
Canada's OT Cybersecurity Crisis: What the 2025 State Report Reveals for Industrial Organizations

  • Writer: RubyComm Team
  • Nov 26

The Canadian Cybersecurity Network (CCN) just released its comprehensive State of Canada OT Report 2025, and the findings reveal a cybersecurity landscape that should concern every industrial organization operating in North America. With over 45,000 cybersecurity professionals contributing to this analysis, the report paints a grim picture of escalating threats against Canada's critical infrastructure, threats that extend far beyond national borders. Other nations need to pay closer attention.


The Numbers Tell a Disturbing Story

Here's the reality: 73% of reported cyber incidents in 2024 impacted OT systems, representing a dramatic increase from 49% in 2023. This isn't just a Canadian problem but rather an indicator of global trends affecting operational technology environments worldwide. Energy providers are now tracking 60 new vulnerabilities in grid networks daily, while the 2025–2026 National Cyber Threat Assessment warns that ransomware and nation-state probing of critical infrastructure are "almost certain" to continue.


As RubyComm has highlighted for some time, perhaps most concerning is how IT/OT convergence has created new attack vectors where a single phishing email can cascade into industrial shutdowns. This convergence, while driving efficiency and innovation, has fundamentally transformed the risk landscape for organizations across all industrial sectors.


The report reveals that 50-75% of OT cyberattacks originate from IT networks, highlighting the urgent need for organizations to address the security implications of their increasingly connected operational environments. Combined with a persistent skills gap in OT cybersecurity expertise, particularly affecting smaller organizations in remote areas, the challenge becomes even more complex.


Regulatory Landscape Shifts


The regulatory environment is also rapidly evolving, with significant implications for organizations operating across North America. Bill C-8 (Critical Cyber Systems Protection Act) establishes mandatory cybersecurity programs for critical sectors, including telecommunications, energy, transportation, banking, and clearing systems. The penalties are substantial: up to $1 million for individuals or $15 million for organizations.


For the first time, we're seeing provincial-level OT cybersecurity regulations in Canada with Alberta Regulation 84/2024, which requires cybersecurity baselines in OT environments and mandates CSA Z246.1 compliance for critical infrastructure. This trend toward mandatory compliance frameworks is likely to expand across other provinces and states.


Sector-Specific Vulnerabilities


The report details concerning vulnerabilities across key sectors:


Energy Infrastructure faces particular challenges, with power grids showing 23,000-24,000 weak points in 2024. Foreign state actors are "almost certainly" pre-positioning malware for potential disruption, while ransomware groups continue opportunistically targeting oil & gas companies.


Healthcare Systems operate with zero tolerance for downtime, creating challenging security implementation scenarios. The 2024 Ascension ransomware attack, which affected 5.6 million individuals across 142 facilities, demonstrates the scale of potential impact when healthcare OT systems are compromised.


Smart Buildings present an often-overlooked vulnerability across the industry. According to the report, 51% of building systems are insecurely connected to the internet, while 33% of cyberattacks involve Building Automation System (BAS)-connected IoT devices, including connected elevators, HVAC systems, kiosks, and more. Additionally, over 23,000 BAS devices are currently discoverable via Shodan, highlighting the widespread exposure of these critical systems.


Strategic Implications for Industrial Organizations


The report's recommendations align closely with what we've observed in RubyComm’s work with industrial organizations. The key strategic imperatives include:

  • Establishing unified governance across IT/OT teams to break down silos that slow threat response

  • Implementing comprehensive asset inventory with continuous monitoring capabilities

  • Deploying network segmentation following established frameworks like the Purdue Model

  • Building cyber resilience through robust backup and redundancy systems

  • Integrating security into modernization from the initial planning stages

The report emphasizes that protecting OT means protecting people, communities, and economic prosperity. For organizations operating in industrial environments, this isn't just about compliance; it's about operational continuity and competitive advantage.


The Path Forward


Canada's experience offers valuable lessons for industrial organizations worldwide. The convergence of IT and OT systems, combined with increasing cyber threats, demands immediate action. The report makes clear that resilience starts with readiness, and organizations that act decisively now will be better positioned to defend against the evolving threat landscape.


As we've seen in our work with industrial clients, the organizations that thrive are those that view OT cybersecurity not as a cost center, but as a strategic enabler of safe, reliable operations. The Canadian report reinforces this perspective while providing concrete data points to support investment decisions.


About RubyComm: RubyComm delivers tailored operational technology (OT) cybersecurity solutions for industrial environments where standard products fall short. Based in Israel with a U.S. presence, we secure critical systems for industrial manufacturers, infrastructure operators, medical equipment providers, energy producers, and smart building managers. Our competitive advantage lies in creating customized security architectures that address the specific challenges conventional solutions cannot: functionality limitations in specialized settings, complex operational environments requiring precision approaches, prohibitive pricing structures, and technical expertise gaps within client organizations. Unlike one-size-fits-all offerings, RubyComm's solutions maintain operational efficiency while providing comprehensive protection, transforming security from a product purchase into a strategic partnership. We make cyber OT easy for organizations of all sizes!

 
 