Sewage and cyber threats: Feds probe TransAqua's digital security
General manager says computer system hit last year by ransomware attack
New Brunswick's largest wastewater treatment plant can be run by a cellphone.
Ensuring the right person keeps control has been the focus of cyber security reviews recently carried out at the TransAqua plant in the Moncton area.
It's work that Kevin Rice, general manager of the plant that handles wastewater from Moncton, Dieppe and Riverview, calls critical.
"When you're working in a highly automized world, especially in our industry, where everything can be run from a cellphone, you have to be very cognizant of how you manage the security on your IT systems," Rice said in an interview.
The biggest risk, he said, is someone gaining access and triggering the release of untreated sewage into the Petitcodiac River. On a smaller scale, unauthorized access to TransAqua's IT system could breach employee files.
It's not a remote risk.
Last Easter, Rice said, he was called by someone claiming to work for TransAqua's IT service provider. The caller asked Rice for the system's administrator password. Rice said he told the caller if they were who they claimed, they should have the information. The caller hung up.
But an email to an unsuspecting employee also claiming to be from the provider led to some of TransAqua's administrative files becoming encrypted through a ransomware attack.
Such an attack encrypts files and typically demands payment to release the files. The University of Calgary paid $20,000 to restore data after a ransomware attack in 2016.
Rice said TransAqua didn't get a demand — and the actual IT service provider detected the issue and restored the files from a regular backup.
"The reactive side did work well," Rice said. "The system was compromised, detected immediately and the system was restored. Now our focus is shifting more to the preventive side of how do we work better to protect our systems alongside detection."
The attack came only months after the federal department of Public Safety assessed TransAqua's cyber security, as part of the Regional Resilience Assessment Program.
The free program carries out on-site assessments of critical infrastructure around the country and provides a report with recommendations.
The department returned in March, piloting software to probe for vulnerabilities known as single-point of failures.
Rice said the results from both assessments will be combined in an implementation plan.
Cost not yet clear
"It's important for us to not put this on a shelf and forget about it," he said.
It's not yet clear how much it could cost to implement the recommendations.
It's not clear how many other New Brunswick utilities have carried out the assessments.
Public Safety did not respond to CBC's requests for information Monday and Tuesday.
Lisa Caissie, a City of Saint John spokesperson, said the city has completed a security risk assessment on critical infrastructure as part of the program and will continue routine checks to protect against threats.
Late last year, the city's online parking payment system was breached, leading it to warn thousands of people their personal information may have been stolen.