Keeping the Lights On: Canada’s OT Cybersecurity Wake-Up Call

Originally published in the  

When Canadians think of cybersecurity, we picture stolen passwords, hacked emails, or corporate data breaches. But a far greater threat lurks in the background, one that could disrupt transportation, poison water supplies, or plunge entire regions into darkness. This is the realm of operational technology (OT) cybersecurity. According to the Canadian Cybersecurity Network’s (CCN) new national report, titled State of OT: Securing Canada’s Critical Infrastructure, it is the country’s most urgent and overlooked digital battleground.

The Hidden Systems That Keep Canada Running

OT systems don’t just move data, they move the country. They control the electricity that powers our homes, the pipelines that fuel our economy, the mining equipment that extracts our resources, and the ports that move goods. They even support the hospital systems that sustain life.

As information technology (IT) and OT converge, the risks multiply. A single phishing email can cascade into an industrial shutdown. A ransomware attack on a hospital can delay surgeries or divert ambulances. In 2024 alone, 73% of reported cyber incidents in Canada affected OT systems, up from 49% the year before. Public safety and human lives increasingly depend on the integrity of OT systems. 

Two recent incidents underscore the stakes: the U.S. Colonial Pipeline hack, which disrupted fuel supplies across the country, and the Black Basta ransomware attack on Ascension Health, which hindered care for millions. These are stark reminders of the consequences when OT is left exposed.

Canada is Falling Behind Global Peers

While countries like the U.S., U.K., and Germany have prioritized OT with national strategies and funding, Canada has yet to follow suit. Many systems remain outdated and unpatched. Small and mid-sized operators, such as local utilities, often lack the expertise and budget to defend themselves. And there is no national inventory of OT risks, making coordinated response nearly impossible.

Legislation may be on the horizon. The Critical Cyber Systems Protection Act (CCSPA), reintroduced in Parliament as part of Bill C-8, promises to impose mandatory cybersecurity obligations on federally regulated infrastructure, from energy and telecom to banking and transportation. 

But the bill has yet to be enacted, and until it is, Canada remains without a national framework for securing OT systems. As one section of the CCN report warns, ransomware and nation-state probing of critical infrastructure are “almost certain” to continue. Without decisive action, Canada risks being left dangerously exposed.

A National Vulnerability

The report makes clear that OT vulnerabilities stretch across every sector:

• Energy & Utilities – Grid operators track 60 new vulnerabilities daily.
• Healthcare – Cyberattacks compromise everything from HVAC systems to surgical equipment.
• Mining & Natural Resources – Remote automation systems are increasingly targeted.
• Transportation & Maritime – Rail networks, ports, and aviation hubs rely on OT automation.
• Smart Cities & Water Systems – Traffic management, sewage treatment, and drinking water depend on OT.

These examples illustrate the scale and diversity of OT exposure across Canada’s critical infrastructure. The attack surface is massive. The consequences of inaction are larger still, jeopardizing not just economic output, but the safety and trust of Canadians. 

Field CTO Sandeep Lota of Nozomi Networks added: "The CCSPA makes it clear: critical infrastructure operators must treat OT and IoT security as enterprise risk. That starts with visibility, knowing every asset in your environment, then building a program that can manage supply chain risk, detect incidents, and minimize impact."

A Call to Action

As Canada’s largest cybersecurity community, the Canadian Cybersecurity Network launched this report to provide the first national analysis of OT readiness and risks. It offers sector-by-sector insights, case studies of Canadian innovation, and practical recommendations for both governments and industries.

Key priorities include:

• Invest in resilience with modernization and secure-by-design principles.
• Break down silos between IT and OT teams to build trust and accelerate response.
• Share intelligence openly across sectors, because attackers already do.
• Develop talent through training, awareness, and opportunities for the next generation of Canadian cybersecurity leaders. 

As the report concludes, resilience starts with readiness. Cybersecurity cannot be bolted on; it must be built in. Francois Guay, CEO and Founder, Canadian Cybersecurity Network highlights that “Canada’s critical infrastructure – power, manufacturing, transportation, and more – is increasingly digital yet alarmingly underprotected. Our national report exposes this mismatch and calls on leaders to turn awareness into action. Securing OT isn’t optional; it’s essential to national resilience.”

OT is no longer a hidden layer of infrastructure. It is the very stage on which Canada’s safety, prosperity, and resilience are actively shaped. The threats are real, growing, and increasingly sophisticated. But Canada is not starting from scratch, it has world-class talent, innovative cybersecurity firms, and a collaborative community built for this challenge.

The stakes are clear: failing to secure OT won’t just cost dollars, it will cost lives, disrupt industries, and erode public trust. Protecting OT is about defending more than systems: it is about protecting the Canadian way of life.

The report can be downloaded at no cost here.