Canada’s national cyber agency has issued a warning to organisations responsible for vital infrastructure, urging them to adopt additional security measures, including mandatory two-factor authentication, after a series of incidents involving industrial control systems accessible via the internet. The Canadian Centre for Cyber Security (Cyber Centre) and the Royal Canadian Mounted Police (RCMP) recently received reports of unauthorised access at multiple facilities, including a water treatment plant, an oil and gas company and an agricultural site.

In one case, attackers tampered with pressure values at a water facility, resulting in degraded service. Another incident involved an oil and gas company where the manipulation of an automated tank gauge triggered false alarms. A third case saw hackers interfere with temperature and humidity controls at a grain-drying silo, which could have created unsafe conditions if not promptly detected. These events underscore the fact that even when critical infrastructure remains operational, attackers may still inflict physical risk or reputational damage.

The advisory released by the Canadian Centre for Cyber Security highlights that the attackers appear to rely on opportunistic access to devices that are directly visible on the internet, including programmable logic controllers (PLCs), remote terminal units (RTUs), human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems and building management systems. The document emphasises that while no specific state-sponsored actor has been identified, these hacktivist campaigns are increasingly targeting physical infrastructure to create disruption, social alarm or damage to reputation.

Because industrial control systems are now commonly connected to the internet to provide remote access, monitoring or vendor support, they present a tempting target for threat actors. The Cyber Centre warns that the design and deployment of many of these systems did not originally prioritise cybersecurity, which means default or weak credentials, exposed services, and a lack of network segmentation remain prevalent. Once accessed, these systems may be manipulated or used as a pivot point to other operational networks.

In response to these incidents, the agency is recommending that infrastructure owners take immediate steps. These include conducting a full inventory of all internet-accessible ICS devices and assessing whether they should remain exposed at all. Where direct exposure cannot be eliminated, organisations are advised to implement a virtual private network with two-factor authentication for remote access, deploy intrusion prevention and detection tools, perform regular penetration testing and maintain continuous vulnerability management. Municipalities and smaller utilities which may lack formal oversight of cybersecurity are urged to coordinate with service providers and confirm that vendor-managed devices are configured securely and maintained throughout their lifecycle.
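The inventory-and-assess step described above can be sketched as a small triage script. This is an added example, not code from the Cyber Centre advisory; the CSV columns, device names and addresses are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed inventory (not from the advisory). Addresses in 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for public addresses.
INVENTORY_CSV = """name,kind,address,remote_access,two_factor,managed_by
plant-plc-1,PLC,203.0.113.10,direct,no,in-house
tank-gauge-2,RTU,198.51.100.7,direct,no,vendor
silo-hmi-1,HMI,10.20.0.5,vpn,no,vendor
scada-hist,SCADA,10.20.0.9,vpn,yes,in-house
bms-lobby,BMS,192.168.4.20,none,no,in-house
"""

# Internal ranges are listed explicitly: ipaddress.is_global treats the
# documentation ranges used above as non-global, which would hide the sample hosts.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]

def is_internal(address):
    """True when the address falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL)

def triage(csv_text):
    """Return (name, priority, actions) per device, highest priority first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        actions = []
        # Exposed: reachable without a VPN, or addressed outside internal ranges.
        exposed = row["remote_access"] == "direct" or not is_internal(row["address"])
        if exposed:
            actions.append("remove direct exposure or move behind VPN with 2FA")
        elif row["remote_access"] == "vpn" and row["two_factor"] != "yes":
            actions.append("enable 2FA on VPN access")
        # Vendor-managed devices with open findings need provider follow-up.
        if actions and row["managed_by"] == "vendor":
            actions.append("confirm secure configuration with service provider")
        priority = 1 if exposed else 2 if actions else 3
        findings.append((row["name"], priority, actions))
    return sorted(findings, key=lambda f: f[1])  # stable: keeps inventory order

if __name__ == "__main__":
    for name, priority, actions in triage(INVENTORY_CSV):
        print(f"P{priority} {name}: {'; '.join(actions) or 'no action'}")
```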

One of the specific recommendations emphasises the role of two-factor authentication, or 2FA, for remote and administrative access to infrastructure systems. By requiring a second method of verification beyond a password, organisations can significantly reduce the risk of unauthorised access resulting from credential theft or phishing. The Cyber Centre’s alert places 2FA front and centre as a basic yet vital control in the protection of critical infrastructure networks.

Organisations handling vital services now face heightened exposure because infrastructure components are increasingly interconnected, and the blending of information technology and operational technology networks has grown. A compromise of one device can cascade into wider system access, potential disruption of service or safety-critical incidents. Experts say that physical safety becomes intertwined with cybersecurity when water pressure, fuel levels or environmental conditions are manipulated by attackers.

The alert also emphasises that hacktivists may not only aim for financial gain but also seek visibility, the erosion of trust or public alarm. By attacking internet-connected devices in energy, agriculture or water management, the adversaries can make a statement while avoiding large-scale destruction, which in turn may reduce the chance of immediate detection. These tactics underline the need for vigilant monitoring of both unusual technical events and abnormal physical plant behaviour.

As a result of this advisory, Canada’s infrastructure operators and municipal organisations are being asked to review their security stance, check remote access logs, ensure administrative accounts are locked down and apply multi-factor authentication where possible. The Cyber Centre emphasises that access controls and monitoring are only effective when supported by governance, incident response planning and clear coordination between IT and operational technology teams.

Although the alert does not attribute the incidents to any particular nation or group, it reflects the broader global trend of infrastructure-targeting campaigns by actors seeking to exploit exposed operational systems. These developments have triggered renewed attention across sectors, including water, food, manufacturing and energy. The Canadian government is using this moment to push organisations to treat cybersecurity for infrastructure as a public safety and national resilience issue.

In summary, the Cyber Centre’s warning should be taken by infrastructure providers as a call to action. With multiple incidents already reported and the growing connectivity of industrial systems, the risk picture has never been more urgent. Two-factor authentication, remote access controls, inventory of exposed devices and integrated vendor oversight represent foundational steps in protecting the national security and service continuity of Canada’s critical sectors.
