Sewage and cyber threats: Feds probe TransAqua's digital security

A New Brunswick wastewater treatment plant is working with the federal government to investigate its own cyber security vulnerabilities, hoping to keep the wrong people from taking control of the highly automated system.

General manager says computer system hit last year by ransomware attack

Kevin Rice, TransAqua's general manager, says the federal government has worked with the wastewater treatment facility to look for potential cyber security vulnerabilities. (Shane Magee/CBC)

New Brunswick's largest wastewater treatment plant can be run by a cellphone.

Ensuring the right person keeps control has been the focus of cyber security reviews recently carried out at the TransAqua plant in the Moncton area. 

It's work that Kevin Rice, general manager of the plant that handles wastewater from Moncton, Dieppe and Riverview, calls critical.

"When you're working in a highly automized world, especially in our industry, where everything can be run from a cellphone, you have to be very cognizant of how you manage the security on your IT systems," Rice said in an interview. 

The biggest risk, he said, is someone gaining access and triggering the release of untreated sewage into the Petitcodiac River. On a smaller scale, unauthorized access to TransAqua's IT system could breach employee files. 

It's not a remote risk. 

Last Easter, Rice said, he was called by someone claiming to work for TransAqua's IT service provider. The caller asked Rice for the system's administrator password. Rice said he told the caller if they were who they claimed, they should have the information. The caller hung up. 

But an email to an unsuspecting employee also claiming to be from the provider led to some of TransAqua's administrative files becoming encrypted through a ransomware attack.

Such an attack encrypts files and typically demands payment to release the files. The University of Calgary paid $20,000 to restore data after a ransomware attack in 2016.

Rice said TransAqua didn't get a demand — and the actual IT service provider detected the issue and restored the files from a regular backup.

"The reactive side did work well," Rice said. "The system was compromised, detected immediately and the system was restored. Now our focus is shifting more to the preventive side of how do we work better to protect our systems alongside detection."

TransAqua treats wastewater and sewage from Moncton, Dieppe and Riverview. (Shane Magee/CBC)

The attack came only months after the federal department of Public Safety assessed TransAqua's cyber security, as part of the Regional Resilience Assessment Program.

The free program carries out on-site assessments of critical infrastructure around the country and provides a report with recommendations. 

The department returned in March, piloting software to probe for vulnerabilities known as single points of failure.

Rice said the results from both assessments will be combined in an implementation plan.

Cost not yet clear

"It's important for us to not put this on a shelf and forget about it," he said. 

It's not yet clear how much it could cost to implement the recommendations. 

It's not clear how many other New Brunswick utilities have carried out the assessments. 

Public Safety did not respond to CBC's requests for information Monday and Tuesday.

Lisa Caissie, a City of Saint John spokesperson, said the city has completed a security risk assessment on critical infrastructure as part of the program and will continue routine checks to protect against threats. 

Late last year, the city's online parking payment system was breached, leading it to warn thousands of people their personal information may have been stolen.

About the Author

Shane Magee

Reporter

Shane Magee is a Moncton-based reporter for CBC.
