Operational technology cyber risk: Securing Canada’s energy, health, transportation and manufacturing industry systems

Imagine a frigid January night. A power station in Alberta goes dark. In Toronto, a hospital loses access to patient data mid-surgery. Traffic lights in Vancouver glitch. A logistics hub in Montreal halts freight tracking. A manufacturing line in Ontario grinds to a stop.

This isn’t a storm. It’s not human error. And it’s definitely not science fiction.

It’s a coordinated cyberattack targeting Canada’s operational technology.

As a commercial insurance broker and risk strategist, I’ve seen the threat landscape evolve dramatically. The front lines are no longer just corporate networks — they’re the systems that power our daily lives.

Operational technology (OT) runs our power grids, hospitals, factories, ports and transportation networks. When these systems fail, it’s not just business that suffers; it’s communities, safety and lives.

Cybercriminals are penetrating the systems we rely on every day, making Canada’s essential infrastructure a prime target for cyber threats.

The shift from IT to OT: Cyber risks facing power grids, hospitals and ports

The recently released Canadian Cybersecurity Network’s 2025 (CCN, 2025) State of Operational Technology Report revealed something alarming:

73% of cyber incidents in 2024 hit operational systems, up from 49% in 2023.

This staggering jump that shows attackers are no longer just focused on stealing data; they want to shut down operations, disrupt supply chains and cause physical harm.

Think of OT as the technology that keeps “the real world” running:

When attackers breach these systems, the results go far beyond the IT department — they affect entire communities.

Globally, Waterfall Security’s 2025 OT Threat Report found a rapid increase in attacks with physical consequences, such as equipment damage, service disruption and safety hazards.

Here in Canada, we’re facing the perfect storm: highly connected critical systems, legacy technology and an evolving regulatory environment, all wrapped in a “it probably won’t happen to us” attitude.

The human toll of OT cyber attacks

To be blunt: when infrastructure fails, it’s not just machines that break.

Operational technology cyber attack examples:

A hospital attack results in patient suffering.

A manufacturing shutdown idles hundreds of workers.

Logistics failure halts food or medication distribution.

A grid attack leaves communities in the cold.

These aren’t cyber problems; they are human ones. Cybersecurity is now public safety.

Top 5 Canadian industries facing operational technology cyber risks

Cyber threats don’t respect silos and neither should we.

To understand our national exposure, let’s look at the five sectors forming the spine of Canada’s operational infrastructure: healthcare, energy and utilities, manufacturing, transportation and logistics, and telecommunications.

Hospitals have become a hacker’s dream target: highly digital, time-critical and publicly accountable. Here are some examples:

• In 2021, Humber River Hospital in Toronto faced a ransomware attack that crippled its systems, delayed critical treatments and forced temporary shutdowns.
• A more devastating example occurred in 2021, when a Newfoundland and Labrador breach occurred that paralyzed the province’s healthcare network and exposed 200,000 patient files. The breach disrupted care across the province for weeks and forced healthcare workers to revert to pen-and-paper methods, which delayed care across the province.
• Globally, the Ascension Health attack in 2023 crippled systems and delayed surgeries. This serves as a small preview of what could easily happen here.

When a healthcare facility’s systems go dark, it’s not just “data loss.” It’s lost lives, public panic and shattered trust.

As IoT-connected medical devices, smart HVAC systems and AI-enabled diagnostics merge into OT ecosystems, the attack surface keeps expanding.

Energy grids, pipelines and utilities are high-value targets for cybercriminals and state-sponsored hackers. One successful breach can cascade into chaos and shut down an entire region.

Here are some examples:

• The CCN 2025 Report highlights the rapid rise of cyber incidents across energy and utility systems.
• Canada’s National Cyber Threat Assessment 2025–2026 warns that state-sponsored actors are “very likely” to continue probing these sectors.
• Bill C-8 (and its embedded Critical Cyber Systems Protection Act – CCSPA) explicitly identifies energy, oil, gas and electricity operators as high-risk infrastructure now under regulatory scrutiny (Cypfer, 2025).

A grid outage or water-treatment hack isn’t just inconvenient; it’s an existential threat. Ask anyone in Alberta during winter how temporary power loss feels when the thermostat hits -30°C.

Reality Check: According to ManuSec Canada, 2025, 80% of Canadian manufacturing firms have critical vulnerabilities, and 65% of executives report targeted cyberattacks within the past 18 months.

Here’s why the manufacturing industry has become one of the most targeted sectors for OT attacks.

• Automation everywhere: Robotics, PLCs, digital twins and IIoT (Industrial Internet of Things) sensors create efficiency and massive attack surfaces.
• Legacy systems: Many plants run on control software older than most interns, often left unpatched because “downtime costs money.”
• Supply chain fragility: Manufacturing sits at the center of vendor webs; one infected supplier can paralyze dozens of lines.
• Economic espionage: Attackers don’t just ransom; they steal IP and production data.

Whether it’s auto parts in Ontario, aerospace components in Manitoba or food processing in Alberta, disruption ripples instantly across sectors.

A single OT breach can halt export shipments, violate contract deadlines, compromise intellectual property and trigger insurance claims that dwarf any ransom.

Transportation and logistics systems (railways, ports, airlines and trucking/couriers) form Canada’s circulatory system and cybercriminals know it.

• Rail, road, air and port automation systems are now networked OT environments.
• A 2025 cyber incident at Kelowna International Airport hijacked digital displays and PA systems via a vendor breach, proof that even adjacent OT systems can be exploited. Thankfully, there was no direct safety threat.
• Transport Canada’s Road Infrastructure OT Cybersecurity Primer warns of rising vulnerabilities as road networks adopt intelligent traffic systems (ITS/TMS) integrated with legacy IT systems.
• In 2020, TFI International’s courier division (Canpar) suffered ransomware attacks disrupting logistics operations and eroding public trust.

If manufacturing is the muscle, transportation is the bloodstream, and a clot anywhere stops everything.

Telecom networks interconnect with every other critical system. Bill C-8 (Canada’s proposed cyber security law) gives the federal government sweeping authority to compel carriers to remove insecure equipment, impose security standards and issue compliance orders with penalties of up to $10 – $15 million per violation (McMillan LLP, 2025). 

Protecting operational technology: Key cybersecurity tactics for Canadian companies

Every incident we’ve seen, whether a hospital, pipeline, factory or logistics network, teaches the same lesson:

Cyber visibility, accountability and resilience is a team sport.

Below is a simplified strategy playbook to protect your business.

Strategic Area	Key Actions	Why It Matters
Governance & Accountability	Assign an OT risk executive. Break down silos between IT and operations. Make cyber a board topic.	Accountability demonstrates maturity; insurers and regulators expect it.
Asset Mapping & Visibility	Catalogue all OT assets (robots, sensors, PLCs, traffic systems) and vendors. Identify interdependencies.	You can’t protect/defend what you don’t see.
Segmentation & Zero Trust	Separate OT from IT networks. Use least-privilege access and micro-segmentation.	Limits attacker movement. Reduces loss severity.
Incident Response & Tabletop Exercises	Run joint IT/OT simulations (i.e., production halt, transport grid lock). Test escalation and communication.	Proves resilience and readiness to both insurers and regulators. Builds muscle memory before a crisis.
Supply Chain Oversight	Require vendor security attestations, limit remote access and review OT vendor contracts.	Many breaches begin with third parties, which are now considered the number one entry point.
Monitoring & Detection	Deploy OT-aware anomaly detection tools; baseline normal behaviour.	Early detection saves millions in downtime and claims.
Compliance & Readiness (Bill C-8)	Conduct a gap analysis against CCSPA standards. Start reporting structure design.	Being proactive avoids fines and coverage disputes.
Insurance Program Alignment	Ensure cyber policies cover physical damage, equipment failure and business interruption from OT incidents. Add contingent business interruption and reputational harm coverage.	Some cyber policies may exclude these exposures. Ask before you assume.

What is Bill C-8 and how will it change cybersecurity compliance in Canada?

For years, cybersecurity in critical infrastructure and cybersecurity frameworks were largely voluntary. That era is ending.

Introduced in June 2025, Bill C-8: An Act Respecting Cybersecurity, resurrects the old Bill C-26 and codifies the Critical Cyber Systems Protection Act (CCSPA). (Miller Thomson, 2025)

Bill C-8 key takeaways

• Creates enforceable cybersecurity obligations for designated operators in energy, transportation, telecom, finance and other sectors.
• Mandates incident reporting, third-party vetting and risk-management programs.
• Authorizes federal directives and multi-million-dollar penalties for non-compliance.
• Elevates cyber resilience from “best practice” to legal duty.

Even if you’re not federally regulated, the ripple effect will reach you through vendor contracts, supply-chain audits and insurance expectations.

Compliance isn’t optional anymore; it’s your new risk baseline and it’s becoming law.

Cybersecurity is everyone’s responsibility: A call to action for Canadian businesses

Canada’s critical infrastructure is sophisticated, interconnected and, unfortunately, under attack.

But with the right preparation, collaboration and accountability, we can keep the lights on, the trucks moving and the hospitals running. Our defence starts with awareness and ends with action.

FAQs: Operational technology cyber insurance considerations

Share this article:

• LinkedIn
• Facebook
• Mail

Aliya Daya, Senior Client Executive, specializes in risk management strategies and insurance solutions for the technology sector, as well as disruptive and emerging industries. With more than 25 years of experience in the insurance industry, Aliya serves as a Cyber Technical Specialist and National Mixed Practice Team Lead at Acera Insurance. She specializes in innovation, technology, cyber insurance and privacy breach, political risk, manufacturing/fabrication/wholesale/distribution, hospitality, non-profit and faith-based organizations.

You can reach Aliya at 403.717.5895 or aliya.daya@acera.ca

Related reading:

• The rise of AI-powered cyberattacks: How your business can keep pace with emerging cyber threats
• Why cybersecurity is now a board responsibility
• How AI-powered manufacturers can address cybersecurity threats

---

Information and services provided by Acera Insurance, Acera Benefits and any other tradename and/or subsidiary or affiliate of Acera Insurance Services Ltd. (“Acera”), should not be considered legal, tax, or financial advice. While we strive to provide accurate and up-to-date information, we recommend consulting a qualified financial planner, lawyer, accountant, tax advisor or other professional for advice specific to your situation. Tax, employment, pension, disability and investment laws and regulations vary by jurisdiction and are subject to change. Acera is not responsible for any decisions made based on the information provided.