You have accessed an archived page on the Public Safety and Emergency Preparedness Canada website. This material may be outdated. Please consult our new site for up-to-date information.

National Critical Infrastructure Assurance Program

Foreword

Background

PSEPC has been discussing with partners the feasibility of developing
a program to provide appropriate assurance for critical infrastructure
(CI) -- those systems, assets and network elements that would have national
impacts should they be unavailable due to an emergency situation. These
discussions have led to a proposal for a National Critical Infrastructure
Assurance Program (NCIAP) with the goal of the continued availability
of essential services to Canadians. A draft NCIAP Discussion
Paper was issued November 1, 2002 to stimulate a productive dialogue
with principal stakeholders on key concepts and issues. As announced in
the National Security Policy on April 27, 2004, an updated NCIAP Position
Paper will be issued in the summer of 2004.

This paper builds on the work done in the draft document Tool to Assist Owners and Operators to Identify Critical Infrastructure Assets released on December 19, 2002 and the consultations with, and feedback from, stakeholders on that document. The material from consultations, conferences, studies, workshops and available literature on Critical Infrastructure Protection displayed increasing congruence of the various models in use; for example, many jurisdictions have looked at and supported the National Contingency Planning Group March 2000 report and supporting material Canadian Infrastructures and their Dependencies, which provided a detailed reference for modeling criticality and interdependencies of Canada's infrastructures.

This paper does not supersede the Tool to Assist
Owners and Operators to Identify Critical Infrastructure Assets
which remains a valid reference document as it and other existing asset
identification models can be used as complementary tools to this paper.
For example, owners, operators and critical infrastructure stakeholders
may use the approach in this paper to either validate an existing list
or to develop an initial list of critical assets. There is significant
benefit in validating a critical assets list against other models.

Objectives

One proposal for consideration is that CI stakeholders tie their individual organization or sector ratings into the CI Priority Assessment Screening Model grid shown at the end of this paper until the overall model is developed. This screening model reflects the risk management approach upon which the NCIAP is based. Many CI owners use risk management during their normal business practices and the use of consistent, proven, risk management principles (as presented in this paper and in the NCIAP Position Paper) will contribute to the uniform use of the overall model developed.

It is also proposed that if CI owners, operators and stakeholders need assistance with Vulnerability Assessments, Threat and Risk Assessments or funding, that they must illustrate their requirements with the eventual model. PSEPC will meet with interested stakeholders to review the application of the proposed criteria in the context of the NCIAP Position Paper.

The identification and rating of CI assets fits squarely within the risk management process. Because assets have differing values, an assessment is required to determine the investment to properly secure them. Some assets are indispensable to the continuity of a service and will require significant resources to provide for their security. As 100% protection is neither affordable nor feasible, the assuring of CI services against disruption or failure is ultimately a risk management process.

A risk management framework, such as the one issued by the Treasury Board
of Canada Secretariat for the Government of Canada (GOC), provides an
organization with a mechanism to develop an overall approach to manage
strategic risks by creating the means to discuss, compare and evaluate
substantially different risks on the same page. It applies to an entire
organization and covers all types of risks faced by that organization
(e.g. policy, operational, human resources, financial, legal, health and
safety, environment and reputational). Implementation of a risk management
framework will support governance responsibilities, improve results through
more informed decision-making, strengthen accountability and enhance stewardship.

The Treasury Board Secretariat's Integrated Risk Management Framework anticipates that the GOC's implementation of the framework will:

See Treasury Board of Canada Secretariat (TBS), Integrated
Risk Management Framework, March 2000.

For the NCIAP, reference to a common risk management process will encourage
partners and CI sectors to address identified CI consistently within a
common risk management process. For the purposes of this paper, Figure
1 below illustrates a risk management model based on widely-accepted business
continuity practices. The following model uses four stages as the basis
of an ongoing, iterative risk management process. Other models use additional
stages, but all start with the identification of assets (and/or associated
services) and the associated impact assessments relating to loss or damage
of each asset (and/or service) as the starting point. Using this information,
the assets (and/or services) are prioritized based on the potential consequences
of their loss.

Stage 3 involves the activities undertaken to control the risks to the service and calls upon the discretion and accountability of the executive level of the organization. The risk control stage is a consideration of possible measures to be taken to minimize threats and to reduce the vulnerabilities of and the impacts to the asset from the hazard.

The stage 4 level is reached when there is an acceptable level of risk
for each asset. Stage 4 also involves an ongoing assessment of each new
asset and changing threat and vulnerability information to determine the
requirement to re-allocate scarce resources. Under the NCIAP, information
sharing is recognized as fundamental to cooperative efforts in protecting
critical infrastructures. Incorporating information sharing solutions
into the regular business processes of stakeholders will facilitate the
review process. In addition, the criteria (used in stage 1) for determining
what might be critical assets have changed and expanded over time and
will likely continue to do so.

Asset selection criteria

Characterize or standardize assets

At the highest level in the NCIAP, PSEPC has identified 10 main sectors:
Energy and Utilities, Communications and Information Technology, Finance,
Health Care, Food, Water, Transportation, Safety, Government and Manufacturing.
These broad sectors are divided into sub-sectors which are further sub-divided
into more detailed descriptions of the infrastructure. For example, the
Energy and Utilities sector is divided into Electrical Power, Natural
Gas and Oil Production and Transmission Systems. Electrical Power is sub-divided
into power generation plants, transmission stations, power line corridors
(or transmission lines), distribution stations, control centres and nuclear.
For the purposes of this paper, it is expected that partners and CI sectors
will focus at a comparative level of detail as shown in the Electrical
Power sub-sector example.

Without standardization of the assets to be considered, prior to any attempted assessment, potentially critical assets might not all be at an equal level of granularity. The level of detail would likely vary from CI sector to CI sector depending on whether the asset and/or service impacts the owner/operator and population at a local, regional, provincial or national level.

Before attempting to measure criticality, the asset listing should be validated by the appropriate owners and operators of the infrastructure. A useful review process is provided in Science Applications International Corporation Contractor's Final Report prepared for The American Association of State Highway and Transportation Officials' Security Task Force, A Guide to Highway Vulnerability Assessment for Critical Asset Identification and Protection.

Establishing criticality

Experience has shown that it is a fairly straightforward process to identify critical assets (Op. cit. Deloitte & Touche report, page 8). However, it is most often very difficult (1) to establish the criticality of an asset compared to other assets and (2) to quantify the potential impact of the loss or compromise of an asset or service in precise terms such as dollar value. This occurs because assessing value is more complex than it first appears. One might consider replacement cost, or book value of an asset, but this may understate the impact of the loss of the asset as the asset takes on acquired value because it supports a service function (Op. cit. Deloitte & Touche report, page 9). For example, the value of navigational equipment to support air and marine services exceeds its replacement cost. See also RCMP Technical Operations Directorate, Information Technology Security Branch, Guide to Threat and Risk Assessment for Information Technology, November 1994, page 2.

While the notion of acquired value is logical, attempting to quantify it is often quite difficult except on simple scales such as "Low, Medium, High, etc." These scales generally provide enough accuracy to identify and prioritize the most critical assets in the infrastructure of the enterprise (Ibid. page 9).

Given experience with the various models and methodologies, it is recommended that measurement of criticality employ the qualitative measures "Low, Medium and High". Having an assessment team do this type of evaluation and rationalize different opinions can be very reliable. If necessary, the methodology can be refined using more precise quantitative techniques (one might introduce a quantitative technique for conducting a cost-benefit analysis of options for protecting a particular CI asset). For example, the economy-wide service impact associated with the loss of a critical telecommunications service asset could affect any number of businesses depending upon electronic commerce, which could in turn affect other enterprises in various CI sectors. The resulting multiplier effect could be estimated quantitatively using techniques such as input-output modeling. However, attempting to establish precise multipliers and costs is probably not necessary since the goal is to simply identify the most critical assets.

Successful models must strike a balance between simplicity and validity and should be designed to assess the criticality of various assets. Experience has shown that the process is not an easy one. Initial results should not be viewed as "cast in stone" but should be adjusted as the exercise progresses or is reviewed.

It is envisioned that the development of a rule set comprising critical
infrastructure impact factors and consequence criteria (these terms are
explained below) where the judgment is based on specific conditions being
met will lead to a simpler approach for establishing criticality. In the
next sections criticality is broken out into impact factors and consequence
criteria.

Impact factors (criteria)

Consequence criteria
Economic
Critical infrastructure sector
Interdependency
Service delivery
Public confidence

Ranking and the use of a rule-set

A CI priority assessment screening model is proposed on page 11 with
a rule-set based on consequence criteria. The consequence criteria employed
in the screening model provide a range of consequences from low to medium
to high. A severe consequence criterion has been proposed to allow for
executive discretion when rating the higher value assets. Finally, if
an asset is not critical, as it has negligible
impact assessment, a score of "0" should be used (this is not
shown on the grid).

The National Critical Infrastructure Assurance Program's chief objective
is that NCI is sufficiently resilient, thereby assuring the continued
availability of essential services to Canadians. The assurance actions
of the partners and the priorities of those actions are based on risk
management principles using common national criteria where appropriate.
The identification and ranking of CI assets fits squarely within the risk
management process of the NCIAP. The use of a common risk management process
will encourage partners to address CI consistently.

This paper identifies the following steps for identifying and ranking critical assets:

In the paper, the following six impact factors are proposed:
A Critical Infrastructure Assessment Screening Model is proposed. As
the NCIAP continues to move forward, CI owners and stakeholders will contribute
to the development of an overall model for identifying and ranking national
CI assets.