Parliamentary Committee Notes: Cyber Security and Protecting Canada’s Critical Infrastructure
Date:
Apr 20, 2022
Branch/Agency:
NCSB/NCSD
Issue:
You have been invited to appear before the Standing Committee on Public Safety and National Security to discuss Canada’s security posture in relation to Russia, where cyber security and protecting Canada’s critical infrastructure may be discussed.
Proposed Response:
- Malicious cyber activities targeting the cyber systems that underpin critical infrastructure are a constant concern for businesses, individuals, and governments in Canada.
- The Government of Canada takes the security of our critical infrastructure seriously. Canada’s National Cyber Security Strategy has acted as a roadmap for Canada’s path forward on cyber security.
- The Government of Canada is working to enhance the cyber security of the country’s critical infrastructure through the identification of cyber threats and vulnerabilities, and by preparing for and responding to cyber incidents.
- For example, Public Safety Canada’s Cyber Security Assessment tools help owners and operators of Canada’s critical infrastructure evaluate their cyber maturity against established benchmarks and by peer comparison, while also offering concrete guidance on how they can become more cyber-resilient.
- Public Safety Canada also delivers programs focused on industrial control systems for critical infrastructure, which refer to the devices and software that operate or automate processes at facilities such as waste water treatment plants and power stations.
- Public Safety hosts a triannual industrial control system security symposium for critical infrastructure stakeholders, offers free technical workshops on cyber incident awareness and handling, and hosts online foundational security awareness sessions.
- Public Safety Canada also coordinates and delivers cyber-based exercises for the critical infrastructure community to test and develop capabilities to respond to, and recover from, malicious cyber activities. More broadly, the Department promotes communication and collaboration to raise awareness of cyber threats and risks, including with our international partners.
- Public Safety Canada works closely with the Communication Security Establishment’s Canadian Centre for Cyber Security to enhance the resilience of critical infrastructure in Canada. The Cyber Centre, in addition to providing public advisories, shares valuable cyber threat information with Canadian critical infrastructure owners and operators.
- In light of Russia’s invasion of Ukraine, the Government has enhanced engagements with critical infrastructure sectors. To this end, Public Safety Canada hosted a Multi-Sector Network meeting on April 26th and 27th for critical infrastructure owners and operators to discuss cyber threats and proactive mitigation measures for Canadian industry.
Background:
Cyber Security Strategy
Canada’s National Cyber Security Strategy (NCSS), published in 2018, has three primary goals – secure and resilient Canadian systems; an innovative and adaptive cyber ecosystem; and effective leadership, governance, and collaboration. The subsequent National Cyber Security Action Plan (2019-2024) lays out the specific roadmap that will allow for the realization of the NCSS’ goals.
In the December 2021 mandate letter, the Minister of Public Safety was asked, alongside the Ministers of National Defence, Foreign Affairs, Innovation, Science and Industry, and other implicated Ministers, to develop and implement a renewed NCSS which will articulate Canada’s long-term strategy to protect our national security and economy, deter cyber threat actors, and promote norms-based international behaviour in cyberspace.
Industrial Control Systems
There has been a global rise in the number of cyber incidents affecting Industrial Control Systems (ICS) which are devices and software that operate or automate processes at many critical infrastructure (CI) facilities. This is significant as malicious cyber activities targeting these critical systems can cause physical consequences and disruptions to essential assets and services. As part of the aforementioned National Cyber Security Action Plan, Public Safety Canada is leading on several items that will enable critical infrastructure (CI) owners and operators to better secure their systems and information.
Public Safety works to enhance the cyber security of ICS by raising awareness of risks to these systems and enhancing the capabilities of ICS operators through symposiums and technical workshops.
In addition, Public Safety has worked closely with the Cyber Centre to develop the Canadian Cyber Security Tool (CCST) which provides Canadian CI organizations with an easy-to-use, online self-assessment tool to strengthen their cyber security posture.
Public Safety also offers Canadian CI organizations more in-depth, facilitated assessments and analysis of their cyber security programs and practices through the Canadian Cyber Resilience Review (CCRR) and the Network Security Resilience Analysis (NSRA).
Cyber Security Exercises
Public Safety coordinates and participates in national and international cyber security exercises to strengthen readiness and response efforts to potentially disruptive physical and cyber-based events. Through these exercises, critical infrastructure owners and operators are able to validate their plans, procedures, processes that enable response, recovery, and continuity of essential services. For example, in March 2021, Public Safety Canada, in collaboration with the RCMP and the Cyber Centre, delivered table-top exercises to examine the response to a ransomware incident, with a focus on strengthening collaboration between government and private sector organizations. In addition, Public Safety Canada recently launched the Cy-Phy Exercise Program which will examine the interconnectedness between the cyber and physical realms through a series of cyber and physical security related exercises, culminating in a large-scale functional capstone exercise in the Fall of 2023.
Russian Threat
In light of Russia’s invasion of Ukraine, the Communications Security Establishment and its Canadian Centre for Cyber Security (Cyber Centre) have strongly encouraged all Canadian organizations, including CI, to take immediate action and bolster their online defences. Canada’s Allies have attributed multiple incidents of malicious cyber activities targeting Ukrainian CI sectors to Russia; Canada has issued statements of support, condemning these activities. Russia has significant cyber capabilities and a demonstrated history of using them irresponsibly.
In January and February 2022, the Cyber Centre published threat bulletins urging CI owners and operators to adopt a heightened state of awareness and to take mitigations against Russian cyber threat activity.
Contacts:
Responsible Manager: [REDACTED] National Cyber Security Directorate, [REDACTED]
Approved by: Dominic Rochon, Senior Assistant Deputy Minister, National and Cyber Security Branch, 613-990-4976
- Date modified: