Canada: Internet-Accessible ICS Targeted by Hacktivists in Multiple Incidents
The Canadian Cyber Centre and the RCMP report multiple incidents where hacktivists targeted internet-exposed ICS devices. What's brutal: attackers tampered with water facility pressure values, causing service degradation; manipulated an oil & gas automated tank gauge, triggering false alarms; and altered grain silo temperature/humidity controls, creating unsafe conditions. The common thread: all systems were directly accessible from the internet without VPN or authentication barriers. Exposed devices include PLCs, RTUs, HMIs, SCADA, SIS, BMS, and IIoT sensors. What's notable: the victims weren't specifically targeted. The attackers were opportunistic, exploiting Shodan/Censys-discoverable endpoints for media attention and to undermine Canada's reputation.
CORTEX Protocol Intelligence Assessment
This highlights the consequences of legacy ICS design assumptions—systems built for isolated networks now exposed to the internet for remote management convenience. Hacktivists prove that even without sophisticated zero-days, simple internet accessibility enables operational disruption with potentially life-threatening consequences.
Strategic Intelligence Guidance
- Immediate action: inventory all internet-facing ICS/SCADA endpoints using Shodan and internal network scans—remove direct exposure.
- Deploy VPN with MFA for all remote ICS access—consider implementing zero-trust architecture with continuous authentication.
- For unavoidable internet exposure: deploy IDS/IPS, enable strict allowlisting, enforce authentication, and implement continuous monitoring.
- Municipalities and smaller organizations: clearly define cybersecurity ownership for ICS. Many lack regulatory oversight, leaving systems unprotected.
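One way to start the inventory step from your own edge firewall rather than from an external search engine, as an added example that is not from the Cyber Centre advisory: the script audits an exported inbound rule list and flags ICS protocol ports reachable from outside the VPN range. The CSV layout, rule names, addresses, and the `trusted` VPN range are constructed assumptions, and the port map lists commonly used defaults that should be adjusted per site.

```python
import csv
import io
import ipaddress

# Commonly used default ports for ICS protocols (assumption: adjust to your site).
ICS_PORTS = {
    ("tcp", 102): "Siemens S7comm",
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 10001): "automated tank gauge (ATG)",
    ("tcp", 20000): "DNP3",
    ("tcp", 44818): "EtherNet/IP",
    ("udp", 47808): "BACnet/IP",
}

# Constructed sample: inbound rules exported from an edge firewall (hypothetical format).
SAMPLE_RULES = """\
name,source,proto,dst_port,internal_host
plc-remote,0.0.0.0/0,tcp,502,10.20.0.11
atg-vendor,0.0.0.0/0,tcp,10001,10.20.0.40
bms-vpn,10.99.0.0/24,udp,47808,10.20.0.60
rtu-partner,198.51.100.0/24,tcp,20000,10.20.0.15
web,0.0.0.0/0,tcp,443,10.30.0.5
"""

def audit_rules(rules_csv, trusted=("10.99.0.0/24",)):
    """Return ICS services reachable from sources outside the trusted (VPN) ranges."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    findings = []
    for row in csv.DictReader(io.StringIO(rules_csv)):
        service = ICS_PORTS.get((row["proto"].lower(), int(row["dst_port"])))
        if service is None:
            continue  # not an ICS protocol port in our map
        src = ipaddress.ip_network(row["source"], strict=False)
        if any(src.subnet_of(t) for t in trusted_nets):
            continue  # only reachable through the VPN range
        # Open to the whole internet is worse than open to one partner range.
        severity = "critical" if src.prefixlen == 0 else "high"
        findings.append((row["name"], service, row["internal_host"], severity))
    return findings

if __name__ == "__main__":
    for name, service, host, severity in audit_rules(SAMPLE_RULES):
        print(f"[{severity}] rule {name!r} exposes {service} on {host}")
```

Rules flagged `critical` are the ones to remove or move behind the VPN first; `high` findings are source-restricted but still bypass the VPN and MFA.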
Intelligence Source: Canada's Cyber Centre urges action as Internet-accessible ICS face growing cyber threats | Oct 31, 2025