Cyber Centre issues security guidelines for Canadian critical infrastructure providers
With the Liberal government’s proposed critical infrastructure cybersecurity legislation still before Parliament and the prospect that the opposition may soon force a federal election, Canada’s cybersecurity agency isn’t sitting around waiting for events to pass.
The Canadian Centre for Cyber Security today published a suite of voluntary guidelines for critical infrastructure providers — including banks, utilities, municipalities, hospitals and more — to improve the country’s cyber security resilience.
Called the Cyber Security Readiness Goals (CRGs), it’s a toolkit with 36 cross-sector cyber security practices that build on available advice and guidance.
The Cyber Centre says the CRGs are in line with the U.K.’s Cyber Assessment Framework and the U.S. Cross-Sector Cybersecurity Performance Goals.
Note that while the CRGs are aimed at critical infrastructure providers, they can be adopted by any public or private organization.
The Canadian toolkit is another way critical infrastructure providers here can hone their existing cybersecurity practices without waiting for Bill C-26 — which would change the Telecommunications Act for telcos and implement the Critical Cyber Systems Protection Act (CCSPA). Initially affected would be federally-regulated telecommunications, energy pipeline, transportation and financial services companies. Briefly, they would have to establish and implement cyber security programs, mitigate supply-chain and third-party risks, report cyber security incidents and comply with cyber security directions from the government.
This is the detailed version of the proposed legislation. It passed relatively untouched through the House of Commons and is now before the Senate. It isn’t clear whether the Senate will deal with it quickly, before the next election. Even once it becomes law, C-26 likely wouldn’t come into effect for another year, because regulations — such as reporting deadlines — still have to be set.
The CRGs are linked with existing frameworks IT leaders may already use, including the U.S. CPGs and the NIST CSF 2.0. That way organizations can focus on implementing the goals, rather than integrating a new model. This is especially beneficial for organizations operating across the border, in both Canada and the U.S., the Cyber Centre says.
However, the Cyber Centre notes the Canadian CRGs have some notable differences from the other frameworks. To align with the most recent version of the NIST CSF 2.0, the CRGs include a “Govern” pillar, with goals that highlight the value in establishing policies and procedures within an organization. In keeping with other updates to the CSF, the Govern pillar includes a cyber-related privacy goal, along with additional goals to highlight the importance of people, processes and technology needed to execute cyber security decisions. The CRGs include some other goals that are not in the first version of CISA’s CPGs, namely, cloud and AI goals. The CRGs also provide a Canadian context to both the references and recommended actions to reflect existing Cyber Centre advice and guidance. Several of CISA’s goals with similar outcomes, such as “cyber security leadership” and “OT leadership,” are combined and streamlined in the Canadian CRGs.
Lastly, the Cyber Centre notes, version 1.0 of the CRGs does not include “vulnerability disclosure.” Canada does not have Safe Harbour rules, which are common in the U.S. and permit researchers to test for vulnerabilities without risk of legal liability. Still, it says disclosing vulnerabilities is a valuable practice. Inclusion of a vulnerability disclosure goal will be considered for future versions of the CRGs.
The Cyber Centre says the CRGs “are intended to establish a foundational standard for cyber security practices, a baseline that connects with other existing frameworks and guidance, both in Canada and from our international partners. The CRGs are voluntary actions aimed at augmenting your organization’s cyber security posture. They should not be seen as a comprehensive cyber security framework or a one-size-fits-all approach to cyber security.
“Given that the CRGs are a starting point, we encourage your organization to make risk-informed decisions based on your context,” the Cyber Centre adds. For example, your organization should determine how often you should revisit the goals identified in the CRGs. Your organization should also prioritize the goals, based on the maturity of your cyber security program, with the objective of continuously improving cyber security by implementing as many of the recommended actions as resources allow.
