Is Canada’s Electricity Safe from Cyber Attacks?

Who could forget the Northeast Blackout of 2003? Eighteen years ago, on August 14th,
50 million people in Canada and the USA lost power.

In Toronto, I remember hearing stories of students having to walk from their summer jobs down at Queens Quay to Yonge and Finch, 4 hours to get home, uphill. Along the way, variety store owners were offloading buckets of ice cream to these kids for their freezers had broken down.


In one apartment building, they lost water. Tenants from the 18th floor to penthouse had to haul buckets up the emergency staircase from the only source of running water in the building – a vacant unit on the 12th floor.

In New York City, people were sleeping on the sidewalk with water bottles as makeshift pillows for their necks. The subway was down.

The nightmare lives on in a stunning array of photos compiled by The Daily Mail to mark the 15th anniversary:
https://www.dailymail.co.uk/news/article-6057157/Dramatic-images-15-years-ago-chaos-caused-2003-New-York-City-blackout.html

It took a week for power to be restored. Some $4 billion to $10 billion USD were lost. Nearly 100 people died from that Summer Blackout.
(https://www.energy.gov/sites/default/files/oeprod/DocumentsandMedia/BlackoutFinal-Web.pdf
https://www.reuters.com/article/us-blackout-newyork-idUSTRE80Q07G20120127)

Now imagine losing your electricity in the dead of winter. To help with visualization,
check out the icicles hanging from the ceiling inside an apartment building in Texas during the recent power outage in February 2021:
https://www.usatoday.com/story/news/nation/2021/02/17/ice-hangs-off-ceiling-fan-texas-one-many-surreal-winter-photos/6781681002/

This crisis went on for days. 111 people died.
(https://www.nytimes.com/interactive/2021/02/16/us/winter-storm-texas-power-outage-map.html
https://apnews.com/article/hypothermia-health-storms-power-outages-texas-ffeb5d49e1b43032ffdc93ea9d7cfa5f#:~:text=AUSTIN%2C%20Texas%20(AP)%20%E2%80%94,power%20outages%20in%20U.S.%20history)

The number of deaths are nothing in comparison to the COVID-19 numbers, but things could be far worse if society was left stranded for an indeterminate period of time without electricity. Civilization as we know it, would collapse.

It took a US-Canada Task Force 8 months to churn out a 238-page report to fully explain the Northeast Blackout of 2003. It is easy to get lost in the kV, MW, MISO, SCADA, FE technical language of this report, but it is striking to learn that partly to blame for this outage was a lack of tree-trimming in the Ohio power lines.

Another revelation was that it was not the result of a cyber attack; however, just 8 months prior, FirstEnergy Corporation reported that the “Slammer” virus did infiltrate their system. Just so you know, “Slammer” was notorious for breaking the internet in 15 minutes.
(https://www.wired.com/2003/07/slammer/)

On the heels of the 9/11 attacks, al-Qaeda did try to take credit for the Northeast Blackout 2003, but investigators ruled out this possibility.
(https://www.energy.gov/sites/default/files/oeprod/DocumentsandMedia/Blackout_Press_Release_April_5_2004.pdf
https://www.energy.gov/sites/default/files/oeprod/DocumentsandMedia/BlackoutFinal-Web.pdf)

Eighteen years later, DarkSide hackers in Russia paralyze the Colonial Pipeline in America and muscle $90 million in bitcoin through Ransomware.
(https://abcnews.go.com/Business/wireStory/pipeline-cyberextortion-attempt-gasoline-ticks-higher-77600028
https://www.cnbc.com/2021/05/18/colonial-pipeline-hackers-darkside-received-90-million-in-bitcoin.html)
If this could happen to fuel, this could very well happen to electricity.

On a global scale, Canada is in 2nd place for the production of hydroelectricity. In 1st place is China. 59.3% of Canada’s power comes from hydroelectricity and the residual is derived from coal, uranium, natural gas, petroleum and non-hydro renewable sources.
(https://www.nrcan.gc.ca/our-natural-resources/energy-sources-distribution/electricity-infrastructure/about-electricity/7359
https://www.usgs.gov/special-topic/water-science-school/science/hydroelectric-power-water-use?qt-science_center_objects=0#qt-science_center_objects)

However, Canada’s electric grid does not exist in a vacuum. Canada is connected to the United States and Mexico through the North American Bulk Electric System (BES) Canada and the USA share 34 active transmission lines.
(https://www.nrcan.gc.ca/our-natural-resources/energy-sources-distribution/electricity-infrastructure/electricity-canada/canada-electric-reliability-framework/18792)

In November 2020, the Canadian Centre for Cyber Security released the “Cyber Threat Bulletin: The Cyber Threat to Canada’s Electricity Sector”. Given this interconnectedness with the USA, Canada is most likely an “intermediate target” for future cyber attacks “within the next three years” – a sinister projection that should not be taken lightly.

Electricity makes its way from the power plant to a transformer that boosts the voltage for transmission. From there, electricity travels long distance by way of transmission lines. These aforementioned steps make up the “Bulk Power System (BPS)”.

Next, a transformer lowers the voltage of the electricity and then relays this power to distribution lines destined for houses. Transformers on poles lower the electricity even more before entering an individual home. These latter steps make up the “Local Distribution”.

The Cyber Threat Bulletin foresees hackers as targeting the Bulk Power System (BPS). The production of electricity involves an interplay between “Operational Technology (OT)” and “Information Technology (IT)”, i.e., manual operations vs. manoeuvres that require internet connection. Any time the internet is involved, our electricity will be at risk.

Moreover, Canada’s electricity relies on “Managed Service Providers (MSPs)”, essentially the middlemen, who perform work on the system. These players may be vulnerable to cyber attacks if their networks are not fully safeguarded.
(https://cyber.gc.ca/sites/default/files/publications/Cyber-Threat-to-the-Electricity-Sector-Bulletin_e.pdf)

Imagine losing electricity all because hackers were able to infiltrate Microsoft email software used by grid operators. A simple thing like an Outlook calendar could very well be a potential entry point.

Another example is the “Blaster” virus, which interferes with Windows updates.
(https://www.washingtonpost.com/business/on-small-business/microsoft-attack-blamed-on-china-morphs-into-global-crisis/2021/03/06/48bffec4-7ee1-11eb-8c5e-32e47b42b51b_story.html
https://www.pandasecurity.com/en/mediacenter/malware/virus-blaster/)

Cyber attacks on Hydro One are not unheard of, given the incident of 2017 whereby it was particularly challenging to track down the hackers.
(https://www.ctvnews.ca/canada/compromised-hydro-one-computer-shows-difficulty-of-tracking-hackers-1.3226481)

The North American Electric Reliability Corp (NERC) released a statement on May 14, 2021 that Central United States, California, Texas and New England could suffer power outages this summer. New England is not that far from Toronto; we are not out of the woods.

In 2017, it was reported that New England derives electricity from Quebec and New Brunswick alone and this translates to an economic benefit of $103 million to $471 million. We are all interconnected in some way – there is no avoiding it.
(https://www.c2es.org/site/assets/uploads/2017/05/canada-interconnected.pdf)

Whether these power outages are attributed to demand exceeding supply, as we saw in the Northeast Blackout of 2003, or whether these are linked to cyber attacks on infrastructure, as we saw with the recent Colonial Pipeline crisis – Canadians must not let down their guard.

There is indeed a valid reason for this recent @Get_Prepared campaign that has been nagging the Twittersphere, courtesy of the Government of Canada: “Disasters can strike at any time. Know the risks in your area, make a plan and build an emergency kit”:
https://twitter.com/Get_Prepared/status/1377625094667825158