Item - 2022.AU11.5

The Audit Committee recommends that:

1.  City Council direct that Confidential Attachment 1 to the report (February 4, 2022) from the Auditor General be released publicly at the discretion of the Auditor General, after discussions with the appropriate City Officials.

The Auditor General has proactively raised concerns about evolving cybersecurity threats to the City and its Agencies and Corporations. These threats are real and large-scale attacks have disrupted public services in jurisdictions across North America and around the world, such as emergency response systems, utility services and law enforcement operations.

A SCADA system, also known as an Operational Technology (OT) system, is used to control industrial processes at facilities like water and wastewater treatment plants and at energy, utilities and transportation facilities. Toronto Water uses this system to manage and control critical infrastructure equipment and processes used in the treatment and distribution of water.

Recognizing the need to protect critical water assets, the Auditor General initiated an audit of the SCADA system in 2019 and expedited the follow-up review of the audit recommendations in 2021. The 2019 audit was the Office's first critical infrastructure audit of the City's Operational Technology (OT) systems.

The objective of the 2021 follow-up review was to assess the adequacy of controls in place to address potential threats to the SCADA network, systems and applications, and to review actions taken by management since the 2019 audit. The Auditor General made 11 confidential recommendations in the 2019 SCADA audit. Given the importance of critical infrastructure systems and evolving cybersecurity threats, the Auditor General re-tested the controls to verify the implementation of recommendations. 

At the November 2021 Audit Committee, we provided our public report and a high-level confidential presentation on the implementation status of the recommendations. During our follow-up review, we determined that seven recommendations are fully implemented. An overview of the results is contained in Attachment 1. The details of management actions on each confidential recommendation are presented separately to this report in Confidential Attachment 1.