National Critical Infrastructure Assurance Program
Discussion Paper
DRAFT - November 1, 2002
Table of Contents
1.0 INTRODUCTION
2.0 PURPOSE OF NCIAP
3.0 DEFINITION OF NATIONAL CRITICAL INFRASTRUCTURE
4.0 NCIAP APPROACH
    4.1 ASSURANCE ACTIVITY AT ALL LEVELS
    4.2 NATIONAL LEVEL RISK MANAGEMENT APPROACH
    4.3 NATIONAL CRITICAL INFRASTRUCTURE SELECTION CRITERIA
    4.4 PRINCIPLES
5.0 CASE FOR PARTICIPATION
6.0 STAKEHOLDER ROLES
    6.1 PROPOSED STAKEHOLDER CONTRIBUTIONS
    6.2 PRIVATE SECTOR ROLE
    6.3 PROVINCIAL AND TERRITORIAL GOVERNMENTS ROLE
    6.4 GOVERNMENT OF CANADA ROLE
7.0 ISSUES FOR THE NCIAP
    7.1 NCI SELECTION CRITERIA
    7.2 EXCHANGING THREAT INFORMATION
    7.3 INFORMATION EXCHANGE FOR RISK MANAGEMENT
    7.4 LIABILITY MANAGEMENT AND COSTS
    7.5 GOVERNANCE/MANAGEMENT
    7.6 CO-ORDINATION WITH UNITED STATES
8.0 NEXT STEPS
NCIAP LEXICON
1.0 INTRODUCTION
The Office of Critical Infrastructure Protection and Emergency Preparedness
(OCIPEP) has been established to provide national leadership in the protection
of Canada's critical infrastructure and in the enhancement of emergency
management in Canada. OCIPEP is also the government's primary agency for
ensuring national civil emergency preparedness.
For several months, OCIPEP has been discussing with partners the feasibility
of developing a program to provide appropriate assurance for critical
infrastructure (CI): those systems, assets and network elements that would
have national impacts should they be unavailable due to an emergency situation.
These discussions have led to a proposal for a National Critical Infrastructure
Assurance Program (NCIAP) with the goal of assuring service and function
continuity for Canadians.
This paper is a discussion document to stimulate a productive dialogue
with principal stakeholders on key concepts and issues, including those
that require joint or collaborative actions. Response to this paper will
shape the establishment of the NCIAP.
2.0 PURPOSE OF NCIAP
Canadian citizens and organizations have come to depend on a wide range
of physical and cyber infrastructures, from power grids and computer networks
to water systems and roads. Events such as the 1998 Ice Storm, the 2001
Code Red computer worm and the September 11, 2001 terrorist attacks have
demonstrated that these important infrastructures are vulnerable, and
that their disruption can have significant impacts on our lives and our
economy. Canadians require solid assurance that these infrastructures
are viable and resilient to disasters and attacks. These infrastructures
have grown highly complex and interdependent and are owned by many different
parties, so there is no longer any single government, region, or company
that can stand up and provide this assurance. A national partnership is
required in order to provide the best possible assurance of infrastructure
resilience and viability for Canadian citizens, businesses and governments.
The purpose of the NCIAP is to establish an ongoing, dynamic,
national partnership among critical infrastructure owner/operators and
governments to assure the continued functioning of Canada's critical infrastructure.
Having this partnership will increase the overall critical infrastructure
protection (CIP) capability within Canada; that is, the ability to
prepare for, protect against, mitigate, respond to and recover from critical
infrastructure disruptions or destruction. The NCIAP will seek to assist
industry and governments at all levels in Canada, while respecting individual
mandates and accountabilities. The program will increase awareness of
CIP issues, promote communication among sectors and regions and support
existing CIP programs.
The program will benefit:
- Canadians through more secure infrastructure;
- industry through support and better information
to operate their own assurance activities efficiently;
- emergency planners and first responders
through better partnerships with CI owner/operators; and
- governments through the ability to better
meet the expectations of Canadians and represent Canada's interests
in international fora.
3.0 DEFINITION OF NATIONAL CRITICAL INFRASTRUCTURE
3.1 NCI DEFINITION
Canada's National Critical Infrastructure (NCI) consists of those physical
resources, services and information technology facilities, networks and
assets which, if disrupted or destroyed, would have a serious impact on
the health, safety, security or economic well-being of Canadians or the
effective functioning of governments in Canada.
The task of defining NCI is more challenging because of:
- increasing dependence on information systems and networks for the
operation of all critical infrastructure;
- the possibility of cascading effects resulting from interdependence
of elements;
- governments only owning and operating a small share of the NCI; and
- "borderless" cyberspace.
3.2 NCI SECTORS
The NCI exists in six sectors:
- Energy and Utilities Sector (electrical and nuclear power, natural
gas and oil production and transmission systems);
- Communications Sector (telecommunications, Internet and broadcasting
systems);
- Services Sector (financial services and health care);
- Transportation Sector (air, rail, marine, and surface);
- Safety Sector (nuclear safety, search and rescue, emergency services);
and
- Government Sector (major government facilities, services, information
networks or assets).
4.0 NCIAP APPROACH
OCIPEP proposes that the initial phases of the NCIAP focus on: the need
to work together; the evolving risk/threat environment; the benefits of
information exchange; and awareness raising.
Dialogue among CI owner/operators, sector associations and governments
is required to launch an effective public-private partnership. Earlier
consultations conducted by OCIPEP indicate that owners/operators of critical
infrastructure have concerns about the production of a national list of
critical infrastructure. The creation of a master list raises issues about
ownership and protection of the list and associated information. Consequently,
OCIPEP has shifted the focus from a Government of Canada (GOC) master
list of National Critical Infrastructure (NCI) to establishing a partnership
that will coordinate efforts to provide assurance that the combined actions
of infrastructure owners, operators, governments and others result in
a resilient and viable NCI. Consultations indicated an interest in a collaborative
approach to assuring the provision of critical services, systems, networks
and assets, and to better understanding the cross-impacts caused by potential
unavailability of elements in other sectors.
4.1 ASSURANCE ACTIVITIES AT ALL LEVELS
While the terms "critical infrastructure protection" or "critical
infrastructure assurance" are relatively new, a great deal of activity
has taken place in Canada within governments, individual companies and
sector associations.
Most (estimates are in the 80-90% range) of Canada's critical infrastructure
is owned and operated by private industry, with a small amount owned and
operated by various levels of government. These companies and governments
are continuously involved in developing their critical infrastructure
assurance capability. The owner/operator of an element of CI is accountable
for assuring it as part of normal business practices and is subject to
applicable regulatory requirements.
Owners and operators of CI already use a wide range of approaches and
strategies to assure delivery of critical infrastructure services. The
NCIAP could increase this capability by:
- raising awareness of CI issues nationally;
- conducting outreach to encourage and support local, provincial/territorial
and sectoral programs;
- developing a Government of Canada program for its own CI ("getting
our house in order");
- coordinating Government of Canada efforts in selected / high impact
areas, such as research and development, training and education, and
sharing and promoting best practices;
- coordinating the CI efforts by all levels of government; and
- facilitating international cooperative initiatives.
4.2 NATIONAL LEVEL RISK MANAGEMENT APPROACH
OCIPEP is proposing to launch the NCIAP as an ongoing, dynamic, national
partnership among critical infrastructure owner/operators and governments
in order to:
- enhance information sharing;
- identify cross-sectoral interdependencies;
- generate useful, timely threat and vulnerability assessments; and
- strengthen analysis and warning capabilities.
Assuring CI services against disruption or failure is a risk management
process. Some organizations manage this process formally; many others
do it informally.
Risk management comprises a spectrum of possible actions. Owners and
operators manage their risks of operation by investing in a range of activities
to ensure the viability and resiliency of their critical infrastructure
services. Ensuring a resilient and viable infrastructure includes activities
such as prevention, mitigation, response and crisis management, recovery
and restoration.
Since 100% security or assurance is neither feasible nor affordable,
decisions will require sound risk management practices. Risks can be better
managed by focusing investments on the most relevant threats and vulnerabilities.
Decisions on investments are based on determinations of the types of consequences
that could result if potential threats were to exploit vulnerabilities.
As risk management is implemented as a continuous improvement process,
better knowledge of both the vulnerabilities and plausible threats improves
the quality of these decisions.
The goal of the process is to increase knowledge of vulnerabilities and
understanding of threats, and thereby to increase the ability of all members
of the partnership to manage risk better.
4.3 NATIONAL CRITICAL INFRASTRUCTURE SELECTION CRITERIA
The criteria for determining those factors that make a particular infrastructure,
or element of an infrastructure, critical are expanding. For instance,
events in the US in September 2001 showed the potential importance of
identifying 'symbolic' infrastructure (e.g., Parliament Hill, CN Tower,
Financial District, etc.).
The NCIAP partnership will work together in the development of selection
criteria for NCI. These selection criteria should also be founded on a
collective determination of expertise within each sector and relevant
specialized knowledge.
Three factors are suggested for identifying potential NCI:
- Scope - The loss of an NCI element is rated by the extent of the
geographic area which could be affected by its loss or unavailability:
international, national, provincial/territorial or local.
- Magnitude - The degree of the impact or loss is assessed as None,
Minimal, Moderate or Major. A single metric (e.g., a dollar figure)
will not apply consistently across all sectors. Among the criteria
which could be used to assess potential magnitude are:
  - Service delivery (qualitative measure of lost or degraded service
  delivery);
  - Public impact (loss of life, medical illness, serious injury,
  evacuation);
  - Economic (loss of service or degraded service);
  - Political (confidence in the ability of government);
  - Environmental (impact on the public and surrounding location); and
  - Interdependency (between other CI elements).
- Effects of time - This criterion ascertains at what point the loss of
an element could have a national impact (i.e., immediate, 24-48 hours,
one week, other).
4.4 PRINCIPLES
The principles of the NCIAP are:
Promote broad participation
While the federal government has a responsibility to contribute to a national
strategy, the participation of stakeholders from private industry and
from provincial/territorial governments is essential to the NCIAP's success.
Participation is voluntary for non-federal agencies, and can take many
forms in terms of partnerships, work programs, and concurrent activities.
Build on activities within Canada
The NCIAP will complement and enhance current CIP activities and relationships
within Canada: those that are well-established and those that are in
the formative stages.
Build international relationships
While the focus for the NCIAP is within Canada, the Government of Canada
is also involved in international discussions that will affect relevant
activities in Canada (for example, Canada's commitment to the Canada -
U.S. Smart Borders declaration). Provincial and territorial governments
and sectoral associations are currently involved in a range of cross-border
CIP activities. The NCIAP will complement and enhance these cross-border
and international activities.
Adopt an all-hazards approach
Canada's critical infrastructure could be affected by either deliberate
attack or natural hazards. For example, electricity supply can be severely
disrupted by a tornado (physical threat), a major accident (physical or
IT threat) or a computer hacking attack that disables an essential control
system (IT threat). The NCIAP will reflect an all-hazards approach.
Promote accountability
Owners of critical infrastructure provide assurance, based on the need
for business or functional continuity. The NCIAP is intended to support
this accountability through program activities that increase understanding
of threats, vulnerabilities and interdependencies and best practices to
manage risk.
Enable information sharing
Information exchange is the foundation of the NCIAP approach. Initial
consultation among federal government departments and the private sector
identified information protection and exchange as the most significant
issues to be resolved in order to engage the participation of the private
sector. OCIPEP is working with its partners toward an information-sharing
framework to address these challenges.
5.0 CASE FOR PARTICIPATION
The NCIAP will provide a forum to promote a range of actions designed
to meet program objectives that are jointly agreed. The aim is to increase
national assurance capability and effectiveness for CI sectors. It will
support and strengthen existing partnerships and programs between the
Government of Canada, provincial/territorial governments and the private
sector.
The benefits to participants include:
- better information and understanding about threats and vulnerabilities
that put our CI at risk;
- the opportunity to work with other sectors on which their own CI is
dependent;
- better understanding of interdependencies so that services become
less vulnerable to disruptions;
- increased ability to meet customer and shareholder expectations about
assurance;
- increased awareness of current CI issues;
- facilitation of dialogue among stakeholders to share best practices;
- better-focused R&D, training and education; and
- dynamic U.S. - Canada collaborative projects and activities.
And for Canada and Canadians, the benefit is better readiness, reliability
and continuity of critical services.
6.0 STAKEHOLDER ROLES
The major stakeholders in this program are the CI owner/operators and
provincial, territorial and federal governments that represent Canadians.
6.1 PROPOSED STAKEHOLDER CONTRIBUTIONS
All stakeholders could participate in and benefit from:
- multi-jurisdictional partnerships for information and best practices
sharing;
- R&D efforts;
- training and awareness programs; and
- sectoral, regional and national-international exercises.
6.2 PRIVATE SECTOR ROLE
Private sector partners/associations could:
- develop, lead and manage sectoral CI identification and assurance
programs; and,
- develop best practices and interdependencies analyses.
6.3 PROVINCIAL AND TERRITORIAL GOVERNMENTS ROLE
Provincial or territorial governments could:
- develop, lead and manage provincial/territorial programs (for all
critical infrastructure with a provincial/territorial scope);
- work with other partners to devise protection/assurance of their infrastructure
(e.g. via police/emergency management expertise); and
- issue guidelines within regulated sectors as warranted.
6.4 GOVERNMENT OF CANADA ROLE
The Government of Canada could:
- coordinate the development of the NCIAP;
- develop programs aimed at national outreach and awareness raising;
- coordinate policy development aimed at solution building (e.g., information
exchange, protection issues);
- work with other partners to devise protection/assurance of their infrastructure
(e.g. via police/military/security/emergency management expertise);
- develop guidelines and best practices;
- provide warnings, alerts, advisories and relevant threat assessments;
and
- provide links to other national and international programs.
7.0 ISSUES FOR THE NCIAP
The NCIAP is in the formative stages and issues will continue to arise
as the program evolves. Some of the issues that will require attention
are listed here.
7.1 NCI SELECTION CRITERIA
- What are the selection criteria for identifying and prioritizing elements?
A set of criteria is being developed and used initially by the federal
and provincial/territorial governments to identify their own CI. These
criteria could form the basis of discussions within the partnership during
the risk management process of the NCIAP.
7.2 EXCHANGING THREAT INFORMATION
- What is the most effective means of preparing and disseminating relevant
threat assessments, specific warnings and advice in a timely manner?
OCIPEP is examining the feasibility of a CI incident warning system to
assist stakeholders responsible for emergency
management and critical infrastructure protection. In its first year of
operation, OCIPEP has developed a program which disseminates alerts, advisories,
information notes and other analyses to CI owner/operators in Canada.
While the Government of Canada has extensive networks which generate
threat-related information, other NCIAP partners may likewise learn of
potential threats via their own contacts and associations. In the United
States, several sectors have established Information Sharing and Analysis
Centers (ISACs) as voluntary, cooperative information-exchange arrangements.
The U.S. government has taken the role of facilitator for some ISACs,
and government agencies participate as members of some ISACs. In other
cases, the ISACs operate exclusively within industries.
- Should the ISAC model be considered in Canada?
- Which other models could be used?
7.3 INFORMATION EXCHANGE FOR RISK MANAGEMENT
The NCIAP depends on the willingness of partners to exchange information
about their CI including assessments of criticality and interdependency
and existing assurance plans.
- Under what conditions can we establish robust information sharing
arrangements?
- What are the concerns and how can they be addressed?
- Does current access to information/freedom of information legislation
support or constrain the sharing of CIP relevant information?
7.4 LIABILITIES AND COSTS
- What are the liabilities and costs (or benefits) that might accompany
the designation of industry assets as national critical infrastructure?
7.5 GOVERNANCE/MANAGEMENT
- How formal should the NCIAP be?
- What, if any, governance arrangement is required?
- What, if any, legislative basis is required for NCIAP?
- What are the resource implications?
7.6 CO-ORDINATION WITH UNITED STATES
A July 2002 report by the United States General Accounting Office identified
CIP responsibilities spread across 50 federal organizations in the U.S.
The same month, the President announced plans to establish a Department
of Homeland Security which would amalgamate many of these programs, as
well as associated staff and resources.
- How will Canada coordinate its CI assurance programs with those of
the U.S. at the national, regional and sectoral levels?
8.0 NEXT STEPS
OCIPEP invites stakeholders to shape the NCIAP by providing input on the
concepts and questions presented in this paper.
OCIPEP intends to share an aggregated summary of stakeholders' comments
in keeping with the partnership philosophy of this discussion paper.
OCIPEP is currently planning regional and national meetings and workshops
with stakeholders. More details will be provided shortly.
NCIAP LEXICON
Critical Infrastructure (CI)
Those physical resources; services; and information technology facilities,
networks and assets which, if disrupted or destroyed, would have a serious
impact on the operation of an organization, sector or government.
Critical Infrastructure Protection (CIP)
The programs, activities and interactions used by owners and operators
to protect their critical infrastructure.
CIP capability
The ability to prepare for, protect against, mitigate, respond to, and
recover from critical infrastructure disruptions or destruction.
Infrastructure
The framework of interdependent networks and systems comprising identifiable
industries, institutions (including people and procedures), and distribution
capabilities that provide a reliable flow of products and services, the
smooth functioning of governments at all levels, and society as a whole.
National Critical Infrastructure (NCI)
Critical infrastructure which, if disrupted or destroyed, would have a
serious impact on the health, safety, security or economic well-being
of Canadians or the effective functioning of governments in Canada.
National Critical Infrastructure Assurance
The expectations of Canadians that NCI will continue to function and that
governments and private sector owners and operators will co-operate to
guarantee the resilience and viability of NCI services.
National Critical Infrastructure Assurance Program (NCIAP)
The Government of Canada's proposed response to addressing the complex
issues around national critical infrastructure protection, through the
establishment of an agreed national framework for the provision of national
level risk management and increased CIP capability. The goal of NCIAP
is to provide assurance for service and function continuity of NCI in
Canada by working through partnerships with all NCI stakeholders.
Risk
The possibility of loss, damage or injury. The level of risk is a condition
of two factors: (1) the value placed on the asset by its owner/operator
and the impact of loss or change to the asset, and (2) the likelihood
that a specific vulnerability will be exploited by a particular threat.
Risk Assessment
A process of evaluating threats to the vulnerabilities of an asset to
give an expert opinion on the probability of loss or damage and its impact,
as a guide to taking action.
Risk Management
A deliberate process of understanding risk and deciding upon and implementing
actions to reduce risk to a defined level, which is an acceptable level
of risk at an acceptable cost. This approach is characterized by identifying,
measuring, and controlling risks to a level commensurate with an assigned
level.
Threat
Any event that has the potential to disrupt or destroy critical infrastructure,
or any element thereof. An all-hazards approach to threat includes accidents,
natural hazards as well as deliberate attacks.
Threat Assessment
A standardized and reliable manner to evaluate threats to infrastructure.
Vulnerability
A characteristic of an element of the critical infrastructure's design,
implementation, or operation that renders it susceptible to destruction
or incapacitation by a threat. (Synonym = weakness)