The Canadian Centre for Cyber Security released its Cyber Security Readiness Goals (CRGs) on October 29, 2024. This guidance provides Canadian critical infrastructure (CI) operators with 36 actionable goals designed to enhance security, minimize risks, and reinforce Canada’s resilience against evolving cyber threats. Aligned with the NIST Cybersecurity Framework 2.0, the CRGs support system owners in protecting vital assets and improving the security posture across various sectors, including energy, finance, healthcare, and telecommunications.
Key Threats Addressed
Canada’s CRGs address the increased cyber risks impacting CI. Key threats include:
- Nation-State Cyber Actors: CI sectors face persistent targeting from state-sponsored actors in countries like China, Russia, Iran, and North Korea, who use cyber operations for espionage, geopolitical leverage, and potential disruption of essential services.
- Ransomware Attacks: Targeted ransomware (or "big game hunting") poses an immediate threat to CI operators who, facing operational disruptions, are often more willing to pay large ransoms. This tactic has impacted healthcare, financial services, and essential utilities globally.
- AI-Driven Cyber Threats: Adversaries use AI to enhance the sophistication of phishing, social engineering, and malware tactics. These technologies enable attackers to evade traditional defenses and exploit vulnerabilities within connected operational technology (OT) environments, increasing CI’s overall exposure.
Framework and Alignment
The CRGs align closely with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Cross-Sector Cybersecurity Performance Goals (CPGs) to facilitate cross-border collaboration. This alignment aids CI organizations operating between Canada and the U.S., helping streamline defense mechanisms across the North American region. The CRGs also include a Govern pillar, focusing on organizational accountability, cloud provider vetting, and privacy leadership, highlighting the Canadian Centre’s commitment to comprehensive governance as a key defense.
Core Components
The CRGs are structured to cover six pillars of security:
- Govern - Emphasizes the importance of cyber security leadership and privacy governance.
- Identify - Ensures complete asset inventories, including cloud ecosystems, for improved visibility.
- Protect - Outlines training, secure log storage, and cyber hygiene standards.
- Detect - Strengthens monitoring capabilities for timely identification of threats.
- Respond - Details incident response procedures for CI-specific cyber threats.
- Recover - Focuses on recovery protocols to minimize disruption and restore operations post-incident.
Sector-Specific Expansion
Recognizing that each CI sector faces unique challenges, the Canadian Centre will issue additional sector-specific goals for energy, telecommunications, finance, and transportation. These customized guidelines will consider the specific threat landscapes and operational requirements of each sector, helping organizations prioritize actions that align with their current cyber maturity and risk levels.
Next Steps for Implementation
CI operators are encouraged to use the Cross-Sector Cyber Security Readiness Goals Toolkit, which includes:
- Outcome-Driven Actions: Each goal is paired with specific outcomes, recommended actions, and risks addressed.
- TTPs and Mitigation Guidance: Risk statements and references to MITRE ATT&CK’s tactics, techniques, and procedures (TTPs) are provided to help mitigate advanced threats.
- Framework References: Cross-references with NIST CSF 2.0 and related guidance streamline alignment with existing frameworks.
The CRGs and the upcoming Cyber Security Readiness Framework (CRF) will serve as foundational resources to guide CI operators. These efforts represent a commitment to maintaining and continuously advancing Canada’s national security and CI resilience against cyber threats.
Conclusion
The CRGs mark a critical step in Canada’s cyber defense strategy. By implementing these cross-sector goals, CI operators in Canada contribute to a collective defense approach that enhances national security and operational continuity, reinforcing Canada’s resilience against an increasingly sophisticated cyber threat landscape.