Item - 2021.AU9.7

Tracking Status

  • City Council adopted this item on July 14, 2021 with amendments.
  • This item was considered by Audit Committee on July 7, 2021 and was adopted with amendments. It will be considered by City Council on July 14, 2021.

AU9.7 - Outstanding Cybersecurity Recommendations from Auditor General Reports - Chief Information Security Officer Status

Decision Type:
ACTION
Status:
Amended
Wards:
All

City Council Decision

City Council on July 14, 15 and 16, 2021, adopted the following:

 

1.  City Council request the Auditor General to report to the November 2, 2021 meeting of the Audit Committee with an update on outstanding cybersecurity recommendations from Auditor General reports.

 

2.  City Council request the Chief Information Security Officer and relevant City division heads to accelerate the implementation of outstanding cybersecurity recommendations from Auditor General reports and to accelerate compliance with cybersecurity standards.

 

3.  City Council request the Chief Technology Officer to expedite the implementation of high-priority cybersecurity recommendations.

 

4. City Council direct the City Manager to advise the Auditor General on the status of implementation of all high and medium-risk threats, within one week of the timelines outlined in Table 2 in the report (June 22, 2021) from the Interim Chief Information Security Officer and City Council request the Auditor General to verify the implementation and to report to the Audit Committee as soon as possible thereafter. 

 

5.  City Council direct that Confidential Attachment 1 to the report (June 22, 2021) from the Interim Chief Information Security Officer remain confidential in its entirety, as it involves the security of property belonging to the City of Toronto.

 

6.  City Council direct that Confidential Attachment 1 to the supplementary report (July 6, 2021) from the Auditor General be released publicly at the discretion of the Auditor General, after discussions with the appropriate City Officials, as it contains information involving the security of property belonging to the City of Toronto or one of its Agencies and Corporations.

 

Confidential Attachment 1 to the report (June 22, 2021) from the Interim Chief Information Security Officer remains confidential in its entirety in accordance with the provisions of the City of Toronto Act, 2006, as it pertains to the security of property belonging to the City of Toronto.

 

Confidential Attachment 1 to the supplementary report (July 6, 2021) from the Auditor General remains confidential at this time in accordance with the provisions of the City of Toronto Act, 2006, as it contains information involving the security of property belonging to the City of Toronto or one of its Agencies and Corporations. Confidential Attachment 1 to the supplementary report (July 6, 2021) from the Auditor General will be made public at the discretion of the Auditor General, after discussions with the appropriate City Officials.

Confidential Attachment - The security of property belonging to the City of Toronto.

Background Information (Committee)

(June 22, 2021) Report from the Interim Chief Information Security Officer on Outstanding Cybersecurity Recommendations from Auditor General Reports - Chief Information Security Officer Status
https://www.toronto.ca/legdocs/mmis/2021/au/bgrd/backgroundfile-168558.pdf
Confidential Attachment 1

Motions (City Council)

1 - Motion to Amend Item moved by Councillor John Filion (Carried)

That City Council direct the City Manager to advise the Auditor General on the status of implementation of all high and medium-risk threats, within one week of the timelines outlined in Table 2 in the report (June 22, 2021) from the Interim Chief Information Security Officer and City Council request the Auditor General to verify the implementation and report to the Audit Committee as soon as possible thereafter.


Motion to Adopt Item as Amended (Carried)

7a - Implementation of Cybersecurity High-Risk Recommendations Needs to be Expedited and Completed

Confidential Attachment - The safety and security of property belonging to the City or one of its Agencies and Corporations.
Background Information (Committee)
(July 6, 2021) Report and Appendix 1 from the Auditor General on Implementation of Cybersecurity High-Risk Recommendations Needs to be Expedited and Completed
https://www.toronto.ca/legdocs/mmis/2021/au/bgrd/backgroundfile-169002.pdf
Confidential Attachment 1 - Implementation of Cybersecurity High-Risk Recommendations Needs to be Expedited and Completed

AU9.7 - Outstanding Cybersecurity Recommendations from Auditor General Reports - Chief Information Security Officer Status

Decision Type:
ACTION
Status:
Amended
Wards:
All

Confidential Attachment - The security of property belonging to the City of Toronto.

Committee Recommendations

The Audit Committee recommends that:

 

1.  City Council request the Auditor General to report to the November 2, 2021 meeting of the Audit Committee with an update on outstanding cybersecurity recommendations from Auditor General reports.

 

2.  City Council request the Chief Information Security Officer and relevant City division heads to accelerate the implementation of outstanding cybersecurity recommendations from Auditor General reports and to accelerate compliance with cybersecurity standards.

 

3.  City Council request the Chief Technology Officer to expedite the implementation of high-priority cybersecurity recommendations.

 

4.  City Council direct that Confidential Attachment 1 to the report (June 22, 2021) from the Interim Chief Information Security Officer remain confidential in its entirety, as it involves the security of property belonging to the City of Toronto.

 

5.  City Council direct that Confidential Attachment 1 to the supplementary report (July 6, 2021) from the Auditor General be released publicly at the discretion of the Auditor General, after discussions with the appropriate City Officials, as it contains information involving the security of property belonging to the City of Toronto or one of its Agencies and Corporations.

Decision Advice and Other Information

The Audit Committee recessed its public session to meet in closed session to consider this item, as it relates to the security of property belonging to the City of Toronto and the safety and security of property belonging to the City of Toronto or one of its Agencies and Corporations.

Origin

(June 22, 2021) Report from the Interim Chief Information Security Officer

Summary

The Auditor General reviews the implementation status of recommendations made through her audit and investigation reports. The results of the review are reported to City Council through the Audit Committee.

 

The Auditor General has conducted a number of audits since 2015 to assess cybersecurity controls of the City's IT infrastructure, systems, and applications. As per the Auditor General's latest report, there are 43 recommendations related to cybersecurity that have not been fully implemented. The Office of the CISO currently has access to 28 of those recommendations through the audit tracking tool, TeamMate.

 

At its meeting on April 7 and 8, 2021, City Council adopted Item AU8.5, Auditor General's Follow-Up of the Outstanding Recommendations - Status Update, without amendments and without debate.

http://app.toronto.ca/tmmis/viewAgendaItemHistory.do?item=2021.AU8.5

 

At its February 16, 2021 meeting, the Audit Committee recommended that:

 

"City Council request the Chief Information Security Officer to report to the May 31, 2021 meeting of the Audit Committee on the implementation status of all outstanding cybersecurity-related audit recommendations, including:

 

a. high priority recommendations where there are still significant risks;

 

b. risks being faced by the City of Toronto as a result of not implementing audit recommendations;

 

c.  a risk assessment identifying the impact of the risks after considering any current vulnerabilities;

 

d.  any other security risks being faced as a result of the changing cyber threat landscape; and

 

e. short-, medium-, and long-term plans identifying what needs to be done to reduce the risk level for the City of Toronto in an expedited fashion."

 

The Office of the CISO has conducted an assessment based on the above criteria and this report provides an update on the status of high priority outstanding recommendations. As the May 31, 2021 Audit Committee meeting was cancelled, this report is being tabled for the July 7, 2021 Audit Committee meeting.

 

This report pertains to the 28 high priority cybersecurity recommendations currently accessible to the Office of the CISO in TeamMate. The Office of the CISO will continue its assessment of the remaining recommendations, including an assessment of additional security risks related to the changing cyber threat landscape. The Office of the CISO will report on these additional recommendations at the next Audit Committee meeting.

 

The Office of the CISO (OC) has assessed the residual risk of the high priority recommendations based on remediation progress and compensating controls in the current environment. In summary, 3 of the recommendations have been fully implemented. Additionally, the OC has determined that 21 of the 28 recommendations remain on track to be implemented within 2021 (short and medium terms). The assessment has identified 13 high risk recommendations plus 3 additional risks the City faces due to the continuously changing cyber threat landscape. Given the recent global attacks on critical infrastructure, it is extremely important that the implementation of these recommendations be expedited.

 

Table 1 below captures the status of all 28 recommendations* as shown in TeamMate and their associated risk ratings based on the risk assessment (*as of June 22, 2021):

 

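| Category               | High Risk | Medium Risk | Low Risk | Total |
|------------------------|-----------|-------------|----------|-------|
| Cyber Risk Program     | 3         | 1           | 2        | 6     |
| Policies and Standards |           | 4           | 1        | 5     |
| Threat Management      | 5         | 1           |          | 6     |
| Technical Standards    | 4         | 1           | 1        | 6     |
| Awareness and Training |           |             | 2        | 2     |
| Fully Remediated       | 1         |             | 2        | 3     |
| TOTAL                  | 13        | 7           | 8        | 28    |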

 

Table 2 below highlights the associated remediation timeline for open recommendations:

 

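| Remediation Timeline            | High Risk | Medium Risk | Low Risk | Total |
|---------------------------------|-----------|-------------|----------|-------|
| Short Term (September 30, 2021) | 6         | 3           | 4        | 13    |
| Medium Term (December 31, 2021) | 5         | 1           | 2        | 8     |
| Long Term (September 30, 2022)  | 1         | 3           |          | 4     |
| TOTAL                           | 12        | 7           | 6        | 25*   |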

* 3 recommendations are fully implemented.

 

Other Major Risks (in addition to open recommendations)

 

The ever-evolving cyber threat landscape can create new and unexpected challenges for the City. Social engineering, ransomware and increased use of third party software are some other major cybersecurity risks that could impact the City's critical infrastructure in the near future.

 

Management Actions

 

The following actions are underway in partnership with the Technology Services Division (TSD) to reduce the cyber risk exposure at the City:

 

Short Term – Onboarded a cybersecurity vendor partner and MSSP (managed security services provider), in partnership with TSD, to help standardize cybersecurity policies, procedures, tools and threat management practices across the City.

 

Medium Term – Implementing cybersecurity controls along with logging and monitoring tools across all City divisions (IT infrastructure, systems and applications).

 

Long Term – Achieve long term cyber maturity tied back to ISO 27001/NIST Frameworks, implement Threat Risk Assessments (TRA) and Cyber Risk Assessments (CRA) on an ongoing basis. Additionally, the City should continue to work on projects such as Microsoft 365, Privileged Access Management (PAM) and Cloud Security implementation to limit the risks emerging from access controls, third party software and cloud computing.

Background Information

(June 22, 2021) Report from the Interim Chief Information Security Officer on Outstanding Cybersecurity Recommendations from Auditor General Reports - Chief Information Security Officer Status
https://www.toronto.ca/legdocs/mmis/2021/au/bgrd/backgroundfile-168558.pdf
Confidential Attachment 1

Motions

Motion to Meet in Closed Session moved by Councillor Stephen Holyday (Carried)

11:19 a.m. - That the Audit Committee recess its public session to meet in closed session to consider the following items:

 

AU9.7, Outstanding Cybersecurity Recommendations from Auditor General Reports - Chief Information Security Officer Status

 

as it relates to the security of property belonging to the City of Toronto.

 

AU9.7a, Implementation of Cybersecurity High-Risk Recommendations Needs to be Expedited and Completed

 

as it relates to the safety and security of property belonging to the City or one of its agencies and corporations.


1a - Motion to Amend Item (Additional) moved by Councillor Stephen Holyday (Carried)

That:

 

1.  City Council request the Chief Information Security Officer and relevant City division heads to accelerate the implementation of outstanding cybersecurity recommendations from Auditor General reports and to accelerate compliance with cybersecurity standards.

 

2.  City Council request the Auditor General to report to the November 2, 2021 meeting of the Audit Committee with an update on outstanding cybersecurity recommendations from Auditor General reports.


1b - Motion to Amend Item (Additional) moved by Councillor Stephen Holyday (Carried)

That the Audit Committee adopt the following recommendations in the supplementary report (July 6, 2021) from the Auditor General [AU9.7a]:

 

1.  City Council request the Chief Technology Officer to expedite the implementation of high-priority cybersecurity recommendations.

 

2.  City Council direct that Confidential Attachment 1 be released publicly at the discretion of the Auditor General, after discussions with the appropriate City Officials, as it contains information involving the security of property belonging to the City or one of its agencies and corporations.


Motion to Adopt Item as Amended moved by Councillor Stephen Holyday (Carried)

7a - Implementation of Cybersecurity High-Risk Recommendations Needs to be Expedited and Completed

Confidential Attachment - The safety and security of property belonging to the City or one of its Agencies and Corporations.
Origin
(July 6, 2021) Report from the Auditor General
Summary

The purpose of this report is to:

 

-  communicate to Audit Committee and City Council that the Auditor General has commenced a review of a Toronto Fire Services' critical system; and

 

-  recommend that the Chief Technology Officer continue expediting the Auditor General's prior cybersecurity-related audit recommendations, so the City is ready to prevent, detect and respond to cyberattacks.

 

Since 2016, the Auditor General has proactively raised concerns about evolving cyber threats to the City and its agencies and corporations. Cyberattacks are widely considered to be one of the most critical operational risks facing organizations. In previous reports, the Auditor General highlighted to City management the importance of being prepared for cyberattacks so that risks can be mitigated. The reports issued by the Auditor General since 2016 are listed in Appendix 1.

 

Cybersecurity threats are constantly evolving and becoming more sophisticated. With increasing numbers of cyberattacks, in particular ransomware, all types of private and public organizations and most importantly their systems and infrastructure providing critical services are at risk. 

 

In April 2021, five countries (including Canada, the United States, New Zealand, Australia, and the United Kingdom) issued a Five Country Ministerial Statement saying:

 

"Ransomware is a growing cyber threat which compromises the safety of our citizens, the security of the online environment, and the prosperity of our economies. It can be used with criminal intent, but is also a threat to national security. It can pose a significant threat to Governments, critical infrastructure and essential services on which all our citizens depend."

 

The United States Department of Homeland Security issued the following advisory in August 2019:

 

"Ransomware has rapidly emerged as the most visible cybersecurity risk playing out across our nation's networks, locking up private sector organizations and government agencies alike. And that's only what we're seeing – many more infections are going unreported."

 

In April 2019, industry experts on information technology (IT) highlighted features of the current threat environment:

 

"Current attacks are very sophisticated. They're evolving on an almost daily basis."

 

Further, the Canadian Centre for Cyber Security notes that:

 

"Canada often ranks among the top countries impacted by ransomware…" and "Over the past two years, ransomware campaigns have impacted hundreds of Canadian businesses and critical infrastructure providers, including multiple hospitals and police departments, as well as municipal, provincial, and territorial governments."

 

The Canadian Centre for Cyber Security also stresses that:

 

"Inadequate information technology security practices provide cyber threat actors with an easy way to bring down your organization’s network and give them access to sensitive information."

 

With cyber threats evolving, there is an urgent need for all City of Toronto organizations to ensure that their cybersecurity programs adapt. Billions of pieces of data are housed in various systems and computers. A single breach could have a devastating impact on its operations. A system is only as strong as its weakest link.

 

Cyberattacks on municipalities and police services

 

A New York Times article outlined how more than 40 municipalities in the U.S. – including large cities like Baltimore and Atlanta – have been hit by ransomware attacks.

Some of these municipalities chose to pay the ransom to unlock data that had been encrypted in order to restore access to systems; others did not. It can cost municipalities millions of dollars to recover from these attacks, in addition to the costs of data clean up and systems recovery. Many law enforcement agencies in Canada and the U.S. have been affected by cybersecurity attacks in recent years, as well.

 

With the level of services, the extent of personal and highly sensitive data, and the critical infrastructure the City supports, the City must do all it can to protect its systems against cyberattacks and to adapt to emerging threats.

 

Cybersecurity risks continue to be a real and growing threat

 

Recent cyberattacks targeting public institutions and infrastructure indicate that threat actors are active and organizations like the City must be prepared to respond. The following are a few recent examples:

 

1.  U.S. Pipeline Attack

 

In May 2021, a Russian hacker group was behind a major cyberattack against a major U.S. oil and gas pipeline which caused substantial disruptions throughout the Eastern United States. The group created a ransomware program to attack the Colonial Pipeline network, forcing the company to shut down all operations for nearly a week.

 

"The shutdown caused major disruptions to gas delivery up and down the East Coast, as trucks struggled to restock gas stations, and long lines developed at pumps, especially in the Southeast. Airline operations were also disrupted."

 

2.  Florida Water Supply Cyberattack

 

In February 2021, cyber attackers gained access to a Florida city's water facility control system through remote access software that was connected to the internet. The attackers attempted to raise the amount of sodium hydroxide in the water supply to dangerous levels. Although the attack was detected and water quality was not affected, this shows how important it is to properly secure critical infrastructure.

 

3.  Cyberattacks on Law Enforcement Agencies

 

In June 2020, confidential law enforcement data belonging to 38 Canadian police agencies was exposed by cybercriminals who were targeting American police agencies. The RCMP acknowledged being affected by the leak; however, the other Canadian police agencies were not publicly identified. Media reports from the United States indicated that the compromised information from U.S. police agencies affected by this breach contained potentially sensitive files:

 

"It includes nearly 24 years of documents, with names, email addresses, phone numbers, bank accounts involved in investigations, pictures and other data."

 

4.  WannaCry Ransomware

 

In May 2017, the WannaCry ransomware campaign targeted computers around the world that were running Microsoft Windows. The campaign attacked the operating system by encrypting data and demanding ransom payments to restore the data. At the time, the Canadian Centre for Cyber Security warned about the WannaCry ransomware campaign. This specific risk was also brought to the attention of the prior City Manager by the Auditor General. The Auditor General has since issued several cybersecurity reports outlining what needs to be done to help prevent, detect and recover from ransomware attacks.  

 

WannaCry is just one type of ransomware. Since 2017, ransomware attacks have become more destructive and impactful to organizations.

 

5.  COVID-19 Cyberattacks

 

While we understand the demands on staff and the financial burdens caused by COVID-19, it is important for all City organizations to continue working on strengthening cybersecurity and remain vigilant. They must also be supported in doing so. The International Criminal Police Organization's (INTERPOL) assessment of the impact of COVID-19 on cybercrime shows that major corporations, governments and critical infrastructure are at risk more than ever.[8]

 

“With organizations and businesses rapidly deploying remote systems and networks to support staff working from home, criminals are also taking advantage of increased security vulnerabilities to steal data, generate profits and cause disruption.”

 

“The increased online dependency for people around the world, is also creating new opportunities, with many businesses and individuals not ensuring their cyber defences are up to date.”

 

Jürgen Stock, INTERPOL’s Secretary General, also said:

 

“Cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19.”

 

Critical Infrastructure Systems Reviews

 

The Auditor General, recognizing the increased risks of cyberattacks, has been proactive in performing cybersecurity audits at the City. In 2020, the Auditor General completed her assessment of Toronto Water's SCADA system and network. The report is available at:

 

https://www.toronto.ca/legdocs/mmis/2020/au/bgrd/backgroundfile-145342.pdf

 

The Auditor General is currently completing vulnerability assessments and penetration testing on critical systems and their related IT network, at Toronto Fire Services and Toronto Transit Commission.

Background Information
(July 6, 2021) Report and Appendix 1 from the Auditor General on Implementation of Cybersecurity High-Risk Recommendations Needs to be Expedited and Completed
https://www.toronto.ca/legdocs/mmis/2021/au/bgrd/backgroundfile-169002.pdf
Confidential Attachment 1 - Implementation of Cybersecurity High-Risk Recommendations Needs to be Expedited and Completed
Source: Toronto City Clerk at www.toronto.ca/council