The Canadian Centre for Cyber Security (Cyber Centre), part of the Communications Security Establishment (CSE), has announced guidelines for a voluntary initiative designed to further protect services critical to Canadians and strengthen overall cybersecurity resilience. The Cyber Security Readiness Goals (CRG) resource provides a toolkit containing 36 cross-cutting cybersecurity practices that build on available advice and guidance. The CRG lists important steps organizations can take toward improving their cybersecurity posture in the face of increasingly complex cyber threats.
“CRG was developed in response to the increasing vulnerability of critical infrastructure (CI) to cyber threats,” said Rajiv Gupta, director of the Canadian Center for Cyber Security. “The purpose of these cross-cutting objectives is to strengthen cybersecurity and minimize potential risks to society, public safety, and the overall stability of Canada’s economy. Canada’s CI We face a major challenge in building resilience to
Mr. Gupta noted that helping Canada build resilience is key to the Cyber Centre’s role as Canada’s technical authority on cybersecurity. The CRG identifies specific actions on critical infrastructure that are worth taking at any time. The Cyber Center is also developing a Cyber Security Readiness Framework (CRF) that combines these cross-sector and sector-specific goals to help critical infrastructure mitigate cyber threats.
“The Cyber Center is designing these resources to help system owners and operators protect systems critical to Canada’s infrastructure, national security and public safety,” Mr. Gupta added. “By implementing these measures and adopting a cross-cutting approach, we are establishing a strong and effective defense mechanism to collectively address the ever-changing cybersecurity threat landscape.”
“As threats evolve, our response must become even more robust. Prevention is key, and this new resource provides an important line of defense against ransomware and other cyber threats,” said Canadian Centre for Cyber Security Deputy Director Bridget Walsh.
The CRG, announced on Tuesday, features six pillars and 36 cross-cutting cybersecurity objectives. The pillars follow the six functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0: governance, identification, protection, detection, response, and recovery. These goals are in line with recent work by the Cyber Centre’s international partners, including the UK’s Cyber Assessment Framework, a resource created by the UK National Cyber Security Centre for organizations with key roles in the UK, including critical infrastructure organizations, and the U.S. cross-sector Cybersecurity Performance Goals (CPG) published by the Cybersecurity and Infrastructure Security Agency (CISA).
During the 2023-2024 financial year, the Cyber Center worked with approximately 1,900 critical infrastructure organizations in Canada to strengthen Canada’s cyber resilience across sectors. These organizations are considered critical because they are essential to the functioning of Canada. Key sectors include democratic institutions; education; energy; finance; food; health; information and communication technology; manufacturing; municipal, provincial, territorial and Indigenous governments; transportation; and water.
This year, the Cyber Center highlighted working with Canada’s energy sector to improve cyber resilience. Last June, the Cyber Center released an assessment of the cyber threats to Canada’s oil and gas sector.
In many areas, Canadian companies work closely with US-based companies. Some have cross-border infrastructure. Given these interdependencies, the Cyber Center consulted with CISA during the development of the CRG to facilitate implementation of the goals across North America’s critical infrastructure sectors.
Currently, CISA CPG version 1.1 consists of 38 cybersecurity objectives, while the Cyber Center’s CRG includes 36. The CRG has some notable differences from the CPG. In line with the latest version of NIST CSF 2.0, the CRG includes a Governance pillar with goals that emphasize the value of establishing policies and procedures within an organization. In line with other updates to the CSF, the Governance pillar also includes goals that emphasize cyber-related privacy objectives and the importance of the people, processes, and technology needed to implement cybersecurity decisions.
The CRG includes other goals not included in the first version of CISA’s CPG, namely cloud and AI goals. The CRG also provides Canadian context for reference and recommended actions to mirror existing Cyber Center advice and guidance. Some of CISA’s objectives with similar outcomes, such as “Cybersecurity Leadership” and “OT Leadership,” have been consolidated and streamlined in Canada’s CRG.
Finally, CRG version 1.0 does not include a vulnerability disclosure goal. This is because Canada has no safe harbor rules, common in the United States, that allow researchers to test for vulnerabilities without incurring legal liability. Nevertheless, disclosing vulnerabilities is a worthwhile act, and incorporation of vulnerability disclosure goals will be considered in future versions of the CRG.
The Cyber Center and CISA remain committed to sharing information on fundamental cybersecurity objectives for critical infrastructure. These efforts will ensure harmonization of practices across the United States and Canada and will allow for regular revisions of the CRG and development of sector-specific goals in the future.
The CRG provides owners and operators of critical infrastructure in Canada with a set of achievable cybersecurity objectives to help them prioritize their cybersecurity investments and strengthen their cybersecurity posture.
The CRG adds further value by covering a wide range of actions for owners and operators of critical infrastructure, building on the work already being done by partners and the Cyber Centre. In addition to the CRG, the Cyber Center provides free cybersecurity guidance and tools to support the critical infrastructure sector. These include the Baseline Cyber Security Controls for Small and Medium Organizations, the Top 10 IT Security Actions to Protect Internet-Connected Networks and Information, and IT Security Risk Management: A Lifecycle Approach.
These resources provide guidance in line with the CRG. There is significant overlap between the CRG and these other tools, as the CRG integrates many of the recommended actions from these other publications. More than two-thirds of the baseline controls and top 10 IT security actions are captured in the CRG, which also provides additional recommendations. Like the baseline controls, the CRG is basic guidance that can be applied to critical infrastructure organizations.
The cross-sector goals toolkit presents each CRG in a structured format to help organizations understand the goal and its related aspects. Each entry covers the intended security outcome the goal strives to achieve; examples of actions an organization can take toward achieving the goal and outcome, which will be updated as new threats and defences are identified; and a risk statement or an associated reference to MITRE ATT&CK TTPs, where available. By implementing the recommended actions, organizations can reduce the risk of those TTPs being used effectively against them.
In addition, each goal lists the NIST CSF 2.0 subcategories most closely related to its security practices, along with Cyber Centre guidance relevant to the corresponding goal and outcome, as additional information and resources.
The agency said the CRG is just the beginning of the Cyber Center’s efforts to support cybersecurity preparedness in critical infrastructure facilities. These objectives will serve as the foundation for future cybersecurity preparedness programs and will be essential to strengthening the cybersecurity posture of Canada’s critical infrastructure. As part of the program, the Cyber Center will continue to educate critical infrastructure owners and operators to better protect their IT and OT from cyber incidents.
Going forward, the Cyber Center will update these cross-cutting CRGs as needed to ensure they remain relevant and applicable to evolving threats and ever-changing regulations. The cross-cutting CRG is a core resource for many Canadian critical infrastructure owners and operators.
The Cyber Centre is extending the cross-sector CRGs with sector-specific objectives. By analyzing each sector’s unique cyber maturity and technology, the agency provides recommendations tailored to that sector. For example, sectoral goals for the energy sector provide a customized view of the baseline goals that recognizes the capabilities of energy industry operators and the unique threat landscape they face. Based on several factors, the Cyber Center is focusing on developing sector-specific goals for the energy, finance, telecommunications, and transportation sectors.
In conclusion, the Cyber Center stated that the CRG is an important step forward in its efforts to strengthen the cybersecurity of critical infrastructure organizations. The Cyber Center will continue to work closely with industry to develop sector-specific goals for selected critical infrastructure sectors and provide additional customized guidance focused on the unique needs of each sector. These goals will be adapted as threats to Canada’s CI continue to evolve, ensuring that they remain applicable and relevant. Feedback from all partners contributes to the improvement of the CRG.
The sector-specific goals set by the CRG and CRF help CI organizations continually improve their cybersecurity posture. The Cyber Center will continue to work on guidance to support the implementation of CRGs in critical infrastructure. Preparation is a joint effort and a shared priority. The CRG is the starting point for setting Canada’s critical infrastructure towards a more resilient cyber security posture.
Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in security, data storage, virtualization, and IoT.