The City of Calgary’s emergency management agency said they’re taking a proactive approach to dealing with a growing number of cyberattacks against Canadian towns and cities.
The Calgary Emergency Management Agency (CEMA) presented their assessment on cyber risks and how the city handles them during Thursday’s Emergency Management committee meeting.
In the report, committee members heard that there’s been a 40 per cent increase in cyberattacks against municipalities. This is largely due to the multiple business lines that a city has that may be vulnerable to infiltration.
“The increases in cyberattacks globally truly define the borderless nature of our risks in the future,” said CEMA Chief Sue Henry.
“Events initiated from anywhere in the world can have cascading impacts to Calgary’s critical infrastructure operations, our service delivery and the economy.”
Henry said there’s potential that any sort of cyberattack could impact things like transportation, emergency response systems or other essential services. According to IBM, the annual cost of a cyber breach globally is around $4.5 million per breach. Chief Henry referenced an attack on the City of Dallas that resulted in $8.5 million in recovery costs.
Christopher Scutchings, team lead of information security operations said the most well-known attacks are ransomware. These attacks gain access to a system, it encrypts the data and then holds it for ransom. He said recently, they’ve seen extortion being used – where the data will be released publicly if the ransom isn’t paid. They also deal with denial of service (DDoS) attacks, that render devices or computers unavailable, and business email attacks.
The goal is to avoid the attacks altogether, said Scutchings.
“Today, we are working with our business partners to make the City of Calgary a hard target,” he said.
“It costs resources to attack an organization. So, unless specifically being targeted, many threat actors who are criminal in nature will move on to much easier targets.”
What steps the City takes for cyber protection
Tyler Andreychuk, manager of operations information technology, said while the disaster assessment risk is medium, the security risk has been ID’d as extensive on IT’s risk register, he said.
“Ongoing monitoring and mitigation is required by the city for the foreseeable future,” he said.
“With the shift to remote work and the globalization of news and social media, the lines have shifted. There is now a need to protect devices everywhere from inside the organization to anywhere employees work remotely.”
Andreychuk said the City uses multi-factor authentication (MFA) to secure remote connections.
“MFA has been identified as one of the top, if not the top, lines of defense against cyber threats,” he said.
They also practice crisis management in the event of a major technology failure or outage. He said that helps each business unit understand the potential risks associated with these threats.
According to Scutchings, they also have a process to validate third-party contractors.
“They would go through an assessment, and we evaluate the risk that could potentially be to the organization and then we take that into consideration working with our business units.”
Chief Henry said that in the event of a cyberattack, the City’s corporate security unit and the Calgary police would typically take the lead.
“Our whole job is to bring people together and bring the right people into the room to discuss whatever problem happens to be in front of us,” she said.
“So, the difference between a flood and a cyber incident would be during a flood there’s a different lead agency.”
