Parliamentary Committee Notes: Canada’s Approach to Critical Infrastructure Security and Resilience
Date:
April 14, 2022
Branch/Agency:
CID/NCSB/PSC
Issue:
You have been invited to appear before the Standing Committee on Public Safety and National Security to discuss Canada’s security posture in relation to Russia where protecting Canada’s critical infrastructure may be raised. This note addresses Canada’s overall approach to critical infrastructure security and resilience, focusing on the National Strategy for Critical Infrastructure, stakeholder engagement mechanisms, and specific Public Safety Canada programs. More detailed information on the nexus between cyber security and critical infrastructure can be found in the complementary note titled Cyber Security and Protecting Canada’s Critical Infrastructure.
Proposed Response:
- Critical infrastructure refers to processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security, or economic well-being of Canadians and the effective functioning of government.
- It can be stand-alone or interconnected and interdependent within and across provinces, territories, and national borders. Disruptions to critical infrastructure can result in catastrophic loss of life, adverse economic effects, and significant harm to public confidence.
- Canada’s National Strategy and Action Plan for Critical Infrastructure sets out an all-hazards risk management approach to strengthening the resilience of Canada’s critical infrastructure. This approach takes into account natural, accidental, and intentional threats that could affect Canada’s vital assets and systems.
- Published in 2009, Canada’s National Strategy for Critical Infrastructure sets out ten critical infrastructure sectors: (1) energy and utilities, (2) finance, (3) food, (4) transportation, (5) government, (6) information and communication technology, (7) health, (8) water, (9) safety, and (10) manufacturing.
- Each of the ten critical infrastructure sectors is led by a Lead Federal Department. For example, the Energy and Utilities sector is led by Natural Resources Canada, while the Transportation sector is led by Transport Canada.
- The Government continuously works to enhance critical infrastructure resilience by identifying threats and hazards and sharing this information with stakeholders.
- Strengthening the resilience of critical infrastructure is a shared responsibility and requires collaboration with stakeholders. As such, we regularly work with industry partners to prepare and protect Canada and Canadians for incidents that can lead to disruptions.
- One of the principal ways we do this is through the National Cross Sector Forum, which is a national-level consultation and outreach entity that brings together leaders from Canada’s ten critical infrastructure sectors to identify priorities and discuss cross-sector issues and initiatives to enhance the resilience of Canada’s vital assets and systems.
- The Russia-Ukraine conflict has created a heightened threat of malicious cyber activity against Canadian critical infrastructure. One of the ways we are addressing this threat is by engagement and awareness-raising with our industry stakeholders.
- In February of this year, we hosted a Multi-Sector Network meeting where industry partners were briefed by the Communications Security Establishment’s Canadian Centre for Cyber Security on the current cyber threat landscape. Public Safety Canada also shared information on Government of Canada tools and resources to improve cyber resilience.
- Given the importance of this issue and the ongoing nature of the threat, we convened another Multi-Sector Network meeting on April 26 [April 27 in French] to provide industry stakeholders with an update on the threat landscape and a briefing on the cyber security roles and responsibilities of various departments and agencies within the Government of Canada, including the Cyber Centre, Public Safety Canada, and the RCMP.
- At the same time, it allowed our officials to continue to remind and encourage Canadian critical infrastructure providers and organizations to take proactive mitigation measures against persistent cyber threats.
- In addition to our efforts to engage and share information with our private sector partners, the Government of Canada offers a range of programs and services to support critical infrastructure owners and operators to enhance their resilience.
- For example, the Regional Resilience Assessment Program conducts assessments to identify and address physical as well as cyber vulnerabilities, and helps critical infrastructure owners and operators to both measure and enhance the resilience of their facilities.
- Public Safety Canada also prepares all-hazards critical infrastructure impact assessments that focus on the linkages and connections—or interdependencies—between sectors. This includes assessments on major Canadian ports that will raise awareness of the hazards, risks, and impacts they face as key nodes in our supply chains.
- Recent events—ranging from the ongoing pandemic, to so- called “Freedom Convoy” blockades, to Russia’s invasion of Ukraine—have shown that we must take new approaches to critical infrastructure protection to enhance our resilience in the face of new threats and hazards in a rapidly evolving world.
- To that end, the Government of Canada is currently renewing the National Strategy for Critical Infrastructure, with the goal of having a new strategy and approach in place by the end of 2023.
- Indeed, along with my colleague Minister Blair, I was pleased to launch the online consultation process for the renewal of the National Strategy for Critical Infrastructure on April 20.
- This work is complementary to other initiatives the Government of Canada is undertaking on national, economic, and cyber security that will make Canada safer and more resilient.
Thank you.
Background:
Canada’s National Strategy for Critical Infrastructure
Critical infrastructure (CI) consists of the physical assets, information technology systems, networks and services essential to the health, safety, security, and economic well-being of Canadians.
Under the Emergency Management Act, the Minister of Public Safety and Emergency Preparedness is responsible for leading the overall national effort to strengthen CI resilience.
Canada’s approach to CI security and resilience is outlined in the 2009 National Strategy for Critical Infrastructure.
Every three years, an action plan is published with concrete deliverables for Public Safety to fulfil in collaboration with public and private sector partners to further the objectives of the 2009 National Strategy for Critical Infrastructure. With the conclusion of the 2018-2020 Action Plan for Critical Infrastructure, Public Safety Canada published the 2021-2023 Action Plan for Critical Infrastructure in the spring of 2021.
The 2021-2023 Action Plan for Critical Infrastructure commits Public Safety Canada to renewing Canada’s National Strategy for Critical Infrastructure by 2023.
Specific Public Safety Canada CI programs and initiatives are outlined below.
Regional Resilience Assessment Program (RRAP)
RRAP provides free on-site and online assessments to CI owners and operators in all sectors across Canada to address vulnerabilities and to measure and enhance the resilience of their facilities from an all-hazards perspective.
RRAP also conducts broader regional resilience assessment projects designed to assess and improve the resilience of cross-border CI with the United States.
Virtual Risk Analysis Cell at Public Safety Canada
The Virtual Risk Analysis Cell (VRAC) prepares impact assessments to support situational awareness of CI facilities and the hazards, risks, and impacts they face.
In these assessments VRAC identifies infrastructure that may be impacted and prepares analysis and considerations of cascading impacts that could cause further disruption or degradation of goods, services, and Canada’s supply chains.
Partnerships
The CI Partnerships team at Public Safety Canada focuses on developing and nurturing trusted partnerships between government and CI stakeholders. It organizes national meetings and events to share information and best practices across all CI sectors.
It regularly collaborates with Lead Federal Departments responsible for CI and coordinates and connects with CI representatives from Provincial and Territorial governments (PTs) as well as CI industry stakeholders.
Exercises
The program coordinates exercises that foster partnerships and coordination across jurisdictions, with CI stakeholders in both private and public sectors to enhance their overall resilience before, during and after an emergency.
Specifically, the program identifies key risk areas and vulnerabilities, interdependencies, and cross-sector issues or capabilities to be exercised. It also examines CI stakeholder roles and responsibilities in accordance with emergency plans and policies. Further, it promotes, facilitates, and coordinates exercises involving the CI community and the sharing of lessons learned from exercises to strengthen CI resilience in Canada.
Cyber Engagements
The goal this program is to raise cyber security awareness in the Canadian CI stakeholder community through the delivery of Industrial Control System (ICS) protection webinars and training symposiums, cyber exercises, cyber security assessments, and insider risk.
This team developed the Canadian Cyber Security Tool in collaboration with the Canadian Centre for Cyber Security at the Communications Security Establishment, which is being applied across all ten CI sectors to help stakeholders assess their cyber security posture.
Contacts:
Prepared by: Jade Craig-Payette, A/Policy Advisor, National and Cyber Security Branch, 613-407-5233
Approved by: Dominic Rochon, Senior Assistant Deputy Minister, National and Cyber Security Branch, 613-990-4976
- Date modified: