Why Critical Infrastructure Must Prioritize Cybersecurity

By Enza Alexander, Executive Vice President, ISA Cybersecurity

This article was originally published in the CCN report “State of OT: Securing Canada’s Critical Infrastructure” in September 2025.

From power grids to hospitals, our modern world depends on operational technology (OT). But as these systems become more connected to traditional IT networks, they also become more exposed to today’s relentless cyber threats. The stakes aren’t just financial – they are human, societal, and existential. 

This article explores the evolving threat landscape, sector-specific risks, emerging regulations, and the essential role of AI and resilience planning in securing Canada’s national infrastructure. 

The Evolving Threat Landscape Requires Proactive Risk Management 

The convergence of OT and IT has significantly expanded the cyber attack surface on critical infrastructure (CI). Legacy OT systems were not designed with cybersecurity in mind and are now exposed to modern threats. Ransomware-as-a-Service (RaaS), zero-day vulnerabilities, and AI-driven attacks are increasingly targeting CI. Cybersecurity in OT isn’t just about networks or data. It also requires cyber professionals to understand that these systems were designed – and are often still supported – by professional engineers who prioritize public safety above all else. 

 

Critical infrastructure sectors – including energy, healthcare, water, and transportation – operate systems that, if compromised, can result in catastrophic consequences. Cyber attacks on industrial control systems (ICS) can disable safety mechanisms, causing explosions, chemical leaks, or power grid failures. Healthcare systems can be paralyzed by ransomware, delaying patient care and putting lives at risk. Transportation systems, such as rail or aviation control networks, may be manipulated to cause large-scale accidents. These environments aren’t just about data – they’re about physical safety. A breach could directly endanger thousands of people.

 

A successful cyber attack on infrastructure can create ripple effects across global supply chains and national security frameworks, making resilience a geopolitical imperative. 

Public safety and human lives depend on OT system integrity.

 

Canada’s OT environments face pressure from all sides. Ransomware gangs exploit legacy systems, often targeting CI, where downtime can compromise outcomes – and even cost lives. Nation-state actors are probing our critical infrastructure¹. Hacktivists are looking for ways to make a statement. 

Insider risk is a significant concern, either in the form of malicious activity or unintentional actions². Many OT systems were never designed for internet exposure: now that they are being connected to IT networks for efficiency, the attack surface has expanded dramatically. And we’re seeing this play out in the real world: in 2024, 73% of reported cyber incidents affected OT systems in some way, up from just 49% the year before³. 

 

The Canadian Centre for Cyber Security (CCCS)’s National Cyber Threat Assessment 2025-2026 confirms ransomware is the top cyber crime threat to our critical infrastructure. In energy, attackers understand the financial leverage of disrupting fuel or power distribution. In healthcare, attackers know that the criticality of systems can force IT teams to make ransom payments. These aren’t opportunistic strikes – they’re calculated moves.  

Sector in Focus: Energy

Canadian energy providers face similar challenges. Legacy industrial control systems, complex supply chains, and remote operations all create vulnerabilities with potentially catastrophic results. A cyber attack that manipulates pressure sensors or disables safety alarms could lead to real-world disaster. In fact, I’ve personally spoken to some critical infrastructure executives who are opting to retain manual processes instead of automating, due to concerns with the potential for OT infrastructure attacks. That’s how grave the risks are. 

In April 2024, Reuters quoted a North American Electric Reliability Corporation (NERC) report that power grids are increasingly vulnerable, with the number of susceptible points in electrical networks growing by about 60 per day. Weak points across grid software and hardware jumped to a range of 23,000 to 24,000 in 2024 – up from 21,000 to 22,000 the previous year⁴.

The CCCS assessment also reports that foreign state actors are “almost certainly” probing our energy infrastructure and pre-positioning malware that could be used to disrupt or destroy systems if conflict breaks out. Meanwhile, ransomware groups are opportunistically targeting oil and gas companies, looking for a quick payout. The convergence of IT and OT means a compromised office email can lead to control room access. Segmentation, monitoring, and response plans are no longer optional – they’re essential. 

Sector in Focus: Healthcare 

In over two decades working with clients, I’ve seen dramatic change from an OT cybersecurity perspective. Twenty years ago, OT wasn’t nearly as critical a component of our healthcare sector as it is today. These days, hospitals rely on complex networks of medical devices, HVAC systems, diagnostic platforms, and administrative tools – all forming an OT ecosystem that can be challenging to track, maintain, and protect. Securing these devices is difficult – patches may be hard to apply, if available at all. There’s zero tolerance for downtime. Meanwhile, clinical staff face overwhelming demands, and cybersecurity often competes with immediate care priorities. 

And the risks are real. Consider the Ascension ransomware incident⁵ in the United States in 2024. A ransomware attack by the Black Basta gang forced Ascension to shut down its OT networks and electronic health record systems across 142 facilities, severely disrupting healthcare services. Surgeries and appointments were delayed, ambulances diverted, and pharmacies and labs reverted to manual processes as digital systems went offline. Many hospitals operated on paper records for weeks, leading to slowdowns and patient safety concerns. The breach, which stemmed from an employee accidentally downloading a malicious file, ultimately affected 5.6 million individuals.

Whether in power plants or hospitals, cyber threats don’t wait for modernization. 
They exploit what’s already online.

 

Compliance and Regulatory Response 

Critical infrastructure forms the backbone of a nation’s economy and security. Sophisticated cyber attacks – especially from nation-state actors – target CI to disrupt essential services (e.g., fuel pipelines, water treatment, telecommunications), cause financial loss through downtime, recovery, and regulatory penalties, and undermine public confidence in government and private institutions.

In 2022, Canada’s Bill C-26 was introduced, with a goal of strengthening Canada’s national cybersecurity framework by giving the federal government broad powers to protect critical infrastructure. Though Bill C-26 was shelved following the January 2025 prorogation of Parliament, its replacement, Bill C-8⁶, was introduced in June 2025 as a renewed legislative effort to bolster national cybersecurity. It comprises two main components: amendments to the Telecommunications Act and the introduction of the Critical Cyber Systems Protection Act (CCSPA). These measures aim to empower federal authorities to direct telecommunications providers in safeguarding Canada’s infrastructure against cyber threats, including potential interference and manipulation. Non-compliance could lead to significant penalties or imprisonment, underscoring the government’s commitment to modernizing its approach to cybersecurity and protecting critical national systems.

Alongside this proposed legislation is the Canadian Program for Cyber Security Certification (CPCSC) – a new standard for national defense contractors and supply chain partners. Launched in 2025, CPCSC is Canada’s equivalent of the U.S. CMMC, requiring cybersecurity certification to bid on sensitive government projects. While it starts in defense, there is potential for this model to be extended across other sectors. It sets a baseline, creates competitive advantage for certified firms, and raises the bar for national cyber hygiene. 

Meanwhile, evolving standards and frameworks like NERC CIP (for power system cybersecurity), NIST CSF (a U.S. risk management framework), IEC 62443 (industrial automation security), and more are highlighting the importance of compliance and following best practices. Without modern safeguards, CI operators risk falling behind attackers.

National security and economic stability are at stake.

 

The AI Factor 

And of course, there’s the AI factor. Canada’s appointment of its first-ever Minister of Artificial Intelligence and Digital Innovation in May 2025 underscores the nation’s commitment to this revolutionary technology. Secure AI development and governance is a strategic national priority. 

Andrew Buckles, EVP of Cyber Services at ISA Cybersecurity and a thought leader in the field of artificial intelligence, recognizes the impact of AI in the OT cybersecurity space. He offered this example: “Think about monitoring security cameras. Even if they are analog, AI could recognize someone approaching the door and unlock it without a badge or retinal scan.”

He observes that “for native IoT devices, AI will play a huge role in supporting these types of systems. Regulation and legislation may slow the pace of AI adoption in this space; at this stage, that’s probably a good thing.”   

My friend and colleague John Jaisaree is a professional engineer and a pioneer in applying artificial intelligence to automation and OT. We’ve often discussed public safety and the national security concerns that are at the core of securing OT, ICS and IIoT systems. “In 2024, state-sponsored hackers utilized AI tools, such as ChatGPT, to map and exploit water treatment plants. This isn’t sci-fi. It’s happening now – and the front line is ICS and OT systems,” he wrote recently. 

The potential of AI is powerful – and so is the risk.

A Call to Action 

Get informed and use the resources that are out there. Talk to partners and industry groups to share knowledge and best practices. The Cybersecurity and Infrastructure Security Agency (CISA) consistently adds new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active OT exploitation.

I recently participated in a tabletop exercise simulating an attack on municipal CI, including its OT networks. If you’ve never participated in one, they are real eye-openers. These cyber drills illustrate the importance of teamwork and communication in effectively managing a cyber incident that could affect thousands of people. The threats we face are complex and fast-moving: no one can tackle them alone. 

I’ve often said that cybersecurity isn’t just a job – it’s a calling. Cybersecurity is no longer the sole responsibility of IT professionals. Boards, regulators, engineers, and frontline operators all have a role to play. From the factory floor to the emergency room, we must build cultures of security. We must put a priority on incident response, modernization, intelligence sharing, and bridging IT-OT gaps to protect lives and critical infrastructure. It means protecting OT and CI systems as carefully as we deploy them. It’s imperative that we share intelligence – because the bad actors do. 

Resilience starts with readiness. 
Cybersecurity shouldn’t be bolted on – it needs to be baked in.

 


¹ The Canadian Centre for Cyber Security (CCCS) contributed to a May 2024 fact sheet issued by CISA that highlighted increased foreign interference, along with resources to help defend against these sophisticated attacks.

² Fortinet’s 2024 State of Operational Technology and Cybersecurity Report revealed that unintentional insider breaches were involved in 50% of OT-related incidents in 2024; nearly double that of 2023.

³ Ibid. at 13.

⁴ See https://www.reuters.com/technology/cybersecurity/us-electric-grid-growing-more-vulnerable-cyberattacks-regulator-says-2024-04-04.

⁵ See https://www.hipaaguide.net/ascension-ransomware-attack.

⁶ See https://www.parl.ca/DocumentViewer/en/45-1/bill/C-8/first-reading.
