The Canadian Centre for Cyber Security (CCCS) is warning of increased malicious activity from hacktivists targeting critical infrastructure, which could have potentially severe safety risks.
The Cyber Centre reports that it has received numerous complaints of malicious actors targeting internet-facing industrial control systems (ICS) and modifying system settings, interfering with their operations.
“In recent weeks, the Cyber Centre and the Royal Canadian Mounted Police have received multiple reports of incidents involving internet-accessible ICS,” it stated.
Cyber Centre observed hacktivists breaching critical infrastructure via ICS devices
The Cyber Centre documented various incidents involving hacktivists successfully breaching critical infrastructure entities, causing unexpected behaviors.
In one incident, hacktivists tampered with water pressure values at a Canadian water treatment facility, resulting in service degradation. The second one involved manipulating an Automated Tank Gauge (ATG) at a Canadian oil and gas company, resulting in false alarms.
CCCS also received reports of hacktivists altering the temperature and humidity levels at a grain drying silo on a Canadian farm, which could have resulted in hazardous conditions if it went undetected.
“Hacktivists breached Canadian water, oil and gas, and agriculture facilities by tampering with industrial controls,” opined Ryan Sherstobitoff, Chief Threat Intelligence Officer. “They created unsafe environments and service interruptions by manipulating systems. The incident shows, once again, how critical infrastructure can be easily compromised when operational technology is exposed without proper safeguards.”
However, the Cyber Centre believes that the attacks were opportunistic rather than sophisticated or planned, underscoring the need for security best practices to deter minor league threat actors.
While the real threat posed by hacktivists cannot be overlooked, CCCS assesses that their primary objective is to gain public attention and discredit the Canadian government and critical infrastructure organizations.
“While individual organizations may not be direct targets of adversaries, they may become victims of opportunity as hacktivists are increasingly exploiting internet-accessible ICS devices to gain media attention, discredit organizations, and undermine Canada’s reputation,” it explained.
According to Sherstobitoff, the attacks reflect “a broader pattern of opportunistic targeting across essential services.”
Subsequently, he blamed authorities for leaving “the door wide open” for threat actors to damage the country’s reputation and stability, which seems to be their primary objective.
“When infrastructure operations are disrupted, the impact extends to public health and energy reliability. These systems remain vulnerable when visibility gaps persist, and access controls are weak. Strengthening oversight across industrial environments is no longer optional,” said Sherstobitoff.
Meanwhile, CCCS has published a list of targeted devices that includes Programmable Logic Controllers (PLCs), Human-Machine Interfaces (HMIs), Supervisory Control and Data Acquisition (SCADA) systems, Remote Terminal Units (RTUs), Safety Instrumented Systems (SIS), Building Management Systems (BMS), and Industrial Internet of Things (IIoT) devices.
While the Cyber Centre highlighted the growing threat from hacktivists, it also inadvertently exposed the threat from advanced persistent threat actors, particularly those from state-sponsored groups, that could easily exploit these vulnerabilities.
Steps critical infrastructure organizations should take
Subsequently, it published a list of actionable steps that critical infrastructure organizations should take to protect their assets from hacktivists and other malicious actors.
They include taking inventory of all internet-accessible ICS devices and disconnecting them from the internet where possible. Government entities, including local authorities, should also work with critical infrastructure organizations to ensure that all exposed ICS devices are inventoried, documented, and protected.
Where disconnection was impossible, critical infrastructure organizations should deploy virtual private networks (VPNs) with multi-factor authentication (MFA) to ensure that ICS devices are not directly exposed to the internet. Where it was not possible to employ other defensive tactics, they should adopt enhanced monitoring practices to detect cyber intrusions on time.
“This includes active threat detection measures such as Intrusion Prevention Systems (IPS), regular penetration testing, and continuous vulnerability management,” the Cyber Centre explained.
Critical infrastructure organizations should also conduct regular tabletop exercises to enhance their incident response capabilities in the event of a cyber intrusion.
Lastly, they should follow vendor recommendations and guidelines throughout the device lifecycle from deployment through decommissioning.

