Recent Breaches
Breaches
2026PowerSchool62.4M stolen62.4M records stolen2026DISA Global Solutions3.3M stolen3.3M records stolen2026Globe Life850K stolen850K records stolen2026HertzUndisclosed stolenUndisclosed records stolen2026NHS ScotlandUndisclosed stolenUndisclosed records stolen2025Marks & Spencer9.4M stolen9.4M records stolen2025PayPal35K stolen35K records stolen2025Co-operative GroupUndisclosed stolenUndisclosed records stolen2025Jaguar Land RoverUndisclosed stolenUndisclosed records stolen2024National Public Data2.9B stolen2.9B records stolen2026HertzUndisclosed stolenUndisclosed records stolen2026NHS ScotlandUndisclosed stolenUndisclosed records stolen2025Marks & Spencer9.4M stolen9.4M records stolen2025PayPal35K stolen35K records stolen2025Co-operative GroupUndisclosed stolenUndisclosed records stolen2025Jaguar Land RoverUndisclosed stolenUndisclosed records stolen2024National Public Data2.9B stolen2.9B records stolen2026PowerSchool62.4M stolen62.4M records stolen2026DISA Global Solutions3.3M stolen3.3M records stolen2026Globe Life850K stolen850K records stolen
View All →
Breaking NewsUpdated as information becomes available
Back to Knowledge Vault
BreakingBreaking5 July 20266 min read

Russia's NoName Hacks Quebec Water Plant | Utility Response

Russia-linked NoName breached a Quebec water treatment plant's SCADA. What UK and Canadian water utilities must isolate, air-gap and audit now.

Mark Fermor

Mark Fermor

Director & Co-Founder, Firevault

Share
A silhouetted figure with a laptop overlooks a water treatment plant at dusk, with glowing network lines and warning lights overlaying the scene to symbolise a cyber-attack on critical infrastructure.

Canada''s Communications Security Establishment (CSE) has confirmed in its 2025 to 2026 annual report that Russian hacktivist group NoName broke into the network of a Quebec municipality''s water treatment plant and gained access to systems that control public health. According to CSE, NoName claimed the "ability to covertly control pumps, chlorine dosing, pressure settings and monitoring and alerts systems". The intrusion was flagged by the Organization of American States cyber network in October, not by CSE itself, and the affected municipality has not been named.

This is one of the most specific public confirmations to date that state-aligned actors are inside water infrastructure on the North American side of the Atlantic. It should also settle a question that water sector boards in the United Kingdom and Europe have been quietly debating for two years: whether physical isolation of treatment control systems is proportionate. It is.

What CSE actually disclosed

The key facts from the CSE report and adjacent reporting by National Post are these:

  • The intrusion targeted a Quebec municipal water treatment plant.
  • NoName claimed access to pumps, chlorine dosing, pressure setpoints and the monitoring and alerting systems that would normally warn operators something was wrong.
  • Detection came through the Organization of American States cyber coordination network, not through the operator''s own monitoring or CSE.
  • The US Department of Justice classifies NoName as a cybercriminal group financially backed by the Russian government and notes that the group frequently targets North American water systems.
  • CSE recorded more than 3,200 cyber incidents affecting Canadian federal organisations or critical infrastructure sectors in the year covered.

The phrase that matters is "covertly control". Attackers were not simply on the office network. They had reached the layer where a wrong number becomes a public health incident.

When attackers can nudge a chlorine setpoint and quiet the alarm at the same time, the argument about the cost of physical separation ends. You are now scoring risk in milligrams per litre, not tickets per quarter.

Why this matters for every water utility

Water companies everywhere run a small central control room connected to a very large field. Thousands of outstations, RTUs and PLCs are reachable over private telemetry. Treatment SCADA sits behind an industrial DMZ, but the corporate estate, the works information management system, asset management and billing frequently share the same paths.

Three structural weaknesses show up in almost every water estate we assess:

  • IT and OT convergence. A foothold on the corporate network can be pivoted, through a shared engineering jump server, into a treatment SCADA fabric that was assumed to be separate.
  • Long-lived outstations. Kit deployed over decades cannot all be patched at once, and the private APN telemetry that connects it was designed for availability, not adversary resistance.
  • Persistent vendor and integrator access. Remote support paths that were opened for a specific project remain in place years later, often outside change control.

Every one of these is a candidate route to the same outcome as Quebec: silent access to dosing, pressure and alerting.

The physical safety consequence

The reason this incident is different from a data breach is that a wrong chlorine dose or a spoofed pressure reading is not a compliance finding. It is a public health event and, at scale, a supply event. In the United Kingdom, the Drinking Water Inspectorate holds water companies responsible for wholesomeness at the tap; the NIS2 Directive across the European Union places directors personally on the hook for security of essential services; the US Environmental Protection Agency has issued repeated guidance on the same theme. None of these frameworks accept "a firewall rule was misconfigured" as a defence.

What software-layer defences cannot do here

Modern water operators already invest in endpoint detection, network monitoring, identity governance and 24/7 SOC coverage. All of it matters. None of it, on its own, prevents the Quebec pattern, because the pattern depends on paths that should not exist being reachable at all.

  • Credential-based controls fail the moment a legitimate vendor account is abused.
  • Firewall rules degrade over time and are rarely reviewed against a written zone model.
  • Historians, engineering workstations and recovery archives are often in the same domain, so an attacker who reaches one reaches the evidence of what they did.

The only control that survives a determined adversary with valid credentials is a physical boundary they cannot cross remotely.

The Firevault Control answer for water

Firevault Control is designed for exactly the topology that Quebec exposed. It operates at the network connectivity layer beneath your SCADA and does not require changes to PLC programs, dosing logic or telemetry protocols. It puts a real, physical boundary between the office, the industrial DMZ, the treatment SCADA fabric and the outstation telemetry network, and it enforces named human authorisation for anything that crosses those boundaries.

The four modules apply to water as follows:

  • Firebreak. Emergency severance. A compromised zone is physically disconnected during a live incident so an office or telemetry compromise cannot reach the plants.
  • Isolate. Enforced physical boundaries between corporate IT, the industrial DMZ, treatment SCADA and outstation telemetry. The paths NoName used in Quebec simply do not exist between zones.
  • Execute. Setpoint changes, firmware updates and dosing actions that cross a zone boundary require explicit, named, multi-party approval. A stolen credential is not enough.
  • Archive. Verified baselines of treatment recipes, dosing limits and network configuration are held on infrastructure with no live network path to production, so a known-good restore is guaranteed.

Water Sector Playbook

The Firebreak Water Playbook is the sector companion to this incident.

It maps the zone architecture, the multi-party authorisation model and the regulatory evidence pack for treatment, distribution and outstation telemetry. Written for water CISOs, engineering directors and boards.

Download the Firebreak Water Playbook →

Regulatory context, UK and Europe

The Quebec disclosure lands squarely in the middle of an active regulatory push. Under NIS2, water companies operating in the European Union are essential entities with personal liability for directors. In the United Kingdom, the Drinking Water Inspectorate and Ofwat have both signalled tougher expectations on cyber resilience of operational technology. The EPA in the United States has repeatedly warned that treatment SCADA is being probed by state-aligned actors. This is now the reference case regulators will point to when they ask a board a very simple question: could this have happened here, and how would you know?

What to do this week

  1. Map every path between corporate IT, WIMS, treatment SCADA and outstation telemetry. Do not trust the network diagram. Trust a fresh walk of the actual routes, including vendor and integrator jump servers.
  2. Identify every persistent remote access path. Anything that is on by default and does not require named, time-bounded authorisation is a candidate for the Quebec pattern.
  3. Commission a physically enforced zone design. Aligned to your plants and distribution estate, with a Control module at each boundary and verified configuration baselines held out-of-band.

Sector Blueprint

See the full Water Control blueprint.

Treatment SCADA, outstation telemetry, dosing safety and regulatory evidence, mapped module by module.

Control for Water Utilities → Download the Firebreak Water Playbook →

Sources: National Post via Yahoo News Canada; CSE Annual Report 2025-2026; US Department of Justice on NoName.

About the author

Mark Fermor

Mark Fermor

Director & Co-Founder

Co-founder of Firevault, focused on offline secure storage and protecting individuals and businesses from fraud, fines, loss and damage. Speaker, owner and advisor.

Share this article

Breaking News
Breaking5 July 20266 min read

Russia's NoName Hacks Quebec Water Plant | Utility Response

Russia-linked NoName breached a Quebec water treatment plant's SCADA. What UK and Canadian water utilities must isolate, air-gap and audit now.

Russia's NoName Hacks Quebec Water Plant | Utility Response
Mark Fermor
Published by Mark Fermor, Director & Co-Founder

    Firevault

    Firevault is Offline Secure Storage. Hardware you own, physically disconnected by default, with KYC-verified access. Ransomware-proof by design, not by patch.

    © 2026 Firevault Limited. Disconnect to Protect®