Item - 2020.AU5.6

Tracking Status

  • City Council adopted this item on June 29, 2020 with amendments.
  • This item was considered by Audit Committee on February 10, 2020 and was adopted with amendments. It will be considered by City Council on June 29, 2020.

AU5.6 - Cyber Safety - Critical Infrastructure Systems: Toronto Water SCADA System

Decision Type:
ACTION
Status:
Amended
Wards:
All

City Council Decision

City Council on June 29 and 30, 2020, adopted the following:  

 

1. City Council adopt the confidential instructions to staff in Confidential Attachment 1 to the report (January 24, 2020) from the Auditor General.

 

2.  City Council adopt the confidential instructions to staff in the Confidential letter (February 10, 2020) from the Audit Committee.

 

3. City Council direct that Confidential Attachment 1 to the report (January 24, 2020) from the Auditor General and the Confidential Letter (February 10, 2020) from the Audit Committee be released publicly at the discretion of the Auditor General after discussing with the appropriate City officials.

 

4.  City Council direct that Confidential Attachment 1 to the supplementary report (June 23, 2020) from the Auditor General remain confidential.

 

Confidential Attachment 1 to the report (January 24, 2020) from the Auditor General and the Confidential Letter (February 10, 2020) from the Audit Committee remain confidential at this time in accordance with the provisions of the City of Toronto Act, 2006, as they concern the security of property belonging to the City of one of its agencies and corporations. Confidential Attachment 1 to the report (January 24, 2020) from the Auditor General and the Confidential Letter (February 10, 2020) from the Audit Committee will be made public at the discretion of the Auditor General after discussing with the appropriate City officials.

 

Confidential Attachment 1 to the supplementary report (June 23, 2020) from the Auditor General remains confidential in accordance with the provisions of the City of Toronto Act, 2006, as it pertains to the security of property belonging to the City or one of its agencies and corporations, and it contains information explicitly supplied in confidence to the City of Toronto which, if disclosed, could reasonably be expected to impact the safety and security of the City and its services.

Confidential Attachment - The security of property belonging to the City or one of its agencies and corporations.

Background Information (Committee)

(January 24, 2020) Report from the Auditor General - Cyber Safety - Critical Infrastructure Systems: Toronto Water SCADA System
https://www.toronto.ca/legdocs/mmis/2020/au/bgrd/backgroundfile-145342.pdf
Confidential Attachment 1 - Cyber Safety - Critical Infrastructure Systems: Toronto Water SCADA System
(February 10, 2020) Confidential Recommendation of the Audit Committee to City Council

Background Information (City Council)

(June 23, 2020) Supplementary report from the Auditor General on Cyber Safety - Critical Infrastructure Systems: Toronto Water SCADA System - Recommendations Implementation Progress by Management (AU5.6a)
https://www.toronto.ca/legdocs/mmis/2020/cc/bgrd/backgroundfile-148217.pdf
Confidential Attachment 1

Motions (City Council)

1 - Motion to Amend Item (Additional) moved by Councillor Paul Ainslie (Carried)

That City Council direct that Confidential Attachment 1 to the supplementary report (June 23, 2020) from the Auditor General remain confidential.


Motion to Adopt Item as Amended (Carried)

AU5.6 - Cyber Safety - Critical Infrastructure Systems: Toronto Water SCADA System

Decision Type:
ACTION
Status:
Amended
Wards:
All

Confidential Attachment - The security of property belonging to the City or one of its agencies and corporations.

Committee Recommendations

The Audit Committee recommends that:  

 

1. City Council adopt the confidential recommendations contained in Confidential Attachment 1 to the report (January 24, 2020) from the Auditor General.

 

2.  City Council adopt the confidential recommendation contained in the Confidential letter (February 10, 2020) from the Audit Committee.

 

3. City Council direct that all information contained in the following confidential documents be released publicly at the discretion of the Auditor General after discussing with the appropriate City official:

 

- Confidential Attachment 1 to the report (January 24, 2020) from the Auditor General; and

 

- the Confidential letter (February 10, 2020) from the Audit Committee.

Decision Advice and Other Information

The Audit Committee recessed its public session and met in closed session to consider confidential information on this Item as it relates to the security of property belonging to the City or one of its agencies and corporations.

Origin

(January 24, 2020) Report from the Auditor General

Summary

Some critical infrastructure at the City, such as the Toronto Water treatment plants, use Operational Technology (OT) systems called industrial control systems (ICS). ICS systems include supervisory control and data acquisition (SCADA) systems. SCADA systems monitor and control the equipment and devices used in critical infrastructure.

 

The Canadian Cyber Security Centre describes how ICS and SCADA systems are vulnerable if appropriate cybersecurity protections are not in place:  

 

"As part of the drive for modernization and efficiency, critical infrastructure providers are continuing to automate their processes and connect IT and OT devices to the Internet. While connecting OT, such as ICS and SCADA devices, to the Internet provides several advantages — for example, remote management — it can also expose critical infrastructure to cyber threat activity".

 

The objectives of the audit were to assess the adequacy of controls in place to address potential threats to the Toronto Water SCADA network, systems and applications, and to review the actions taken by Toronto Water to address concerns raised during the 2019 cybersecurity audit.

 

This public report contains two administrative recommendations. The confidential audit findings and recommendations to improve physical security and cybersecurity controls are presented separately to this report in Confidential Attachment 1. Management has already initiated actions to address the identified risks.

 

The confidential report will be made public at the discretion of the Auditor General after discussing with appropriate City Official.

Background Information

(January 24, 2020) Report from the Auditor General - Cyber Safety - Critical Infrastructure Systems: Toronto Water SCADA System
https://www.toronto.ca/legdocs/mmis/2020/au/bgrd/backgroundfile-145342.pdf
Confidential Attachment 1 - Cyber Safety - Critical Infrastructure Systems: Toronto Water SCADA System
(February 10, 2020) Confidential Recommendation of the Audit Committee to City Council

Speakers

Councillor Paula Fletcher

Motions

1 - Motion to Meet in Closed Session moved by Councillor Stephen Holyday (Carried)

11:17 a.m. - That the Audit Committee recess its public session and meet in closed session to consider confidential information on this Item as it relates to the security of property belonging to the City or one of its agencies and corporations.

 

The Audit Committee recessed its public session and met in closed session.

 

The Audit Committee reconvened in public session at 12:29 p.m.  Councillor Holyday took the Chair and advised that the Committee had completed its closed session consideration of confidential information related to this Item.  The Audit Committee recommended to Council, confidential instructions to staff. The Audit Committee would now proceed with the public debate on this Item.


2 - Motion to Amend Item moved by Councillor Stephen Holyday (Carried)

That the Audit Committee confirm the confidential instructions recommended to City Council.


Motion to Adopt Item as Amended (Carried)
Source: Toronto City Clerk at www.toronto.ca/council