Insight
Canada Introduces Bill C-26: Setting Cybersecurity Standards to Safeguard Critical Infrastructure
In response to growing cyber threats around the globe, the House of Commons of Canada has introduced Bill C-26 to establish a baseline for good cyber hygiene within the nation’s critical infrastructure. The bill comes in response to a growing number of cybersecurity incidents throughout the country.
The bill, also referred to as the Critical Cyber Systems Protection Act (CCSPA), authorizes the Governor in Council to designate any service or system as vital to the country’s security and establish a class of operators (or organizations) that are responsible for the cybersecurity of those vital systems. Designated operators are then tied to a branch of the government which will oversee the implementation of the regulatory requirements put forth in the bill. For example, the Minister of Transport will be tasked with overseeing the cybersecurity programs of any federally regulated transportation system.
In 2019, 21% of Canadian businesses reported being impacted by cybersecurity incidents. However, it is likely that this number is even higher, because prior to C-26’s passing, the country lacked an incident reporting mandate. The CCSPA specifically targets telecommunications, finance, energy and transportation. This is the first time that Canada has passed a bill addressing cybersecurity in critical infrastructure and follows similar bills passed in the U.S., such as S.2491 – Defense of United States Infrastructure Act of 2021.
What's at Stake
The bill’s goals are multifaceted. Designated operators will need to implement cybersecurity programs, develop systems for mitigating supply chain vulnerabilities, and institute a two-step reporting process for any cybersecurity incident that may occur. These regulations are intended to shine a light on the scope of cyber attacks nationwide and give regulators visibility into the current state of cyber threats to critical infrastructure. While organizations may not currently be too motivated to report an incident, penalties will now be instituted for those who do not report an incident under the new law.
The bill also imbues responsible regulators with broad inspection and audit powers, including the ability to ask organizations to conduct internal audits. Noncompliance with the provisions of CCSPA (including delays in reporting incidents) can result in fines of up to C$15 million, and failure to adhere to certain sections can result in criminal fines or imprisonment.
Adjusting to a New Environment
As designated operators adjust to the new regulatory environment, they need an experienced partner by their side. ABS Consulting has a comprehensive portfolio of services to assess, design, and help implement OT cybersecurity programs to assist companies in complying with CCSPA. Furthermore, as new reporting mandates reveal the true extent of the threat against Canada’s OT systems, ABS Consulting has the capacity to go beyond basic compliance, offering cybersecurity strategies designed to help guide organizations through attack monitoring, detection, response and recovery.
The Solution
Basic cyber hygiene can go a long way toward reducing industrial cyber risk. To mitigate risk and shrink attack surfaces, companies should:
- Take industrial cyber seriously. Industrial cybersecurity should be a business imperative. It can be as important to your growth as any other strategic investment. Make sure to have the program, investment, and capabilities in place to minimize your OT cyber risk.
- Learn what to protect. Make sure to have a robust and automated asset inventory and management system. This will let companies know what they need to protect and which components are connected.
- Manage vulnerabilities. Once a business knows what to protect, it can begin to assess the holes in its defenses, prioritize those holes, and close them.
- Consider cyber from the beginning. Cybersecurity should begin in the concept phase. Companies should make sure security-by-design and supply chain risk management are a core part of their new construction and expansion.
- Maintain visibility and control. Companies should invest in robust monitoring and response programs. Without these programs, cybersecurity teams might as well be flying blind.
- Find the right partner. Industrial cyber is a challenge. It takes domain expertise and a solution built specifically for OT environments. Our team of OT cybersecurity experts can help you design the program that better fits your needs.
Good cybersecurity hygiene leads to preventative actions.