|
|
|
|
|
Number: TA03-001
Date: 12 March 2003
|
|
|
|
Threats to Canada's Critical Infrastructure
Purpose
The purpose of this paper on Threats to Canada's Critical Infrastructure
is to provide a taxonomy of the natural, accidental and malicious threats
that have been identified as those most likely to impact upon Canada's national
critical infrastructure. The paper will aim to provide informed forecasting
for the relative probability of these threats and hazards.
Audience
This report is primarily intended to provide owners and operators of Canadian
critical infrastructure (CI) with baseline information regarding potential
threats to their networks and systems. Owners and operators are the acknowledged
experts with regard to the vulnerabilities they confront, but many have
indicated that there is a lack of credible information regarding threats.
Emergency managers in the public and private sectors could also employ
this report to enhance their understanding of the variety of threats and
hazards which the Government of Canada is addressing.
Finally, policy makers at all levels of government may use the paper
as a jumping-off point to examine threats and vulnerabilities in CI sectors
within their constituencies.
Note: For the purposes of this paper the terms
"threats" and "hazards" will be used interchangeably
to describe the independent variables which affect existing vulnerabilities
to produce risk/disaster scenarios.
Click here to download full text of report in
PDF
Executive Summary
- Canada is growing increasingly dependent upon the collection of products
and services that make up our domestic critical infrastructure (CI)
network. Those sectors, in turn, are becoming increasingly interdependent,
as telecommunications and cyber elements continue to underwrite them.
These two factors combined make us more vulnerable to threats from natural,
accidental and malicious threats to our CI.
- Risk is assessed as a combination of threat (expressed as the probability
that a given action, attack, or incident will occur), vulnerability
(expressed as the probability that a given attack, or vulnerability
will succeed, given that the action, attack or incident occurs), and
consequence (expressed as some measure of loss, such as dollar cost,
resources loss, programmatic impact, etc.). The total risk of operating
a system is assessed as a combination of the risks associated with all
possible threat scenarios. Risk is reduced by countermeasures. However,
the cost of countermeasures (relative to the potential risks) is applied
when arriving at any holistic risk management strategy.
- Four factors contribute to Canada's vulnerability to the broad spectrum
of threats. First, Canada's population, built environment, and wealth,
are increasingly concentrated in a small number of highly vulnerable
areas and many such communities are at risk from multiple hazards. Second,
climate change could increase the frequency and severity of extreme
weather events. Third, Canada's built environment is aging and is more
susceptible to damage. Fourth, communities are increasingly more reliant
on advanced technologies that are frequently disrupted during disasters.
- Traditionally, the Canadian government has viewed infrastructure protection
in the context of physical security and the protection of physical assets.
The basis of this activity was the Vital Points Programme (VPP), established
in 1938 to identify and protect facilities and services critical to
the national interest. The Government of Canada's ability to gauge threats
to CI has traditionally been contingent upon an ability to evaluate
the intent of an actor, coupled with their capability to carry out a
deliberate action. This process was significantly easier when dealing
purely in the physical realm. However, with the advent of cyber-based
threats, threat agents are diffuse in nature, and the capacity to inflict
significant damage is readily available and relatively easy to use by
those with even a cursory knowledge of and ability with computer technologies.
- The ongoing phenomenon of climate change is altering our capacity
to effectively manage the risks associated with natural disasters. Moreover,
it is affecting Canada in particularly distinct ways. In the past 10
years, Canada has faced the greatest increases in average annual temperatures
of any country, and a commensurate rise in severe weather-related natural
disasters. Associated with these shifts has been an increased occurrence
of phenomena such as severe storms, floods, droughts and forest fires.
Natural Hazards Threats to Canadian
CI
- Natural disasters have accounted for 69.9 percent of all disasters
in Canadian history. Flooding has been, by far, the greatest cause of
disasters in Canada in the 20th century, followed by severe storms.
- Geomagnetic storms, earthquakes, forest fires, tsunamis and health-related
epidemics all represent significant natural hazard threats to Canadian
CI.
- In recent years, the death toll due to natural disasters in Canada
has decreased, while the economic costs of the damage has increased.
The trend is possibly the result of two divergent factors. The response
to natural disasters has become more sophisticated and better coordinated
among all the partners, while the cost of securing our domestic infrastructure
has risen greatly as the Canadian CI network becomes more complex and
interconnected.
- Trends in the number of annual natural hazard-related threats should
continue along an upward trend.
Accidental Threats to Canadian CI
- Accidents are, by definition, unforeseen. It is, therefore, difficult
to predict future trends in accidents involving the critical infrastructure.
- Accidents involving CI generally involve human-error, mechanical failures
and computer programming errors.
- With the increased scrutiny in both the public and private sectors
on critical infrastructure protection and business continuity planning,
accidental threats to CI are less likely than ever before. CI robustness
has been reinforced in virtually all sectors, and where the primary
infrastructure has been deemed vulnerable, redundancies have been built
in. These measures have made most CI sectors less prone to the negative
impacts of accidents on CI facilities and networks.
- The negative impact resulting from accidents involving CI elements
should continue along a downward trend.
Malicious Threats to Canadian CI
- Infrastructure has long been a target for malicious attack, whether
for criminal, military or political purposes.
- There are a range of actors, employing a range of tools (from conventional
weapons, weapons of mass destruction - including chemical, biological
radiological and nuclear agents, to cyber tools) who have displayed
a willingness to engage in malicious activity directed to cyber and
physical CI.
- The September 11 attacks have served to heighten our awareness of
the threats to, and potential vulnerabilities within, Canada's physical
and cyber infrastructure (and the nexus points where the two interconnect).
- Cyber crime and the criminal and terrorist use of information technology
are significant issues for law enforcement. A sophisticated information
infrastructure, a large pool of potential hackers within the country
and heavy reliance on computer-based CI are all factors in making computer-based
crime a serious threat to Canada. However, currently there is a limited
ability on the part of federal and provincial government departments
and agencies to collect, collate, analyze and synthesize the modest
amount of substantive qualitative information on actors, their actual
and potential capabilities, intended targets, and recorded attempts
to penetrate or attack assets or systems.
- The Water, transportation and oil pipeline systems make appealing
targets, given their diffuse nature and the difficulty of effectively
protecting them from attack.
- In spite of attempts to secure these systems, the threat of a malicious
attack on CI could increase. Canadian society relies on these networks,
services and systems to increasing degree, thus making them ever more
attractive targets.
- Responsibility for emergency measures, including CIP, in Canada is
shared among all three levels of government. The federal government
provides national leadership and coordinates the overall CIP effort.
Those agencies with mandates that incorporate CIP are listed in Annex
A
Note to Readers
Public Safety and Emergency Preparedness Canada (PSEPC) collects information
related to cyber and physical threats to, and incidents involving, Canadian
critical infrastructure. This allows us to monitor and analyse threats and
to issue alerts, advisories and other information products. To report threats
or incidents, please contact the PSEPC Government Operations Centre (GOC)
at (613) 991-7000 or opscen@ocipep-bpiepc.gc.ca
by e-mail.
Unauthorized use of computer systems and mischief in relation to data are
serious Criminal Code offences in Canada. Any suspected criminal activity
should be reported to local law enforcement organizations. The RCMP National
Operations Centre (NOC) provides a 24/7 service to receive such reports
or to redirect callers to local law enforcement organizations. The NOC can
be reached at (613) 993-4460. National security concerns should be reported
to the Canadian
Security Intelligence Service (CSIS) at
(613) 993-9620.
Links to sites not under the control of the Government of Canada (GoC) are
provided solely for the convenience of users. The GoC is not responsible
for the accuracy, currency or the reliability of the content. The GoC does
not offer any guarantee in that regard and is not responsible for the information
found through these links, nor does it endorse the sites and their content.
|
|