Recently, the Government of Canada introduced new legislation, Bill C-26, to amend the Telecommunications Act and the Canada Evidence Act and introduce new cybersecurity regulations to protect critical infrastructure.
The parts of the bill grabbing all the headlines include the removal and replacement of Huawei and ZTE equipment from Canada’s telecom networks. What’s not getting as much attention is the introduction of The Critical Cyber Systems Protection Act (CCSPA). So, let’s take a closer look at the CCSPA.
Bill C-26’s objectives are to “establish a regulatory framework” to strengthen baseline cybersecurity for services and systems vital to national security and public safety and to provide the Government with “a new tool to respond to emerging cyber threats.” Put more simply, the primary goal of the act is to ensure that designated operators protect the networks and systems underpinning Canada’s critical infrastructure. The Act targets specific sectors, and the vital services and systems in question are:
- Telecommunications services
- Interprovincial or international pipeline and power line systems
- Nuclear energy systems
- Transportation systems (within the legislative authority of Parliament)
- Banking systems
- Clearing and settlement systems
The bill also states that the Governor in Council may add other sector-specific services and systems to this list later on.
This Act provides the Governor in Council with the power to issue Cyber Security Directions (CSDs). The main goal of these CSDs is to direct a designated operator (or group of operators) to protect a critical cyber system based on measures identified in the CSDs. It’s worth noting that CSDs can also require operators to complete these actions within a specified timeframe.
It’s all very high level at this point, but even at this stage, the broad strokes of the legislation are evident. Operators of critical infrastructure will be required to:
- Establish a cybersecurity program that clearly documents how each operator will protect their “critical cyber systems”
- Report all cyber incidents that meet or exceed “a specific threshold” to the Communications Security Establishment’s Canadian Centre for Cyber Security
The exact threshold for reporting cybersecurity incidents is yet to be determined, but the summary of the Act states that the threshold will be established in forthcoming regulations. What’s clear right now is that the government is getting serious about securing critical infrastructure, as Bill C-26 promises serious penalties for non-compliance, including significant fines or even imprisonment.
We work with many of the operators in the designated sectors and can say with confidence that our customers are well positioned to comply with the conditions of the act right now. While many operators are ahead of the curve, we also know that there are still many laggards among critical infrastructure operators, and the CCSPA may serve as a rude awakening to them. Budget concerns, staffing issues, and other reasons for not having established a comprehensive cybersecurity program will no longer be relevant once this act goes into effect. Operators will need to develop a program, and the capacity to promptly report incidents and respond to government-issued CSDs, or they will pay heavy penalties. It’s as simple as that.
We’re glad that the federal government is taking the protection of critical infrastructure seriously, but we foresee a bumpy road ahead when it comes to actual implementation. While the Governor in Council may issue a CSD that says, “protect this system within X days,” the problem is that critical infrastructure consists largely of OT environments, which are highly diverse and very difficult to change.
As we’ve established in past ICS cybersecurity posts, a cybersecurity consultant specializing in industrial control systems cannot simply walk into a facility and rattle off a series of cookie-cutter recommendations. When helping a customer align their program to a cybersecurity framework, a primary goal of an OT security advisor is to logically segment their OT systems by function to ensure that only necessary personnel have access. However, this is a meticulous process undertaken with the utmost caution to prevent disrupting normal operations. Every OT environment is made up of a wide range of different, proprietary technologies that perform very specific functions and are linked by specialized communication protocols. Gaining a clear understanding of the systems present in these types of environments and how they interoperate takes time and careful listening.
Aligning an organization’s cybersecurity program with an established cybersecurity framework is one thing, but achieving and maintaining an appropriate maturity level measured against that framework is the real goal. Our task as an advisor is to help our customers select a framework, establish the general scope of improvements, set the target maturity levels, and put plans in place to achieve those levels over a realistic time frame. Promoting these objectives with designated operators will require the government to get into the weeds and clearly define what a critical system is and how it must be secured.
Making changes to an OT environment is like steering an aircraft carrier; it doesn’t turn on a dime. For example, most OT environments have only one or two maintenance windows per year, and they must be as short as possible to prevent service disruptions. One unexpected incompatibility between the designated fix and a single industrial control system can seize up operations at a factory or field site for hours, or even days. If complying with a CSD requires an operator to apply a change to their environment outside of the designated service windows, what then? Applying a brand-new patch to an OT production environment without prior testing is never a good idea, so allowing operators to implement temporary workaround solutions and granting them sufficient time to test the permanent fixes specified in each CSD may alleviate this concern.
Ultimately, the Communications Security Establishment has a great deal of work ahead of it when it comes to establishing specific regulations. It’s great that the government is demonstrating its attentiveness to critical infrastructure security, but there are limitations to how quickly operators can apply changes to these types of environments, and we hope the forthcoming regulations take this into account.