Home Programs Emergency management Critical infrastructure protection NCIAP Discussion paper

Discussion paper

Please note that the following document was published before PSEPC was created in 2003. Thus it reflects the old departmental name, Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP). We hope this causes no confusion.

1.0 Introduction
2.0 Purpose of NCIAP
3.0 Definition of National Critical Intrastructure
4.0 NCIAP approach
5.0 Case for participation
6.0 Stakeholder roles
7.0 Issues for the NCIAP
8.0 Next steps
Appendix:Lexicon

1.0 Introduction

The Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP) has been established to provide national leadership in the protection of Canada's critical infrastructure and in the enhancement of emergency management in Canada. OCIPEP is also the government's primary agency for ensuring national civil emergency preparedness.

For several months, OCIPEP has been discussing with partners the feasibility of developing a program to provide appropriate assurance for critical infrastructure (CI); those systems, assets and network elements that would have national impacts should they be unavailable due to an emergency situation. These discussions have led to a proposal for a National Critical Infrastructure Assurance Program (NCIAP) with the goal of assuring service and function continuity for Canadians.

This paper is a discussion document to stimulate a productive dialogue with principal stakeholders on key concepts and issues, including those that require joint or collaborative actions. Response to this paper will shape the establishment of the NCIAP.

2.0 Purpose of NCIAP

Canadian citizens and organizations have come to depend on a wide range of physical and cyber infrastructures, from power grids and computer networks to water systems and roads. Events such as the 1998 Ice Storm, the 2001 Code Red computer worm and the September 11, 2001 terrorist attacks have demonstrated that these important infrastructures are vulnerable, and that their disruption can have significant impacts on our lives and our economy. Canadians require solid assurance that these infrastructures are viable and resilient to disasters and attacks. These infrastructures have grown highly complex and interdependent and are owned by many different parties, so there is no longer any single government, region, or company that can stand up and provide this assurance. A national partnership is required in order to provide the best possible assurance of infrastructure resilience and viability for Canadian citizens, businesses and governments.

The purpose of the NCIAP is to establish an ongoing, dynamic, national partnership among critical infrastructure owner/operators and governments to assure the continued functioning of Canada's critical infrastructure. Having this partnership will increase the overall critical infrastructure protection (CIP) capability within Canada - - that is, the ability to prepare for, protect against, mitigate, respond to and recover from critical infrastructure disruptions or destruction. The NCIAP will seek to assist industry and governments at all levels in Canada, while respecting individual mandates and accountabilities. The program will increase awareness of CIP issues, promote communication among sectors and regions and support existing CIP programs.

The program will benefit:

• Canadians through more secure infrastructure;
• industry through support and better information to operate their own assurance activities efficiently;
• emergency planners and first responders through better partnerships with CI owner/operators; and
• governments through the ability to better meet the expectations of Canadians and represent Canada's interests in international fora.

3.0 Definition of National Critical Infrastructure

3.1 NCI Definition

Canada's National Critical Infrastructure (NCI) consists of those physical resources, services and information technology facilities, networks and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of Canadians or the effective functioning of governments in Canada.

The task of defining NCI is more challenging because of:

• increasing dependence on information systems and networks for the operation of all critical infrastructure;
• the possibility of cascading effects resulting from interdependence of elements;
• governments only owning and operating a small share of the NCI; and
• "borderless" cyberspace.

3.2 NCI Sectors

The NCI exists in six sectors:

• Energy and Utilities Sector (electrical and nuclear power, natural gas and oil production and transmission systems);
• Communications Sector (telecommunications, Internet and broadcasting systems);
• Services Sector (financial services and health care);
• Transportation Sector (air, rail, marine, and surface);
• Safety Sector (nuclear safety, search and rescue, emergency services); and
• Government Sector (major government facilities, services, information networks or assets).

4.0 NCIAP approach

OCIPEP proposes that the initial phases of the NCIAP focus on: the need to work together; the evolving risk/threat environment, the benefits of information-exchange; and awareness raising.

Dialogue among CI owner/operators, sector associations and governments is required to launch an effective public-private partnership. Earlier consultations conducted by OCIPEP indicate that owners/operators of critical infrastructure have concerns about the production of a national list of critical infrastructure. The creation of a master list raises issues about ownership and protection of the list and associated information. Consequently, OCIPEP has shifted the focus from a Government of Canada (GOC) master list of National Critical Infrastructure (NCI) to establishing a partnership that will coordinate efforts to provide assurance that the combined actions of infrastructure owners, operators, governments and others results in a resilient and viable NCI. Consultations indicated an interest in a collaborative approach to assuring the provision of critical services, systems, networks and assets, and to better understanding the cross-impacts caused by potential unavailability of elements in other sectors.

4.1 Assurance activites at all levels

While the terms "critical infrastructure protection" or "critical infrastructure assurance" are relatively new, a great deal of activity has taken place in Canada within governments, individual companies and sector associations.

Most (estimates are in the 80-90% range) of Canada's critical infrastructure is owned and operated by private industry, with a small amount owned and operated by various levels of government. These companies and governments are continuously involved in developing their critical infrastructure assurance capability. The owner/operator of an element of CI is accountable for assuring it as part of normal business practices and is subject to applicable regulatory requirements.

Owners and operators of CI already use a wide range of approaches and strategies to assure delivery of critical infrastructure services. The NCIAP could increase this capability by:

• raising awareness of CI issues nationally;
• conducting outreach to encourage and support local, provincial/territorial and sectoral programs;
• developing a Government of Canada program for its own CI ("getting our house in order");
• coordinating Government of Canada efforts in selected / high impact areas, such as research and development, training and education, and sharing and promoting best practices;
• coordinating the CI efforts by all levels of government; and
• facilitating international cooperative initiatives.

4.2 National level risk management approach

OCIPEP is proposing to launch the NCIAP as an ongoing, dynamic, national partnership among critical infrastructure owner/operators and governments in order to:

• enhance information sharing;
• identify cross-sectoral interdependencies;
• generate useful, timely threat and vulnerability assessments; and
• strengthen analysis and warning capabilities.

Assuring CI services against disruption or failure is a risk management process. Some organizations manage this process formally; many others do it informally.

Risk management comprises a spectrum of possible actions. Owners and operators manage their risks of operation by investing in a range of activities to ensure the viability and resiliency of their critical infrastructure services. Ensuring a resilient and viable infrastructure includes activities such as prevention, mitigation, response and crisis management, recovery and restoration.

Since 100% security or assurance is neither feasible nor affordable, decisions will require sound risk management practices. Risks can be better managed by focusing investments on most relevant threats and vulnerabilities. Decisions on investments are based on determinations of the types of consequences that could result if potential threats were to exploit vulnerabilities. As risk management is implemented as a continuous improvement process, better knowledge of both the vulnerabilities and plausible threats improves the quality of these decisions.

The goal of the process is to increase the knowledge of vulnerabilities, the understanding of threats and thereby increase the ability of all members of the partnership to do better risk management.

4.3 Selection criteria

The criteria for determining those factors that make a particular infrastructure, or element of an infrastructure critical are expanding. For instance, events in the US in September 2001 showed the potential importance of identifying 'symbolic' infrastructure (e.g., Parliament Hill, CN Tower, Financial District, etc.).

The NCIAP partnership will work together in the development of selection criteria for NCI. These selection criteria should also be founded on a collective determination of expertise within each sector and relevant specialized knowledge.

Three factors are suggested for identifying potential NCI:

• Scope - The loss of an NCI element is rated by the extent of the geographic area which could be affected by its loss or unavailability - international, national, provincial/territorial or local.
• Magnitude - The degree of the impact or loss is assessed as None, Minimal, Moderate or Major. A single metric (e.g., a dollar figure) will not apply consistently across all sectors. Among the criteria which could be used to assess potential magnitude are:
• Service delivery (qualitative measure of lost or degraded service delivery);
  • Public impact (loss of life, medical illness, serious injury, evacuation);
  • Economic (loss of service of degraded service);
  • Political (confidence in the ability of government);
  • Environmental (impact on the public and surrounding location); and
  • Interdependency (between other CI elements).
• Effects of time - This criteria ascertains at what point the loss of an element could have a national impact (i.e., immediate, 24-48 hours, one week, other).

4.4 Principles

The principles of the NCIAP are:

Promote broad participation
While the federal government has a responsibility to contribute to a national strategy, the participation of stakeholders from private industry and from provincial/territorial governments is essential to the NCIAP success. Participation is voluntary for non-federal agencies, and can take many forms in terms of partnerships, work programs, and concurrent activities.

Build on activities within Canada
The NCIAP will complement and enhance current CIP activities and relationships within Canada - - those that are well-established and those that are in the formative stages.

Build international relationships
While the focus for the NCIAP is within Canada, the Government of Canada is also involved in international discussions that will affect relevant activities in Canada (for example, Canada's commitment to the Canada - U.S. Smart Borders declaration). Provincial and territorial governments and sectoral associations are currently involved in a range of cross-border CIP activities. The NCIAP will complement and enhance these cross-border and international activities.

Adopt an all-hazards approach
Canada's critical infrastructure could be affected by either deliberate attack or natural hazards. For example, electricity supply can be severely disrupted by a tornado (physical threat), a major accident (physical or IT threat) or a computer hacking attack that disables an essential control system (IT threat). The NCIAP will reflect an all-hazards approach.

Promote accountability
Owners of critical infrastructure provide assurance, based on the need for business or functional continuity. The NCIAP is intended to support this accountability through program activities that increase understanding of threats, vulnerabilities and interdependencies and best practices to manage risk.

Enable information sharing
Information exchange is the foundation of the NCIAP approach. Initial consultation among federal government departments and the private sector identified information protection and exchange as the most significant issues to be resolved in order to engage the participation of the private sector. OCIPEP is working with its partners toward an information-sharing framework to address these challenges.

5.0 Case for participation

The NCIAP will provide a forum to promote a range of actions designed to meet program objectives that are jointly agreed. The aim is to increase national assurance capability and effectiveness for CI sectors. It will support and strengthen existing partnerships and programs between the Government of Canada, provincial/territorial governments and the private sector.

The benefits to participants include:

• better information and understanding about threats and vulnerabilities that put our CI at risk;
• the opportunity to work with other sectors on which their own CI is dependent;
• better understanding of interdependencies so that services become less vulnerable to disruptions;
• increased ability to meet customer and shareholder expectations about assurance;
• increased awareness of current CI issues;
• facilitation of dialogue among stakeholders to share best practices;
• better-focused R&D;, training and education; and
• dynamic U.S. - Canada collaborative projects and activities.

And for Canada and Canadians, the benefit is - better readiness, reliability and continuity of critical services.

6.0 Stakeholder roles

The major stakeholders in this program are the CI owner/operators and provincial, territorial and federal governments that represent Canadians.

6.1 Proposed stakeholder contributions

All stakeholders could participate in and benefit from:

• multi-jurisdictional partnerships for information and best practices sharing;
• R&D; efforts;
• training and awareness programs; and
• sectoral, regional and national-international exercises.

6.2 Private sector role

Private sector partners/associations could:

• develop, lead and manage sectoral CI identification and assurance programs; and,
• develop best practices and interdependencies analyses.

6.3 Provincial and territorial governments role

Provincial or territorial governments could:

• develop, lead and manage provincial/territorial programs (for all critical infrastructure with a provincial/territorial scope);
• work with other partners to devise protection/assurance of their infrastructure (e.g. via police/emergency management expertise); and
• issue guidelines within regulated sectors as warranted.

6.4 Government of Canada role

The Government of Canada could:

• coordinate the development of the NCIAP;
• develop programs aimed at national outreach and awareness raising;
• coordinate policy development aimed at solution building (e.g., information exchange, protection issues)
• work with other partners to devise protection/assurance of their infrastructure (e.g. via police/military/security/emergency management expertise);
• develop guidelines and best practices;
• provide warnings, alerts, advisories and relevant threat assessments; and
• provide links to other national and international programs.

7.0 Issues for the NCIAP

The NCIAP is in the formative stages and issues will continue to arise as the program evolves. Some of the issues that will require attention are listed here.

7.1 NCI selection criteria

What are the selection criteria for identifying and prioritizing elements?

A set of criteria is being developed and used initially by the federal and provincial/territorial governments to identify their own CI. These criteria could form the basis of discussions within the partnership during the risk management process of the NCIAP.

7.2 Exchanging information on threats

• What is the most effective means of preparing and disseminating relevant threat assessments, specific warnings and advice in a timely manner?

OCIPEP is examining the feasibility of a CI incident warning system for critical infrastructure to assist stakeholders responsible for emergency management and critical infrastructure protection. In its first year of operation, OCIPEP has developed a program which disseminates alerts, advisories, information notes and other analyses to CI owner/operators in Canada.

While the Government of Canada has extensive networks which generate threat-related information, other NCIAP partners may likewise learn of potential threats via their own contacts and associations. In the United States, several sectors have established Information Sharing and Analysis Centers (ISACs) as voluntary, cooperative information-exchange arrangements. The U.S. government has taken the role of facilitator for some ISACs, and government agencies participate as members of some ISACs. In other cases, the ISACs operate exclusively within industries.

• Should the ISAC model be considered in Canada?
• Which other models could be used?

7.3 Information exchange for risk management

The NCIAP depends on the willingness of partners to exchange information about their CI including assessments of criticality and interdependency and existing assurance plans.

• Under what conditions can we establish robust information sharing arrangements?
• What are the concerns and how can they be addressed?
• Does current access to information/freedom of information legislation support or constrain the sharing of CIP relevant information?

7.4 Liabilities and costs

• What are the liabilities and costs (or benefits) that might accompany the designation of industry assets as national critical infrastructure?

7.5 Governance / Management

• How formal should the NCIAP be?
• What, if any, governance arrangement is required?
• What, if any, legislative basis is required for NCIAP?
• What are the resource implications?

7.6 Coordination with the United States

A July 2002 report by the United States General Accounting Office identified CIP responsibilities spread across 50 federal organizations in the U.S. The same month, the President announced plans to establish a Department of Homeland Security which would amalgamate many of these programs, as well as associated staff and resources.

• How will Canada coordinate its CI assurance programs with those of the U.S. at the national, regional and sectoral levels?

8.0 Next steps

OCIPEP invites stakeholders to shape the NCIAP by providing input on the concepts and questions presented in this paper.

OCIPEP intends to share an aggregated summary of stakeholders' comments in keeping with the partnership philosophy of this discussion paper.

OCIPEP is currently planning regional and national meetings and workshops with stakeholders. More details will be provided shortly.
 

Lexicon

Critical Infrastructure (CI)
Those physical resources; services; and information technology facilities, networks and assets which, if disrupted or destroyed, would have a serious impact on the operation of an organization, sector or government.

Critical Infrastructure Protection (CIP)
The programs, activities and interactions used by owners and operators to protect their critical infrastructure.

CIP capability
The ability to prepare for, protect against, mitigate, respond to, and recover from critical infrastructure disruptions or destruction.

Infrastructure
The framework of interdependent networks and systems comprising identifiable industries, institutions (including people and procedures), and distribution capabilities that provide a reliable flow of products and services, the smooth functioning of governments at all levels, and society as a whole.

National Critical Infrastructure (NCI)
Critical infrastructure which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of Canadians or the effective functioning of governments in Canada.

National Critical Infrastructure Assurance
The expectations of Canadians that NCI will continue to function and that governments and private sector owners and operators will co-operate to guarantee the resilience and viability of NCI services.

National Critical Infrastructure Assurance Program (NCIAP)
The Government of Canada's proposed response to addressing the complex issues around national critical infrastructure protection, through the establishment of an agreed national framework for the provision of national level risk management and increased CIP capability. The goal of NCIAP is to provide assurance for service and function continuity of NCI in Canada by working through partnerships with all NCI stakeholders.

Risk
The possibility of loss, damage or injury. The level of risk is a condition of two factors: (1) the value placed on the asset by its owner/operator and the impact of loss or change to the asset, and (2) the likelihood that a specific vulnerability will be exploited by a particular threat.

Risk Assessment
A process of evaluating threats to the vulnerabilities of an asset to give an expert opinion on the probability of loss or damage and its impact, as a guide to taking action.

Risk Management
A deliberate process of understanding risk and deciding upon and implementing actions to reduce risk to a defined level, which is an acceptable level of risk at an acceptable cost. This approach is characterized by identifying, measuring, and controlling risks to a level commensurate with an assigned level.

Threat
Any event that has the potential to disrupt or destroy critical infrastructure, or any element thereof. An all-hazards approach to threat includes accidents, natural hazards as well as deliberate attacks.

Threat Assessment
A standardized and reliable manner to evaluate threats to infrastructure.

Vulnerability
A characteristic of an element of the critical infrastructure's design, implementation, or operation that renders it susceptible to destruction or incapacitation by a threat. (Synonym = weakness)