this post was submitted on 30 Jun 2026
90 points (98.9% liked)


Russian cybercriminals managed to hack into a Quebec municipality’s water treatment plant systems and had the ability to wreak havoc on the crucial infrastructure before getting caught, according to Canada’s cyber spy agency.

In its latest annual report released Monday, the Communications Security Establishment (CSE) said that it detected over 3,200 cyber incidents affecting either federal government organizations or one of ten critical infrastructure sectors, such as energy, critical minerals and water.

In one particular case discussed in the report, the signals intelligence agency said it was advised last October that Russian hacktivist group NoName had broken into the Quebec water plant’s network and gained access to many crucial systems.

...

According to CSE, NoName claimed it had gained the “ability to covertly control pumps, chlorine dosing, pressure settings and monitoring/alerts systems.” The report does not identify the impacted Quebec municipality.

...

The annual report ... points to two main state cyber adversaries: Russia and China. The report emphasizes that both countries pose a growing threat in the Canadian Arctic, where challenges posed by adversaries go “beyond traditional military and cyber threats to include economic and influence-related activities that seek to shape access, infrastructure, and decision-making in the region.”

...

top 27 comments
[–] shininghero@pawb.social 39 points 4 days ago (7 children)

Why are these systems controllable via the internet to begin with? If I was designing this, it would be accessible via LAN only, and tightly regulated VPN access.

[–] violentfart@lemmy.world 18 points 4 days ago

Why hire someone locally when you can save money with random contractors that will do it just as well? /s

[–] Dionysus@leminal.space 11 points 4 days ago

But how do you provide durable savings by outsourcing management if you airgap critical life systems?

/s

[–] kent_eh@lemmy.ca 7 points 4 days ago

I'm surprised too. At my former company, to get access to the infrastructure took at minimum 3 different passwords (4 if you were coming in on the VPN) to get at anything. Even within the O&M system, different subsystems were segregated from each other. There was a lot of nested VLANs going on.

Made it interesting to configure new stuff, and there were regular audits to make sure you couldn't simply telnet (or SSH or whatever other protocol) from one device to another.

And we weren't anything near as important as a water utility.

[–] orioler25@lemmy.ca 6 points 4 days ago

There are far more secure methods than what you listed, but I'm also curious how this happened as neither the article nor anything it cites specifies what the actual weakness was. I would love if someone has any sources on this infrastructure. If they are accessible via the internet, why was any device with an SSH key compromised and how? It would likely be on that end and potentially any cybersecurity contractor that was used for this (I'm guessing this is a consequence of some neoliberalism as per usual).

[–] Magister@lemmy.world 6 points 4 days ago (1 children)

Wait for power grid... it's incredible as everything is connected on the internet with SCADA, some for like 20-25 years now, I'm sure China/Russia could have full control on it and shut down everything in a few seconds.

[–] gramie@lemmy.ca 4 points 4 days ago (1 children)

The hydroelectric dam near my home runs with 14 employees on site, who work from 8:00 to 4:00. All control and monitoring is done remotely at an office about 300 km away.

[–] ILikeBoobies@lemmy.ca 1 points 4 days ago

That's not enough time to sleep.

[–] adespoton@lemmy.ca 4 points 4 days ago (2 children)

Because a town council wanted to get re-elected and so “streamlined” the budget for the water department to save voter tax dollars.

[–] gramie@lemmy.ca 2 points 4 days ago (1 children)

My town has a population of 300. There is no way they could afford full-time employees managing the water treatment system.

[–] adespoton@lemmy.ca 5 points 4 days ago

They have a water treatment system? With SCADA?

When I lived in a town of 300, water treatment was a building in behind the credit union where someone had to manually go, check the levels visually, top up the fluids and check a checklist. Once a year some university student came around and did a battery of tests to certify the water and the system.

None of it required an Internet connection or even a computer.

[–] orioler25@lemmy.ca 2 points 4 days ago* (last edited 4 days ago)

This is true? The article doesn't even mention what municipality this was, so it'd be good to actually see where this happened as well. I'm trying to find sources on this, do you have one?

[–] Scotty@scribe.disroot.org -1 points 4 days ago* (last edited 4 days ago) (1 children)

Yes, and the same is true for all public infrastructure and other sensitive technology.

But tankies keep up the illusion that remote control of Chinese tech isn't a problem.

As an addition: In August 2025, a joint advisory of Western governments' intel - including Canadian Centre for Cyber Security (Cyber Centre) and the Canadian Security Intelligence Service (CSIS) - said,

People’s Republic of China (PRC) state-sponsored cyber threat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks. While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks. These actors often modify routers to maintain persistent, long-term access to networks. [Source (pdf)]

[–] orioler25@lemmy.ca 6 points 4 days ago* (last edited 3 days ago)

Could you explain how this relates to the article about Russian-contracted actors? The source you linked doesn't make that association beyond that both Russia and the PRC are cybersecurity concerns, and neither this article nor the CSE report it references mentions any hardware used in this system and that report only stated they are concerned about PRC cyber-attacks, but not that this specific attack was in any way related to the PRC or that devices used in these systems are potentially compromised by the PRC is used in this system (the CSE report even emphasizes personal mobile devices, not the infrastructure of public services). The source you link also just talks about routers like, in general, which is a given in network security, and I'm sure that there is indeed a risk given the production of these devices (such as whether there is proof that this was on a network that used Westermo devices), but there's no specifics that indicate something along the lines of PRC having direct remote control of devices used in this infrastructure. Given you're also posting a known propaganda network (Postmedia Network agencies are basically tabloids), I'm curious if there's some real sources associated with any of this.

(this is also the first time in my life that I've seen someone say that "tankies" are keeping up an illusion about Chinese tech as more secure, I'm curious where that's come from as well)

Edit: okay, so it looks like they've been pretty active since I made this comment. I think it's safe to say they're bullshitting and did not actually take the time to research what they are talking about.

[–] ContactClosure@lemmus.org 2 points 3 days ago

This is why I'm super glad the US put the electrical grid and water meters on the internet.

[–] orioler25@lemmy.ca 3 points 4 days ago (3 children)

Does anyone have any sources or knowledge on how the network infrastructure for these systems is designed? I've never investigated this and wouldn't know where to look, and this article doesn't provide much information (it's a Postmedia Network source, btw, so take this all with a grain of salt).

I can't imagine that any remote access isn't done through SSH or an intranet for exactly this reason. Is that incorrect? Or is there a reason they wouldn't be and a way that these systems could be compromised by an employee's device that has access to the internet?

[–] I_am_10_squirrels@beehaw.org 4 points 4 days ago (1 children)

I worked in water treatment during an internship and learned about air gapping. You make it so that data can go out for monitoring, but nothing can come in. You need physical access to make changes. Because if someone can control it remotely, that means anyone can control it remotely.

[–] orioler25@lemmy.ca 1 points 3 days ago

I mean, SSH would create some barriers that make this question even more relevant, if there was a weakness somewhere (even if just because remote access was available), it better have been a result of user error and not poor infrastructure design.

[–] kent_eh@lemmy.ca 4 points 4 days ago (1 children)

The smaller the municipality (and the older the system), the less likely that they have a robust IT department managing all the access controls.

Then again, I've also encountered an office (not utility infrastructure) where some random employee had plugged a Wi-Fi access point into their desk's Ethernet port and set it on the window ledge so they could use their phone on the company network while they were outside having a smoke... (yes they faced consequences when management was made aware)

As we all know, security is only as good as your weakest link.

[–] orioler25@lemmy.ca 0 points 3 days ago* (last edited 3 days ago) (1 children)

Yeah I think the size of the municipality is a great thing to keep in mind for this, as I'm sure a more rural, low population, and dispersed municipality would likely have less funding to update and maintain these systems. What I'm curious about is if this is a consequence of that neoliberalization -- whether this was a result of reduced public funding and therefore the adoption of privatized, profit-driven solutions -- or if it was simply a consequence of older infrastructure and poor discipline. Those are very different explanations that present their own risks for the rest of us to be concerned about and options for what we are able to do about it.

[–] kent_eh@lemmy.ca 1 points 2 days ago

Which is why it is important for facility operators to pay attention to the forensic audits of the compromised systems, and react appropriately.

And, obviously, it is also important that those audit reports be made available, and not hidden away because of some sense of corporate embarrassment or claims of "proprietary information".

[–] quick_snail@feddit.nl 1 points 4 days ago (1 children)

Most likely Windows XP on an old Dell desktop in a closet. Can't be upgraded due to some no longer maintained driver blah blah

[–] orioler25@lemmy.ca 1 points 3 days ago (1 children)

Why is that most likely? I'm having a hard time finding reliable information on how these water treatment systems are actually designed, but everyone feels very comfortable speculating.

[–] quick_snail@feddit.nl 1 points 3 days ago (1 children)

I've worked for the government before. This is from experience.

[–] orioler25@lemmy.ca 2 points 3 days ago (1 children)

Okay, but you do understand that anyone can just say that though, right? Do you have any public links that you'd be aware of from working in the govt that relates to information on this?

[–] quick_snail@feddit.nl 1 points 3 days ago (1 children)

No, they wouldn't advertise that.

Best you'll find is news articles about compromises on critical infrastructure. But, even then, the government is going to do its best to bury their incompetence that was the root cause.

[–] orioler25@lemmy.ca 0 points 3 days ago

Again, I've never researched this before (especially so for Quebec), so I guess it is a little surprising that public spending like that wouldn't have to disclose some specifics around the use of funds and who is involved for contracts.

And like, yeah, but what level of government is this? Was it a consequence of municipal decisions? Provincial funding? The general neoliberalism that has dominated Canadian politics and economics for the past four decades? There are a lot of factors to determine how much of a concern this actually is and how to realistically address it.