The utility is considered critical infrastructure because it provides drinking water, storm and wastewater services to more than 300,000 people.
“We want to have a system in place that in the event that we are attacked and some of our systems are knocked out, that we can quickly recover from those,” said spokesperson James Campbell.
Halifax Water is seeking approval from the Nova Scotia Utility and Review Board to spend $1.1 million on an information technology disaster recovery plan.
Report identified security holes
In response to a request from the regulator, this week Halifax Water released its five-year IT strategic plan prepared by Saint John-based Mariner Innovations in October 2017.
The report found there were no disaster recovery objectives, plans or identified backup facilities for a number of key IT systems.
The data centre, servers, network, security systems and website — among others — did not have disaster recovery plans.
“This situation reflects a high risk that timely and effective recovery could not be achieved in the event of an emergency evacuation of the main office building, of key infrastructure elements failing, or there was specific damage within the in-house data centre, including a cyberattack breach,” the report said.
The report noted ransomware attacks have made disaster recovery essential and backup systems are one of the most effective responses.
Campbell would not provide details on Halifax Water’s plans to mitigate against a ransomware threat.
Planning and design have already been completed. Implementation will take about eight months, he said.
The cyberthreat has come into focus recently with two high-profile ransomware attacks that shut down the Colonial Pipeline on the east coast of the United States, and JBS meat packing-plants in the U.S., Canada and Australia.
One year ago, the Halifax-based Northwest Atlantic Fisheries Organization was hit. The organization helps manage fish stocks in international waters in the northwest Atlantic for a dozen members, including Canada, the European Union and Russia. It declined to comment.
What other key organizations are doing
The province said it has systems in place to proactively manage cybersecurity risks, including ransomware.
“We ensure our anti-virus software is up to date,” Service Nova Scotia and Internal Services said in a statement. “We apply updates to our operating systems. Where services are provided by vendors, they are required to monitor for system vulnerabilities and update as needed.”
Nova Scotia Power spokesperson Jacqueline Foster said as a regulated utility providing an essential service, it must meet cybersecurity standards and is audited on a regular basis.
“Our cybersecurity plan addresses our critical infrastructure and daily operations,” she wrote in an email. “It involves people, processes and technology and its level of complexity is commensurate based on our critical infrastructure and the service we provide our customers.”