Electronic Products & Technology

Black & McDonald hit with cyber attack

EP&T Magazine   

Electronics Engineering Cybersecurity security

Toronto engineering firm has contracts tied to power plants, industrial infrastructure

A Canadian engineering giant whose work involves critical military, power and transportation infrastructure across the country has been hit with a ransomware attack.

Toronto-based Black & McDonald has so far refused to publicly comment on the cyberattack, while the Department of National Defence and other clients of the company have downplayed any impact or damage.

“Black & McDonald notified OPG that they had experienced a ransomware attack which was unrelated to OPG operations and information,” said Ontario Power Generation spokesman Neal Kelly.

Source: Getty Images

“OPG conducted an immediate investigation and found there was no impact to our operations. OPG constantly monitors to ensure the highest levels of cybersecurity.”


Experts are nonetheless concerned, saying the attack on Black & McDonald represents a far greater threat to Canada’s national security and critical infrastructure than the attack on Canada’s largest bookstore chain, Indigo Books & Music Inc.

Details on ransomware attack are scarce

“This is a different ball game,” said David Shipley, CEO of cybersecurity firm Beauceron Security. “If it’s tied back to Russia in some way, then we’ve got some more questions to ask. Other nation-states are stepping up cybercrime groups as well, notably North Korea, but also Iran.”

Details about the ransomware attack are scarce, with Black & McDonald refusing even to confirm it happened.

Department of National Defence spokeswoman Jessica Lamirande in a statement said it was first reported to Defence Construction Canada, which handles contracts with outside companies for the support and maintenance of military bases across the country.

What measures did the company take

“Once DCC was informed of the incident, it blocked all incoming emails from Black & McDonald out of an abundance of caution and conducted business by phone or in person,” she said. “Once the contractor restored its email system and informed DCC, email communication resumed.”

But while Lamirande confirmed the company reported the cyber breach early last month, she could not comment on the ransomware’s origins or what measures the company had taken.

Black & McDonald and its subsidiary Canadian Base Operators have several multimillion-dollar contracts with the Defence Department for the support of Canadian military bases, including one signed in 2020 and valued at $157 million over 10 years.

Strengthen Canada’s cyber defence

The company, which has 5,500 employees across Canada and reported more than $1.5 billion in sales last year, also provides engineering and construction services for critical infrastructure projects, including nuclear power plants, airports and with the Toronto Transit Commission.

“We were advised by B & M last week, but no immediate concerns were conveyed,” TTC spokesman Stuart Green said in an email, adding: “No impact on the TTC.”

Cybersecurity officials inside and outside government have been warning for years about the need to strengthen Canada’s cyber defences when it comes to critical infrastructure. The country has already seen the impact of such an attack.

Late last year, hackers accessed the private data of more than 58,000 Newfoundlanders. They also wiped out the information technology systems of the province’s largest health authority, forcing officials to cancel thousands of appointments, including cancer care.

The threat of a successful attack isn’t just losing information. A growing number of devices used to control nuclear power plants, air-traffic control systems and other infrastructure can be accessed remotely, said Terry Cutler, CEO of cybersecurity firm Cyology Labs.


Stories continue below

Print this page

Related Stories