Canadian Centre for Cyber Security releases guidelines to boost cyber resilience across critical infrastructure
The Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment Canada (CSE), released voluntary guidelines designed to further protect essential services for people in Canada and enhance cyber security resilience overall. The Cyber Security Readiness Goals (CRGs) resource offers a toolkit with 36 cross-sector cyber security practices that build on available advice and guidance. The CRGs list important steps organizations can take toward goals that will improve their cyber security posture in the face of increasingly complex cyber security threats.
“The CRGs have been developed in response to the growing susceptibility of critical infrastructure (CI) to cyber threats,” according to Rajiv Gupta, head of the Canadian Centre for Cyber Security. “The objective of these cross-sector goals is to enhance cyber security and minimize potential risks to society, public safety, and the overall stability of the Canadian economy. Canada’s CI faces an enormous challenge to be resilient against cyber threats.”
Gupta identified that helping Canada become more resilient is key to the role of the Cyber Centre as Canada’s technical authority on cyber security. The CRGs present concrete actions for critical infrastructure that are worth implementing at any time. The Cyber Centre is also developing a Cyber security readiness framework (CRF) that will combine these cross-sector goals with sector-specific goals to enable critical infrastructure to mitigate cyber threats.
“The Cyber Centre is designing these resources to allow you – system owners and operators – to protect systems vital to Canadian infrastructure, national security, and public safety,” Gupta added. “By implementing these measures and adopting a cross-sectoral approach, we are establishing a strong and effective defense mechanism to collectively address the ever-changing cyber security threat landscape.”
“As threats evolve, our response needs to become even more robust. Prevention is key and this new resource is a key defense against ransomware and other cyber threats,” according to Bridget Walshe, associate head of the Canadian Centre for Cyber Security.
Released Tuesday, the CRGs feature six pillars and 36 cross-sector cyber security goals. The goals are grouped into the six pillars of the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0: Govern, Identify, Protect, Detect, Respond, and Recover. These goals align with the recent work of the Cyber Centre’s international partners, including the U.K.’s Cyber Assessment Framework, a resource created by the National Cyber Security Centre for organizations with vital roles in the U.K., including critical infrastructure organizations; and the U.S.’s Cross-Sector Cybersecurity Performance Goals, directed by the Cybersecurity and Infrastructure Security Agency (CISA).
During the 2023-2024 financial year, the Cyber Centre engaged with almost 1,900 Canadian critical infrastructure organizations to increase Canada’s cyber resilience across sectors. These organizations are considered systems of importance because they are essential for Canada to function. Key sectors include democratic institutions; education; energy; finance; food; health; information and communications technology; manufacturing; municipal, provincial, territorial and Indigenous governments; transportation; and water.
This year, the Cyber Centre emphasized working with Canada’s energy sector to improve its cyber resilience. Last June, the Cyber Centre published an assessment of the cyber threat to Canada’s oil and gas sector.
In many sectors, Canadian companies work closely with U.S.-based counterparts. Some may have infrastructure that spans the international boundary. Given these interdependencies, the Cyber Centre consulted with CISA during the development of the CRGs to ensure the goals could be implemented across North American critical infrastructure sectors with ease.
Currently, CISA CPG Version 1.1 consists of 38 cyber security goals. The Cyber Centre’s CRGs contain 36 cyber security goals. The CRGs have some notable differences from the CPGs. To align with the most recent version of the NIST CSF 2.0, the CRGs include a ‘Govern’ pillar, with goals that highlight the value of establishing policies and procedures within an organization. In keeping with other updates to the CSF, the Govern pillar includes a cyber-related privacy goal, along with additional goals to highlight the importance of people, processes, and technology needed to execute cyber security decisions.
The CRGs include some other goals that are not in the first version of CISA’s CPGs, namely, cloud and AI goals. The CRGs also provide a Canadian context to the references and recommended actions to reflect existing Cyber Centre advice and guidance. Several of CISA’s goals with similar outcomes, such as ‘cyber security leadership’ and ‘OT leadership,’ are combined and streamlined in the Canadian CRGs.
Lastly, version 1.0 of the CRGs does not include ‘vulnerability disclosure,’ as Canada does not have Safe Harbour rules, which are common in the U.S. and permit researchers to test for vulnerabilities without risk of legal liability. Nonetheless, disclosing vulnerabilities is a valuable practice. The inclusion of a vulnerability disclosure goal will be considered for future versions of the CRGs.
The Cyber Centre and CISA will continue to engage in information sharing on the baseline cyber security goals for critical infrastructure. These efforts will ensure harmonization of practices across the U.S. and Canada, as well as allow us to periodically revise the CRGs and create sector-specific goals in the future.
The CRGs provide Canadian critical infrastructure owners and operators with a set of achievable cybersecurity goals to help them prioritize investments in cybersecurity and elevate their cybersecurity posture.
Building on work that has already been done by partners and by the Cyber Centre, the CRGs add further value by covering a wider range of actions for critical infrastructure owners and operators. In addition to the CRGs, the Cyber Centre offers complimentary cyber security guidance and tools to assist critical infrastructure sectors. These include the Baseline cyber security controls for small and medium organizations; Top 10 IT security actions to protect internet-connected networks and information; and IT security risk management: A lifecycle approach.
These resources provide guidance that is aligned with the CRGs. As the CRGs consolidate many of the recommended actions from these other publications and tools, there is a notable overlap between the CRGs and these other tools. More than two-thirds of the baseline controls and the top 10 IT security actions are captured in the CRGs, which also provide additional recommendations. Similar to the baseline controls, the CRGs are foundational guidance that can be applied in critical infrastructure organizations.
The CRGs in the Cross-Sector Goals Toolkit are provided in a structured format to help organizations understand the goals and related aspects. Each entry covers the intended security outcome that the CRG strives to achieve and examples of actions an organization can take towards achieving the goal and outcome; these actions will be updated as new threats and defenses are identified. Each entry also carries a risk statement or, where available, a relevant reference to MITRE ATT&CK TTPs. By implementing the recommended action, an organization can reduce the risk of the TTP being used effectively.
Additionally, each goal lists the NIST CSF 2.0 subcategory that most closely relates to its security practice, along with supporting Cyber Centre guidance associated with the corresponding goal and outcome, for additional information and resources.
The agency said that the CRGs are just the beginning of the Cyber Centre’s efforts to support cyber security readiness among critical infrastructure installations. These goals will serve as the foundation of our future Cyber Security Readiness program and will be essential to strengthening the cyber security posture of Canadian critical infrastructure. As part of the program, the Cyber Centre will continue to provide guidance to equip critical infrastructure owners and operators with the knowledge to better protect their IT and OT from cyber incidents.
Moving forward, the Cyber Centre will update these cross-sector CRGs when necessary, to ensure they remain relevant and applicable against evolving threats and the ever-changing legislative landscape. The cross-sector CRGs will be a core resource for many Canadian critical infrastructure owners and operators.
The Cyber Centre will expand from the cross-sector CRGs to sector-specific goals. By analyzing each sector’s unique cyber maturity and technologies, the agency will provide tailored recommendations for the sector. For example, the sector-specific goals for the energy sector will provide a customized view of the baseline goals that recognize the capabilities of operators in the energy industry and the unique threat landscape they face. Based on consideration of several factors, the Cyber Centre is focused on developing sector-specific goals for the energy, finance, telecommunications, and transportation sectors.
Lastly, the Cyber Centre said that the CRGs are an essential step forward in the Cyber Centre’s work to enhance cyber security among critical infrastructure organizations. In close collaboration with industry, the Cyber Centre will continue to develop sector-specific goals for select critical infrastructure sectors to provide additional tailored guidance focused on the unique needs of each sector. The goals will be adapted as threats to Canada’s CI continue to evolve, ensuring the goals remain applicable and relevant. Feedback from all partners will contribute to improving the CRGs.
The CRGs and sector-specific goals, framed by the CRF, will help CI organizations to continue improving their cyber security posture. The Cyber Centre will continue to work on guidance to support the implementation of the CRGs in critical infrastructure. Readiness is a collective effort and a shared priority. The CRGs are a starting point to set Canadian critical infrastructure on a path to a more resilient cyber security posture.