Français	Contact Us	Help	Search	Canada Site
About us	Policy	Research	Programs	Newsroom

Public Safety and Emergency Preparedness Canada

Home

INFORMATION FOR...

ALTERNATE PATHS...

A-Z index

Site map

Organization

OF INTEREST...

		SafeCanada.ca
		Tackling Crime
		EP Week
		Proactive disclosure

Printable version

Send this page

Home Programs Emergency management Critical infrastructure protection NCIAP Best practices

Best practices

What you can do to assure critical infrastructure

Best practices by sector:

Energy and utilities Communications and information technology
Finance
Health care
Food
Water
Transportation
Safety
Government
Manufacturing
International Initiatives
Questions, comments and concerns

Acknowledgements and disclaimer

What you can do to assure critical infrastructure

Canada depends on infrastructures that ensure the provision of essential goods and services such as food, water, transportation, communications, energy, health care and emergency response. These infrastructures are essential for the economic and social well being of Canada, and Canadians have high expectations as to the quality and reliability of the services they provide. In today's world, these critical infrastructures (CI) have become increasingly interconnected and interdependent due in part to a reliance on information technology and emerging business practices, such as shared infrastructure and just in time delivery. This ever-increasing connectivity means that we are increasingly vulnerable to failures caused by natural hazards, acts of terrorism or other human induced threats.

Infrastructure owners, operators, managers and regulators seek appropriate tools with which to make informed decisions. This document aims to provide a user-friendly summary of approaches outlining what you can do to assure CI. The following factors are common to all infrastructure sectors and are fundamental to CI assurance:

Actions designed to assure / protect CI are undertaken by all members of an organization to demonstrate good leadership and sound management;
CI assurance activities should be seen as part of regular business practices and must apply to both physical and cyber elements;
To ensure cost effectiveness, any assurance and security measures should be undertaken on the basis of vulnerability and threat assessments and risk management measures;
Critical infrastructure assurance must have corporate recognition and be demonstrated by all staff from senior management to line personnel;
Education and awareness, exercising and training, communication and information sharing, and continuous / regular review, analysis and update are hallmarks of best practices; and
Complete articulation and documentation of definitions, roles and responsibilities, pre-disruption, disruption, post-disruption and recovery planning, and long-term preparedness are necessary components of best practices.

This section of the summary provides information on generic best practices for the assurance of critical infrastructure that is broadly applicable to all sectors. In addition, the sector specific best practices described herein that address particular needs may also offer some useful information to other sectors. It is recommended that readers consider all of the best practices described in this summary and not just those associated with their particular sector.

Generic best practices

Generic best practices implies that all components have been considered in order to identify the most basic and common elements among them. If we look for the basic commonalities among the different critical infrastructure sectors we find six elements that are essential for ensuring the continuity of services:

Security - refers to the physical security of the infrastructure including human safety aspects;
Support by Senior Managers - is essential to critical infrastructure assurance since it is only with their support that line staff will implement critical infrastructure assurance measures;
Vulnerability Assessment - will help to establish and prioritize the potential weaknesses that exist;
Emergency Risk Management - is necessary to understand and identify appropriate risk mitigation and management needs;
Cyber Security - is equally important and needs to be considered in conjunction with physical security; and
Critical Infrastructure Assurance - is achieved when the necessary mechanisms are in place to conduct effective risk management. These mechanisms include but are not limited to information sharing arrangements, critical asset identification, threat information, vulnerability assessments, interdependency analysis, and business continuity planning.

With these six common elements in mind we need to build a framework for developing the tools necessary for the assurance of critical infrastructure. We can start this process by considering the key principles that must underlie initiatives in this area.

Key principles for best practices

Key principles help identify the types of approaches that are necessary for achieving the objective. There are seven key principles that underlie best practices for the assurance of critical infrastructure that need to be considered collectively and individually in the development of methodologies for all infrastructure sectors. Developed by the Network Reliability and Interoperability Council (NRIC)

, these seven self-explanatory principles are:

People implement best practices;
Best practices stress the essence of good guidance;
Best practices address classes of problems not specifics;
Many organizations already exercise best practices;
Best practices are developed by industry consensus;
Best practices need to be verified by broader industry members; and
Best practices only become such after consideration of the existing implementation level, effectiveness, feasibility of implementation, risk of not implementing and alternatives to the best practice.

With these key principles senior managers can begin the process of developing the necessary tools that line staff will need to assure the critical infrastructure for which they are responsible.

Best practices for senior managers

The Internet Security Alliance

(ISAlliance) was created in April 2001 with a mission to promote sound information security practices, policies and technologies. To this end, they have developed a series of action statements that are grouped under 10 high priority best security practices for demonstrating executive leadership in industry. The best practices address policy, process, people and technology issues, all of which need to be addressed for critical infrastructure and critical function and services assurance. A complete Common Sense Guide for Senior Managers is available from the ISAlliance website at http://www.isalliance.org/

. The ten best practices described therein have been adapted for application to the various critical infrastructure sectors and are summarized as follows:

General Management - senior management needs to promote and demonstrate commitment to critical infrastructure protection (CIP) so that CIP is considered as essential to conducting business and that security considerations become a routine part of regular business processes. Management needs to be aware of any legal or regulatory requirements and each level of management needs to know and understand their security roles and responsibilities;
Policy - documentation of priority security policies and the business objectives they protect, is essential for both governmental and senior management. Roles and consequences of non-compliance (including liability for failure to exercise due diligence) need to be articulated;
Risk Management - identification of assets and associated risks, roles and responsibilities, impact evaluations and potential for mitigating losses;
Security Architecture and Design - security infrastructure, due diligence for outsourcing, processes/tools for assessing new/imported systems, critical functions and the assets on which they depend and who can respond to security architecture and design concerns;
Accountability Issues - senior management participation in security briefings and training, inclusion of security policy and practice reviews in corporate audits, assessment and limitation of liability related to the illegal/malicious use of equipment by employees and manager assurance that critical infrastructure practices are followed;
Electronic Systems and Network Management - includes access control, software integrity, secure software configuration and ensuring regular electronic backup;
Authentication and Authorization - of both facility users and third party and remote users;
Monitoring and Auditing Security - includes monitoring, auditing and inspection protocols and the identification and availability of a central responsible focal point for reporting, evaluating and responding;
Physical Security - appropriate access controls including enforcement protocols and reporting mechanisms for anything suspicious; and
Continuity Planning and Disaster Recovery - senior managers need to ensure that a business continuity and disaster recovery plan is developed and periodically tested.

These best security practices for demonstrating executive leadership will place any organization in a position to assure their critical infrastructure as well as demonstrate sound business management.

Best practices for security

Security is an integral part of critical infrastructure assurance regardless of the type of infrastructure involved. Because of this, the following nine best practices for security developed by the North American Electricity Reliability Council

(NERC) represent good business practice and will be of use to all organizations seeking to assure their critical infrastructure and the continuation of the services they provide:

Vulnerability and risk assessment - identifies assets, loss impacts, vulnerabilities, risk/protection priorities, countermeasures, costs and trade-offs;
Threat response capability - aids in the prioritization of risks and protection efforts;
Emergency management - including assistance agreement, contingency plans, roles/responsibilities, emergency management protocols, communications needs, training/orientation programs and methods for updating/testing/documenting;
Continuity of business processes - consideration of vulnerabilities and needs associated with financial, information technology and business services (procurement and supply, delivery, records management, etc.);
Communications - involves the establishment of effective liaison and communication channels with other agencies, entities and sectors as well as internal communications needs;
Physical security - elements of which may include deterrence, detection, assessment, communication and response, which collectively provide a systems approach. The applicability of the types of physical security needed are determined by vulnerability and risk assessment of critical assets;
Information technology/cyber security - involves system characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, control recommendations and results documentation. Risk management programs must be proactive and ongoing, and criticality is determined by the most critical component and vulnerability by the most vulnerable component;
Employment screening - may help mitigate internal threats; and
Protecting potentially sensitive information - includes information regarding critical infrastructure assurance as well as confidential information associated with corporate services.

Translating security into critical infrastructure assurance is the next step, and the Chicago Area Critical Infrastructure Protection Program has identified the following seven-category checklist for providing this assurance:

Responsibilities - identification of lead organizations, contact points, assistance/franchise agreements, employee awareness and communications requirements;
Pre-disruption Planning - identification of critical facilities, criticality levels, interdependencies, loss impacts and sensitivities, vulnerability assessment and alternative preparedness measures;
Disruption Response Planning - includes staged response planning, notification and communication protocols and response protocols for impending and actual service disruptions;
Post-disruption Restoration Planning - involves the development of procedures for the restoration of normal operations and needs to consider all safety precautions that are necessary for this process;
Preparedness Exercises - planning and executing preparedness exercises is essential to identify gaps or inconsistencies that may hamper response and restoration activities;
Longer-term Preparedness - involves review and assessment of policies and regulations that may impact the sector and its ability to assure critical infrastructure; and
Plan Development - involves documenting all of the above in a comprehensive manner including physical and cyber security considerations and security maintenance (employee awareness, response equipment maintenance, changing information and cyber security needs, etc.).

While details related to each of the above categories will be dependent upon the sector in question, they do provide a common framework within which all sectors can build effective critical infrastructure assurance programs that are flexible enough to meet changing needs and circumstances. Flexibility is an essential feature that can be easily overlooked leading to potential new risks that may arise over time.

Conclusions for best practices

The recurrent themes that are important to all infrastructure sectors and generic best practices described in this section are summed up below as conclusions about what you can do to assure CI. The following Best Practices for the Assurance of Critical Infrastructure are integral to sound emergency management and business continuity planning and should be considered essential to good business practice:

Security - big picture approach. Even though security measures are implemented at a local level, they need to be developed in the context of the whole organization;
Management - corporate recognition. Senior management support is essential and policies, protocols, procedures, etc., need to foster good security habits amongst all staff members;
Risk - knowledge for decision making. A thorough understanding of the risk associated with a given infrastructure and its components as well as security/mitigation measures, loss impacts, response and recovery requirements are essential for sound emergency management and business continuity planning;
Assurance - the whole is the sum of its parts. Each and every action at the various levels within an organization contributes to the assurance of its critical infrastructure;
Electronic - more than nuts and bolts. The importance of the cyber environment cannot be over-stressed and its needs must be looked at in conjunction with and not in isolation from physical infrastructure; and
Vulnerability assessment - knowledge is power. Like risk, it is essential to have a thorough appreciation of an organization's vulnerabilities and the most effective measures for mitigating them.

It is important to note that this summary of current and best practices for the protection of critical infrastructure is not based on an exhaustive review of available open literature. The volume and variety of information available through the Internet and other sources is extensive and it is recommended that organizations explore additional sources using the information available in this summary as an initial step towards developing a comprehensive emergency management plan for the assurance of critical functions and services.

Energy and utilities

The energy and utilities sector is generally one of the first considered when the term critical infrastructure is used. All sectors rely on some form of energy as a fundamental need for standard operations and we tend to regard the availability of utilities matter-of-factly until service is disrupted. Equally important is the linkage between the energy and utilities sector and the communications and information technology sector (see next section) for the necessary support infrastructure that is essential to providing uninterrupted energy service.

While electricity is the most obvious form of energy that is tightly linked to all other sectors, the coal, hydro, nuclear, and petroleum and natural gas industries are equally important in the context that they provide the fuel/energy necessary for electrical power generation. Because of this focus, a significant amount of work has been undertaken in developing best practices for the Energy and Utilities Sector. Perhaps the most useful is a checklist developed by the United States Department of Energy (U.S. DOE) for small and medium-sized energy facilities that would actually be of benefit for any organization, regardless of size or type, to consider. Six generic steps for emergency risk management are as follows:

Identify critical assets and the impacts of their loss - including functions and assets, impacts of loss and asset value.
Identify what protects and supports the critical assets - including physical security systems, infrastructure interdependencies and sensitive information.
Identify and characterize the risk/threat - by evaluating the physical and cyber environments in which risks or threats may occur.
Identify and analyze vulnerabilities - by determining the susceptibility to identified risks and threats including those related to cyber attacks.
Assess and determine priorities for asset protection - based on the following: risk rating = impact rating X threat rating X vulnerability rating
Identify mitigation options, costs and trade-offs - including measures to prevent damage, limit consequences, speed recovery and reduce vulnerability.

For additional information regarding the assurance of critical infrastructure in the Energy and Utilities Sector consult the U.S. DOE website at http://www.doe.gov/engine/content.do

Communications and Information Technology

The Communications and Information Technology sector includes telecommunications (telephone, fax, cable, and satellite), broadcasting systems, computer software and hardware, and networks like the Internet. This sector is tightly linked with the finance sector for banking transactions, and the energy and utilities sector for the provision of electrical power. In addition, the reliance of many organizations on computers and the Internet for day-to-day operations both on-site and remote, delivery of services, data management, marketing, etc., illustrates the difficulty in separating physical CIP from cyber CIP, and separating the communications sectors from all the other sectors. As a result, safeguarding communications and information technology is essential to assuring critical infrastructure.

Information regarding best practices for physical security including reliability of services, security of networks and enterprises and cyber security is available for download as a checklist designed for and selected from a menu of network types, industry roles, best practice types and keywords from the Network Reliability and Interoperability Council (NRIC) website at http://www.bell-labs.com/user/krauscher/nric . Reports, a calendar of educational seminars, focus groups and other useful information are also available.

Home users and small businesses can contribute to cybersecurity through the use of safe passwords, by maintaining and updating virus protection and patches and by using traffic filtering, firewalls and similar good practices. Large enterprises can implement A.C.T.I.O.N.S. - authentication, configuration management, training, incident response, organization network, and smart procurement - as voluntary best practices that may be seen generally as sound business practices in a borderless cyber environment. Further details are available from the United States National Strategy to Secure Cyberspace at http://www.whitehouse.gov/pcipb/

Finance

Citizens need assurances that the business of government will continue, monetary currency will be stable and government-issued cheques will arrive. The banking, securities and investment sub-sectors rely heavily on the Communications and Information Technology sector for the provision of timely financial services. Because of our heavy and continually growing reliance on information technology, a secure electronic environment is essential for assuring the continuation of services in the Finance Sector. To this end, the World Bank has identified an e-security framework consisting of seven pillars for the management of risk associated with operations, identity theft, fraud and extortion, credit card quality, and systems and failure resolution:

Pillar I.	Legal framework and enforcement - laws governing electronic transactions and commerce, payment systems security, privacy, cyber-crime and anti-money laundering enforceable through, as a minimum, cease-and-desist orders and compliance actions.
Pillar II.	Electronic security of money transmitters - these non-depository, often third-party automated, commercial enterprises that transfer and exchange monetary instruments and currency, need to be subject to specific reporting requirements, regulations, warranties, indemnification and liability, and security requirements to assure the continuation of payment systems.
Pillar III.	Risk management and challenge prevention - includes authentication, firewalls, active content filtering, intrusion detection systems (IDS), virus scanners, encryption, penetration testing, proper systems administration and incident response plans that are subject to constant review. Redefining regulatory authority and legal liability of downstream vendors, ensuring compliance, and coordination in supervision and information sharing across agencies may help to mitigate compromise.
Pillar IV.	Private insurance as a monitoring mechanism - mandatory use of ISO 17799 standards for information security for insuring operations could provide additional assurance for financial services.
Pillar V.	Certification, standards and roles definition - standards and certification for software, hardware, IT vendors and electronic transactions and articulation of roles for government and industry are essential.
Pillar VI.	Public-private sector information sharing - national and cross-border incentive arrangements that encourage information sharing can improve worldwide electronic security.
Pillar VII.	Education and awareness for incident prevention - is integral to financial security.

For additional information regarding critical infrastructure assurance in the Finance sector consult the following websites:

Internet Security Alliance http://www.isalliance.org/
Computer Emergency Response Team (CERT) http://www.cert.org/
Forum of Incident Response and Security Teams (FIRST) http://www.first.org/
Electronic Crimes Task Force (ECTF) http://www.ectaskforce.org/
InfraGard http://www.infragard.net/
National Infrastructure Protection Centre (NIPC) http://www.nipc.cog.il.us/

Health care

Emergency and contingency experiences from the SARS outbreak have raised sector awareness that Canadians will look for assurance of health care services. Hospitals, health-care facilities, blood-supply facilities, laboratories and pharmaceuticals are integral to maintaining the level of health care that Canadians have come to expect. The U. S. Department of Health and Human Services

(DHHS) has identified three preparedness areas that are necessary for the provision and continuation of health care services. The following paragraphs provide a brief description of these preparedness areas.

Public health preparedness

For public health preparedness, response plans for all types of public health emergencies are essential. These plans need to address all levels (local, regional, national) and consider receiving, managing and distributing pharmaceutical stockpiles, the evaluation of urgent disease reports, communications requirements, the dissemination of information and training needs. Adequate financial support to meet objectives for plan development is required.

Hospital preparedness

Hospitals can prepare through the designation of a Coordinator and the establishment of a Hospital Preparedness Planning Committee to provide guidance, direction and oversight in response planning. Plans for dealing with potential epidemics including the needs of rural patients served by metropolitan centres, are necessary.

Workforce preparedness

Workforce preparedness involves assessing and responding to the needs for efficiency and effectiveness of workforce development and preparedness activities. This involves developing the appropriate linkages and building expertise in public health and emergency management and response. Adequate funding for initiatives in both the public and private sectors is essential.

Additional information

In Canada, health care preparedness needs to meet provincial requirements. For further information in this regard consult the website for your province (see links in the Government section of this summary) or your local hospital.

In the February 2, 2004 Speech from the Throne, the Prime Minister announced a new Canada Public Health Agency that would be responsible for ensuring that Canada is linked nationally and internationally to a disease control and emergency response network. A newly appointed Chief Public Health Officer for Canada will be tasked with developing the Canada Health Protection Act that will further help a strong and responsive public health system.

Food

Food safety, the agriculture and food industry, and food distribution systems are a part of this sector. Domestic and imported food supplies depend on consistent transport and delivery and links to the various CI sectors are important. The economic destabilization, loss of confidence and social instability that arise from food sector incidents can be significant. The impact that a single case of BSE in May 2003 had on the Canadian food industry was enormous. Unfortunately, the designation of this sector as a part of critical infrastructure is very recent and best practices need to be developed for assurance of critical functions and services. Protective and response measures that address the following are necessary:

Protective measures - intelligence measures, monitoring programs, targeted research, international counter-proliferation treaties, protocols and agreements, creating agent-specific resistance in livestock, vaccination, modification of vulnerable practices, bio-security and surveillance and education and training; and
Response measures - consequence management, early detection, prediction and containment, epidemiology and treatment, depopulation and disposal, diplomatic, legal, economic and political responses, compensation and indemnity, education and training, public awareness and outreach and vaccine and pharmaceutical stockpiling.

The responsibility for food safety in Canada rests with the Canadian Food Inspection Agency (CFIA). Within this agency the Office of Emergency Management is designated with the responsibility to play a leading role in preparing for and responding to emergencies involving food safety, animal health, plant protection or any of its other programs. Details regarding food safety and security and associated emergency response initiatives are available from the website at http://www.inspection.gc.ca/english/liaison/emgmte.shtml.

Water

Water supplies for drinking and wastewater management are key issues in Canada. The Canadian Water and Wastewater Association

(CWWA) has prepared two reports describing the "Best Management Practice for small and medium-size municipalities to conduct a vulnerability assessment." The reports address water and wastewater systems separately and include templates and instructions for completing vulnerability assessments. These reports are publicly available at no cost to members and for a nominal charge to non-members from the CWWA website at http://www.cwwa.ca/publicationorder_e.asp

. Provincial governments are encouraged to implement the template through municipalities using local emergency management infrastructure as a part of a national program for water and wastewater facility emergency management/business continuity planning. The template is designed to assess and prioritize risk in the following categories:

Human health;
Natural hazards;
Chemical, biological and other hazards; and
Technical failures.

Although the template was developed for CWWA members, it will also be applicable to other small and medium sized facilities in Canada. Large water and wastewater facilities develop their own emergency management plans based on established industry standards derived from U.S. criteria. Additional information regarding emergency preparedness in this sector is available on the CWWA website at http://www.cwwa.ca/

Transportation

The Transportation sector includes air, rail, marine and surface modes of transport. Transportation is an integral part of our daily lives and linkages to the sectors providing basic survival needs are important. Critical infrastructure assurance must take into consideration the delivery of essential items such as food, medicines, replacement equipment and emergency responders. Best practices for security of public transit have been actively integrated into the air transport sector, in particular as a consequence of September 11, 2001; however, diligence in security of containerized cargo is also, increasingly, a critical infrastructure consideration.

Cross-border issues and increased delays at border crossings demonstrate the importance of carrying adequate and up-to-date documentation. There is a need to develop and encourage the use of electronic methods of identification in an effort to reduce delays and ensure the efficient movement of cross-border traffic.

For information regarding emergency preparedness in the Canadian Transportation sector consult the Transport Canada, Security and Emergency Preparedness website at http://www.tc.gc.ca/vigilance/.

Safety

The Safety sector is tightly linked to the Government sector (see next section) and includes chemical, biological, radiological and nuclear safety, hazardous materials, search and rescue, emergency services (police, fire, ambulance and others) and dams. Note that dams may be critical to a number of sectors (water, transportation, energy and utilities) to ensure service delivery and, for this reason, a cross-cutting concern is dam safety.

The Canadian Nuclear Safety Commission (CNSC) is the agency responsible for nuclear safety in Canada. CNSC involvement in emergency preparedness issues has been considerable and the nuclear industry takes extensive precautions to ensure the safety and security of all assets as part of its standard business operations. Safety and security protocols and emergency preparedness and response plans are highly classified and, as such, highlights regarding best practices for the nuclear industry are not available.

The Canadian Centre for Emergency Preparedness (CCEP) is a not-for-profit organization in Canada that encourages individuals, communities, organizations and governments to make disaster management an important part of daily operations. By raising awareness and providing guidance and tools for reducing risk, the CCEP seeks to reduce the impact and costs associated with natural and human-induced disasters. For additional information, a wide range of templates, publications and documents, education and training, conference notices, etc., regarding emergency preparedness and disaster management visit the CCEP website at http://www.ccep.ca/ .

The Canadian Emergency Preparedness Association (CEPA) is a national forum for individual, associate and corporate members with an interest in emergency management. The association fosters information exchange among members and the development and adoption of national standards or models. It facilitates training and accreditation of professionals and training institutes. Additional details are available from the CEPA website at http://www.cepa-acpc.ca/cepa/ .

Sandia National Laboratory , the U.S. Department of Energy's National Nuclear Security Administration, is a government-owned/contractor operated facility that was established in 1949 to support national security. The organization uses science and technology, people, infrastructure and partnerships to address national needs associated with nuclear weapons, non-proliferation and materials control, energy and critical infrastructure and emerging threats. Critical infrastructure assurance research initiatives are focused on infrastructure elements in the areas of transportation, electric power grid, oil and gas distribution, telecommunications, finance and banking, and vital human services.

Government

Maintaining the machinery of government, leadership, safety, security and control and the provision of services critical to citizens is important. This sector includes government facilities, government services such as meteorological services, government information networks, government assets and key national symbols (cultural institutions, national sites and monuments).

In Canada, critical infrastructure protection is a shared responsibility that requires the cooperation of all levels of government (federal, provincial/territorial, municipal) and the private sector. This shared responsibility should be facilitated by public-private partnerships and the clear articulation of roles and responsibilities for all organizations.

Federal

Public Safety and Emergency Preparedness Canada (PSEPC) is the lead organization in Canada for government emergency and for coordinating the federal response and recovery efforts in the event of terrorist attack or natural hazard emergency. PSEPC provides national leadership through programs and the dissemination of information to enhance the awareness and capacity of Canadians, communities, businesses and governments to manage their physical and cyber security needs. It also serves as advisor for government regarding business continuity planning. PSEPC aims to enhance the safety and security of Canadians in their physical and cyber environments and thereby provide assurance for the continuity of critical functions and services, which it does through the National Critical Infrastructure Assurance Program (NCIAP).

The authority for these efforts comes from the Treasury Board of Canada and the Government Security Policy. The policy describes the management framework and responsibility necessary for Canadian government departments and agencies to protect employees, ensure confidentiality, integrity, availability and value of assets, and continuity of business.

Provincial/territorial

All provincial and territorial governments host a web-based emergency management organization that, as a minimum, recognizes the need for response and recovery planning regarding natural disasters. Several provinces have also recognized the need for CI assurance.

The Government of Alberta implemented the Alberta Counter-Terrorism Crisis Management Plan (ACTCMP) independently from the federal government in 2001; consisting of the following components:

The Solicitor General Security and Information Management Services (SIM), responsible for the maintenance of a Threat Level System in accordance with RCMP standards; distribution of routine threat assessments on a scheduled basis to CI owners and other partners; and security clearance management.
Emergency Management Alberta (EMA) has implemented a program of CI identification, on-site security assessments and advice.

In addition, in 2001, the Government of Alberta established Business Continuity Programs within EMA; to provide guidance, establish business continuity best practices in the development, evaluation and exercising of all 26 ministries' business continuity strategies and plans. Continuity strategies included corporate initiatives for shared resources, facilities and services and an overarching Government of Alberta Business Continuity Plan.

Alberta has established an Emergency Notification System, designed to distribute changes in SIM designated threat levels. This system is maintained by EMA.

Emergency Management Ontario introduced the Ontario Critical Infrastructure Assurance Program to provincial ministries on March 6, 2003. This program, which will include federal, provincial and private sector collaboration, is currently being implemented through the following sector work groups: Public Safety and Security, Electricity, Communications, Food & Water, Transportation, Financial Institutions, Continuity of Government and Oil & Gas. The engagement of private industry in the Ontario Critical Infrastructure Assurance Program will commence in 2004 and continue in earnest throughout 2005.

All provincial ministries are currently engaged in a business continuity planning program led by the Ontario Management Board Secretariat that will produce its first deliverables by December 31, 2004. Additionally, all ministries have been provided a workbook explaining the hazard risk management process that is based on the Management Board and Australian Risk Management guidelines.

The New Brunswick Department of Public Safety is working to develop, implement and validate a provincial model Critical Infrastructure Protection Program. The model is being designed in collaboration with PSEPC and a number of other federal departments including the Royal Canadian Mounted Police, Canadian Security Intelligence Service, Department of National Defence, Natural Resources Canada, National Research Council and Transport Canada. The University of New Brunswick (Conflict Studies) and the Emergency Measures Organizations in Prince Edward Island and Nova Scotia will also be involved in the models development. In addition the Maine Emergency Management Agency, Maine State Homeland Security, and the United States Attorney-General Office of Anti-Terrorism will contribute an American perspective to the model.

It is expected that this model will meet New Brunswick's requirements as well as those expressed in the National Critical Infrastructure Assurance Program for the federal government and the provinces and territories. The New Brunswick program will take an all hazards approach and integrate security, critical infrastructure and emergency management programming, and address cross-border aspects of critical infrastructure in accordance with the Smart Border agenda.

Links for provincial/territorial websites providing information on emergency preparedness and critical infrastructure assurance are as follows:

Alberta - Alberta Municipal Affairs, Emergency Management Branch http://www.municipalaffairs.gov.ab.ca/ema/;
Ontario - Emergency Management Ontario, Ministry of Public Safety and Security http://www.mpss.jus.gov.on.ca/english/pub_security/ emo/about_emo.html;
Yukon - Emergency Measures Branch (EMB) of the Yukon Government http://www.gov.yk.ca/depts/community/emo/;
Northwest Territories - Emergency Measures Organization, Department of Municipal and Community Affairs, Government of Northwest Territories http://www.maca.gov.nt.ca/;
British Columbia - Government of British Columbia, Provincial Emergency Program http://www.pep.bc.ca/;
Manitoba - Manitoba Emergency Measures Organization http://www.gov.mb.ca/gs/memo/;
New Brunswick - New Brunswick Emergency Measures Organization http://www.gnb.ca/cnb/emo-omu/index-e.asp;
Newfoundland and Labrador - Newfoundland and Labrador Emergency Measures Organization, Department of Municipal and Provincial Affairs http://www.gov.nf.ca/mpa/emo.html;
Nova Scotia - Nova Scotia Emergency Measures Organization http://www.gov.ns.ca/emo/;
Nunavut - Nunavut Emergency Management, Dept. of Community Government and Transportation http://www.gov.nu.ca/Nunavut/English/departments/CGT/;
Prince Edward Island - Prince Edward Island Emergency Measures Organization http://www.gov.pe.ca/commcul/emo/index.php3;
Quebec - Quebec Department of Public Security http://www.msp.gouv.qc.ca/; and
Saskatchewan - Saskatchewan Emergency Planning http://www.cps.gov.sk.ca/Safety/emergency/default.shtml

Municipal

Municipal governments are undertaking initiatives to address infrastructure protection issues within their areas of responsibility.

The City of Ottawa released an emergency plan in May 2002 that outlines roles and responsibilities for ensuring essential services to the community, including how it would coordinate with area agencies such as hospitals, school boards, all utilities and the Canadian Red Cross. The plan is coordinated by the Emergency Measures Unit. General emergency information, links, etc., are available through the City of Ottawa website at http://ottawa.ca/city_services/emergencyserv/erp/index_en.shtml .

The City of Toronto Emergency Plan details the methods used to mobilize
city resources in response to an emergency. Highlights include standardized notification methods, emergency declaration procedures, protocols for
coordinating multi-agency response, mobilization of resources and the establishment of Evacuee Centres, among others. Fact sheets, information and details of the plan are available from the Office of Emergency Management website at http://www.city.toronto.on.ca/wes/techservices/oem/index.htm .

The office of Emergency and Risk Management is responsible for emergency preparedness for the City of Vancouver . The First Annual Emergency Preparedness Forum was held in October 2003 to develop awareness amongst attendees regarding local and international emergency preparedness initiative. Earthquakes are of particular concern and neighbourhood programs to provide residents with information, training and emergency preparedness skills are an important part of emergency management. Additional information is available from the website at http://www.city.vancouver.bc.ca/corpsvcs/emerg/index.htm .

For details regarding emergency preparedness and critical infrastructure assurance in your community visit your municipality's website or contact your local government.

Manufacturing

The first priority is ensuring the adequacy of domestic supplies and the second priority is assuring that operations are not disrupted, or that minimal disruption can occur, particularly where toxics and explosives are part of the facility infrastructure.

For infrastructure assurance in Canada, the Manufacturing Sector includes the Chemical Industry and the Defence Industrial Base. Emergencies related to the Chemical Industry arise from the potential for large scale spills of hazardous materials during manufacture, transport and disposal. The economic impact of the disruption of this sector is also a concern since many other sectors rely on the Chemical Industry for needs that are critical to their continuity of business. In the case of the Defence Industrial Base, it is less the potential for disasters that is important and more the need to ensure continuity of business in the wake of one. In emergency situations, defence support is often critical and their ability to supply needed goods and services is essential to mitigation of impacts and the re-establishment of normal operations and conditions. The following 12 steps, developed at Sandia National Laboratories for the US Department of Justice , may help to determine the potential risk that organizations in this sector may face:

Step 1.	Screening for the need for a vulnerability assessment - factors for consideration include event identification, impact on Nation, inventory, accessibility, recognizability and the importance of the facility at the local, regional and national levels.
Step 2.	Project definition - includes a review of the purpose, tasks, resources, schedule of activities and the composition of the team undertaking the project.
Step 3.	Facility characterization - is a complete and comprehensive matrix/inventory of processes, activities and resources used in manufacturing coupled with a criticality rating that enables the identification of critical activities and the assignment of priorities.
Step 4.	Deriving severity levels - considers the potential for worker or public injury/fatality, extensive property damage, duration facility is disabled, environmental impact and evacuation needs.
Step 5.	Risk/threat assessment - involves compiling information on potential threats and risks that may result in emergency situations including the type, potential action, motivation and capabilities of an adversary whether external or internal and general or site-specific in nature.
Step 6.	Prioritizing risks/threats - is accomplished by plotting the severity of the consequences associated with each risk/threat.
Step 7.	Site analysis - will determine the likelihood of an emergency situation or threat occurring. Physical protection systems, process control protection systems that consider all critical functions and interfaces including communications, commercial hardware and software, application software, parameter data and support infrastructure (e.g. power and HVAC), and mitigation measures such as automatic shut-down sensors, early warning systems, etc., may help to reduce risk.
Step 8.	Conducting a site survey - involves validation of site information and a walk-through survey emphasising critical activities and target information is preparatory to analyzing system effectiveness.
Step 9.	Analyzing system effectiveness - involves determining the effectiveness of physical and process control systems.
Step 10.	Analyzing risks - can be facilitated by a flowchart and a template for summarizing risk levels for facility activities as aids for developing priorities.
Step 11.	Making recommendations for risk reduction - should consider low-cost, high-return upgrades as a goal. Improvement recommendations may include physical protection, consequence reduction or process control protection.
Step 12.	Fully documenting the results of the assessment - is essential.

For additional information regarding infrastructure assurance needs for the manufacturing sector visit the Sandia National Laboratory website at http://www.sandia.gov/ .

International initiatives

Critical infrastructure assurance is a concern for all nations and international initiatives abound, as evidenced by the number of websites providing information in this regard. The following list provides a cross-section of activities occurring worldwide and should not be considered as exhaustive in nature:

Australia - Emergency Management Australia (EMA) http://www.ema.gov.au/ema/emaInternet.nsf and the Australian National Security Attorney-General's Department http://nationalsecurity.ag.gov.au/www/nationalsecurityhome.nsf/
United Kingdom - the UK Financial Sector Continuity Group http://www.financialsectorcontinuity.gov.uk/ and Resilience http://www.ukresilience.info/home.htm
United States - Department of Homeland Security http://www.dhs.gov/dhspublic/; the Critical Infrastructure Assurance Office, US Commerce Department, Bureau of Industry and Security http://www.ciao.gov/ ; the US National Infrastructure Protection Centre http://www.nipc.gov/ ; and the Federal Emergency Management Agency http://www.fema.gov/
Sweden - Swedish Emergency Management Agency (SEMA) http://www.krisberedskapsmyndigheten.se/defaultEN____224.aspx
Switzerland - Civil Protection http://www.bevoelkerungsschutz.admin.ch/internet/bs/en/home.html

Questions, comments and concerns

For additional details regarding the best practices described herein and a complete list of references for source documents see the "Best Practices for the Protection of Critical Infrastructure" dated March 31, 2003. This publication is available by request as indicated below.

Your opinion matters to us. Should you have any questions or comments about the contents of this publication or specific concerns regarding National Infrastructure Assurance in Canada please contact:

Louise Forgues
Director, Program Initiatives
Tel: (613) 990-3498
E-mail: Louise.Forgues@psepc-sppcc.gc.ca

Disclaimer

This publication has been prepared for Public Safety and Emergency Preparedness Canada by SENES Consultants Limited

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of Public Safety and Emergency Preparedness Canada.



	Last updated: 2006-01-18		Important notices