shareholders confidence. More importantly, from a government perspective critical infrastructure is a societal requirement that the country needs to operate. This is why the government of New Brunswick focuses on critical infrastructure organizations: they are early adopters and innovators in cybersecurity.

The Sovereignty Issue

According to Tyson Johnson, “the long-term issue that critical infrastructure will face has less to do with skill shortages than with larger questions to be asked around sovereignty. What is the level of sovereignty in critical infrastructure that each country needs to have? This covers digital sovereignty as well. So, how do we ensure that the products and devices being installed and used in Canadian critical infrastructure are ultimately under the jurisdiction of the country? And is that feasible? Can we create enough Canadian technologies to fulfill the needs of our critical infrastructure? This also requires interoperability in communications between technologies. This is the kind of incredibly large issues we need to tackle.”

The old NATO alliance was created to make sure that like-minded countries did not have to build everything on their own and could leverage and work with each other. “Do we take the same approach on cybersecurity?” asks Johnson. “Or are we looking at a place where cybersecurity is so industry-driven and not government-owned that there are no borders anymore. In this case, what becomes digital sovereignty?”

If these issues are figured out by Canada along with a group of allied nations, this will necessarily have an impact on the manufacturing of products and technologies, testing and standards around them and how it all fits and works together to protect critical infrastructure. A lot of the physical products being installed in manufacturing companies are digitally enabled. These companies want products made with components which are sourced at the lowest possible price from anywhere around the world. If they agree to give up the procurement model, the price structure for consumers will be affected. But if they do not change the model, how will Canada ensure the long-term security of critical infrastructure? This is a difficult challenge that starts with a high-level strategy negotiation between countries and then would trickle down into the commercial world for execution and implementation.

Most of the equipment installed in Canadian utilities has an inventory of spare parts from all countries around the world. Tyson Johnson asks: “Have we run standards and Q/A on all of those products? How do we negotiate a supply chain security program that ensures that we trust and understand everything that is behind the covers, at the very least in our critical infrastructure? Getting even further into the weeds, if today a technology is trusted and tomorrow it becomes majority owned by an equity partner that is in a hostile country, do I have the ability to replace that product, is it a threat that I have to pay attention to, or can I carry on? The challenge is to adjust Canada’s critical infrastructure to that dynamic environment.”

CyberNB does not shy away from a complex issue. If Canada does not address these issues, they are going to show up and impact companies one way or the other. People can either face up to it and try to address the challenge now, or they become bystanders and will then have the decisions and policies of other nations and technologies thrust upon them. Johnson concludes the reasoning in this way: “There is a lot of hard work and unique math that nobody has done before and we need to figure out.”

International Cooperation

“Unfortunately,” says Johnson, “information sharing across governments and industries is not as strong as it is in the world of perpetrators who collaborate for economic benefit and share their insights for mutual gains. In the government world as well as in the commercial world, we tend to operate in silos and that cannot continue. If ever there was a reason to collaborate, the protection of infrastructure and cybersecurity across digital initiatives is probably the one area where even competing organizations can agree that they share a common goal of cybersecurity.” This is why CyberNB is involved in exchanges with several countries to provide a growing support to start-ups. So, it collaborates with the NIST program which is the framework for cybersecurity technology and curriculum of the Department of Homeland Security in the US. It also works with the Pôle d’excellence cybernétique in Rennes (France) and the National Cyber Security Centre (NCSC) in The Hague (Netherlands). There are tight links with AusCERT which is based at the University of Queensland in Brisbane, Australia. The common thread in all these initiatives is a common understanding of cybersecurity and a will to work cooperatively.


Desjardins Group

1 Complexe Desjardins, P.O. Box 7, Station Desjardins, Montréal, QC H5B 1B2
514-607-7459
www.desjardins.com

Contact: Jean-Sébastien Pilon, Senior Director, Information Security

Company established in: 1900
Headquarters: Québec City
Number of employees: 46,200
Main activity: Banking
Clients: Members, consumers and companies

Mission: To contribute to improving the economic and social well-being of people and communities within the compatible limits of its field of activity.

Strategy: Desjardins’s strategic priorities are to always do what’s best for its members and clients, show its cooperative difference, and harness the full potential of its cooperative group.

Means: Desjardins relies on a set of proven or new technologies to guide its growth towards full digitization and open banking.

Markets: Québec and other provinces in the insurance sector.

Cyber Issue: Facilitate the conversion of membership to virtual credit unions, on-line services and the use of the mobile phone applied to banking transactions.

Professional Experience

The role of creating a robust, agile virtual financial superstructure open to an ever-increasing number of members was entrusted to Jean-Sébastien Pilon. He holds a master’s degree in electrical engineering from the École Polytechnique de Montréal and has been working in the IT field for more than 20 years. At the beginning of his career, he started working in application architecture. With IBM and Desjardins, he acquired experience in technology exploitation, information security management and innovation enhancements. In 2015, he launched Desjardins Lab, an IT project born of collaboration between several business sectors and Desjardins.

In 2018, he founded CyberEco with Desjardins, the National Bank, Deloitte and the Rhea Group. Shortly thereafter, Université de Sherbrooke, Polytechnique de Montréal, Industrial Alliance and IBM joined forces. Mr. Pilon, founder and moderator, explains the objective: “CyberEco aims to bring together our major organizations in order to develop cybersecurity solutions, and thus ensure the development of a prosperous and secure economy”. This project is part of the Desjardins tradition of being a national technology showcase in Québec.


Organization of the Largest Canadian Financial Cooperative

Desjardins Group is the largest cooperative financial group in Canada and, with more than 45,000 employees, is the largest private employer in Québec. The financial cooperative can, in many respects, compete with the major Canadian banks. It has total assets of $295.5 billion and generates total revenues of $17.3 billion, including surpluses of $2,326 million after tax. The volume of its transactions is over $2.5 billion a year. It has 271 “caisses” and just under 2,000 ATMs. Its presence in the region is strong compared to that of historically urban banks. Mr. Pilon says: "The shift towards the virtual financial cooperative has been going on for ten years and is accelerating." Every year, the number of ATMs decreases, and it is expected that this expensive technology will disappear by 2028 and will be replaced by applications on the mobile phone [61]. Desjardins is all about digital and mobility innovation. It is even said that Desjardins is an "early adopter"; its goal is to attract millennials fond of technology by developing financial and banking solutions on several platforms: web, mobile, tablets and Apple Watch. Today, at Desjardins, this clientele is growing by 10% per year and now represents 25% of its clients. A survey in 2019 confirms Desjardins' progress with young people [62].

61. Peter Rakobowchuk, "Québec small-town mayors upset over plans by Desjardins to close ATMs", The Canadian Press, 27 February 2018. - Jean-Michel Genois Gagnon, "Quand les guichets tombent chez Desjardins", Le Nouvelliste, 27 February 2018.

62. "Desjardins: 2028, la fin des guichets automatiques", Journal de Montréal, 22 March 2018.

An IT Organization

Desjardins’ cross-platform and digitization leap is no surprise to anyone. In 1967, the company was the first in Canada to experiment with real-time remote data processing. Then, the cooperative invented the inter-cash register, the ancestor of mobility. Remarkably, Desjardins was the first in Canada to introduce the smart card. The IT division has 4,000 employees who manage the 1,300 specialized applications, as well as voice and data networks, software and cybersecurity. For its voice and data communications, Desjardins manages more than 5,000 kilometres of optical fibre across Canada, which allows it to operate its own office automation environment and a portion of its mainframe computers serving more than 45,000 workstations in hundreds of sites.

All the efforts of Desjardins’ cybersecurity department are designed to both protect assets and develop reliable solutions to reduce the number of incidents. Mr. Pilon explains: “Our digitization strategy foresees that all previously written documents will be simplified and virtualized. Clients will be able to complete the forms when they want and, if they want, they can chat with an online representative. Desjardins does not enter the virtual world simply for economies of scale. Rather, it is to give the client more power in operations.” Desjardins wants to go further: “Everything physical must be virtualized. It means ATMs, cash registers and also money.”

To achieve the goal of becoming all-digital, banks need the “fintech,” these small technology companies that innovate in virtual finance. Contrary to what one might think, these new competitors do not threaten the banks. Mr. Pilon explains: “The fintech are experimental spaces. Banks innovate but not like fintech do. For instance, a bank cannot transform itself into a financial laboratory. But, if fintech develops a core transactional technology, rest assured that all banks will be on the line to buy it, Desjardins also.”

Information Network

“Canadian banks meet once a month,” reveals Mr. Pilon. “At this briefing, we leave our competitive reflexes at the door. We exchange on current and foreseeable threats, on ways to circumvent them, and on correspondence with governments and regulators. Each of us wants everyone in the group to be safe. This is the best strategy to ensure our own safety.”

Benchmarking

When it comes to comparing the progress of banks in cybersecurity, Mr. Pilon states: “We are all at a good level, I know everything on the other banks’ IT, and they know about me thoroughly. We also measure ourselves regularly, we exchange our cybersecurity strategies, we borrow concepts or know-how. In short, the only difference between us lies in the choice of technologies purchased and the speed of their deployment.”

Partnerships

Desjardins recently announced a $1.25 million investment over five years for a research program in the field of cybersecurity and artificial intelligence (AI) at Polytechnique Montréal. Guy Cormier, President of Desjardins, comments on the partnership: “Cybersecurity has become a strategically important area of activity today, one that draws on our ability to innovate… By joining forces with Polytechnique, we will be helping our members and customers, both personal and business, manage their financial affairs in a secure environment. At the same time, we will contribute to the strengthening of a high-calibre Québec centre of expertise in cybersecurity and artificial intelligence.” [63]

63. "Desjardins and Polytechnique Montréal join forces for a cybersecurity research program", Polytechnique Montréal, 14 February 2019.

CyberEco

The imagination of fraudsters and hackers has no limits, and cybersecurity has become a sphere of economic activity with strategic importance, which requires the cooperation of a large number of stakeholders. It is in that spirit that a group of dynamic companies founded CyberEco. Mr. Pilon characterizes the project as follows: “The expertise we bring together within CyberEco will allow us to strengthen the pillars of the fight against cybercrime as well as initiatives in prevention.” CyberEco’s experts will focus on developing cybersecurity solutions. The new organization will also work on human behaviour, focusing on projects for the general public. Recently, CyberEco launched an application under the name of Protection “which allows the user to secure even better his mobile, which will be able to detect questionable e-mails or text messages.”

Louis Vachon, President and CEO of the National Bank and Founder of CyberEco, summed up CyberEco’s rationale: “A number of economic sectors are currently undergoing a digital revolution. To take full advantage of it, organizations need high-performing cybersecurity solutions. Whether to support business activities or create an environment that's conducive to business development, the benefits are numerous. Cybersecurity has also become a matter of national security, and this situation could become even more acute in years to come.” [64] At the launch of CyberEco, Desjardins and National Bank also announced the creation of a Research Chair in Cybercrime Prevention at the Université de Montréal.

64. "Creation of a talent and expertise collective in cybersecurity", National Bank Press Release, Montréal, 12 September 2018.

Lack of Talents

For Desjardins, the main obstacle in cybersecurity is human capital. “We are already lacking young specialists and in the coming years, the situation will get worse,” predicts Mr. Pilon. “At the same time, attacks are growing in number and complexity. There will be no truce. The problem is that cybersecurity does not seduce teens from the outset as the job of pilot or presenter on television. It is difficult to get them to choose to make their studies in cybersecurity.”


Difenda

1375 North Service Rd E Suite 102 Oakville, ON L6H 1A7 1-866-252-2103 www.difenda.com

Contact: Frank Post, Senior Director, Cloud Security
Data
Founded: 2018
Headquarters: Oakville
No. of employees: 45
Main activity: Cybersecurity services
Clients: All types of industries, the government and police
Mission: To help our clients improve their security position.
Strategy: Guaranteed innovation services and innovation.
Means: Develop creative projects to better serve clients.
Markets: Canada
Cyber Issue: Skill shortage. R&D time and resources.

Professional Experience

Frank Post studied computer systems and started his career as a programmer in the insurance company Markel International and discovered ERP systems, networks, client service and management. Then he moved on to Southam Newspapers who at the time had dailies and weeklies across Canada where he had the same responsibilities, networks and desktop management. After a year, he decided that network design, architecture and management were what he liked best. Consequently, after integrating the corporate law firm Torys LLP, Frank Post moved up the ranks to global management of IT, not only of the Toronto headquarters but also the offices in New York, Hong Kong and London. During his 10 years’ stay, he developed a keen interest in cybersecurity. As he explains, “Law firms are all about intellectual property. Some cynics say it’s all about the price of the page. The dangers come as much from the outside as the inside. Sometimes the same law firm can represent both sides of the same legal case. Ethical walls are put up to protect both in-house teams against tampering and loss of data. That was not really efficient and when the Internet became a business norm, things got even more difficult.” In and around 2000, Frank Post moved to professional managed services in the telecommunications industry, ultimately working in Rogers’ data centre. “Data centers at the time were ideal physical places for criminals to operate in. Thousands of clients shared the same network and we were asking ourselves: how do we keep it secure? How do you convince clients that no one will access their systems? Those were questions asked 15 years ago, long before malicious attacks had started.”


In 2015, working with the IT solutions provider Scalar Decision, Frank Post participated in one of the most exciting projects of his career, the Pan-Am games held in Toronto. “From July 10 to July 26, we were responsible for the protection of the networks and data centres. It was an intense positive experience, lots of camaraderie, but when suddenly everyone packs up and leaves, you’re left with your memories.”

Difenda's service offer

In 2008, Manoj Arora, a young Indian immigrant, created the company Difenda and with former military professionals created a varied clientele. Frank Post joined them in 2017. After ten years of operation, Difenda has 45 employees, and will soon open a second office in New Brunswick, in collaboration with CyberNB. Difenda's portfolio of services is very varied and, in addition, includes a SOC and two laboratories. However, Difenda does not offer network construction and infrastructure management services. If a client needs such services, Difenda refers them to specialized companies. Difenda is one of the few Canadian companies that offer the complete spectrum of cybersecurity services from security awareness programs, to consulting on incidents, security technology implementation, and 365 data, management, forensic and in-court representation. Frank Post explains that “For a company to build a SOC, the investment represents one million dollars. To run a SOC 24/7, you need 8 people, plus management and overhead. You must also buy the technology associated with the SOC. Whereas when a company imparts the service, it will pay according to the size of its organization: $3000 a month, $30,000 a month or $300,000 a month. The client has a warranty on the quality of the service.” Still according to Frank Post, “Our number one goal is to prevent breach. That’s what we promise our clients, but we also advise on the possibility of internal tampering.” Difenda transfers all of its client’s data to the cloud. Its specialists are familiar with almost all clouds, but its strategic partner is Microsoft.

Clientele

The young firm has a wide array of clients: banks, health care, manufacturers, service companies, mining, engineering, large transport infrastructure and also occasionally police forces. Difenda has chosen not to specialize in a specific vertical market. “Everyone needs protection,” Frank Post says, “even the big players in the cannabis industry are trying to protect themselves. But our most motivated customers are undoubtedly those regulated industries, like health, for example. They urgently need to protect the records of their patients. The second motivation is the fear of incidents. Highly motivated customers are those who have already been attacked and who have difficulty assessing the extent of the losses as well as the cost of the upgrade. They do not want to relive this traumatic experience.”

Difenda’s Forensic Laboratory

Difenda's laboratory is primarily based in the cloud. But the company also conducts physical examinations. Its services are required when a company that is the victim of an incident has to explain the situation to a regulator, be it the payment card industry (PCI) or a government agency. Unlike in criminal law, the victim must prove that he has taken all necessary protective measures.


As an official incident responder, Difenda has the obligation to process evidence in a secure physical facility. Frank Post explains: “In our lab we have a cordoned-off physical space that we named the forensic lab where we process evidence. When a client has been breached – we call it patient zero. We examine the impacted systems and duplicate the machines so that they are admissible as evidence in a litigation case. We need to maintain a chain of custody. You must prove to the Court that the system was not tampered with, that it was handled by professionals and that the duplicate did not alter the evidence contained in the original breached system. Generally, police security specialists are present at the forensic examination.”

Crisis Management

The breach-reporting procedure is the same for most companies. First, they call their insurance company, then the police, then if needed the regulators and finally the IT experts. Today, almost all large and medium-size companies have a crisis management plan.

Academic Cooperation

Difenda works actively with some community colleges from a resourcing perspective. Colleges have more readily embraced the practical nature of cybersecurity than universities have. They created a curriculum and offer a two-year cybersecurity certificate. Frank Post states: “That is why we are working with Sheridan, George Brown, and Seneca who have developed coop programs. We hire interns and that gives the students a practical experience and for our part we gain a lot from them. We also have relations with the University of Waterloo (Ontario), Concordia University (Québec) and UNB (New Brunswick), and we engage in projects with leaders from the community sector like CyberNB.”

Difenda’s Projects: Orchestration and Automation

Difenda’s first large project is code-named Orchestration and Automation. The basic idea is that cybersecurity issues will grow exponentially with the arrival of IoT. According to Difenda, the only solution is automation, artificial intelligence (AI), machine learning (ML) and other advanced technologies. Automation will also reduce the need for specialists in the control room by more than half. Therefore, Difenda has reallocated its resources to pursue that project.

Difenda’s Projects: Information and Security as a Service

Information and Security or InfoSec is a subset of the Orchestration and Automation project. Frank Post’s vision is to offer his clients a virtual state-of-the-art Command Centre with varied services – risk management, governance, compliance, HR, supply chain, financial risks management, and growing responsibilities. “In other words, all of our clients’ systems would converge on one platform and protection services would be automated. Data in the cloud and all protection services would be automated. Economies of scale and the automated nature of the service would directly benefit the customer. Difenda would then become the CIO and the CISO of its clients.”

Difenda’s Projects: New Brunswick Command Centre

The third project is related to CyberNB's mission to secure critical infrastructure.


Difenda will act as a hands-on partner in the creation of a SOC model and will open a command centre in Fredericton – five new high-level jobs will be created. The provincial government considers the project a strategic investment in the New Brunswick Economic Growth Plan. Like many senior CISOs, Frank Post estimates that New Brunswick has done everything right for the development of a sustainable IT environment. He believes that infrastructure can take advantage of this favorable economic and technological space: “An infrastructure that is connected can be breached. Infrastructures have legacy issues. They have management and HR issues. The smart grid Kiev attack has not yet sunk into people’s minds. It’s normal because most critical infrastructure wrap themselves in a shield of secrecy, for ‘security reasons’, they say. Of course, critical infrastructure is regulated but the security standards are minimal. These problems must be fixed. We owe it to further generations.”

Fixing the Skills Shortage

At the moment, there is an inflationary spiral on talent in the marketplace, says Difenda’s Senior Director: “I pay my skilled staff more and more to retain them. SMEs cannot pay those types of salaries, but they can create an internship. Why doesn’t the government reward the companies that are taking time and money to train the future CISOs? Why are companies and start-ups not encouraged?” Frank Post has four more recommendations:

- The governments should entice and fund colleges to create a fast-track certificate in cybersecurity. Tuition credits and internships are practical and fruitful actions.

- The critical infrastructure ecosystem could assume the role of a college, train young people to the level of the Cybersecurity Essentials Certificate and give tuition credits in collaboration with an accredited college.

- The government has a tremendous responsibility to improve security in Canada. It can do it in a number of ways, but the PCI model is inspiring. How it works: Retailers cannot obtain a credit card service if they are not compliant with a set of strict rules defined by the Data Security Standard (DSS). PCI is thus an enabler of robust cybersecurity. Critical infrastructure can play that role if they are given the resources to do so and as a result the perimeter of their ecosystem is strengthened.

- The Cybersecurity Economic Development Plan of New Brunswick should be read by all provinces and the federal government.


In-Sec-M

283 Alexandre Taché Blvd. Suite F3006 Gatineau, QC J9A 1L8 819-743-8987 https://securityinnovationmarketplace.com

Contact: Antoine Normand, President
Data
Founded: 2017
Headquarters: Gatineau
No. employees: 4
Principal activity: Monitoring and animation of a network of SMEs in cybersecurity
Members: + 40
Mission: Support cybersecurity SMEs on their way to growth by developing projects in Canada and abroad.
Strategy: In-Sec-M intends to increase Canada's level of security by leveraging the ability of its SME members to increase their strength and influence.
Means:
- Inform companies of development programs at each level of government.
- Establish channels of collaboration with infrastructures and universities/research centres.
- Create business opportunities.
- Create a participatory space for alert notification and resolution.
- Develop international markets.
Markets: Québec, Canada, the world
Cyber Issue: Reclaim Canada’s national digital space.

Professional Experience

When he finished his law studies in 1995, Antoine Normand did not pursue a legal career, but rather he created Cactus, a website design company. In 2010, after selling it, he entered the world of cybersecurity and bought Bluebear, a company specializing in the development of data management software for police forces. Antoine Normand explains: “From the beginning of my career in data management, I was made aware of the criminal use of data. As soon as the Internet started to be commercialized in 1995, I realized that there could be no Internet without cybersecurity.”

Antoine Normand's commitment to cybersecurity led him to accept the presidency of In-Sec-M, the first digital centre of excellence in cybersecurity, as a volunteer. “I work double time. I am still President of Bluebear and I contribute to the growth of In-Sec-M.”

Background Information

In-Sec-M is a non-profit organization with a national mandate to promote the cybersecurity industry in Canada. The organization has four full-time employees.


The main objective of the new organization is to find all possible ways to accelerate the growth and innovation of small and medium-sized cybersecurity companies. Antoine Normand looks even further ahead: “The aim is also to help SMEs to forge strategic alliances between themselves, so that they can bid on large security contracts.” With a start-up capital of one and a half million dollars, In-Sec-M plans to offer many services. For example, it will allow SMEs to have access to key players in the cybersecurity industry, which will be grouped in one place; to support cybersecurity companies in their start-up; to create links between solutions-oriented companies, cybersecurity experts and workers; to organize exhibitions and conferences to define industry issues and innovate possible solutions; to support various R&D sectors to better secure emerging technologies; to encourage foreign companies specializing in cybersecurity to establish themselves in Canada and to promote the establishment of data protection centres. In-Sec-M innovates. NRC will contact In-Sec-M when companies hosted by the R&D organization need advice. Each contract represents approximately 20 hours of technical advice in any cybersecurity field of application. Public Safety Canada authorizes these collaborations and pays for them.

An NRC Initiative

The history of In-Sec-M is only a year and a half old, but the organization already has a history, as Antoine Normand explains: “It was NRC's Manon Gaudet who asked me to create the In-Sec-M organization after she completed a Canadian consultation tour of cybersecurity companies. From east to west, people said that Canada's cybersecurity is in the hands of foreign companies. In addition to the billions of dollars leaving the country, there is the thorny question of our sovereignty in the event of conflict. The solution to this problem is not easy because the Canadian cybersecurity industry lacks experience. We have to make a move in the hope of creating champions in a few years' time. In-Sec-M is part of the answer and, in the long run, we would like In-Sec-M to shine and innovate as do well-established clusters such as MaRS Fintech or Aéro-Montréal and CRIAQ.”65

In-Sec-M is part of the movement of digital centres of excellence created as part of the Digital Economy Action Plan of the provincial Ministry of Economy and Innovation. They are intended to foster the development of promising areas associated with the Québec ICT sector in order to facilitate the creation and commercialization of digital business solutions and to accelerate the development of SMEs and start-ups in these areas. In addition to companies, In-Sec-M members maintain close ties with the Centre de recherche informatique de Montréal (CRIM), the Polytechnique, the Université de l'Outaouais, and several colleges, of which specifically the Cégep de l'Outaouais, not to mention associations such as Prompt. “We have very close ties with Prompt,” says the president. “Recently, we have assisted them in identifying companies that have a promising project to develop. Prompt makes the link with the academic community and our objective is to ensure that cybersecurity is up to the challenge rather than slowing it down.”

In-Sec-M also helps universities and research centres to promote their research projects. Conversely, many of them are present on the In-Sec-M Board of Directors. Antoine Normand notes: “Although the cybersecurity industry is still weak, our research centres are renowned throughout the world. Take researcher Gilles Brassard from the Université de Montréal who has distinguished himself in quantum cryptography. His theory uses the laws of quantum mechanics to generate a "secret key" to decipher coded messages. This is a real revolution in the world of data protection.”66

65 MaRS Fintech is part of MaRS Discovery District, a not-for-profit corporation founded in Toronto in 2000. Its initial goal was to commercialize publicly funded medical research, hence its name Medical and Related Sciences (MaRS). It has since abandoned this focus and expanded its activities to four sectors — cleantech, health, fintech and enterprise software — where the potential is greatest to build high-impact companies that strengthen the economy. The Consortium for Aerospace Research and Innovation in Québec (CRIAQ) is a non-profit organization (NPO) created in 2002 with the financial support of the Government of Québec. Its mission is to increase the competitiveness of the aerospace industry and improve the collective knowledge base in this sector through better student training.

In-Sec-M was first funded by the new Digital Centres of Excellence program of the Government of Québec, as well as the federal government. Antoine Normand’s first step was to organize meetings with Canada's cybersecurity leaders. As a result, innovative companies were able to present their products and services to the Canada Centre for Cyber Security, National Defence and Shared Services Canada. At the same time, SMEs were invited to apply to vertical industry associations, such as finance or aerospace. Antoine Normand explains the action plan: “In addition to the support work, we also make representations to organizations mandated to manage government procurement. For example, we would like Shared Services Canada to promote SMEs with fewer than 150 employees in its calls for tenders and cybersecurity procurement policies. It should never be forgotten that cybersecurity and the field of artificial intelligence (AI) have the highest multiplier rate of all industries.”

Canada's amazing technological adventure in cryptography

How to transmit an encryption key between two remote interlocutors with demonstrable security? Currently, it is necessary to use a physically secure transmission, such as a diplomatic bag... Quantum cryptography transmits information between the two interlocutors using quantum objects and using the laws of quantum physics and information theory. This key, known only to the sender and receiver, is impossible to crack. The complex technique uses the quantum properties of photons travelling in laser beams. Anyone who tries to intercept such a key leaves a trace and betrays himself. As this key does not travel well in optical telecommunications networks, it is preferable to keep it in a satellite. The quantum key is generated on earth and then sent to a satellite, from where it can be used from any place on earth. To everyone's surprise, this Canadian discovery is already being exploited in China, where a satellite was launched in 2017 to establish secure quantum cryptography communications in the banking and insurance industries. Theft of scientific data or legitimate scientific exchanges? In any case, the Chinese acknowledged their debt to Professor Brassard by awarding him the Micius Prize in May 2019 – jointly with American researcher Charles Bennett. Canada responded by announcing the Quantum Encryption and Science Satellite (QEYSSat) project. Honeywell has just been awarded a contract from the Canadian Space Agency to launch this cryptography satellite in 2022.

66. Russell Brandom, "Chinese scientists have built the first quantum satellite network," The Verge, 15 June 2017. Mathieu-Robert Sauvé, "La Chine récompense Gilles Brassard pour son rôle dans la révolution quantique," Le Devoir, 3 May 2019. Press release, "Advanced encryption technology to secure online communications on Earth to be tested in space," Canadian Space Agency, 14 June 2019.

Future Projects

To help cybersecurity SMEs grow, In-Sec-M has launched an international marketing assistance program. Says Antoine Normand: “When you group SMEs together, the costs of a trade mission are lower. Opening doors is easier for us. In addition, entrepreneurs who join these trips can benefit from interactions within the group.” The other major In-Sec-M project aims to create in solution mode the equivalent of what the Canadian Cyber Threat Exchange (CCTX) does in alert mode. Indeed, the CCTX offers a threat or attack alert service for critical infrastructure. Antoine Normand states: “The CCTX has no equal in detecting threats and transmitting information. We want to add a solution component to this business model. We want to explain to SMEs the measures to be taken and, if necessary, refer them to a member of In-Sec-M. We are in the process of discussing with Public Safety Canada to create a solution for SMEs across Canada. In short, the CCTX deals with problems and we deal with solutions.”

The Future of Cybersecurity

In-Sec-M considers two futures. The first, in the short term, is to correct and reverse the brain drain, money drain and sovereignty drain. “The days when Canada could hide behind its ethical image are over,” says Antoine Normand. “We are a privileged target just like the United States. At the same time, we are placing our security in the hands of foreign companies that do not always have Canada's best interests at heart. In short, the future is about the urgent need to reclaim our national digital space. Otherwise, there might be no future at all.” Antoine Normand points to possible solutions: “We must invest more to secure our research centres, our universities and our SMEs. There are many ways to do this. For example, SMEs should be able to write off the full cost of Canadian-based cybersecurity products and services. This would achieve three goals: to increase their security, to increase the security of the Canadian economy and to increase our national capital and assets in this area.”


Industrial Alliance

1080 Grande Allée W PO Box 1907, Station Terminus Québec, QC G1K7M3 418-684-5000, #101827 https://ia.ca

Interview: Olivier Caré, Head of Digital Information Security
Basic data
Founded: 1892
Headquarters: Québec City
No. of employees: 5,000 employees and 25,000 representatives
Principal activity: Financial services and insurance
Clients: 3 to 4 million consumers and companies
Mission: Industrial Alliance Financial Group wishes to support its clients and help them understand the world of insurance and financial services so that they can make the right choices in achieving their objectives at every stage of their lives.
Strategy: More than an insurance company, Industrial Alliance is also a key player in the industry by offering a wide range of financial services.
Means: Meet the financial and insurance needs of its customers in North America.
Markets: Canada and the United States
Cyber Issue: The complexity of bringing together legacy and new technologies as well as the upgrading and integration of newly acquired business systems.

Professional Experience

Olivier Caré graduated from the French engineering school ESTACA as an aeronautical mechanical engineer, but he has never built an aircraft because his career path led him to IT. While he was finishing his studies, a friend convinced him to set up an IT service company for SMEs. Ten years later, Québec International organized meetings in Paris to recruit engineers for companies located in Québec. Olivier Caré had the right profile. He agreed to immigrate on condition that he had a secure job upon arrival. Industrial Alliance, headquartered in Québec City, hired him. Shortly afterwards, he left France with his wife and two sons.

Olivier Caré sums up his career in Canada as follows: “I started at Industrial Alliance at the bottom of the ladder in 2014, whereas in Paris I held management positions. In the first few months, I was working as a project manager. I didn't experience it as a demotion though. Quite the contrary, this allowed me to adapt smoothly to both the company and Canada. Industrial Alliance had already made the transition to process digitization and Big Data bank management. There were many challenges. I was quickly promoted to RSIN.”

Background Information

Industrial Alliance offers life and health insurance products, mutual and segregated funds, savings and retirement plans, securities, auto and home insurance, mortgages and auto loans, as well as other financial products and services for individuals, businesses and groups. Industrial Alliance is one of the four largest life and health insurance companies in Canada and one of the largest public financial companies in the country. Its shares are listed on the Toronto Stock Exchange under the symbol IAG. Overall, Industrial Alliance's portfolio of services includes more than 100 applications, some of which are more than 40 years old. IT management is complex because of the multiplicity of systems acquired decades ago, the diversity of products, the multiplicity of physical sites in Canada and the United States, as well as the number of people who have access to the network and the financial and technological regulations of the various markets served.

Company Profile

Industrial Alliance has more than 4,000 servers coupled in redundancy and located on several Industrial Alliance sites. There are also outsourced servers. The superposition of protective layers and the multiplicity of different actors favour a strategy for the development of a hybrid SOC. Some functions are managed internally, and others are outsourced. Data that could lead to conflicts of interest are outsourced to SecureWorks, a Dell subsidiary. Olivier Caré explains the outsourcing process: “We want to favour local partners, but some tasks are better performed by large firms with a lot of experience, such as CGI, KPMG, PWC and others.” The trend today in the service industry is to create an enriched customer experience. This translates into open networks and easy, almost intuitive ergonomics. Caré underlines the difficulties of the operation: “It is a great objective, but we must not forget that we are dragging legacy equipment. If we erased everything that exists and started over, it would be easier. At Industrial Alliance, the issue is the forced marriage of the old and the new.” Industrial Alliance has 1,200 IT experts located across Canada and the United States. Their task is to ensure the proper functioning of the systems while modernizing management through the use of robots and artificial intelligence. As Industrial Alliance pursues an expansion strategy through acquisitions, one of the major IT challenges is to integrate the systems of the various companies. The goal is to automate as many functions as possible. Olivier Caré adds: “We need to integrate very quickly to accelerate the amortization of new acquisitions.”

Cybersecurity Team

In 2016, the cybersecurity issues were such that senior management decided to create a separate cybersecurity entity, but without changing complementarity practices with the IT division. Industrial Alliance's cybersecurity team is the largest in Québec City: nearly 100 specialists are responsible for the integrity of the company's data, employee data and representatives. Olivier Caré explains this number: “We have about 35,000 workstations to monitor. In addition, there are third parties, Industrial Alliance's partner companies that have the freedom to access the data and the nearly four million customers who access it in real time. Industrial Alliance's ecosystem is vast to manage, monitor and protect.” Industrial Alliance does not sell cybersecurity insurance coverage. However, it protects its clients by providing training, advice and even helping them when they are in danger. Paradoxically, Industrial Alliance itself has been covered by cybersecurity insurance for the past ten years or so. The CISO explains what appears to be an anomaly: “Cyberinsurance is not new to the market even if many suddenly discover it. Some companies were already selling them in 2000. We don't sell it yet, but I believe that anyone doing business on the Web should take out insurance and protect themselves. And we are no exception.”

Attacks

Industrial Alliance has never suffered any serious attacks. As a financial institution, in the event of a crisis, the list of stakeholders to whom we would be accountable is long. Olivier Caré comments: “Some of our customers, such as Bombardier, for example, require their IT team to work with us to assess the damage, if any. Then you have to report to the Autorité des marchés financiers (AMF), as well as to the Office of the Superintendent of Financial Institutions (OSFI), the Privacy Commissioner, not to mention the Investment Industry Regulatory Organization of Canada (IIROC), all the institutions that oversee the distribution of financial products and also to a large number of regulators in the United States. That's a lot of people. If only for that reason, it is better not to have any incidents!”

Information Sharing

In the world of financial services and insurance, there have always been associations dedicated to sharing information. These networks are evolving. They become places for sharing joint projects. Says Caré: “We pool our resources and carry out projects together. For example, Industrial Alliance has just joined CyberÉco and we will
probably carry out cybersecurity projects with them.” Every year, Industrial Alliance welcomes university interns. In 2019, it hosted eight cybersecurity interns. For many years, Industrial Alliance has been working closely with the University of Chicoutimi. “That's not all,” adds Olivier Caré, “we're looking for young companies that are working in the field of Big Data processing solutions or process automation to explore what we could achieve together.”

Lack of Standards

Olivier Caré worked for several years in France as head of industrial quality. This concern for quality has not left him. He notes that “In Canada, as in most countries, there are no established standards on minimum data protection requirements. In addition to the lack of standards, the market produces software that has flaws, and these companies are not being prosecuted.”

Labour Shortage

The shortage of skilled labour is permanent. Olivier Caré talks about his experience in this area: “I have positions open in Montréal since 2016 that are still unfilled. There is a critical shortage of IT experts. Competition in recruitment is intense. Of course, artificial intelligence and robots will be a valuable contribution, but in the end, it is a human being who must make the decision.” Finally, there is the issue of the lack of skills of some CISOs. Olivier Caré has an explanation: “University degrees in cybersecurity are recent. The majority of cybersecurity experts already on the market do not have any theoretical training. They learned on the job. They parasitize the market and cost
companies millions of dollars. Sending them back to school when they are 50 or 60 is not an option. But the obligation to pass a professional certification should be required.” Still in the area of human resources, Industrial Alliance believes that it must do its utmost to avoid mistakes and prevent deviant behaviour internally. Caré explains: “The great vulnerability in cybersecurity today lies in the human element. More than 80% of attacks come from phishing e-mails. Normally the employee should have stopped the e-mail and not opened it. After years of training campaigns, we are seeing progress. Today, if an employee doubts an e-mail, he or she sends it to the cybersecurity department for processing. We distribute awards to employees to highlight the importance of cybersecurity.”

Evolution of Cybersecurity

There are many possible futures. “For me,” concludes Olivier Caré, “it is the customers, employees and representatives, who define the future. Our role is to serve them. Technology must make their lives easier. At the same time, our systems are becoming more open and in demand, attacks are accelerating, and solutions are multiplying without any assessment of their quality. So, we aim for a balance between the open and the protected. The trend today is to digitize processes, open platforms as much as possible, enrich the customer experience and protect everything. A balance must be found among these contradictory forces.”

Kryptera Technologies

233 Corrie Cres Waterloo, ON N2L5W (519) 725-1590 https://kryptera.ca

Contact: Richard Evers, President and Alastair Sweeny PhD, VP, Business Development

Data:
  Founded: 1987
  Headquarters: Waterloo
  N. of employees: <10
  Main activity: Cryptography and security consulting
  Clients: Medium to large organizations

Mission: To rapidly minimize the risk of stolen files resulting in leaks and improper use.

Strategy: Kryptera cannot guarantee freedom from hacking and theft but will guarantee that stolen encrypted files are secure from breakage and useless once outside of the environment they were stolen from.

Means: Kryptera self-manages private keys in a manner that fully protects private keys, processing many files at the same time. It supports a queuing system where files, including directories containing files, can be continually added and processed as internal resources are made available.

Markets: Critical infrastructure and medium-size companies

Cyber Issue: The company has two new high-speed mass encryption servers ready for market.

Professional Experience

Kryptera CEO Richard Evers has been a technology developer since his teens. He edited and then published Transactor and Transactor for the Amiga magazines (Bill Gates was a subscriber). Richard has extensive experience as a software architect and developer, network architect, server administrator and database architect and administrator. He owns several technological patents and is the author of several books. Alastair Sweeny has worked for Apple, Microsoft, and many Canadian governments and private sector organizations. He is the author of several business histories, including “BlackBerry Planet” (Wiley 2009), the first book on Research in Motion.

Richard Evers and Alastair Sweeny have worked together since the late 1980s. They met while Richard was editor of Computers in Education magazine. Richard and Alastair jointly developed Canadisk, Canada’s first multimedia CD-ROM, for the Ontario Ministry of Education and Britannica Learning Materials. They followed this up by developing Canada’s first digital textbooks. Richard developed the Termium terminological database for the Secretary of State for Canada, which has become a global standard. He also produced the leading edge ArtyArt platform for artists.

Background Information

Kryptera Technologies was founded in 2015 to market Kryptera products. The original company, Northern Blue Marketing Inc. was founded in 1987 to market Richard Evers' software and services. Kryptera's technological innovation significantly improves the encryption/decryption process, which is so crucial to protecting digital assets. Being able to encrypt entire directories at once, in which each file is encrypted separately, is a huge time saving.

Why Encrypt?

Robert Masse, partner at Deloitte’s Enterprise Risk Services, recently commented that cyber-attacks “are always happening and the relentlessness of each break-in becomes greater. We have to swallow our pride and say to ourselves: we will be hacked, no matter what we do.” Alastair Sweeny shares this view: “Companies can spend millions of dollars to secure their servers, but they are still at risk of using software that can be infected. Risk factors are changing. Recent studies also show that over 60% of attacks now come from internal actors.” Attackers will introduce errors into the source code or discover errors that already exist. Once this happens, sites are quickly compromised. And because most sites use client and server-side scripts, the attackers have the privilege to run commands on the client that could fully compromise the server, and all servers that are connected. Most sites fail to safeguard command line extraction of their site software and resources. Many also rely on open-source products, which attackers also use to identify weaknesses for their attacks.

There are no safe havens. Some seek refuge in the public cloud. In April 2019, researchers Ran Locar and Noam Rotem discovered an unguarded 24-gigabyte database hosted on a Microsoft cloud server, which included the names, addresses, and income for more than 80 million US households.67 Others see salvation in blockchain technologies or in AI and machine learning, but these also show major vulnerabilities, as cyber criminals are also using AI. Some believe that future quantum computing will protect organizations from cybercrime, but salvation is a long way off. Kryptera founders argue that foolproof protection can ONLY be accomplished by the use of unbreakable mass encryption, combined with ongoing backup of encrypted files in an off-network storage space, all carefully protected by a firewall and rigorous protocols.

67. Liam Tung, "Details on 80 million US households exposed by unprotected Cloud database," ZDNet, April 30, 2019. Noam Rotem and Ran Locar, security researchers at vpnMentor, an Israel-based site that reviews VPN products.

Products

Kryptera Technologies has recently developed two products under the names Enterprise and Mirage, which, unlike traditional key management systems, offer high-speed encryption of one or more files at a time. Both product lines have several common features and can be configured to automatically encrypt and decrypt online files. The Enterprise solution is highly customizable, while the Mirage solution is faster. The latter is designed to encrypt extremely large files such as post-production videos, CCTV streams or database backups. It is possible to create secure nodes and a document control system that can eventually manage backups and unsecured workstations. File backups must always be encrypted,
because backups can also be stolen. In addition, with the company’s technology, continuous mode encryption of all desktops becomes possible. Enterprise and Mirage solutions are ready for commercialization and are custom-built. The consumer and IoT versions are under development and will be launched by 2020.

Potential Market

Kryptera is targeting medium to large organizations who are unable, unwilling, or can’t afford, to encrypt all their digital data because of the difficulties associated with existing encryption solutions. Some large companies manage millions of keys configured in multiple formats. Lifecycle management of the key management system (KMS) is costly and even dangerous, as some keywords are sometimes transmitted in plain text. Financial institutions are one potential market where the enterprises can not only better safeguard their digital assets by encrypting before backing them up to the public cloud, but also provide customer-centric encryption services – digital safety boxes – as a way to engage and retain brand loyalty. Kryptera IoT and consumer versions will be available in 2020 and include many proprietary and patentable features.

Kryptera Current Situation

During the month of August 2018, Kryptera’s new Mirage technology was tested and validated with the help of CENGN – Canada’s Centre of Excellence in Next Generation Networks. Kryptera Mirage validated its blazing speed and efficiency in operating with directories and masses of very large files. The fastest server-side processing time for Kryptera Mirage was 1.63 billion bytes/second when decrypting 12 files of 25 GB each. Since
then, the entire code base has been refactored, making our products far faster, more secure, far more efficient, and capable of passing a security audit without difficulty. Kryptera just ranked very highly as a participant in the Department of National Defence IDEaS program, with its proposal to use Mirage for “Mass encryption and verification of full-motion video integrity.”

Vendor’s responsibility

Many corporations use old versions of Windows, or customized versions of Linux, because they want to keep their costs as low as possible. According to Richard Evers, “Old versions of Windows are plagued with security holes, and Microsoft will not provide security patches. Worse yet, every Windows update requires rebooting the hardware, which results in downtime, and can also result in the underlying hardware no longer working because Microsoft failed to test their updates – they fired their QA staff long ago... In addition, custom versions of Linux cannot generally be updated, as a security update must be performed using a known operating system. Almost all IoT devices have major safety problems when they are released.” But software vendors are not the only ones responsible. The current transition towards a connected environment aggravates the situation since the OT providers are generally not inclined to inject security features into their products. Richard Evers explains: “IoT hardware that is sourced from cheap sources such as China has major problems with default accounts and passwords being hard-coded into the boards. I don't know of any IoT devices that have properly configured or even installed firewalls. Taken as a whole, this has led to an endless series of cyber-attacks that use compromised IoT devices.”

Ontario Provincial Police (OPP)

Lincoln M. Alexander Building 777 Memorial Avenue Orillia, ON L3V 7V3 (705) 329-6111 www.opp.ca

Contact: Dave Quigley, Bureau Commander at Ontario Provincial Police

Data:
  Founded: 1792 (First Parliament – Upper Canada)
  Headquarters: Orillia, ON
  N. of employees: 5,700 uniformed officers, 700 auxiliary officers, and 2,600 civilian employees
  Main activity: Policing
  Clients: Provincial, Canadian and international policing communities

Mission: Committed to public safety, delivering proactive and innovative policing in partnership with our communities.

Strategy: Continuous learning / Respectful relations / Accountability / Fairness, courage and caring / Diversity

Means: Training employees, exercises, cooperation with national organizations such as the RCMP and Defence Canada and development of key technologies such as artificial intelligence and enhanced database solutions.

Markets: Provincial, Canadian and international policing communities.

Cyber Issue: Mobilizing all employees to participate in the cybersecurity effort and detect amongst the different internal police groups deviant intentions and acts.

Professional Profile

Dave Quigley graduated from Nipissing University in 1998 and a few years later from Waterloo University. His first job was to teach forensic investigation at Seneca College. Then he joined the Ontario Provincial Police (OPP) in the Criminal Investigation Branch. In 2016, after 3 years in the Human Resources Bureau, he was promoted to Chief Security Officer, in the Security Bureau. In 2018, he received the Governor General's Medal of Merit in recognition of his contributions to Canadian public services.

Organization

The OPP is the largest police force in Ontario and the second largest in Canada. It is responsible for providing policing services throughout the province in areas lacking local police forces. It also provides specialized support to smaller municipal police forces, investigates province-wide and cross-jurisdictional crimes, patrols the provincial highways, and is responsible for law enforcement on many of the province's waterways. The OPP has 330 facilities, 9,000 employees, plus a group of 1,000 active
volunteers. All the workstations are equipped with digital capabilities. The vehicle fleet consists of 2,290 vehicles that are now advanced workstations with mobile equipment and cameras all connected to headquarters and to the RCMP. The OPP also has to manage the upkeep of 114 marine vessels, 286 snow and all-terrain vehicles, two helicopters, and two fixed-wing aircraft. Administratively, the Ontario Provincial Police belongs to the Ontario public service network but given the uniqueness of OPP’s mission, the service is segregated. The OPP is responsible for providing policing services over one million square kilometres (390,000 sq. mi) of land and 174,000 km² (67,200 sq.mi) of water, to a population of 14,446,515 million people.68

IT and Cybersecurity Organization

Commander Dave Quigley manages the Communications and Technology Services Bureau of the OPP (a position equivalent to that of CIO), which means: 200 IT specialists, the communications bureau (dispatch), the recently transferred data group, the communication centres, the large police database, and other specialized services. In total, this represents 1,100 people, all working in IT in one way or another. The CIO and CISO functions are separated and both report directly to the Deputy Commissioner – Traffic Safety and Operational Support. One must not rely on organizational figures. Indeed, the number of specialists in the cybersecurity unit may seem small for an organization as important as the OPP. In practice, the rules of the division of labour rely on cooperation. Thus, depending on the nature of the incident, the CISO may call upon the IT specialists in the Office of Communications and Technology Services or other specialized digital units, while remaining primarily responsible for operations. The IT Investigation Unit has the skill set to respond to an incident and, using forensic practices, often succeeds in identifying hackers. The OPP cybercrime unit is the service to which companies or individuals turn when they encounter a major breach. The matter is then brought to the high-level Security Committee of which Dave Quigley is a member. “In fact, our organization is quite simple to decrypt. The Security Bureau is inward-looking and takes care of the OPP’s daily operations. The Investigation Bureau is outward-looking. They deal with crime and have forensic capabilities which my team does not have.”

68. OPP’s website: https://www.opp.ca/index.php (last consulted on 30 October 2019).

Cloud Computing Migration

Dave Quigley lobbied senior management to modernize the IT posture of the OPP. He won a first battle with the migration of some of OPP’s data to the cloud. Then the cloud began to be the object of intense discussions in the force. Dave Quigley explains the OPP culture: “My predecessors would never have accepted to give the organization’s data to non-police or non-military third parties. Even now, some are still opposed to the cloud but we’re going forward.” According to estimates, the data overhaul to the cloud would take more than a year to complete.

Partnerships

When possible, the OPP prefers partnerships. For example, after evaluation, the OPP decided not to build its own SOC but to
partner with the Ontario Government to share the equipment and facilities of the province’s mature SOC. As a result, every day, a team of OPP IT specialists shows up for work in the government premises that house the SOC. The benefits for both parties are important: hardly any overlap in equipment, software and applications, and a great deal of information and know-how shared between the groups. The OPP is also connected to many executive groups like the National Police Information Systems (NPIS), which interacts with police forces across Canada. The NPIS hosts the National Advisory Committee, whose mission is to set standards in regard to police databases. A third national committee works on cybercrime investigations. The OPP is present on all national committees and is also linked to National Defence, which offers special training to police executives.

Attacks

The OPP has suffered many disagreeable cyber-attacks (loss of data, defacing, etc.) but “none massive to the point where it would interest the media,” says the Commander. When an incident occurs, the OPP follows best practices: a contaminated desktop is isolated, cleaned and rebuilt. Dave Quigley frequently reviews the OPP’s security risks, and the result of his work is surprising. “Our biggest risk is not the hacker working on the outside, it is the insiders who have criminal tendencies and can access our networks with impunity. The shift to cloud computing is not going to help me resolve this issue.”

R&D

Besides the cloud migration project, the OPP wants to add intelligence to its Big Data database. Talks with the RCMP and DND are ongoing to share an R&D program on the analysis of Industry 4.0 databases.

The Future of Cybersecurity

Dave Quigley is optimistic about the evolution of cybersecurity: “Remember that 10 years ago, the public and private sectors gave little credit to this activity. Many people said that this was a source of unnecessary expense. Cybersecurity will become increasingly important in the coming years. Each institution will use it to protect itself, but also as an argument to gain the public's trust. My colleagues from the CIOCAN Ontario Chapter say that until not so long ago, a CISO could not sit on the executive committee. At present, many CISOs are senior managers. You no longer need to promote cybersecurity. Senior management is aware of the issues.”

Public Safety Canada

340 Laurier Avenue West Ottawa, ON K1A 0P8 613-949-7838 www.publicsafety.gc.ca/

Contact: Colleen Merchant, Director General, National Cyber Security & Craig Oldham, Director General, Critical Infrastructure and Strategic Coordination

Data:
  Founded: 2003
  Headquarters: Ottawa
  N. of employees: 66,000
  Main activity: Safety and security
  Clients: Canadians both at home and abroad

Mission: To build a safe and resilient Canada.

Strategy: To keep Canadians safe from a range of risks such as natural disasters, crime and terrorism.

Means: Public Safety Canada (PSC) works in sync with five agencies and three review bodies who all report to the Minister of Public Safety. These agencies are:
- Canada Border Services Agency (CBSA)
- Canadian Security Intelligence Service (CSIS)
- Correctional Service of Canada (CSC)
- Parole Board of Canada (PBC)
- Royal Canadian Mounted Police (RCMP)
In the course of its mission, Public Safety Canada interacts with other federal, provincial, municipal and First Nations organizations, first responders, community groups and the private sector. PSC also works on the international level namely with the National Information Exchange Model (NIEM).

Markets: Canada

Cyber Issue: Centralization of all cybersecurity operational responsibilities under the umbrella of one agency – the Canadian Centre for Cyber Security.

Professional Experiences

Colleen Merchant has a BS in Aerospace Engineering from the University of Florida and a Master’s in Theoretical Physics from the University of Utrecht. Her professional experience began at National Defence. She later joined the Canadian Space Agency where she became Director General, Space Programs and Planning. Craig Oldham spent 27 years in the Army, served on operations in North America, Europe, Africa and the Middle East, became a
Squadron Commander within Canada’s Counterterrorism and Special Operations unit, Joint Task Force 2 and served in the Directorate of Counter-Terrorism and Special Operations in National Defence HQ. Subsequently, he was seconded to the Counter-Terrorism Division of the National Security Directorate with the former federal Department of the Solicitor General in June of 2003. When the National Security Policy established the Government Operations Centre (GOC) in April of 2004, Craig was seconded to Public Safety Canada and assumed the duties of the Director of Operations. In November of 2006, Craig transferred from the Canadian Forces to continue work in the GOC. Currently he is the Director General of the Critical Infrastructure and Strategic Coordination, Public Safety Canada.

Definition of critical infrastructure

Public Safety’s objective is to ensure the uninterrupted functioning of its critical infrastructure, disruptions of which can have a serious impact on lives, the safety of communities and the economy. While there is no globally acknowledged list of industries classified as critical infrastructure, Public Safety has defined 10 critical infrastructure sectors within Canada: energy, finance, food, transportation, government, information and communication, health, water, safety and strategic manufacturing. Craig Oldham explains: “During World War II it was easy to classify a bridge or a dam as critical infrastructure. The modern world is so complicated that no list would be valid more than a couple of hours. First, threats change too quickly, and then, what is critical today may not be critical tomorrow. This is why our objective today is to rapidly assess what is important now and to activate immediately a
network of contacts. Otherwise you may end up protecting this bridge somewhere while you lose your power grid!” Public Safety runs a closed-loop information-sharing network where it invites businesses, associations and not-for-profit organizations to join a common voluntary environment where they can learn what is happening, what is going on, and what is emerging. The entire process is free. The networking extends to virtually all sectors; even a remote dairy farm in the Prairies is part of the food sector of critical infrastructure through the Dairy Farmers of Canada or the Dairy Processors Association of Canada. Craig Oldham says: “The farm in the Prairies will not be part of our network, but its association will be, which is important because farming is now heavily dependent on automated feeding, milking machinery, supply chain, transportation, etc.” “In short,” adds Craig Oldham, “the concept of critical infrastructure depends on the nature of the threat we are encountering or expect to encounter. You pick up what seems to be best for what you want to achieve.” This variable-geometry definition of critical infrastructure was signed and agreed to by all the provinces and territories.

Cybercrime and Cybersecurity

According to Public Safety, there is a distinction to be made between cybercrime and cybersecurity. Cybercrime is about using technology as a tool to commit an illegal act that falls under the criminal code, whether it is fraud or deception. Cybersecurity incidents, by contrast, are those that specifically target technology. The RCMP typically deals with cybercrime while Public Safety and the new Canadian Centre for Cyber Security focus on cybersecurity.

It is sometimes difficult to draw the line between cybercrime and cybersecurity. So, within the new Canadian Centre for Cyber Security there is a Cyber Operations Group which works closely with the RCMP to evaluate the nature of any given incident. This intelligence group includes experts from Public Safety, Global Affairs, CSIS, CSE and PCO.

Who Does What at the Government of Canada?

- Cyber Security Directorate

Within Public Safety Canada, the role of the Cyber Security Directorate is to lead the cyber strategic policy development and implementation at the national level. This means pulling together the national cybersecurity strategy and then overseeing the implementation of all the initiatives that are funded under that strategy. This strategy involves a $507.7 million cybersecurity plan spread over five years, announced in the Government’s 2018 budget. Another responsibility of the Cyber Security team is to coordinate the Government’s approach to cyber policy issues. This means it has to take into account the various perspectives of the 14 departments and agencies with a direct influence in cyber policies and operations, wrap them up and build them into unified advice to the Government.

- Critical Infrastructure Directorate

Also, within Public Safety, the Critical Infrastructure Directorate conducts a program to provide assistance to private companies and to assess what the risk is to their critical infrastructure. It then offers them several options on how to mitigate different risks and provides a tool that allows them to go to their cyber consultant with a thorough description of the risks, the remedies and the approximate costs. On average each single company visited by the experts of Public Safety has invested $60,000 to improve its resilience, with the amount reaching as high as several million dollars. The return on investment of this program is 13:1, i.e., whenever Public Safety invests one dollar to run the program, it generates 13 dollars in investment from the private sector in cybersecurity measures.

- Canadian Centre for Cyber Security

The Canadian Centre for Cyber Security was established in October of 2018 with approximately 750 employees coming from existing cybersecurity operations units at various departments and agencies:

- From Public Safety Canada, the Cyber Centre inherits all functions of the Canadian Cyber Incident Response Centre (CCIRC) and the Get Cyber Safe public awareness campaign.69
- From Shared Services Canada, the Cyber Centre inherits some of the functions of the Security Operations Centre.
- From the Communications Security Establishment (CSE), the Cyber Centre inherits the entire IT Security branch.

69. https://www.getcybersafe.gc.ca/index-en.aspx

In the event of an infrastructure crisis, the Cyber Centre is responsible for operations. It takes charge of all defence operations until the situation returns to normal. It plays a preventive role with critical infrastructure by sharing information on indicators of compromise and vulnerability. It assists them in defining their risks. On the public side, the Cyber Centre maintains a public awareness website and conducts numerous outreach activities. The Cyber Centre is also responsible for the protection of the Canadian Government systems. Each department or agency has its
own chief information security officer (CISO) who deals with incidents. When under attack, the CISO immediately alerts the Cyber Centre which immediately examines the entire government network to see if other entities are not also contaminated. It dictates the government's course of action. Finally, the Cyber Centre is also responsible for all the cryptography needs of the Government. National Cross Sector Forum The National Cross Sector Forum (NCSF) on critical infrastructure is made up of representatives across the 10 sectors at the deputy ministers/chief executive/chief operating level, plus the representatives of the provinces and territories. The role of the NCSF is to address emerging and ongoing infrastructures issues. These issues, as they relate, for example, to terrorism, natural disasters, and cyberattacks, can compromise the safety and security of communities and critical infrastructure, and by extension, have a significant impact on the well-being of Canadians. The NCSF representatives meet face-to-face and participate in ad-hoc teleconferences. Other organizations The Multi-Sector Network (MSN) is a broader group that supports the NCSF at the operational level. Its representatives meet in person annually every time in a different part of the country so it can interact with regional communities. There is as well a Federal, Provincial, Territorial Senior Official Responsible for Emergency Management (SOREM) forum whereby recommendations are formulated and proposed to Deputy Ministers. SOREM is assisted at the operational level by a working group on critical infrastructure.

How this structure works

The different layers of this structure converge ultimately on the NCSF, which facilitates and coordinates the issues brought to its attention. When appropriate, they are transformed into national policies. The NCSF also delivers some programs such as national level critical infrastructure and cyber exercises, regional risk assessments as well as bi-national physical and cyber risk assessments, training on industrial control systems at no cost for the private sector, etc.

Declaration is Not Compulsory

If a private company comes under cyberattack, it is not obliged to declare the incident, but it is highly advisable that it contact the Cyber Centre – unless there is a criminal component, in which case it should contact the police.

Cooperation with Foreign Governments

The "Five Eyes" (FVEY) refers to an alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States. These countries are bound by the multilateral UKUSA Agreement for joint cooperation in signals intelligence, military intelligence, and human intelligence. The Five Eyes partners look to Canada as a model because it has succeeded in consolidating all the government’s cybersecurity organizations under the sole leadership of the Cyber Centre, which is both monitoring and protecting. In many countries, cyber agencies and departments compete with each other. Canada now has one place for people to go for all cyber events, except for the cybercriminal events that remain in the hands of the RCMP. This centralization of cybersecurity is a strategic advantage for Canada.


Royal Bank of Canada (RBC)

200 Bay Street Toronto, ON M5J 2J5 888-212-5533 www.rbcroyalbank.com

Contact: Adam Evans, Vice President Cyber Operations and Chief Information Security Officer (CISO)

Data
Founded: 1864
Headquarters: Toronto
N. of employees: 86,000
Main activity: Finance
Clients: Consumers and businesses

Mission: To be among the world’s most trusted and successful financial institutions.

Strategy:
- In Canada: To be the undisputed leader in financial services.
- In the US: To be the preferred partner to corporate, institutional and high net worth clients and their businesses.
- In select global financial centres: To be a leading financial services partner valued for our expertise.

Means:
- Long history of innovation and proven ability to adapt to industry trends.
- Investments in technology allow us to drive efficiencies and deliver an exceptional client experience.
- Focused on simplifying, digitizing and personalizing our products to make it easier for clients and employees to do business and lower costs.

Markets: 16 million residential and business clients in Canada, the U.S. and 35 other countries.

Cyber Issue: Manage cybersecurity during the transition towards open banking.

Professional Experience

Adam Evans is the Global CISO for RBC responsible for the execution of the Enterprise Cyber Strategy. As an information security professional with over 19 years of experience he manages a team of security and risk professionals that provide Security Operations Centre, Threat Intelligence, Security Analytics, Incident Response, Risk Management, Supplier Management, Security Tooling and Identity Administration services for RBC globally. Prior to that, he worked at Scotia Bank as Director Cyber Security & CSIRT. From 2002 to 2006, he acted as an IT professional at Investment Industry Regulatory Organization of Canada (IIROC).

RBC Perimeter

RBC’s perimeter includes 140,000 machines (workstations and servers) operating in different environments and continents which manage 400 million transactions a day. This infrastructure is supported by geo-diverse data centres to better serve its clients across the globe. In 2018, RBC decided to go digital. The bank had then 6.5 million digital users and was determined to attract 2.5 million new customers by 2023, a threefold increase on its traditional rate of customer acquisition. To achieve that goal, the bank announced a $3.2 billion investment in fintech, i.e. new companies that are developing financial technologies including artificial intelligence, digital products and social media.70

RBC’s Cybersecurity Team

RBC’s cybersecurity team has 550 employees and is headed by Laurie Pezzente, who is Senior Vice President and Chief Strategy Officer, Global Cyber Security Technology & Operations. As a senior executive, she represents the bank’s security position to the Board, business stakeholders and government agencies on issues regarding IT security and overall IT risk. The cybersecurity policies are implemented by Adam Evans, Vice President Cyber Operations and Chief Information Security Officer (CISO). The role of Adam Evans at the RBC is dual. The first side is operational:

- security of traditional operations that include monitoring, detecting, alerting and response as well as endpoint security, vulnerability management;

- penetration testing, red teaming, and all assurance activities that make sure that defence is operating effectively;

- defensive threat operations that are responsible for the configuration of all security technologies;

- data protection from data theft to data destruction;

- encryption technologies;

- financial crimes that tend to become a hybrid operating model encompassing cybersecurity and money laundering or fraud in general.

70. "RBC unveils $3.2bn tech budget in digital push," Finextra, 14 June 2018.

The second side of Adam Evans’ responsibility is the CISO mandate. This covers the compliance with regulatory obligations from a cybersecurity perspective in all the jurisdictions where the RBC conducts business, such as the GDPR in the European Union or the California Consumer Privacy Act. This means cooperating tightly with the chief privacy officer to protect all data related to personal information. The CISO role also involves building and executing the cybersecurity strategy for the enterprise. This strategy is then taken to the independent lines of business where RBC operates: Personal & Commercial Banking, Wealth Management, Insurance, Investor & Treasury Services, and Capital Markets. This is particularly important since these lines of business are in the midst of a full transition: they increasingly offer their services in digital form. The CISO ensures that the cybersecurity strategy enables the transformation and delivery of new digital services in a secure manner.

Nature of Cybersecurity

“Thirty years ago, when a bank wanted to open a branch in a high crime environment, it was deploying on an ad hoc basis a few security guards and one or two cameras to protect its assets properly,” says Mr. Evans. “Today, as financial services go online one after the other, it is the organization as a whole that is suddenly immersed in a highly volatile environment. We need to be innovative. That is why amongst other things, we have in-house ethical hacking capabilities and we fund R&D advanced tech projects.”

Historically, cybersecurity was viewed as a separate problem. Today, as RBC enters into the new digital environment that can be characterized as open banking, cybersecurity becomes just another risk that the bank takes on, like market risk, equity risk, safety risk, etc. Its job is to understand what those risks look like and make sure it manages the capabilities provided by the IT people to mitigate the new environment. This evolution is not limited to the financial sector. Most of the other sectors of the economy must go through a similar transition: they must transform their business services and deliver them in a digital way. Mr. Evans sums up the situation as follows: “If you want to stay relevant to your customers, you have to transform, but as you transform that digital footprint, your threat surface continues to grow. It is about managing this new risk like all other risks facing the organization.”

Cybersecurity R&D

One of the key actions to manage this transition is R&D. RBC invested $1.78 million in 2018 in a new cybersecurity lab at the University of Waterloo. The projects that will receive funding will be those that focus on advanced cybersecurity and privacy tools. RBC staff will work on-site with the newly created lab’s researchers for a long-term collaboration71. The same year, RBC invested $2M in research into AI-based cybersecurity with partner BGN Technologies, a spin-off of Ben Gurion University in Israel. The research aims to further develop protection methods, including machine learning-based techniques to ward off threats72. RBC also invests heavily in blockchain technology. In 2017, the bank invested over $30 million along with other Canadian banks into SecureKey’s blockchain identification system. SecureKey’s ID system helps customers verify their credit information through mobile and desktop applications. The following year, RBC filed a patent for a technology that uses blockchain. The patent defines a credit scoring process that stores historical and predictive information about borrowers73.

71 Lyle Adriano, "RBC invests in new cybersecurity lab," Insurance Business Canada, 05 February 2018.

72 "RBC invests $2M into cybersecurity research in Israel," Financial Post, 26 June 2018.

Cybersecurity Cooperation

In the financial sector, the degree of cybersecurity maturity depends on the size of the organization. Canada’s large banks such as RBC, BMO, TD, Scotia or National Bank, are part of the country’s critical infrastructure. A small credit union with scarce human resources is obviously in a very different position. On the other hand, the level of risk is much higher for the major banks: they are a prime target for hackers all over the world. Financial institutions close ranks and work very closely on cybersecurity. Once a month, all Canadian banks' cybersecurity officers meet within the framework of the Canadian Bankers Association (CBA) to exchange information about emerging threats. This complements ongoing informal consultation between the banks. As Mr. Evans puts it, “It is obvious that if hackers target RBC, chances are very high that they will keep knocking on all the financial doors as they move down Bay Street. We want to make sure our partners are aware about what is going on to give as much time as possible to close up any potential vulnerability.”

RBC also coordinates with the federal government, in particular with the new Canadian Centre for Cyber Security. Furthermore, it has invested in national organizations such as the Canadian Centre for Threat Exchange (CCTX), a membership organization launched in February 2017 to share cyber threat information across business sectors and from other Canadian and international cyber threat sharing hubs. The CCTX is chaired by Marc Duchesne, vice-president of corporate security and responsibility at Bell Canada, and its vice-chair is Adam Evans, RBC’s President & Chief Executive Officer. The other Board members are Air Canada, the CN, Telus, Hydro One Networks, Manulife Financial, TD Bank and TransCanada Corporation. CCTX’s goal is to spread actionable intelligence. When an attack looms, the Centre immediately puts out a situation report, followed up in the next few hours with a conference call with members. Updates are issued as often as necessary. CCTX offers not only a data exchange but also a forum where infosec pros can share experiences and knowledge.74

73. Melanie Clay, "Royal Bank of Canada Files Patent for a Credit Score Platform Using Blockchain Technology," Coinsquare, 20 March 2018.

74. Howard Solomon, “Ottawa about to join cyber threat exchange,” IT World Canada, August 8, 2017.

Talent Shortage

As the general economy becomes more digital every day, cybercriminals are developing increasing capacities. Faced with this rising threat, there is a talent shortage for 3.5 million cybersecurity jobs worldwide over the next two to three years. Prospective reports predict zero percent unemployment in cybersecurity for the next decade. Mr. Evans concludes: “The fundamental problem is that the technological footprint is increasing, and at the same time, the industries are changing faster than expected and are stopped in their tracks by the lack of talent. Under those circumstances, how can they put in place the appropriate security capabilities to protect these new business services?” RBC has chosen to address the issue by multiplying the initiatives to attract women into its IT and cybersecurity services at the beginning of 2010. An employee resource group focused on developing and advancing women into IT leadership positions was created. As a result of this far-reaching policy, 44% of RBC’s IT employee population is made up of women75.

75. "RBC and CanWIT join forces to develop women leaders in IT," RBC news release, Ottawa and Toronto, September 29, 2014.


Secrétariat du Conseil du Trésor (SCT)

Sector 400, 4th Floor 875 Grande Allée East Québec, QC G1R 5R8 418-643-0875, ext. 5001 www.tresor.gouv.qc.ca/

Contact: Benoît Boivin, Associate Secretary and Chief Information Officer (CIO)

Data
Creation: 1971
Headquarters: Québec
No of employees: 2,325
Activity: Public Service Resource Management
Clients: Ministries and public agencies

Mission: The Secretariat supports the activities of the Treasury Board. Through its analyses and recommendations, it ensures the allocation and the optimal and fair management of resources.

Strategy: The Secretariat puts its expertise at the service of the Government Administration which serves the citizen, efficiently and effectively.

Means: The Secretariat supports the Treasury Board in several areas, including the preparation of the Government's annual budget, the submission of the multi-year public infrastructure investment budget, and the supervision of the management of human resources, material, informational and financial resources etc.

Markets: Ministries and agencies of the Government of Québec.

Cyber Issue: Improve cybersecurity in small government organizations through the systematic use of cloud computing outsourcing (ITC).

Professional Experience

Benoît Boivin joined the Government of Québec in 2010 as Associate Secretary to the CIO of the Secrétariat du Conseil du Trésor (SCT) before being promoted to the post of CIO in 2013. Previously, he concurrently served on the Board of the CEFRIO (an IT research organization) and as President of Action TI (an association of IT professionals). He also worked at Desjardins as a Business Intelligence manager.

Organizational Context

Québec's public administration, that is, the departments and agencies with the exception of the Education and Health Networks, has 65,000 employees, including approximately 10,000 information technology (IT) specialists. If the networks are added, the volume of the IT talent pool increases to 14,000. The Québec Government spends some $3.2 billion annually for its information resources, which are managed on a decentralized basis within each department and agency. Each of the 20 ministries has its own information technology team which is administered by an information director. Some of the larger agencies also have their own information directors, such as Revenu Québec, Retraite Québec, Société de l'assurance automobile du Québec (SAAQ), etc. In total, the Government of Québec has 26 high-level information directors coordinated by the Chief Information Officer (CIO), who sets the orientations and the priorities.

Each department and agency can also count on a cybersecurity officer who manages the security and secrecy levels of each employee, the removal of security rights, the arrival and departure of employees, and so on. This is the day-to-day operational security that ensures that each person has the appropriate rights. The mission of the Treasury Board Secretariat CIO is to ensure that each department and agency employs competent security specialists, implements the security policies and, most importantly, integrates a security dimension in each of the departments, projects or services. The CIO's mission is to ensure the governance of cybersecurity and risk management: each department and agency must have competent security officials, security policies and, most importantly, an integrated security dimension in each of its projects or services.

Outsourcing Movement

There are approximately 457 data centres where physical servers store information on all Quebecers. Within three years, at least 80% of the digital information stored in the public administration will be transferred to virtual servers in the cloud. The rest, less than 20% of all the data, will remain stored in two data centres. This major outsourcing movement is motivated not only by cost considerations, but also by security concerns. Companies specializing in cloud management have higher levels of security than can be achieved by an administration whose primary mission is not IT. Maintaining an up-to-date technological environment for real-time risk management, in the context of global threats, has become a business reserved for specialized organizations.

Digital Transition

The Government's primary mission is to know and respond to the needs of its citizens, not to manage servers. In the near future, public administration IT specialists will focus on the digital transformation of the state, i.e., delivering digital services to citizens based on the policies and programs that the Government puts in place. At the moment, the link between the Government and the citizens is through the 104 physical offices of Services Québec, which are located all over the territory, and, increasingly, via the Internet. For example, over 90% of personal income tax returns are filed electronically.

Cybersecurity Structure

Cybersecurity in public administration is defined by a few basic documents. The first is the Government Information Security Directive, in effect since January 2014, which defines the function and role to be performed by each ministry and agency. This directive requires each ministry and agency to appoint an organizational information security officer who is responsible for identifying risks and managing incidents. There is also a Governmental Framework for Managing Information Security, also issued in 2014, that defines the security obligations of ministries and agencies. Thus, each ministry and agency must produce a periodic report on their risks for the SCT. They must conduct exercises to identify the greatest threats, following which they develop the methods of mitigation intended to manage them well. This same document also establishes the obligation to report incidents centrally. With this reporting requirement, whenever an attack occurs in a ministry or agency, the CIO can alert other parts of the public administration to the emergence of a new risk and the ways in which to protect themselves. As Benoît Boivin sees it, “Security is first and foremost about transparency and communication.”

There is also the CERT/AQ, the Computer Emergency Response Team/Administration Québec, which reports to Public Safety. Created in 2002, CERT/AQ is an organization that monitors the dark web and networks in general to identify threats. Its experts are very familiar with technological solutions and deploy government-wide incident management processes for all incidents. They specialize in cybersecurity operations and not governance. There is close collaboration between CERT/AQ and the secretariat of the treasury board. Rather, the CIO's mission is to ensure the governance of cybersecurity and risk management: each ministry and agency must have competent security officials, security policies and, most importantly, an integrated security dimension in each of its projects or services.

Training / Education

When a ministry or agency sends its risk assessment to the SCT, it goes through an internal approval mechanism that also integrates the ministry or agency that sent the assessment. This in itself is a kind of awareness-raising exercise by default. Second, each ministry and agency has its own training and awareness programs. The SCT board insists that these programs must be multiplied and made more in-depth.

Attacks

Computer threats are exploding in Québec ministries and agencies: international cyber-attacks, ransom demands, vulnerabilities, privacy violations. Most of the time, viruses or Trojans that manage to penetrate the security perimeter infect the workstations or servers so as to render them inoperable. This is the work of isolated hackers rather than organized crime or spying services of foreign states. There have nevertheless been ransom demands. In this regard, Benoît Boivin says, “the policy of the Government of Québec, as defined by the SCT, is very clear: we never pay. The infected post or server is immediately uninstalled and replaced by a new one. The loss of availability means loss of time and therefore money. Each attack on a department or agency must be reported to the SCT, but the secretariat does not make them public. However, whenever the number of employees affected by an attack is significant, a leak is inevitable, and the media is alerted. It was reported that between March and October 2018, during the pre-election and election campaign, the Ministry of the Executive Council blocked more than 6,842 malicious intrusions. In the previous year, at this date, only 1,402 attempts had been detected.76

76 Nicolas Lachance, “Des ministères québécois bombardés d’attaques informatiques”, Le Journal de Québec, 20 November 2018.


Intergovernmental Exchanges

Ottawa and the provinces cooperate in matters of cybersecurity, and the CERTs are the privileged channel of communication concerning risks and ways to manage them. All Canadian CERTs are connected to each other and whenever a threat arises, the concerned CERT informs the network, indicating which corrective action to take. Often, an incident occurs because not all of the security routines have been applied. CERT’s provincial and federal CIOs hold monthly conference calls and meet twice a year. These meetings address cybersecurity but also IT issues (cloud computing, digital transformation, digital ID, digital services, etc.). In general, interprovincial and international cooperation on cybersecurity is considered insufficient.

Obstacles

The availability of talent is the number one barrier to cybersecurity. Cybersecurity specialists are very rare and highly coveted by the various players in the information market. In addition, public sector wages are lower than those in the private sector. According to Benoît Boivin, “what drives people to work in public administration is the scale of the cybersecurity challenge.” A second major challenge is to incite senior authorities – deputy ministers and executive directors of organizations – to understand risks. In some organizations, cybersecurity is recorded in the regulations of the executive committee or the Board of Directors, while in others, security is brought up only when an incident occurs. The third major challenge is the structural inequality between large ministries and agencies and small ones. Thus, the big ones are endowed with SOCs that monitor their systems 24/7, while the smaller organizations are much less equipped. Most of the security incidents faced by the Québec Government have occurred in small organizations that do not have all the technological infrastructure and skills to deal with the risk.

A Look at the Future

Benoît Boivin knows very well what is needed to ensure greater protection of the government's information assets. Quality is at the heart of his commitment: “The role of the SCT board is to ensure that security becomes an ongoing concern in all ministries and agencies,” says Benoît Boivin. “Ongoing work is being done to shorten the cycle of responsiveness: as soon as a threat is identified, the action must be immediate. But to be more efficient, a single cybersecurity structure should be created that would include the specialized resources of the Secretariat and CERT/AQ, a carbon copy of the new Canadian Centre for Cyber Security that was created in October 2018.”


Siemens Canada

1577 North Service Road East Oakville, ON L6H 0H6 905-465-8100 https://new.siemens.com/ca/en.html

Contact: Oliver Winkler, Director, Business Development and Technology

Data
Founded: 1847
Headquarters World: Munich
Headquarters Canada: Oakville
N. of employees: 379,000 (Canada: 4,000)
Main activity: Engineering, manufacturing, cybersecurity and R&D
Clients: Critical infrastructure, governments, manufacturers

Mission: We make real what matters by setting the benchmark in the way we electrify, automate and digitalize the world around us. Ingenuity drives us.

Strategy: Serving society while doing successful and sustainable business is at the heart of Siemens strategy.

Means: With its digitalization portfolio—unique in its combination of Siemens software, digital services, and MindSphere, the Cloud-based open operating system for the Internet of Things—we offer our customers a full range of digital options in our core business areas of electrification, automation, and digitalization.

Markets: Canada and world

Cyber Issue: Cybersecurity convergence of IT and OT systems in a unique point of service.

The global organization

Siemens has been in the industrial technology business since it was founded as a telegraph company in Berlin in 1847. It has evolved into a leading supplier of power generation, power transmission and infrastructure solutions as well as automation, drive and software solutions for industry and of medical diagnostics solutions. At the core of Siemens positioning is its innovation strategy, which is based on a whole ecosystem including R&D, mergers and acquisitions and partnering with startups, municipalities, governments and large utilities. The aim of this global innovation effort is to connect the physical and virtual worlds in a more fluid and intuitive manner in order for both Siemens and its customers to leverage digital technologies to optimize their operations. In 2018, the central R&D department employed 41,800 R&D employees and had an $8.4 billion budget.77

Siemens, as the owner and operator of nearly 300 factories, heavily leverages digitalization for efficiency gains. Since responsible digitalization must go hand in hand with cybersecurity, the company implemented a defence-in-depth security concept in its factories. It then created the Vulnerability Handling and Disclosure Process to address safety and security vulnerabilities identified in its product portfolio and IT infrastructure. Siemens asks its clients to come forward if they have found a vulnerability. The company even created a Hall of Fame to thank those clients that report vulnerabilities.

77 Siemens Annual Report 2018.

Canadian Footprint

Siemens has been in operation in Canada for over 100 years, incorporating as Siemens Canada in 1912. Over the years, Siemens has grown throughout Canada with 4,500 employees located in 16 offices and 13 manufacturing plants including the 110,000-square-foot headquarters in Oakville, Ontario built in 2012 to celebrate the 100-year anniversary of Siemens’s presence in Canada. In the year of its centennial, Siemens also selected New Brunswick as a hub for its innovative projects both in smart grid and in cybersecurity.

The New Brunswick global venture

Siemens’s involvement in New Brunswick proved so successful that in 2018 its CEO Joe Kaeser and the then Premier Brian Gallant announced the opening of a global Cybersecurity Centre in Fredericton. This new Centre, in collaboration with NB Power, will showcase the company’s critical infrastructure solutions. The Centre will work on software development, cyber analysis and consulting. The Centre is housed in Fredericton’s secure Knowledge Park, a 26-acre campus. At the same time, Siemens announced it joined the Smart Grid Innovation Network for Atlantic Smart Energy Communities, a pilot project to invent the power plant of the future. This ambitious project will make it easier to incorporate renewable energy onto the electricity grid.

Usually, partnerships take time to foster. “Things just happened naturally,” says Oliver Winkler. “We had noticed that New Brunswick was creating a cybersecurity ecosystem to create its own homegrown cybersecurity industry. They had established CyberNB as part of the Province’s economic development agency, Opportunities NB. Simultaneously, the University of New Brunswick had created the Canadian Institute for Cybersecurity (CIC) that has developed R&D capabilities and a talent pipeline.78 Our partner, Opportunities NB and us shared the same objective: ensure cybersecurity to all of Canada’s digital infrastructure.”

Oliver Winkler goes on to explain that the new global Cybersecurity Center is an evolving project. “We need to secure the critical assets of infrastructure, whether it is a power plant, a power grid or a windmill manufacturer. This Security Operations Center (SOC) will integrate the most advanced hardware and software cybersecurity solutions.79 The Centre will become the hub of its worldwide operations in cybersecurity. With time the OT-SOC could be open to companies that are not presently clients of Siemens. One thing is sure, we will share our expertise.”

78 The Canadian Institute for Cybersecurity – www.unb.ca/cic/

Committed to Security

Siemens has been active in the field of cybersecurity for about 30 years. Its first cybersecurity team was established back in

79 Rugged.com - https://w3.siemens.com/mcms/industrial-communication/en/rugged-communication/pages/ruggedcom.aspx

Page 184: CYBERSECURITY IN CANADA - The Details · 2019. 12. 11. · CYBERSECURITY IN CANADA Jean-Guy Rens In collaboration with Huguette Guilhaumon Montréal, QC, Canada The nature of cybersecurity

Cybersecurity in Canada

1986. “At the time, it was all about IT corporate security,” recalls Oliver Winkler, “we were focusing then on communications. Not on the production lines or infrastructure. Nobody did that at the time. Today, the digitization of the production is the watchword of all industries. By putting all the production processes online, we can help manufacturers and critical infrastructure to conduct their digital transition efficiently without production loss, but it comes with new types of vulnerabilities.” As hackers increasingly targeted infrastructure, Siemens opened in 2016 a Cyber Security Operation Center (CSOC) for the protection of industrial facilities, with locations in Lisbon and Munich and one in Milford (Ohio) in the USA. Siemens industrial security specialists based at these sites monitor industrial facilities all around the world for cyber threats, warn companies in the event of security incidents and coordinate proactive countermeasures. It also multiplied the creation of elite R&D centers that feed the product and implementation divisions. Siemens has rapidly become an OT cybersecurity powerhouse because it aggressively transformed is 300 own manufacturing 4.0 plants into a ready sandbox to test its products and processes. “First, we integrated security in all of our own manufacturing assets. Then we further strengthened our internal capacities by restructuring our cyberorganization through the merge of our IT and OT security management – a first in large world corporations - and now we are implementing a cloud-based defence in-depth security concept that we will share with our clients.”

In many ways Siemens is inventing cybersecurity for advanced digital organizations. Today, it is the first major company to offer a tested and proven holistic approach to converged IT and OT cybersecurity. “Siemens can assist IT-OT organizations in many ways: we help companies assess their situation. Are they safe enough? Then we offer patching services. OT patching is a delicate operation that only people who know the domain can handle. Finally, we will soon offer SOC services, as I mentioned earlier.”

Siemens Strength: Sharing

Globally, Siemens works hard to advance the world cybersecurity agenda. It participates actively in international standardization bodies and cooperates with leading organizations such as the European Energy - Information Sharing & Analysis Center (EE-ISAC) and the NATO Cooperative Cyber Defence Center of Excellence (NATO CCDCOE) to improve security standards for energy infrastructure. But its most dynamic information sharing project is the Charter of Trust created in 2018 by Siemens, along with other founding members, Airbus, Allianz, Daimler Group, IBM, NXP, SGS and Deutsche Telekom.80 “The Charter of Trust represents an unprecedented cybersecurity initiative that establishes three primary goals: to protect the data of individuals and businesses; to prevent harm to people, businesses, and infrastructure; and to establish a reliable basis where confidence in a networked, digital world can take root and grow.

80 Other members rapidly joined: AES Corporation, Dell Technologies, Cisco, the petroleum company Total, TÜV Süd, the semiconductor manufacturer NXP, the energy supply utilities Enel, and the IT group Atos. And the list does not include associate members.


One of the Charter’s specific aims is to set minimum general standards for cybersecurity that are in keeping with the requirements of state-of-the-art technology. The standards have to be developed and implemented by the companies that are at the forefront of visualizing and shaping the future of cyberspace. According to the Charter, this includes mandatory cyber security certifications for critical infrastructure and devices that might pose a danger, defined areas of responsibility and contacts for cyber security companies, governments, and authorities. A year after the Charter of Trust’s creation, the number of members has grown to 16 and, more importantly, the group of industrialists launched both an associate members program and a roadshow to present the principles and the recommendations of the Charter.

Oliver Winkler concludes: “Nowadays, more than ever, relations between operators, suppliers and clients are a question of trust. Attacks on infrastructure are relentless and at the same time, infrastructure must rely more and more on digital systems which in turn create vulnerabilities that attackers of all sorts could take advantage of. More and more organizations in the world see an advantage in jointly searching for a global solution to the present toxic situation.”


CHARTER OF TRUST (FOR A SECURE DIGITAL WORLD)


1 - Ownership of cyber and IT security

Anchor the responsibility for cybersecurity at the highest governmental and business levels by designating specific ministries and CISOs. Establish clear measures and targets as well as the right mindset throughout organizations — ‘It is everyone’s task.’

2 - Responsibility throughout the digital supply chain

Companies—and if necessary—governments must establish risk-based rules that ensure adequate protection across all IoT layers with clearly defined and mandatory requirements. Ensure confidentiality, authenticity, integrity and availability by setting baseline standards, such as:

- Identity and access management: Connected devices must have secure identities and safeguarding measures that only allow authorized users and devices to use them.

- Encryption: Connected devices must ensure confidentiality for data storage and transmission purposes wherever appropriate.

- Continuous protection: Companies must offer updates, upgrades and patches throughout a reasonable lifecycle for their products, systems and services via a secure update mechanism.

3 - Security by default

Adopt the highest appropriate level of security and data protection and ensure that it’s preconfigured into the design of products, functionalities, processes, technologies, operations, architectures and business models.

4 - User-centricity

Serve as a trusted partner throughout a reasonable lifecycle, providing products, systems and services as well as guidance based on the customer’s cybersecurity needs, impacts and risks.

5 - Innovation and co-creation

Combine domain know-how and deepen a joint understanding between firms and policymakers of cybersecurity requirements and rules in order to continuously innovate and adapt cybersecurity measures to new threats; drive and encourage i.a. contractual Public-Private Partnerships.

6 - Education

Include dedicated cybersecurity courses in school curricula—as degree courses in universities, professional education and training—in order to lead the transformation of skills and job profiles needed for the future.

7 - Certification for critical infrastructure and solutions

Companies—and if necessary—governments establish mandatory independent third-party certifications (based on future-proof definitions, where life and limb are at risk in particular) for critical infrastructure as well as critical IoT solutions.

8 - Transparency and response

Participate in an industrial cybersecurity network in order to share new insights, information on incidents et al.; report incidents beyond today’s practice which is focusing on critical infrastructure.

9 - Regulatory framework

Promote multilateral collaborations in regulation and standardization to set a level playing field matching the global reach of the WTO; inclusion of rules for cybersecurity into Free Trade Agreements (FTAs).

10 - Joint initiatives

Drive joint initiatives including all relevant stakeholders, in order to implement the above principles in the various parts of the digital world without undue delay.

Unrestricted © Siemens AG 2018


Sobeys

123 Foord Street, Stellarton, NS B0K 1S0 902-752-8371, ext. 4460 www.sobeys.com/

Contact: Kevin McDonald, Vice President Infrastructure and Information Technology

Data:
- Founded: 1907
- Headquarters: Stellarton, NS
- N. of employees: 125,000
- Main activity: Food retailer
- Clients: General consumers

Mission: Always place the customer first, stay real, get it done with passion and integrity and proudly serving our communities.

Strategy: Providing the right offerings, in the right-sized stores, for each individual market.

Means: Sobeys serves the food shopping needs of Canadians with approximately 1,500 stores in all ten provinces under retail banners that include Sobeys, Safeway, IGA, Foodland, FreshCo, Thrifty Foods and Lawtons Drugs, as well as more than 350 retail fuel locations.

Markets: Canada

Cyber Issue: Maintaining a quality continuity chain from the producers to the consumers and delivering e-services to clients.

Background Information

Sobeys has been in a growth mode since 1998 when it made the decision to acquire the Oshawa Group, followed by Thrifty Foods in British Columbia and then Safeway in Alberta. These organizations had to be brought over into the SAP platform. This initiated a long series of transformations inside the organization, which jumped from being the fifth retailer in Canada to number two (behind Loblaws).

Sobeys Perimeter

Back Office Environment

Sobeys information systems are run from two main data centres located in Stellarton, Nova Scotia and Mississauga, Ontario. Each one is active and has enough additional capacity to handle the activities of the other, providing necessary redundancy in the event of a data centre outage. There are approximately 300 applications running on 1,500 servers across the two data centres, mostly on Windows, AIX, or Linux. Almost all of Sobeys' critical systems run on SAP (sales, inventory, procurement, etc.). The only critical system that is not on SAP is the warehouse management system. Thirty semi-automated warehouses throughout the country rely on Infor software, and three fully automated facilities utilize a Witron solution.

Retail Environment

Every store has a Windows server and a point-of-sale system, so there are approximately 1,500 of them. In addition, there are also 20,000 workstations. Most of the critical applications used are hosted in the Sobeys data centres, with the exception of some applications that are only accessible through the cloud, such as SAP SuccessFactors, which is a human resource management solution. In addition, some non-critical applications are hosted on the Microsoft public cloud.

Cybersecurity Strategy

After the many acquisitions during the growth phase, Sobeys was concerned about potential delays with a proper cybersecurity solution. In 2016, it brought in Deloitte to undertake a general assessment of its cybersecurity position. A three-year roadmap was put together – to be subsequently refreshed every year. It defined key strategic areas where Sobeys needed to improve its security posture.

In 2018, Sobeys made the strategic decision to bring on a managed security service provider, mainly due to the difficulty with recruiting the properly qualified personnel in the cybersecurity field. Sobeys organized a request for proposal (RFP) to outsource all the operational aspects of their cybersecurity plan (virus, spyware, firewall, etc.) with the exception of user access provisioning, which was kept within Sobeys’ IT Department. Deloitte, PwC, IBM, Bell, CGI were among the many parties that participated in the RFP, and Deloitte was selected. Since then, it has been providing a 24/7 protection service driven by a dedicated Network Operations Centre (NOC). All the monitoring is performed there. If Sobeys has specific needs, Deloitte would utilize third-party provisioning to bring in a specialized vendor.

The Director of IT Security reports to the CIO. Every quarter, a complete assessment of the security posture is provided to the Board of Directors. Twice a year, Deloitte presents a “state of the union” comprehensive report concerning cybersecurity to the executives, giving considerable visibility to any issues. Sobeys' IT department has 340 employees and the security team has 20 employees divided into two specific areas:

- 15 are responsible for providing new employees with the right level of access to relevant systems to the exclusion of all others. If an employee is dismissed, there is another process to conclude his or her digital presence.

- 5 analysts work closely with the cybersecurity service provider and assist it in any investigation (virus or malware outbreak). They are also involved in any new project that may affect the IT environment (project governance, security assessment, defining a solution, etc.)

Cyberattacks

As with many other corporations, Sobeys has suffered ransomware attacks and each time it was able to contain them, so they did not spread. As soon as an incident is identified, the infected workstation is immediately disconnected from all networks and cleaned. After the cause has been determined and barred from further entry, the whole workstation is rebuilt based on the backup with new passwords and all available updates. Typically, the whole process takes a day.

To protect e-mail, two levels of spam filters were implemented. Microsoft Exchange Online Protection (EOP) is used at the first level and a proprietary solution is used at the second. When the occasional virus attack occurs, it is easily contained... Every time such an incident occurs, the cybersecurity experts conduct a root cause analysis, essentially a post-mortem type of report. Altogether, Kevin McDonald considers that Sobeys has been able to avert a serious attack causing material damage.

Awareness

Each new employee must sign a code of conduct which contains a section on cybersecurity. There are regular security awareness campaigns for the general workforce focusing on e-mails, stories on the intranet and advertisements on the digital boards. In addition to this, employees who use laptops or smartphones at work must attend a number of training courses. Once a year, Sobeys conducts a phishing simulation where approximately 25% of the workforce is targeted. This testing allows the company to gauge the employees’ response. Whenever there are too many people deemed to “take the bait” and fall for the phishing attempt, the company modifies its approach to raise employees’ attention.

Obstacles

The real challenge is finding the right balance between business-driven initiatives and cybersecurity. Kevin McDonald puts it as follows: “There are some fundamentals that are unavoidable if you want to make sure your environment is secure and up to date. All projects are designed with a security component and a thin line must be drawn between what is feasible and what is not feasible for the initiative to be viable and reliable.”

Recruitment remains an issue even after outsourcing the bulk of cybersecurity. At the beginning of 2019, it took more than two months to replace an analyst. Kevin McDonald explains: “The technology is changing so quickly that it is difficult to find the people with the skillset that you need. It is an ongoing effort, and in some cases, we had to work with head-hunters to find the right people.” Even then, Sobeys faces a two-pronged challenge: the general scarcity of available skilled manpower, as well as the difficulty in attracting people to locate in Stellarton, which is more than 150 kilometres from Halifax. Approximately 80% of the cybersecurity people are located in Stellarton, with a small team being recently formed in Toronto.


Société de transport de Montréal (STM)

800 De la Gauchetière St. West Montréal, QC H5A 1J6 514-350-0800, ext. 85842 http://stm.info/en

Contact: Sébastien Lapointe, Chief Technology Risk, Security and Compliance (CISO)

Data:
- Founded: 1952
- Headquarters: Montréal
- N. of employees: 10,000
- Main activity: Public transport
- Clients: General public

Mission: Make the STM an organization that will excel in the mobility of people.

Strategy: To impose even more collective and active transport as alternatives to solo driving.

Means: The STM will carry out or contribute to major development projects such as the extension of the blue metro line, the Pie-IX Boulevard bus rapid transit service (BRT) and the commissioning of the Réseau électrique métropolitain (REM). These structural projects will redefine the travel habits of hundreds of thousands of people. Combined with an improved level of service and experience within the STM network, public transit will be more than ever a strong alternative to solo driving.

Markets: General public of Montréal and the metropolitan area.

Cyber Issue: Protection of the continuity of the Montréal metro by partitioning computer systems.

Professional Experience

Sébastien Lapointe has served as Chief Technology Risk, Security and Compliance (CISO) at the Société de transport de Montréal (STM) since 2015, after having held the position of Chief IT and Security Compliance. Earlier in his career, he worked for the National Bank as Senior Director of IT Security and Risk Management. He has also worked for Desjardins, IBM, CGI, the Government of Canada (Service Canada) and Bell Canada, always in the field of cybersecurity.

Background Information

The STM is a critical infrastructure with escalating effect. If public transit does not work and the metro is interrupted, it would clog the streets and prevent priority services (police, firefighters, ambulances) from circulating properly. Without metro and buses, people can still move, but at the cost of long delays; furthermore, emergency services are unable to fulfill their missions. With 1.3 million trips per day, the STM is the second largest public transit company in Canada after Toronto and the third largest in North America (after New York and Toronto).


Organizational Structure

There are nearly 10,000 employees at the STM but half of them do not have computer workstations: bus drivers, subway operators, mechanics, maintenance people, etc. In the case of bus drivers, this particular feature is expected to disappear because they will be equipped with smartphones so that the headquarters can communicate with them in real time (reporting a congested street, unexpected work, accident…). The STM includes two major families of computer systems:

- Operational technologies (OT) that encompass all metro control systems and peripheral equipment (escalators, elevators...). These are SCADA type industrial systems.

- Traditional IT systems used to manage the internal administration of the STM such as ERP and ticketing.

The STM owns and manages most of its systems internally through two data centres – a principal and a backup. Regular cost analysis proves that it is more economical than any cloud solution. Thus, thanks to the iBus system, the STM's 1,850 buses are equipped with on-board systems that are connected to Wi-Fi and when they return to the garage, the amount of revenue is automatically downloaded into the financial databases. Each bus is geo-located, which allows the control centre to follow the movement of its buses. As the vehicles also have passenger counters, the STM can know in real time the network traffic, see which circuits are the busiest and adjust the service according to the demand. For their part, passengers can view real-time information on their mobile phones as to the upcoming bus departures (time or delay).

The iBUS System Makes Bus Schedules Available to the Public

Security Organization

The STM's IT division has 350 employees. The cybersecurity team consists of 15 people and is complemented by approximately 100 matrix officers in each of the business sectors who act as ambassadors for good cybersecurity practices. It is through them that requests for access and withdrawal are made. There are also networking specialists in the operations teams.

The Head of Security reports to the Executive Director of Information Technology and Innovation (CIO) who sits on the Management Committee. An Information Resources and Asset Management Committee has been created that brings together the executive directors of all STM divisions to deal with cybersecurity governance matters. A dashboard tracks compliance, incidents, the investment program, and any policies that may impact cybersecurity.

An independent risk-based cybersecurity assessment was conducted in 2015 to assess gaps. As a result, the STM implemented a three-year investment program to raise the level of controls and monitor the evolution of threats. Because threats keep increasing, maintaining the status quo is not enough: the company needs to improve its capacity for anticipation and its reactivity. This strategic approach focuses on three main areas:

- Establishment of the basic rules of digital hygiene;

- Technological watch, surveillance and detection of threats;

- Resilience, that is, continuous testing of processes and controls. In this context, a simulation of cyberattack is carried out once a year to check if the processes in place react effectively.

Through the triennial program, the STM deployed an internal SOC to ensure the safety of equipment during business hours. In parallel there is an external 24/7 SOC to ensure the security of the ticketing systems. The latter meets a requirement of the PCI-DSS security standard of the credit card industry. Both environments are strictly separated.

Cooperation

The STM is part of various watchdog and information exchange groups and, in particular, the SecurIT Network, which is a specialized division of Réseau ACTION TI. This organization is aimed at the chief information security officers of large companies and organizations in Québec. The members meet twice a year to exchange good practices. The SecurIT Network conducts benchmarking studies aimed at identifying new practices used elsewhere.

The STM is also a member of the American Public Transportation Association (APTA), which brings together most of the North American public transit companies and offers numerous cybersecurity resources. Membership also makes it possible to compare the state of cybersecurity at the STM with that of its peers. Compared to the same-sized transit companies, STM is in the small lead group. On the other hand, it is clear that a public enterprise like the New York City Transit Authority, which is six times larger than the STM and, in addition, is a highly symbolic target, adopts much more advanced cybersecurity measures.

Cybersecurity issues

The number one safety issue at the STM is the metro. If the metro falls, the entire City of Montréal is paralyzed, while a broken bus is a mere incident. The biggest threat is that ransomware could encrypt a system such as radio, sound, electrification, etc. In the event of such an occurrence, Sébastien Lapointe emphasizes, “we would stop everything because it is about the safety of the public. All our critical systems must be 100% reliable.”


That's why the computer network that manages the metro is "air-gapped", that is, closed to the Internet. It is therefore more difficult for an intruder to introduce a virus into such a system. Nevertheless, an act of malicious intent is always possible using a USB key with the active or passive complicity of an employee. More generally, there is a growing risk for IT systems due to the appearance on the dark web of over-the-counter technical resources that allow a hacker without IT training to mount an extremely sophisticated attack. Lapointe illustrates the situation: “The competition is asymmetrical. We have an obligation to control all doors, whereas intruders only need to find an open door to carry out their plans. What's more, we have to work with a limited budget by definition.”

Risk Management

Lapointe explains that: “The risk awareness of the STM's senior management, as of all other organizations, has been accelerated by media coverage. No day goes by without announcing a denial of service (DDoS) attack, ransomware or any other computer weapon. As a result, senior management and the Board of Directors want to have a clear picture of the situation in their organization.” The STM has never experienced a major cybersecurity incident. The only crisis came during the spring 2012 student strike when some leftist activists challenged the attitude of Montréal's police and, by extension, all municipal institutions. The Anonymous hacktivist group had mounted denial of service (DDoS) attacks against several websites to make them fall. The STM had to take measures to strengthen the robustness of its website. Although the STM site is not critical, it does contribute to the image of the organization.


Toronto Police Service

40 College Street Toronto, ON M5G 2J3 416-808-8004 www.torontopolice.on.ca/

Contact: Shawna Coxon, Deputy chief of Police, Priority Response Command

Data:
- Founded: 1834
- Headquarters: Toronto
- N. of employees: 7,465 (5,710 police officers + 2,500 civilians)
- Main activity: Law enforcement
- Clients: General public

Mission: The Toronto Police Service (TPS) is dedicated to delivering police services, in partnership with its communities, to keep Toronto the best and safest place to be.

Strategy: The TPS is committed to non-biased, professional, and accountable practices in the delivery of policing services. This strategy constitutes the common threads woven throughout the priorities and goals.

Means: The TPS performs a comprehensive environmental scan every three years to assess the demands and challenges of a dynamic and very diverse community, as well as its own ability to respond to those demands and challenges. The process includes extensive public and internal consultation, research, and statistical analysis.

Markets: The City of Toronto and its surrounding area

Cyber Issue: The Computer Cyber Crime Section focuses on prevention. It achieves that goal by building partnerships with the private sector and universities.

Personal Experience

Inspector Coxon has a B.A. with Honours in Psychology from York University, an M.A. in Criminology from the University of Toronto and her Ph.D. in Criminal Law from Leicester University, UK. She is a published academic who has lectured internationally. Her areas of research include varying local and international laws pertaining to technology and crime. Shawna Coxon also participated in and led various community development initiatives in Kenya, Uganda, Ghana, Thailand and China.

Inspector Shawna Coxon is in her 21st year of policing with the Toronto Police Service. She has professional experience in youth crime, child abuse, sex crimes, community response, and intelligence analysis. She is currently the second in charge of Intelligence Services, which includes cyber and technological crime. To sum up her career, Shawna Coxon says: “Most of my experience was acquired through investigative work.”


Background: The creation of the Computer Cyber Crime Section

In 2012, Inspector Coxon directed a project called “Operation Reboot”, which consisted of gathering all things digital and all processes that could be useful to the service, and of looking for opportunities. Shawna Coxon conducted an extensive world survey of many law enforcement and intelligence agencies, public utilities as well as the private sector. The project resulted in 10 recommendations, among which was the creation of a dedicated cybercrime section. The new unit was launched in 2014 under the name Computer Cyber Crime (C3) with a team of nine people. Shawna Coxon was asked to create the special unit and act as its director. C3 was the second specialized cybercrime unit created in Canada, a few months after the Edmonton Police Service had created its own unit. Shawna Coxon was promoted soon after and became second in charge of intelligence, which oversaw both cybercrime and tech crime, the digital forensic side. In 2019, the C3 Section merged with the Technology Crime Section.

Inter-Police Cooperation and Coordination

The Toronto Police Service cooperates very closely with the Ontario Provincial Police (OPP). Before the C3 Section was created, TPS consulted with the OPP even though the latter did not have a cybercrime unit yet. C3’s objective was to create an organization that would be consistent with what the OPP envisioned for itself. The reason for this tight-knit collaboration is that in Canada, the setting of policing orientations and standards is the responsibility of the province. Then, when the OPP created its own cybercrime section, TPS provided all its material and best practices. The result is that the two teams are very similar in make-up, model and training, and this was done by design.

This OPP-TPS style of coordination was reproduced afterwards by many other police services in Canada wishing to create a cybercrime unit. The C3 Section would share all its material, experience and best practice techniques. In many cases, police officers from other cities would come to observe the C3 Section to see what procedures are used in Toronto so that they could replicate them.

More formally, much networking takes place in the Ontario Association of Chiefs of Police (OACP) and the Canadian Association of Chiefs of Police (CACP). Both these associations have an IT committee and an intelligence committee where cyber issues are extensively discussed – though there is no cybercrime group per se. On a bi-national level, the Major Cities Chiefs Association (MCCA) brings together the 69 largest law enforcement agencies in the United States and the 9 largest cities in Canada to exchange views on cybersecurity. The TPS also participates in the work of the International Association of Chiefs of Police (IACP) which represents 150 countries. It is the world’s largest professional association for police leaders, and it has a number of programs that address cybercrime.

Invention of “Radical Collaboration”

The C3 Section investigates cybercrimes and has a state-of-the-art forensic team, but its focus is on prevention. Not only does it participate in awareness events on cybercrime, but it also issues external bulletins, builds partnerships with public and private sector organizations to learn about the ever-changing cyberspace, and regularly informs media stakeholders. This prevention approach is part of a broader commitment to public-private cooperation formalized in the TPS Innovation Program, which includes hackathons, engagement with local start-ups, data competitions, community-based think-tank workshops, and experiential learning opportunities for university students across Canada. All aspects of the program combine community and client service in view of technological improvements. In 2018, a C3 Section cyber police officer was embedded for six months with the Digital Media Zone (DMZ), which is Ryerson University's business incubator for early-stage technology start-ups. TPS was the first law enforcement agency in the world to make such a bold move. TPS went further and partnered with other organizations like the Civic Hall Toronto, Code4Canada and Ontario Centres of Excellence programs, where a C3 Section cyber officer is embedded as well. Out of this experience, Shawna Coxon’s team adopted the start-ups' agile management techniques for developing projects. Currently, TPS is negotiating alliances with large corporations on key cybersecurity initiatives that are to be announced shortly. TPS calls the process “radical collaboration”. Ms Coxon explains: “Cybersecurity is very expensive and technological evolution is so fast that police forces plagued with complex procurement procedures, limited budgets, and administrative delays cannot follow the agile private sector. So, in view of our financial and legal limitations, we propose that private corporations come up with innovative ideas, manage the projects and we act as key advisors bringing to the table our intelligence gathered in cyberspace and our multifaceted knowledge of cybercrime. Going forward, it is the ideal mix.”

Experiences That Move the World

“Street outlaws have moved online,” states Shawna Coxon. “The only way for police to deal with this recent trend is through radical collaboration and partnerships.” Radical collaboration can take strange forms: the C3 Section began to work with hackers. It did so through DEFCON 416 and TraceLabs [81]. Together, they organized a Capture The Flag (CTF) competition where teams search for bits of information to capture the flag [82]. In this one-day hackathon, Canadian and foreign participants from DEFCON and TraceLabs used Open Source information from the RCMP missing persons’ online files. When a participant finds a lead, he reports it to the police agency and is allocated points. “You are basically asking hackers to find information,” explains Shawna Coxon, “but under very strict rules such as not reaching out to people online, because we didn’t want to bother people. At the end of the event, all the submitted information was verified. The exercise resulted in the finding of two Toronto missing persons. The next day, Las Vegas announced it would immediately reproduce our model and run the same Capture the Flag internationally.” Initially, in TPS, many officers expressed concern about “radical collaboration”. “The process could get out of hand,” they said. But Shawna Coxon retorts: “Where else could we get hundreds of talented people to work on a problem with us? Many people out there, especially millennials, want to make a difference in the world and they are digitally savvy. This is an opportunity for the Police Force to leverage that capacity, and interestingly enough, many police organizations now want to get involved.” Ms Coxon is especially proud to say that none of the radical initiatives were invented from scratch by the C3 Section. Every time, the initial idea came from a third party, like Ryerson’s DMZ, Code4Canada or DEFCON 416. “Our role in all of this was to listen attentively, identify the right project and seize the opportunity on the fly.”

[81] Defcon is a network of cyber-specialists that meets annually in Las Vegas and organizes online contests. Defcon 416 is the Ontario branch of the organization. TraceLabs is a group of volunteers who use Open Source Intelligence (OSINT) to, among other things, find missing persons.

[82] Capture The Flag: This is a team game that consists of finding information that captures the flag of the opposing side, while defending its perimeter. In this case, the flag was missing and wanted persons.

Innovation

Innovation is often created outside the police perimeter. “We tap the Toronto technology ecosystem, which is one of the largest in North America,” Shawna Coxon notes, “So many technology innovations take place in the city. As we always look outside, just by doing our police work, we are constantly making discoveries. For example, there are several universities in Toronto with cybercrime or cybersecurity laboratories and start-ups just mushroom around them. The lines between the academic environment and the private sector are blurring. People want to graduate from university with private sector experience and more and more often they want to start a company before the end of their studies. Regardless of the type of digital or hybrid society, the police have a role to play, if only to obtain an international provisional arrest warrant or to enforce the laws.”

Union des municipalités du Québec (UMQ)

2020 Robert Bourassa Blvd., Suite 210
Montréal, QC H3A 2A5
514-282-7700, ext. 279
https://umq.qc.ca/

Contact: Patrick Lemieux, Communications and Media Relations Advisor

Data
Creation: 1919
Headquarters: Montréal
Number of employees: 50
Activity: To represent and support the municipal world
Clients: Québec municipalities

Mission:
- Represent the interests of members at the regional and provincial governments’ level.
- Offer personalized commercial services and privileges to members.
- Inform members of the evolving municipal sector world through its publications, activities and training.

Strategy: The UMQ is a facilitator for elected officials to help them develop joint objectives and joint actions.

Means: The UMQ regroups all of its members in different groups (affinity causes, standing committees, political and technical committees) in order to reflect the diversity of Québec municipalities.

Markets: Québec municipalities.

Cyber Issue: Pooling the needs of all its members for the development of an adequate cybersecurity insurance coverage for small municipalities.

Professional Experience

With a master’s and bachelor’s degree in political science, Patrick Lemieux oriented his career towards communications and research. Before joining l’Union des municipalités du Québec (UMQ) five years ago, he worked at the Québec Employers Council and at the Institute for Research on Public Policy (IRPP). Patrick Lemieux has a vested interest in technology.

Background Information

There are over 1,100 municipalities in Québec, and 87 regional county municipalities (RCMs). The UMQ represents 370 municipalities and RCMs. That accounts for 85% of the Québec population. There is another association named Fédération québécoise des municipalités (FQM) which brings together nearly 1,000 municipalities and RCMs. Most municipal administrations are therefore members of both associations. Historically, the UMQ includes mainly large and medium-sized cities, while the FQM represents primarily small municipalities. Over time, however, these differences tend to disappear. In recent years, many municipalities have embarked on a "smart-city" strategy. To offer online services and mobile services, computer systems that were previously closed must now be opened. This movement towards open government facilitates interactions between the municipal administration and its citizens, but it increases cyber-risk. Not all municipalities are created equal: very large cities are supported by large complex facilities whilst villages have hardly any security equipment.

Situation analysis

Several municipalities have been victims of cyber-attacks in the last 12 months. The most publicized attack hit the RCM Mékinac, which has 13,000 inhabitants dispersed in ten municipalities in the Mauricie region. On the night of Sunday 9 to Monday 10 September 2018, while the world-renowned Saint-Tite Western Festival was in full swing, hackers penetrated the servers of the RCM and encrypted all the data. Upon returning to the office, employees discovered unusable workstations and a ransom demand for eight bitcoins, which was equivalent to about $68,000 at the time. The RCM initially refused to pay because it thought it would be able to recover the data. Alerted, the police seized most of the computers for analysis and asked the RCM not to negotiate or transfer money to criminals. The twenty or so employees of the organization went back to work using the traditional means: pens and typewriters. Checks were written by hand. After analysis, cybersecurity specialists told the RCM that the restoration would be very slow – probably a year – and would be very expensive. In fact, the consulted experts estimated the price of the intervention at ten times the amount of the ransom. The leaders of the RCM then decided to ignore the advice of the police and negotiate with the perpetrators with the help of a cybersecurity consulting firm. A ransom of $30,000 was finally paid, ending two weeks of paralysis. The encrypted data was partly recovered, and the security of the computer systems was immediately increased. In total, ransom, restoration and security cost the small regional government $100,000. This example is far from unique. At exactly the same time, the municipality of Midland in Georgian Bay, Ontario, was the victim of a ransom demand for six bitcoins. They too chose to pay. But the hackers then released only part of the encrypted data. The municipality had to pay twice more bitcoins to recover all of the data.

Insurance strategy

With automation a new risk has arisen: computer attacks, hacking of personal data and ransom demands. The media have largely echoed the misadventures of the RCM Mékinac which was paralyzed for several weeks. But it is a threat that affects all municipalities. “On that occasion,” explains Patrick Lemieux, “we noticed that there was no insurance that covered all municipal activities at a reasonable price. Since the UMQ already offers group insurance, damage insurance or legal expenses insurance, we decided to analyze and assess the threat related to cyber risks. A cyber-risk insurance group has therefore been created and an enrolment campaign is currently underway [February-April 2019] at the end of which a public call for tenders will be launched to select an insurer.” The problem faced by municipalities is that insurers too often offer very narrow coverage in case of intrusion or piracy. The UMQ is betting on offering premiums that may be a little higher than the competition, but with as much insurance coverage as possible. The principle is that if a municipality is a victim of a disaster, it does not have to pay anything once it has paid its premium. This is an offer that will be particularly interesting for small municipalities, which could soon be as well protected as large cities. Since this is a new offer, it is difficult to accurately determine the amount of premiums prior to the outcome of the call for bids, but the UMQ is targeting a premium that would ideally range from $500 to $1,500 annually. In addition to the amount of the premium, which is more advantageous for a group than for an isolated municipality, this approach saves on tenders. There is no need to prepare specifications, or to select and negotiate with an insurer. All these steps will have been taken care of by the UMQ.

Training / Awareness

The UMQ has planned a cybersecurity clinic as part of its annual conference in May 2019 with the help of experts in the field. This involves informing elected officials about the measures to be taken to better protect their administration's data and equipment, the best tools to deploy, as well as the training to be offered to municipal employees to deal with this new reality.

Glimpse at the Future

The UMQ's priority issue is the creation of cybersecurity insurance. Beyond insurance, the association has decided to focus on training. The UMQ already offers courses on several aspects of municipal management. Courses on cybersecurity would be a natural follow-up to the existing program. A manual of best practices for municipal cybersecurity is also being considered. It is possible that later on, the UMQ will go further and offer shared tools to its members. For its part, the FQM offers software suites on a private network to its members. In addition to providing services, the UMQ also plays a representative role with the governments of Québec and Canada to encourage them to provide technical and financial support to municipalities.

Xittel Telecommunications

Former head office:
1350 Royale Street
Trois-Rivières, QC G9A 4J4
(819) 380-4501
www.xittel.net/

Interview: Robert Proulx, former President and Founder

Data
Founded: 2002
Headquarters: Trois-Rivières
N. of employees: 80
Main activity: Telecommunication services
Clients: School boards, municipalities and the general public
Sold to Maskatel: 2015

Mission: Deploy "open" fiber optic networks.

Strategy: Propose to users’ groups living in remote areas as well as public institutions (school boards, municipalities and others) to become co-owners of the network and thus share implementation and maintenance costs between them.

Means: Double role of consulting engineering firm dedicated to turnkey optical fibre projects and telecommunication services company.

Markets: Rural areas.

Cyber Issue: Ensure the maintenance of the telecommunications service during a cyberattack.

Professional Experience

Robert Proulx has nearly 40 years of experience in the engineering and telecommunications field, during which time he has participated in the development of several companies. In addition to the creation of Xittel, Robert Proulx was responsible for the creation of several companies including: Picanoc.net Network, TACTIC, etc. Robert Proulx completed a master’s degree in Electrical Engineering from McGill University and the Entrepreneurship Program from the Massachusetts Institute of Technology's Sloan School of Business.

Background Information

The creation of Xittel [eg-zitel] stems from the vision of engineer Robert Proulx, who understood early on the potential of “open” fibre optic networks. The spark was, in 1997, the deregulation in the telecommunications sector of territories that hitherto were the preserve of traditional monopolies. Robert Proulx started out in this niche as head of the telecommunications division of IMS Experts-Services, a multidisciplinary engineering consulting firm based in Trois-Rivières. Thanks to the Québec government's launch in 2001 of the “Villages branchés” (Connected Villages) program, the telecom division of IMS quickly became the provincial leader in the implementation of private fibre optic networks. In 2002, Robert Proulx acquired the IMS division and founded Xit Telecom, which acted as a consulting engineering firm specializing in telecommunications. In 2006, Xittel was created to offer broadband services (telephony, television and Internet) mainly by optical fibre, but also by microwave links. Xittel is the first telco to obtain from the CRTC the right to lay its optical cables on Bell Canada’s telephone poles. As a result, Xittel was selected for three consecutive years in the “Profit 200” ranking of Canada’s fastest-growing companies. In February 2015, the Maskatel Group bought Xittel. The company then employed more than 80 people (engineers, technicians, telecommunications specialists) and had yearly revenues of $15 million. Earnings before interest, taxes, depreciation and amortization (EBITDA) were close to $2.5 million. In January 2018, Maskatel was in turn acquired by Bell Canada.

Organizational Structure

At the time of its demise as an independent company, Xittel had two main divisions:

- Telecommunications services. - 50 employees to serve 15,000 subscribers in 400 rural areas in Québec, Ontario and Prince Edward Island.

- Engineering consulting. - 31 employees in the fibre optic division who all had the experience of large projects such as the creation of the Québec Scientific Information Network (RISQ) and the interconnection of 35 school boards (over 1,400 schools) and 16 municipalities or RCMs (more than 335 buildings). Xittel had also participated in a series of major optical networking projects (Palais des Congrès de Montréal, the National Assembly of Québec, Armand-Frappier Biotechnology Research Centre, etc.).

A telco has much higher cybersecurity requirements than a consulting engineering firm. That's why, when Xittel launched its broadband network, it hired a cybersecurity specialist on day one to put in place a comprehensive protection strategy. Robert Proulx describes him as follows: “He was a security maniac who wanted to control everything. He even forbade me to take my own USB key home. As Xittel's clientele grew, the number of attacks grew exponentially. But we succeeded in pushing them away. We were shielded!”

The Attack

Everything changed on November 25, 2012, when a distributed denial-of-service (DDoS) attack flooded Xittel’s network. It was not the first attack of this kind to target the company, but usually these incidents were countered before they could do any damage. That day, however, the volume of illegitimate traffic exceeded the total capacity of the Xittel network. The backbone that connected Trois-Rivières to Montréal had a bandwidth of 4 GB which still included an excess capacity of 25%. The attack consisted of sending requests to the network with an incomplete TCP handshake. The server replied in return: “Service Unavailable”. When thousands, and then millions of incomplete requests arrived at the same time, the server was saturated, and the network crashed. Xittel quickly realized that it was one of its clients, a small IT services company named Concepta Inc, which was targeted. Xittel temporarily isolated Concepta and the traffic resumed. But the next day the DDoS attacks started all over again. Xittel changed Concepta’s IP address. The attackers second-guessed Xittel and Concepta’s new address was targeted again. All measures tried by Xittel failed.

On December 14, Xittel reluctantly asked Concepta to find another supplier. The computer company spoke to Cogeco, a large cable company, but the attacker turned against the cable company and its server fell. Cogeco immediately showed the door to its new unfortunate client. When informed of the turn of events, Xittel decided to assume its responsibilities and again provided the service to Concepta. On the morning of December 25, the attacks resumed, but this time it was no longer Concepta that was targeted, but the servers of Xittel. Whenever Xittel set up a new tool, it was attacked. In many cases, DDoS operations serve as a prelude to intrusion. When computer operators open a back door in the firewall to make repairs, criminals take the opportunity to enter the system and steal the data or destroy it. Xittel's cybersecurity manager always avoided using this easy solution. Robert Proulx comments: “Despite all the problems we have encountered, the integrity of our data had never been compromised.” Nevertheless, the attacks occurred several times a day and would last exactly 20 minutes. Employees of the IT group kept watch day and night at Xittel's premises, including during the New Year. As soon as an attack occurred, they would “kill” the server and route traffic to a secondary server. “Thanks to the dedication of our team, we were able to reduce the service interruption time from 20 minutes to less than five minutes. But we only had a minute to react. If we missed a beat, the service was lost for the entire 20 minutes,” says Robert Proulx. The situation was all the more critical as the Xittel network served the local 911 emergency call centre. Customers began to get discouraged and soon began to unsubscribe.

Xittel also had to deal with the impact of the attacks on its own bandwidth providers. The company purchased from four suppliers at a rate of one gigabyte each. Their reaction was surprising, but representative of the corporate culture of the companies concerned: one threatened to cut the service, another to charge for excess traffic, a third one proposed to provide billed technical support but not before 15 days, and lastly, Videotron offered unlimited free technical support. “Its specialists worked with our team day and night, even on New Year's Eve, never a word higher than the other, all without even asking for a thank you,” says Proulx.
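The two signals in the account above, handshakes that are opened but never completed and floods that recur with an identical duration, can both be read from server-side connection events. The Python below is an added example, not code from the report or from Xittel; the event tuple format, the per-minute threshold and the scaled-down sample capture are assumptions constructed for illustration.

```python
"""Detect bursts of half-open TCP handshakes (SYN flood) in connection events.

Added illustration; the event tuple format, threshold and sample data are
assumptions constructed for this example, not taken from the report.
"""
from collections import Counter

BUCKET = 60           # seconds per counting bucket
MIN_HALF_OPEN = 50    # half-open handshakes per bucket treated as a flood (assumed)


def half_open_per_bucket(events):
    """Count SYNs that never received the final ACK, per time bucket.

    events: iterable of (ts, src_ip, src_port, flag), flag in {"SYN", "ACK"},
    ordered by time, as seen on the server side of the handshake.
    """
    pending = {}                           # (src_ip, src_port) -> time of SYN
    for ts, ip, port, flag in events:
        if flag == "SYN":
            pending[(ip, port)] = ts
        elif flag == "ACK":
            pending.pop((ip, port), None)  # handshake completed
    counts = Counter()
    for ts in pending.values():
        counts[ts - ts % BUCKET] += 1
    return counts


def find_bursts(counts, threshold=MIN_HALF_OPEN):
    """Merge consecutive over-threshold buckets into (start, duration) bursts."""
    bursts = []
    for bucket in sorted(b for b, n in counts.items() if n >= threshold):
        if bursts and bucket == bursts[-1][0] + bursts[-1][1]:
            bursts[-1][1] += BUCKET        # extends the current burst
        else:
            bursts.append([bucket, BUCKET])
    return [tuple(b) for b in bursts]


def repeated_duration(bursts):
    """Return the common duration if two or more bursts all last equally long.

    Identical burst lengths suggest a timed, automated source rather than
    organic congestion; returns None otherwise.
    """
    durations = {d for _, d in bursts}
    return durations.pop() if len(bursts) >= 2 and len(durations) == 1 else None


def constructed_capture():
    """Constructed sample: two hours of traffic containing two 20-minute floods."""
    events = []
    for t in range(0, 7200, 5):            # legitimate clients complete the handshake
        ip = f"198.51.100.{t // 5 % 200 + 1}"
        events.append((t, ip, 40000 + t, "SYN"))
        events.append((t + 1, ip, 40000 + t, "ACK"))
    for start in (1800, 5400):             # floods: SYNs that are never completed
        for t in range(start, start + 1200):
            for k in range(2):
                n = 2 * t + k
                events.append((t, f"203.0.113.{n % 250 + 1}", 1024 + n, "SYN"))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    bursts = find_bursts(half_open_per_bucket(constructed_capture()))
    for start, duration in bursts:
        print(f"flood from t={start}s lasting {duration // 60} min")
    print("repeated duration:", repeated_duration(bursts))
```

On a live capture, handshakes still in flight at the end of the window also count as half-open, so the last bucket should be discarded or the threshold kept well above normal connection rates.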

Attack Attribution

In response to what had become a real crisis, Xittel began a thorough analysis. At the start of the events, Concepta said they thought they knew who the author of the attacks was. One of their analysts named Kevin Courtois had resigned in stormy circumstances and had launched a competing company. Concepta had filed an interlocutory injunction to enforce the non-competition clause in Kevin Courtois' employment contract. It was just before November 25 and the beginning of the incidents. There was therefore strong suspicion, but no proof. During his investigations, Robert Proulx noticed that Kevin Courtois' LinkedIn account contained a list of his own business contacts, including the names of clients who had no direct relationship with Trois-Rivières or the computer industry. He telephoned several of his clients who were on the list and found that Kevin Courtois had already contacted them to offer his website hosting services with the following argument: “The service I offer you is safe from attacks by DDoS.” Robert Proulx explains: “We were now certain, but still no proof.” Xittel then asked the police services to open an investigation, but they recused themselves. At the time, the police had no experts in cybercrime. Xittel continued its investigation and eventually discovered that on the suspect's Facebook account there was a "like" pointing to the Demolition Stresser site, which provided “booter” type tools to mount DDoS attacks and which in turn pointed to another site called RageBooter. Won! RageBooter was marketing the very application used to mount all the past attacks that hit Concepta, then Xittel. At that point of its investigation, Xittel decided to hire an external cybersecurity specialist, himself a former “hacktivist” linked to the Anonymous group who had experienced some setbacks with the courts for attacking the Québec Ministry of Social Affairs. Reformed, Robert Masse was now a much sought-after expert. His first action was to Skype the owner of RageBooter in Memphis, Tennessee. Robert Masse won his sympathy, to the point that the owner confirmed he had a client in Trois-Rivières under the transparent identifier of "concepta2" and even sent Masse an exchange of e-mails between him and his client. The owner of RageBooter immediately understood that he had broken the most basic rules of caution and tried to erase the information he had just transmitted. Too late! Xittel's consultant managed to capture the correspondence between Memphis and Trois-Rivières in the cache memory of his computer. It was the much sought-after proof.

The Arrest

Once again, the police refused to consider Xittel's complaint. Robert Proulx observes: “That same week, a bar burned down in Cap-de-la-Madeleine and its owner told the police that he suspected a former employee. The police immediately arrested the individual and, after one night of interrogation, he confessed. While we, with all our evidence, were told our case was inadmissible. It was as if the police remained blind to the intangible world of cybercrime.” Meanwhile, DDoS attacks continued. Three times a day, the telecommunication network would fall. The accusations of amateurism against Xittel became more and more insistent and loud. The regional media were beginning to spread the rumor that the company was incompetent. In desperation, Xittel's officials and their lawyers went before the judge and requested a private seizure, which was granted. This is an unusual procedure that does not require police intervention. Robert Proulx sent an e-mail to the Concepta managers to inform them of the judge’s decision. The following day, February 21, 2013, the plaintiffs and their lawyers broke into Kevin Courtois' house with a bailiff and police forces requisitioned by the judge. Smiling, the accused seemed to be waiting for them. Robert Proulx explains: “We later learned that our man had set up a back door in Concepta's information systems and would read all of the president's e-mails. He knew exactly what time the search would take place and he had erased all the data from his computers.” In vain: deleted data never completely disappears from a hard drive. It can be formatted, broken or even burned: a disc always keeps track of destroyed files. Within hours, Robert Masse, ex-Anonymous and now Xittel's cybersecurity consultant, managed to rebuild all the hard drives recovered by the search. The next day Kevin Courtois was arrested and sentenced to two years of imprisonment to be served in the community. Such a sentence is always accompanied by a series of binding conditions. In his case, among other constraints, he was forbidden to use a computer.

Figure 40 - The RageBooter Web Page Prior to its Forced Closure

The Perpetrator

Kevin Courtois was a young man of just 27 years old with a spouse and three children, extremely talented, a computer whizz capable of resolving inextricable situations, particularly frequent in the complex environment of telecommunication networks. “At the time, we were a little disappointed at the light sentence,” says Robert Proulx. “I thought it was not too high a price to pay for losses of millions of dollars. In addition, as far as I'm concerned, I lost my business. I had to exorcise all that. Perhaps that's why I agreed to deliver a testimony-conference to the Caisse de dépôt.” In February 2018, at the end of his sentence, Kevin Courtois died in mysterious circumstances. According to Robert Proulx, “For him, the situation was all the more untenable that he had all the qualities of a professional cybersecurity specialist and because he took the wrong path and got caught, his life was destroyed. In the industry, he no longer had a professional future. One can understand a social or political hacker but, in his case, it was a purely financial cyber-attack. This was the first scam of its kind in Canada. Who would hire a computer scientist, as brilliant as Courtois was, who defrauded his former boss? He was lost.”

The Weapon

The Trois-Rivières crisis was made possible by the RageBooter application, which is marketed as a test tool for the user's on-line equipment. Behind this “respectable” facade was a service to rent a DDoS attack tool. This works by subscription for a given period of time (from 200 to 3,600 seconds) payable monthly or under a fixed price. RageBooter had installed several software programs on various points of the Internet and could mount attacks mobilizing up to 15 GB of bandwidth. At the beginning of the 2012 crisis, the Xittel consultant Robert Masse contacted the RageBooter Internet service provider in Tennessee to request the site be closed down, which was granted. But the next day, RageBooter opened a new site in Australia. Another call to the local Internet provider followed, and the site was relocated to Great Britain. In this game of cat and mouse, it was impossible to win without the help of the police. In the United States, in Australia or in Great Britain, as in Trois-Rivières, the police seemed to be paralyzed by the appearance of this new type of crime. In fact, at that time, a new industry of on-line rental of DDoS services was born – called “DDoS-For-Hire Services”. The RageBooter merchant site did not even hide in the “dark web” but was out in the open on the Internet. The rationale put forward by its owners was always the same: validate the resilience of a site or server through a stress test process. It was only in December 2018 that the FBI closed 15 DDoS rental sites – including RageBooter. The owner of RageBooter, Justin Poland, was not arrested. It is true that the rumour ran that he was an informant under contract from the FBI... [83]

[83] Brian Krebs, "Ragebooter: ‘Legit’ DDoS Service, or Fed Backdoor?", KrebsonSecurity, 13 May 2013

Figure 41 - The RageBooter Web Page After its Forced Closure

The emergence of this malicious software industry now allows anyone without technological training not only to mount DDoS attacks, but also to disseminate viruses, hack e-mail, Facebook or Twitter accounts, steal data, etc. All of this in perfect anonymity. The full toolkit of the perfect hacker is available online for a few dollars or bitcoins, with bonus tutorials for beginners. “They can blow everyone up!” says Robert Proulx. “With what I know now, I could stop any company, make it end up without a single working computer and without a network.”

The Consequences of the Crisis for Xittel

The DDoS crisis caused income losses in the order of $60,000 per month. For a telco, the largest cost is the connection of new subscribers. It takes $600 to connect a new line to the network. After that, operating revenues averaging $60 per month for a residential line are almost net profit. The return on investment takes about a year. As the number of new subscribers grew steadily, Xittel needed $200,000 a month in cash flow to continue generating new revenue. That is why a telco is always looking for operating financing. Xittel was orchestrating a fundraising campaign when the DDoS crisis hit. One by one, Xittel’s usual sources of funding refused. “I explained that the crisis was punctual and assured them all our problems were now behind us,” recalls Robert Proulx, “but investors thought we had had disruptions in service because we were incompetent. Xittel's liquidity constraints became insurmountable.”


In February 2015, Xittel had to accept Maskatel's offer to purchase, backed by the investment firm Birch Hill Equity Partners. Based in St. Hyacinthe, Maskatel was itself the result of a grouping of small local telcos. The price offered by Maskatel was significantly lower than the net value of Xittel. In fact, the valuation of an enterprise is determined by debt-adjusted EBITDA, to which a multiplier is applied. In the case of Xittel, Robert Proulx valued the difference between the intrinsic value and the price offered at about $3 million. Three million dollars: this is the total cost of the DDoS attack against Xittel between November 2012 and February 2013.

Bibliography

Robert Masse, “The Xittel Story”, Conference Infisec, YouTube, 13 August 2013.
Brian Krebs, “How Not to DDoS Your Former Employer”, blog KrebsonSecurity, 20 August 2013.
Mario Audet, “L'affaire Xittel: survivre aux DDoS”, Sécus, Autumn 2013.
Dennis Fisher, “FBI takes DDoS-for-hire sites offline”, Decipher, 21 December 2018.


Appendix 2 – Methodology

This survey was conducted between January and April 2019 with Canadian or foreign companies operating in Canada. The basic population consisted of 2,521 organizations – 1,694 industrial companies and 827 critical infrastructures. Québec was slightly overrepresented with 32% of the basic population (815 companies). The base population came from the industrial companies that participated in the 2017 study on Advanced Automation. We selected those that had fully or partially automated their operations. We have added all the essential infrastructures that could be identified. A first email in January generated 28% of the responses. The vast majority of the responses therefore come from the telephone follow-up that was conducted by the marketing research firms Ad hoc Recherche (Montréal) and Xeo Marketing (Mississauga) between January and April. To ensure that we have meaningful respondents in the areas of Information Technology (IT) and Operational Technology (OT) cybersecurity, we have inserted two screening questions at the beginning of the questionnaire. The organization had to have digitized its IT or OT or intend to do so within 12 months. Any organization that answered no to these two questions was eliminated. Incomplete responses were also eliminated.

Survey Demographics

The final sample consists of 208 respondents, or 8.25% of the base population.

Response rate

Population         Number    %
Base population    2,521     100%
Respondents        240       9.52%
Eliminated         32        1.26%
Final Sample       208       8.25%

The response rate indicates a strong over-representation of Québec with 52% of respondents. What explains this distortion in the answers? No satisfactory socio-economic explanation can be advanced, since the respondents' professional profile and the size of the companies are almost identical.

In any case, the answers to the questionnaire indicate a great homogeneity between the different regions of Canada. Faced with the threat of cybercrime, there are no notable regional differences.


Figure 42 - Geographical Origin of the Respondents

Source: Survey CATAAlliance/Sciencetech communications – January-April 2019 (208 respondents)

Respondent's Title or Function

The majority of respondents indicated their title or function (70%). It appears that the largest group of respondents are senior management: 45% of respondents are Chief Executive Officers (CEOs) or Vice-Presidents. IT specialists come next with 26% of respondents. In practice, the division between senior management and IT specialists is not as clear-cut as it seems: more than 4% of information technology managers or CIOs are also vice-presidents (in one case, it is an assistant deputy minister).

Figure 43 - Respondent's Position Within the Organization

Source: Survey CATAAlliance/Sciencetech communications – January-April 2019 (147 respondents)

[Figure 42 chart legend: Atlantic, Québec, Ontario, West. Values: 7%, 52%, 24%, 17%.]

[Figure 43 chart legend: IT Technician, CISO, Vice President, Executive, CIO, IT Manager, CEO. Values: 3%, 9%, 12%, 14%, 14%, 15%, 33%.]


Services to which Respondents Refer

Fewer respondents indicated the service to which they belong (53%). However, the vast majority of those who responded indicated that they are part of the IT department (61%). In several cases, the respondent reports to the director or vice-president of finance (8%). This is a historical holdover. In many organizations, the digitization of processes began with the introduction of an Enterprise Resource Planning (ERP) system, which reported to the Chief Financial Officer (CFO). Later, when other processes were digitized, that responsibility was naturally assigned to the CFO as well. Importantly, in 10% of cases, the respondent reports directly to the CEO or even to the Board of Directors. It can be either the CISO of a large financial institution or the simple IT technician of an SME. Finally, few respondents report being in the Operations Department or OT (5%).

Figure 44 - Service to Which the Respondent Refers

Source: Survey CATAAlliance/Sciencetech communications – January-April 2019 (110 respondents)

Economic Sectors of Companies and Organizations

The classification of the economic sectors to which companies and organizations belong has been based on the North American Industry Classification System (NAICS). As expected, two-thirds of the respondents belong to the manufacturing sector. It should be noted, however, that for community of interest reasons, in the figure below, we have grouped agricultural businesses (111 and 112), food manufacturing (311 and 312) and wholesale and retail trade (413 and 445) into the “agri-food” category.

We proceeded in the same way for the metal industry, where we grouped together primary metal manufacturing (331) and metal product manufacturing (332). In “Energy and Utilities”, we grouped utilities (221) with oil and gas extraction (211). In the case of “Safety”, the reconciliation is rather functional. We extracted the police forces from the provincial or municipal governments to which they report and grouped them with the investigation and security services (561). However, we did not group “Transportation Services” (481, 482, 483, 484, 485 and 488) with “Transportation Equipment Manufacturing” (336). To the extent possible, we have tried to match the categories selected with the broad division of our study between critical infrastructure and the manufacturing sector. That is why, without ever abandoning the NAICS code, to which we always refer in the last instance, we have used categories that we believe are better suited to the purpose of cybersecurity research.

[Figure 44 chart legend: IT Department, Presidency, Finance, Corporate, Operations (OT), Cybersecurity Dpt, Other. Values: 61%, 10%, 8%, 6%, 5%, 4%, 6%.]

Figure 45 - Sectoral Distribution of Respondents

Source: Survey CATAAlliance/Sciencetech communications – January-April 2019 (208 respondents)

Definition of critical infrastructure based on the NAICS code

Since the Government of Canada has not established a precise definition of critical infrastructure, we thought it would be useful to list the industries that make up critical infrastructure. Our “Sectoral Distribution of Respondents” is largely based on the work of Tyson Macaulay, who expressed in NAICS code each of the industrial components of the 10 sectors that make up this infrastructure.84

84 Tyson Macaulay, Critical Infrastructure: Understanding Its Component Parts, Vulnerabilities, Operating Risks, and Interdependencies, CRC Press, 2008, 317 pages. Cf. pp. 29-31.

[Figure 45 chart legend: IT, Energy & Utilities, Healthcare, Finance, Safety, Chemical manufacturing, Governments, Electrical & Electronic, Machinery manufacturing, Agri-food, Industry (other), Transportation (services), Transportation (manufacturing), Metal manufacturing. Values: 3%, 5%, 3%, 4%, 4%, 5%, 5%, 7%, 9%, 11%, 12%, 8%, 7%, 17%.]


“For instance,” writes Tyson Macaulay, “when one considers the Food sector and its formalized definition of production, processing, distribution, and safety, you might not immediately make a leap to soft drink bottling. Yet this is a very reasonable inclusion given established NAICS classifications in Canada and the United States. Has anyone bothered to tell the bottlers that they are considered critical infrastructure? Similarly, tobacco and alcohol products are grouped very tightly with food products under NAICS and in statistical products from Statistics Canada and the BEA85 (perhaps because they are also physically consumed by people). Yet it would appear absurd to consider tobacco and alcohol as CI, unless you are a gangster, smuggler, or pirate.”86

Tyson Macaulay had to overcome some of the inaccuracies in the definition and the inadequacies of the NAICS code for the purposes of his research by extracting some data manually. For example, how can police forces be separated from government services when there is nothing in the NAICS code to distinguish them? All the groupings or extractions carried out by Tyson Macaulay seemed relevant to us and we adopted them as far as possible. That is why it seemed essential to quote in extenso the table prepared by this researcher.

85 Bureau of Economic Analysis of the Department of Commerce of the United States.
86 Tyson Macaulay, "Critical Infrastructure, Understanding Its Component Parts, Vulnerabilities, Operating Risks, and Interdependencies", CRC Press, Boca Raton, FL, 2008, 317 pages. Cf. p. 28.

Contemporary Critical Infrastructure Sector Definitions under NAICS

CI Sector and Harmonized Definitions, followed by the Canadian Statistics NAICS Mapping to CI Sectors:

Finance (banking, storage, investment exchange, disbursement, and securities)
    5A01 — Monetary authorities and depository credit intermediation
    5A02 — Insurance carriers
    5A06 — Other finance, insurance and real estate and management of companies and enterprises

Energy (electric power generation and transmission, oil and gas production and storage)
    2211 — Electric power generation, transmission, and distribution
    2111 — Oil and gas extraction
    3241 — Petroleum and coal products manufacturing
    4860 — Pipeline transportation

Information and communications (telecommunications and information technology, broadcasting systems, software, hardware, and networks including the Internet)
    513A — Pay TV, speciality TV and program distribution and telecommunications
    541B — Computer systems design and other professional, scientific, and technical services

Health care (hospitals, ambulances, blood banks, laboratories, surveillance, and personal health services)
    62A0 — Health care services (except hospitals) and social assistance
    GS11 — Hospitals
    3254 — Pharmaceuticals and medicine manufacturing

Food (production, processing, distribution, and safety)
    11A0 — Crop and animal production
    1140 — Fishing, hunting, and trapping
    3111 — Animal food manufacturing
    3113 — Sugar and confectionery manufacturing
    3114 — Fruit and vegetable preserving and speciality food manufacturing
    311A — Miscellaneous food manufacturing
    312A — Soft drink and ice manufacturing
    3115 — Dairy product manufacturing
    3116 — Meat product manufacturing
    3117 — Seafood product manufacturing

Water (drinking water and wastewater management treatment)
    221A — Natural gas distribution, water, sewage, and other systems

Transport (aviation, mass transit, rail, marine, and road)
    4810 — Air transportation
    4820 — Rail transportation
    4830 — Water transportation
    4840 — Truck transportation
    4850 — Transit and ground passenger transportation
    NA — Couriers, messengers, and postal services are excluded from Canadian CI definitions

Safety (law enforcement, fire, search and rescue, and emergency services)
    GS40 — Other municipal government services
    GS50 — Other provincial government services
    GS60 — Other federal government services

Government (social services, regulation)
    GS40 — Other municipal government services
    GS50 — Other provincial government services
    GS60 — Other federal government services

Manufacturing (defense industrial base, chemical industry)
    325A — Miscellaneous chemical product manufacturing
    3251 — Basic chemicals
    3364 — Aerospace product and parts manufacturing

Source: Tyson Macaulay, Critical Infrastructure: Understanding Its Component Parts, Vulnerabilities, Operating Risks, and Interdependencies, CRC Press, 2016.
