Canada Issues National Alert as Hacktivists Target Critical Infrastructure

Canadian Centre for Cyber Security Issues National Alert on Hacktivist Breaches of Industrial Control Systems

Severity: HIGH
October 31, 2025
4 min read
Topics: Industrial Control Systems, Policy and Compliance, Cyberattack

Related Entities

Organizations

Canadian Centre for Cyber Security, Royal Canadian Mounted Police (RCMP)

Products & Tech

Industrial Control Systems, Programmable Logic Controllers, Human-Machine Interfaces, SCADA

Full Report

Executive Summary

The Canadian Centre for Cyber Security (the Cyber Centre) and the Royal Canadian Mounted Police (RCMP) have issued a joint national alert warning of a rising tide of hacktivist attacks targeting Canada's critical infrastructure. The advisory, released on October 30, 2025, was prompted by multiple recent incidents where hacktivists successfully breached internet-accessible Industrial Control Systems (ICS) and Operational Technology (OT). These attacks have impacted the water, food, and manufacturing sectors, creating a direct risk to public safety. The government is urging organizations to take immediate defensive measures to identify and secure exposed ICS/OT assets.


Regulatory Details

The alert serves as an official warning to Chief Information Security Officers (CISOs) and other leaders within Canadian critical infrastructure organizations. It highlights a dangerous trend: hacktivist groups are evolving their tactics beyond website defacements and Distributed Denial-of-Service (DDoS) attacks. They are now actively targeting and successfully compromising operational technology, such as:

  • Programmable Logic Controllers (PLCs)
  • Human-Machine Interfaces (HMIs)
  • Supervisory Control and Data Acquisition (SCADA) systems

The Cyber Centre warns that the direct exposure of these systems to the internet poses a systemic risk, particularly in sectors that may lack mature cybersecurity programs or regulatory oversight, such as smaller municipalities and private manufacturing facilities.

Affected Organizations

The alert is directed at all Canadian critical infrastructure operators, with a specific focus on sectors where recent breaches have been observed:

  • Water and Wastewater Systems
  • Food and Agriculture
  • Manufacturing

The advisory stresses that small and medium-sized organizations, including municipalities, are at high risk due to potentially limited resources and cybersecurity expertise.

Compliance Requirements

While not a legally binding regulation, the alert outlines urgent recommendations that are considered the standard of due care for operators of critical infrastructure:

  1. Conduct a Full Inventory: Organizations must immediately identify all internet-accessible ICS/OT devices and assess the business requirement for their exposure.
  2. Eliminate Direct Exposure: For any system that does not absolutely need to be internet-facing, remove the exposure. Systems that do require remote access must be placed behind a Virtual Private Network (VPN) protected by two-factor authentication (2FA).
  3. Enhance Monitoring: For any systems that must remain exposed, organizations should implement enhanced security monitoring. This includes deploying an Intrusion Prevention System (IPS), conducting regular penetration testing, and establishing a continuous vulnerability management program.
  4. Clarify Responsibilities: Organizations must establish clear roles and responsibilities for cybersecurity, especially when working with third-party vendors and Managed Service Providers (MSPs).
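The first two requirements above (inventory every internet-accessible ICS/OT device, then decide whether each exposure is justified) come down to reconciling what the outside world can reach against what the organization has actually approved. The following script is an added example, not code from the Cyber Centre/RCMP alert or from the article's author: it takes a constructed external scan export in a Shodan-like shape, compares it with a constructed internal asset inventory, and produces prioritized findings. The port-to-protocol mapping, the inventory fields (`name`, `owner`, `approved_ports`) and the TEST-NET addresses are all assumptions made for the example.

```python
"""Reconcile an external exposure scan against an internal OT asset inventory.

Added example (not from the Cyber Centre/RCMP alert or the article). The scan
export and the inventory below are constructed sample data; a real run would
load a scan export and the organization's CMDB instead.
"""
from dataclasses import dataclass

# Ports commonly carrying ICS/OT protocols. This mapping is an assumption used
# only for prioritization; adjust it to the protocols actually in use.
ICS_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
}
# Ports that usually front an HMI or a web management page.
WEB_PORTS = {80, 443, 8080}


@dataclass
class Finding:
    ip: str
    port: int
    severity: str
    reason: str


def reconcile(scan_results, inventory):
    """Return findings for every exposed (ip, port) the inventory does not approve.

    scan_results: list of {"ip": str, "port": int, "product": str}
    inventory:    dict mapping ip -> {"name", "owner", "approved_ports": set[int]}
    """
    findings = []
    for hit in scan_results:
        ip, port = hit["ip"], hit["port"]
        asset = inventory.get(ip)
        if port in ICS_PORTS:
            proto = ICS_PORTS[port]
            if asset is None:
                findings.append(Finding(ip, port, "critical", f"unknown asset exposing {proto}"))
            elif port not in asset["approved_ports"]:
                findings.append(Finding(ip, port, "critical",
                                        f"{asset['name']} exposes {proto} without approval"))
            else:
                # Approved but still internet-facing: the alert asks for enhanced monitoring.
                findings.append(Finding(ip, port, "high",
                                        f"{asset['name']} has approved {proto} exposure; needs monitoring"))
        elif asset is None:
            findings.append(Finding(ip, port, "medium", "unknown asset; verify ownership"))
        elif port not in asset["approved_ports"]:
            severity = "high" if port in WEB_PORTS else "medium"
            findings.append(Finding(ip, port, severity, f"{asset['name']} exposes unapproved port"))
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (order[f.severity], f.ip, f.port))
    return findings


# Constructed sample scan export (TEST-NET-3 addresses, not real hosts).
SAMPLE_SCAN = [
    {"ip": "203.0.113.10", "port": 502, "product": "Modbus"},
    {"ip": "203.0.113.10", "port": 443, "product": "HTTPS"},
    {"ip": "203.0.113.20", "port": 20000, "product": "DNP3"},
    {"ip": "203.0.113.30", "port": 8080, "product": "HTTP"},
    {"ip": "203.0.113.40", "port": 22, "product": "OpenSSH"},
]

# Constructed sample inventory: only the 443 and 22 exposures were ever approved.
SAMPLE_INVENTORY = {
    "203.0.113.10": {"name": "pump-station-plc", "owner": "water-ops", "approved_ports": {443}},
    "203.0.113.30": {"name": "packaging-hmi", "owner": "plant-2", "approved_ports": set()},
    "203.0.113.40": {"name": "remote-access-gw", "owner": "it-sec", "approved_ports": {22}},
}


def run_sample():
    """Reconcile the constructed data; returns the ordered findings."""
    return reconcile(SAMPLE_SCAN, SAMPLE_INVENTORY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity.upper():8}] {f.ip}:{f.port} - {f.reason}")
```

On the constructed data this yields three findings: the known PLC exposing Modbus/TCP without approval and the unknown DNP3 endpoint both rank critical, and the HMI's unapproved web port ranks high; the approved HTTPS and SSH exposures produce nothing. Feeding the critical list straight into the "eliminate direct exposure" step is the intended workflow.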

Impact Assessment

The impact of these hacktivist attacks extends beyond data theft or financial loss. Intrusions into ICS/OT environments can have severe real-world consequences:

  • Public Safety Risks: An attack on a water treatment facility could alter chemical balances, making water unsafe. An attack on a food processing plant could tamper with safety controls.
  • Service Disruption: Hacktivists could shut down essential services, impacting manufacturing output, energy distribution, or transportation.
  • Economic Damage: Disruption to industrial processes can lead to significant financial losses and supply chain interruptions.

Enforcement & Penalties

This is a national security alert, not a new law with defined penalties. However, failure to act on this guidance could expose organizations to significant liability in the event of an incident. Regulators in specific sectors (e.g., energy) may conduct audits based on this alert, and a failure to demonstrate due diligence could lead to future regulatory action or fines.

Compliance Guidance

Organizations should take the following tactical steps:

  1. Immediate Action (0-30 days):
    • Use tools such as Shodan or another attack surface management (ASM) platform to discover all internet-facing devices in your organization's IP space.
    • Cross-reference findings with an internal asset inventory to identify any unauthorized or unknown ICS/OT exposures.
    • For any exposed ICS device, immediately place it behind a firewall and implement access control lists (ACLs) to restrict access to trusted IPs as a temporary measure.
  2. Strategic Implementation (30-90 days):
    • Deploy a secure remote access solution (e.g., VPN with MFA) for all OT environments. This is a core tenet of M1032 - Multi-factor Authentication.
    • Implement network segmentation to create a defensible boundary between IT and OT networks, as per M1030 - Network Segmentation.
    • Develop an incident response plan specifically for OT environments.
  3. Continuous Improvement (Ongoing):
    • Establish a program for regular vulnerability scanning and patching of ICS/OT systems.
    • Deploy network security monitoring tools specifically designed for OT protocols (e.g., Modbus, DNP3) to detect anomalous behavior.
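The last step above, monitoring OT protocols such as Modbus for anomalous behavior, is concrete enough to show in code. What follows is an added example written for this page; it is not from the alert or the article. It parses Modbus/TCP frames from constructed flow records and raises an alert when a state-changing (write) function code arrives from a host that is not an approved engineering workstation, or when any Modbus traffic originates outside the OT subnet. The OT subnet, the engineering-host allowlist and the sample frames are assumptions made for the example; in production the flows would come from a packet capture or an OT network sensor.

```python
"""Flag Modbus/TCP write requests from unexpected sources.

Added example, not from the Cyber Centre/RCMP alert or the article. Frames and
addresses below are constructed; the policy constants are assumptions.
"""
import ipaddress
import struct

# Modbus function codes that change controller state.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}

# Assumed policy: only engineering workstations inside the OT subnet may write.
OT_SUBNET = ipaddress.ip_network("10.20.0.0/16")
ENGINEERING_HOSTS = {ipaddress.ip_address("10.20.1.10")}

# MBAP header: transaction id, protocol id, length, unit id (big-endian).
MBAP_HEADER = struct.Struct(">HHHB")


def parse_modbus_tcp(payload: bytes):
    """Return (unit_id, function_code), or None if payload is not a Modbus/TCP PDU."""
    if len(payload) < MBAP_HEADER.size + 1:
        return None
    _tid, proto, length, unit = MBAP_HEADER.unpack_from(payload)
    if proto != 0:  # the Modbus protocol identifier is always 0
        return None
    if length != len(payload) - 6:  # length field counts unit id + PDU
        return None
    return unit, payload[7]


def detect(flows):
    """flows: list of (src_ip, dst_ip, payload). Returns a list of alert strings."""
    alerts = []
    for src, dst, payload in flows:
        parsed = parse_modbus_tcp(payload)
        if parsed is None:
            continue  # not Modbus; out of scope for this detector
        unit, fc = parsed
        src_ip = ipaddress.ip_address(src)
        if src_ip not in OT_SUBNET:
            alerts.append(f"{src} -> {dst}: Modbus from outside OT subnet (fc={fc})")
            continue
        if fc in WRITE_FUNCTION_CODES and src_ip not in ENGINEERING_HOSTS:
            alerts.append(f"{src} -> {dst}: {WRITE_FUNCTION_CODES[fc]} "
                          f"from non-engineering host (unit {unit})")
    return alerts


# Constructed sample flows (src, dst, payload). 10.20.1.10 is the approved
# engineering workstation; 10.20.5.77 is an ordinary OT host; 203.0.113.55 is external.
SAMPLE_FLOWS = [
    # Read Holding Registers (fc 3) from the engineering workstation: benign.
    ("10.20.1.10", "10.20.9.1", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # Write Single Register (fc 6) from the engineering workstation: allowed.
    ("10.20.1.10", "10.20.9.1", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"),
    # Write Single Coil (fc 5) from a non-engineering OT host: alert.
    ("10.20.5.77", "10.20.9.1", b"\x00\x03\x00\x00\x00\x06\x01\x05\x00\x01\xff\x00"),
    # Read Coils (fc 1) from outside the OT subnet: alert regardless of function.
    ("203.0.113.55", "10.20.9.1", b"\x00\x04\x00\x00\x00\x06\x01\x01\x00\x00\x00\x08"),
    # Non-Modbus payload on the same flow path: ignored by the parser.
    ("10.20.5.77", "10.20.9.1", b"GET / HTTP/1.1\r\n"),
]


def run_sample():
    """Run the detector over the constructed flows; returns the alert list."""
    return detect(SAMPLE_FLOWS)


if __name__ == "__main__":
    for line in run_sample():
        print("ALERT:", line)
```

Two of the five constructed flows produce alerts: the coil write from the non-engineering host, and the read from the external address. The external-source rule fires before the function-code check because, under the alert's guidance, no Modbus session should reach a controller from outside the OT boundary at all; a read from the internet is already the exposure the advisory is warning about.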

Timeline of Events

  1. October 30, 2025: The Canadian Centre for Cyber Security and the RCMP issue a joint national alert about hacktivist threats to ICS.
  2. October 31, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Limit internet exposure: the primary recommendation is to remove ICS/OT systems from the public internet entirely.
  • Network Segmentation (M1030): create a strong boundary between the IT and OT networks to prevent attackers from pivoting between them.
  • Multi-factor Authentication (M1032): enforce MFA on all remote access solutions (such as VPNs) that provide a path to the OT network.
  • ICS network segmentation: specifically for ICS, segmenting the industrial network from the corporate network is a foundational security control.


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags

ICS, OT Security, SCADA, critical infrastructure, hacktivism, Canada, cyber alert
