Discussion Paper and Questions
You may download a copy of this the discussion paper, including all survey and ideas board questions, glossary and FAQs, here.
The purpose of this consultation is to collect input, advice, and ideas to renew the National Strategy for Critical Infrastructure and Canada’s overall approach to critical infrastructure resilience.
Background and Context
Canada’s 2009 National Strategy for Critical Infrastructure (National Strategy) was developed to build a safer, more secure, and resilient Canada. The National Strategy establishes a national vision for protecting critical infrastructure (CI) through information sharing, public-private sector partnerships, and a commitment to an all-hazards risk management approach. The National Strategy identifies ten CI sectors: energy and utilities, finance, food, government, health, information and communication technology, manufacturing, safety, transportation and water.
As part of the commitment set out in the National Cross Sector Forum 2018-2020 Action Plan for Critical Infrastructure, Public Safety Canada examined the National Strategy to assess its relevance, and concluded that a renewed approach to CI is needed. COVID-19 has also exposed areas of weakness, such as limited national stockpiles of critical medical supplies (e.g., Personal Protective Equipment) and the vulnerability of some critical supply chains to major disruption. These weaknesses have highlighted the need to reassess whether the National Strategy has really captured the full breadth of critical infrastructure or essential services that ensure the safety, security, health, and economic well-being of Canadians.
The National Strategy renewal is an opportunity to shed light on what is going well, what needs to be improved, and what our vision for the future should be.
Through meaningful engagement with CI stakeholders, a renewed strategy and overall approach to CI resilience will be created that:
- Modernizes the understanding and definition of CI, particularly regarding the degree to which CI assets and systems rely on one another.
- Prioritizes the most critical infrastructure while recognizing that what is considered critical can change based on circumstances; and
- Supports CI stakeholders in managing the risks associated with complex and changing threats.
Key Considerations for National Strategy Renewal
Canada’s CI faces a range of evolving threats and pressures as it delivers goods and services each day, contributes to Canada’s economic prosperity, and maintains essential services. Increasingly, CI must cope with cyber security risks, environmental risks, and security threats. A renewed National Strategy must support CI to address these challenges.
Digitalization of Systems and Processes
The use of digital systems to operate physical infrastructure, from water treatment plants to agricultural equipment, has enabled better service delivery to Canadians. However, the use of electronic and internet-enabled systems has also created vulnerabilities. The Canadian Centre for Cyber Security (CCCS) found that cyber threat actors are targeting CI to undermine public safety and national security, and that more than half of reported cyber-attack victims in 2021 were CI owners and operators.
Cyber-attacks on CI can have damaging consequences. An attack on a Newfoundland and Labrador health care system in 2021 resulted in cancelled appointments, surgeries, and other medical procedures. Cyber-attacks in allied countries have resulted in poisoned drinking water, power outages, and internet service disruptions. Malicious actors, both international and domestic, are developing new strategies to disrupt infrastructure services, steal personal data, spy on governments, and exploit Canadians.
Canada’s climate is changing, which is affecting CI in multiple and complex ways. Increasingly frequent, intense, and unpredictable floods, fires, earthquakes, and other disasters are wearing down physical infrastructure across the country. As a result, buildings, roads, railways, and other infrastructure are aging prematurely and are increasingly at risk of catastrophic failure. For Canadians, communities, and organizations that deliver critical services, emergency management efforts have become more important and complex. The 2021 floods in southern British Columbia are an example of how extreme weather can result in cascading failures across multiple CI systems. The floods, which were likely compounded by the summer 2021 wildfires, destroyed multiple highway segments and rail lines, and rendered the Port of Vancouver nearly inaccessible. As a result, the flow of goods and people in the region was effectively halted. In addition, many farms were flooded, destroying machinery and other infrastructure, and resulting in the death of many livestock. Utilities were also affected for several weeks. The wastewater treatment plant in the City of Merritt experienced a complete failure, causing the evacuation of its entire population. The insured damages of the 2021 BC floods have been preliminarily estimated at $450 million, and lost economic output has been estimated to be between $250 and $400 million.
Terrorism, violent extremism, organized crime, and intellectual property theft are all security threats to Canada’s CI. For example, melting sea ice is generating renewed interest in Canada’s Arctic resources on the part of states hostile to Canada. This poses a threat to northern CI. Canada’s Arctic and Northern Policy Framework highlights the threat to the region, noting that there is “…growing international interest and competition in the Canadian Arctic from state and non-state actors who seek to share in the region's rich natural resources and strategic position. This comes at a time where climate change, combined with advancements in technology, has made access to the region easier.”
Security threats to Canada’s CI can also be domestic in nature. A recent example are the blockades at multiple border crossings and the occupation of the City of Ottawa, which led to the federal government’s declaration of a public order emergency under the Emergencies Act. At the time of writing, it was estimated that between $3 and $6 billion in goods did not cross the border due to the Ambassador Bridge blockade. The total financial impact is likely larger, since supply chain disruptions can halt manufacturing. For instance, Ford Canada was forced to scale back production in its Oakville and Windsor, Ont. facilities. Furthermore, the occupation of the City of Ottawa endangered public safety, since parked trucks impeded the ability of emergency vehicles to freely travel through the downtown core. In addition, emergency service lines (911) were overwhelmed by false calls from protestors and their supporters.
CI resilience is essential to Canada’s long-term economic prosperity. Resilient and dependable CI drives growth by creating jobs, improving productivity, and enabling business confidence, which in turn leads to increased investments and the creation of new economic opportunities. Infrastructure Canada’s recent report, Building Pathways to 2050 – Moving Forward on the National Infrastructure Assessment, noted that the overall value of publicly and privately owned infrastructure to the Canadian economy “has grown to over $900 billion over the last decade, equivalent to about 46 percent of [Gross Domestic Production] GDP. It plays a massive role in the country’s success”.
Much of Canada’s CI is aging. The 2019 Canadian Infrastructure Report Card states that 30 to 40% of public infrastructure, such as roads and bridges, and water infrastructure, are in poor to very poor condition. Governments have consistently struggled with planning, prioritizing investments, financing new, and maintaining existing infrastructure. Support is required to close the infrastructure gap between its current state and Canada’s future needs. Dependable and effective CI—able to withstand threats—is necessary to foster investment and innovation to develop new technologies and applications. Ensuring that physical and cyber systems are secure and resilient is an important competitive advantage which signals that Canada is a reliable, credible, and attractive place to do business.
Discussion Paper Questions
Please note: The information provided in this consultation is collected for Public Safety Canada’s renewal of the National Strategy for Critical Infrastructure in order to inform a modern approach for Canada’s most vital assets and systems. Please do not provide any personal information or personal opinions in your responses that could identify you or another individual.
1. CI Definition and Sectors
The 2009 National Strategy defines CI as:
the processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects, and significant harm to public confidence.
The National Strategy identifies ten CI sectors:
- energy and utilities
- information and communication technology
The definition and associated list of ten sectors provide a nationally agreed upon understanding of CI, and form the basis for CI engagement with the federal government. Representatives from the ten sectors are invited to participate in regular cross-sector meetings, workshops, and other CI-related events. The definition and ten sectors were also used to develop the Guidance on Essential Services and Functions in Canada During the COVID-19 Pandemic. However, the ten sectors may not capture the full range of Canada’s CI.
Other countries have sector lists that are broadly consistent with the ten Canadian sectors. Some notable differences can be found in the US, for example. They include Commercial Facilities sector that comprises of places of mass gathering and leisure, and a Public Works sub-sector of the Emergency Services sector, which refers to the combination of physical assets, management practices, policies, and personnel necessary for government to provide and sustain structures and services. Commercial Facilities and Public Works are not considered CI under Canada’s sector configuration. Additionally, the US includes a National Monuments and Icons sub-sector in its Government Facilities sector, which are also not considered CI in Canada. Other countries with key differences include Australia, whose 11 sectors include a Higher Education and Research sector, and a Space Technology sector, both of which are not included in the Canadian sectors. The United Kingdom and France also include Space as a distinct CI sector.
1a) Does the current definition of critical infrastructure adequately capture the essence of critical infrastructure?
1b) If you think the definition of CI should be updated or changed, please explain how.
1c) Canada’s critical infrastructure is currently categorized into ten sectors. Do these adequately represent the breadth of CI in Canada?
1d) Are there CI sectors that are missing? If so, which ones? (select all that apply)
- Space (including ground-segment infrastructure that supports space activities, i.e., GNSS, PNT systems)
- Academic Institutions/ Higher Education and Research
- Natural/Green Infrastructure
- National Monuments (and other symbolic infrastructure)
- Commercial Facilities (i.e., places of mass gathering and leisure like stadiums and shopping malls)
- Democratic Institutions
- Community Infrastructure
- Other (please elaborate)
1e) Please provide reasoning for the addition or removal of critical infrastructure sectors
Critical infrastructure is highly interdependent; all sectors rely on one another to deliver the goods and services that Canadians need. This means that CI failure in one sector can have multiple impacts across other CI sectors. For instance, in January 1998, an unprecedented ice storm hit southwest Québec, east Ontario, and southern New Brunswick and Nova Scotia. Ice accumulations caused electrical transmission lines to collapse, which led to largescale electrical network failures. These triggered failures in telecommunications, transport, banking and financial systems, and drinking water. Power outages also led to the deaths of livestock, since farmers could not provide water or ventilation to their barns. Approximately 4.7 million people experienced power outages (some lasting for 32 days), 30 people died, and it is estimated that the disaster cost $3 billion in Québec alone.
Additionally, Canada’s CI is interdependent on global CI that produces and ships goods and services like medicine and fertilizer. International trade allows Canadian CI to access supplies that are not, or cannot, be produced domestically. However, a trade dispute, international conflict, transportation issue, or disruptions in another country could impact the ability of Canada’s CI to acquire important products and services.
Some of Canada’s CI sectors and systems are more interdependent than others. For example, as many CI become more digitalized, they increase their dependence on information and communications technologies (ICT) to communicate, pay bills, and operate their systems. An ICT disruption could have far-reaching consequences on the ability of many CI sectors to deliver essential services. Similarly, electrical power outages can result in failures across multiple CI systems, as so many depend on the Energy and Utilities sector for their daily operations.
2a) How could the government support owners and operators of CI to better understand their interdependencies? (select all that apply)
- Education and training
- Guidance documents
- Modelling tools
- Impact assessments
- Other (please elaborate)
- I don’t know
2b) Do you have firsthand experience or examples of recurring pain-points related to interdependencies within your sector or area of expertise? Please elaborate.
3. Designating Vital Critical Infrastructure
By understanding what CI sectors are most vital, governments can help to protect these systems and assets that are important to the well-being of citizens. Canada’s current National Strategy, however, does not list or identify specific CI assets, businesses, systems, or other entities. There is a wide scope of what may be considered CI in Canada, and no existing analytical model for prioritizing or distinguishing one type of CI as more vital than another.
Identifying the most vital CI systems or assets could enable all levels of government to prioritize resources to protect and restore the most vital CI. Depending on the situation, this prioritization might include clearing roads after an ice storm or protecting water treatment facilities before a flood. Governments could also offer incentives, allocate resources, and implement standards and regulations on the most vital CI. Establishing standards and regulations for vital CI would enhance the overall resilience of Canada’s CI. Some countries take this approach by listing or designating specific businesses, organizations, or assets as CI. Entities that are designated as vital CI may be subject to service standards, information sharing requirements, or other regulations. In New Zealand, for example, any entity that supplies water, electricity, or telecommunications services is designated a lifeline utility in the Civil Defense Emergency Management Act 2002. The operators of specific ports, airports, and other infrastructure are also designated lifeline utilities. Lifeline utilities must, for example, participate in the development of the national civil defence emergency management strategy and civil defence emergency management plans. In the United States, the Cyberspace Solarium Commission’s 2020 report recommended regulating systemically important critical infrastructure to address the increasing need to identify and protect of the most critical (or vital) of critical infrastructure. A facility, system, or asset is considered “systemically important” if a threat event would result in:
- Interruptions of energy, water, electricity, or emergency services that could cause mass casualties or evacuations.
- Disruptions in financial markets, transportation systems, and critical technology services that could cause catastrophic damage to the economy.
- Degradation of defense, aerospace, military, intelligence, and national security capabilities.
- Widespread compromise or malicious intrusion of the cyber ecosystem.
Identifying vital CI is very challenging, as the role and importance of infrastructure can vary by region, and over time, and there are many factors to consider. For example, a small airport in a fly-in community will be more critical to residents than a small airport in a city where other transportation options are available. Identifying vital CI in advance of an emergency helps governments to ensure the safety and security of Canadians in both non-emergency and emergency situations.
3a) Should criteria be developed to identify and prioritize the most vital CI sectors, organizations, and/or assets?
3b) What factors would you take into consideration to identify the most vital CI? If you used a methodology employed by your organization to prioritize its critical assets or services, can you please identify it?
3c) Should the most vital CI be designated? Please explain your answer.
4. Incentives and Obligations to Ensure Resilience
When a natural disaster, pandemic or cyber threat strikes, it can impede the ability of CI to provide life-sustaining essentials, like clean water, electricity, and medical procedures. Recognizing the importance of CI and the threats they face, some countries require CI owners and operators to meet regulatory requirements to ensure security across sectors.
For example, in Australia, approximately 165 CI organizations are required to provide ownership information to help the government monitor ties between CI and hostile foreign governments. Some organizations must also report cyber security incidents to the Australian Cyber Security Centre within a specific time frame. In some circumstances, government assistance is provided to help organizations respond to cyber security incidents. Furthermore, Australia is designing industry-specific requirements for a risk management program that will require CI to assess and report on the hazards to their assets. In New Zealand, CI lifeline utilities are legally required to develop emergency management plans and to submit them to the government upon request. In the United States, the Cyberspace Solarium Commission’s 2020 report recommended the concept of systemically important critical infrastructure (SICI) be codified into law. Entities responsible for the most important critical systems and assets in the U.S. would be granted special assistance (financial support, intelligence sharing, and liability protection) and would assume increased responsibility for additional security requirements, such as meeting certain performance standards and obligatory incident reporting.
In Canada, infrastructure, businesses, and other organizations are regulated on an industry-by-industry basis. There are no cross-sectoral obligatory requirements or additional benefits in place to ensure the resilience of CI more broadly. Canada’s current CI approach is based on voluntary information sharing and participation in emergency exercises, workshops, and other engagements.
4a) If certain CI are designated as vital, what incentives should be offered to help vital CI owners and operators meet their obligations?
4b) If certain CI are designated as vital, should those responsible for them be subject to additional obligations to ensure their continued resilience?
4c) What obligations should be required of CI owners and operators who are designated as vital CI? (select all that apply)
- Providing ownership information
- Reporting on business continuity and emergency management plans
- Reporting on cyber practices
- Other (please elaborate)
5. Support to the CI Community
Each level of government (federal, provincial, territorial, municipal, and Indigenous) offers programs, incentives and supports to help CI owners and operators enhance their resilience. At the federal level, lead departments offer support programs specific to their sectors. In addition, Public Safety Canada offers a variety of CI-focused products and services to help private sector stakeholders, other federal departments, and provincial/territorial and municipal governments improve preparedness and support emergency management. Various networks (described in the following section) also foster partnerships across all CI sectors.
Although there are many forms of tools and guidance, CI owners and operators are not always aware of the services available to them. To better support the CI community, other countries have created CI centres as a single, trusted source for information, tools, and other resources. For instance, the United States Cybersecurity and Infrastructure Security Agency (CISA) is the main point of access for CI from all sectors to increase their resilience against all hazards. CISA provides guidance and training on natural disasters, cyber security, pandemics, and other threats. It also coordinates emergency responses, issues threat warnings, and supports collaboration in the CI community.
Canada has funded research and development contributing to the resiliency, reliability, and protection of Canada’s physical and information technology (IT) facilities, networks, and services. This includes grants and contributions for Research & Development in the fields of cyber security, climate change adaptation, emergency management, and emerging technologies.
5a) Where does your organization go when it is in need of support? (select all that apply)
- Province or territory
- Federal government
- Industry association
- Other (please specify)
5b) What supports do you think are lacking? (Please explain)
6. CI Community Collaboration
Many engagement opportunities exist to help the CI community share information on risks, threats, and vulnerabilities, and best practices. These engagements are effective mechanisms for exchanging important information, subject-matter expertise, and for building relationships within and across sectors.
The National Cross Sector Forum (NCSF), established by the current National Strategy, meets semi-annually and brings together senior CI leaders from industry and federal, provincial, and territorial governments across the ten sectors. It is a key opportunity for the CI community to collaborate on all-hazards and cross-sector issues. It serves to set priorities, discuss emerging issues, and identify cross-sector interdependencies. The Multi-Sector Network (MSN) engages working-level representatives from across the ten CI sectors (including provinces, territories, and international partners), to promote information-sharing and collaboration.
These collaborative working groups, instituted under the National Strategy, have been successful in developing and maintaining the CI community. However, some gaps in representation have been identified. For example, while municipal governments are responsible for operating and maintaining key CI, such as roads and drinking water infrastructure, they are not represented within the NCSF or MSN. Indigenous communities are also currently not represented in either network. In addition, while CI sectors themselves have established mechanisms for collaboration across industries (e.g., councils, associations, and boards), these entities were not designed for broad, multi-sectoral collaboration and exchange. Furthermore, the COVID-19 crisis has demonstrated that collaboration between government and industry stakeholders is a model that makes good sense. Partnership enables the key elements for resilience: communication, planning, risk assessment, and operational activities, including incident response and recovery. Networks can also be leveraged to get threat information out quickly to members when required.
6a) How could collaboration be enhanced? (please elaborate for each selected response)
- More active collaboration within your respective sector network (e.g., energy sector, ICT sector, etc.)
- More partnership building and networking across sectors
- Partnership building across different levels of government and the private/industry sectors
- Establishment of themed cross-sector working groups or forums (e.g., supply chain disruption / cyber-security / event or risk-based)
- Diversifying the CI stakeholder base (e.g., including municipalities, Indigenous representatives, academia, others?)
- More networking opportunities
- More communication products
- Other (please specify)
7. Objectives for a Renewed Approach to CI
The 2009 National Strategy for Critical Infrastructure was based upon the three objectives listed below. A renewed approach to CI could keep these as is, build upon them, or propose additional objectives.
- Build partnerships. The National Strategy established sector networks for each CI sector and the National Cross-Sector Forum (NCSF) to bring together stakeholders from across the CI community. These networks and the NCSF meet to identify issues of national, regional, or sectoral concern, share guidance on challenges, and develop tools and best practices to strengthen the resilience of CI.
- Implement an all-hazards risk management approach. Risk management refers to the continuous process to understand, manage, and communicate risks, threats, vulnerabilities, and interdependencies across the CI community. The CI community must work together to conduct all-hazards risk analyses that take into account accidental, intentional, and natural hazards.
- Advance the timely sharing and protection of information among partners. Information on threats and vulnerabilities must be shared in a timely fashion for effective action to be taken. At the same time, sensitive information must be protected in the interest of national security.
7a) Please list the objectives in order of importance (1 to 3)?
Implementing an all-hazards risk management approach
Advancing the timely sharing and protection of information among partners
7b) Should these objectives remain unchanged, or are adjustments/new objectives required?
7c) What adjustments would you propose?
8. Broad Remarks
8) Do you have any remaining feedback for a renewed strategy and approach to CI?
9. Survey Satisfaction Question
9) Do you have any feedback on the consultation process? Would you suggest different ways to gather input?
Ideas Board Questions
The following section addresses three themes that were not part of the Survey: Governance, Evaluation, and Academic involvement.
1. Governance structure for prioritizing critical infrastructure issues across jurisdictions
Each level of government in Canada has distinct roles and responsibilities related to each CI sector. Governments have various departments and agencies with distinct mandates related to the operation and resilience of different CI sectors (e.g., health, finance, energy).
There is currently no intergovernmental governance structure in place to guide a coordinated and harmonized approach to prioritizing CI issues across jurisdictions, or to address new issues as they arise. Emergency management, cyber security, and national security each have distinct and established decision-making bodies, which are usually comprised of senior level federal, provincial and territorial government officials. Governance, roles, and responsibilities are often categorised based on sectors or hazards. For example, federal decision-making related to CI resilience is assigned to various lead federal departments (e.g., Transport Canada for transportation-related CI) or other federally regulated bodies (Boards, Agencies, Commissions).
In Australia, there are three levels of CI advisory and consultation bodies. The CI Advisory Council (CIAC), which advises the Minister for Home Affairs on the government’s approach to critical infrastructure resilience, consists of the sector chairs and federal, state, and territorial representatives. There is currently no multi-jurisdictional governance structure similar to the CIAC in Canada. The CIAC also oversees the Trusted Information Sharing Network (TISN). The TISN’s role is to share information (e.g., threat briefings, exercises, and teleconferences on issues of concern), present current and emerging issues to CIAC for consideration, and contribute to policy development and implementation. It consists of private and public sector CI officials. Lastly, the Resilience Expert Advisory Group (REAG) includes industry, academia, the TISN and federal, state and territorial representatives. The REAG advises the TISN and CIAC on the practical dimensions of organizational resilience and to adopt an organization resilience approach to business.
How can all levels of government create a more coordinated and harmonized governance model that would keep CI resilient against all hazards?
2. Evaluating the National Strategy
The Organization of Economic Cooperation and Development’s (OECD) Policy Toolkit on Governance of Critical Infrastructure Resilience identified the need for accountability and monitoring of the implementation of CI resilience policies as a best practice. Internationally, many countries measure the implementation of CI policies and undertake reviews of CI sectors to ensure resilience and compliance with applicable regulations.
Currently, Canada does not have measures in place to evaluate the collaborative, non-regulatory objectives of the National Strategy, nor the results of its supporting Action Plans. A clear evaluation framework is necessary to measure the security and resilience of Canada’s CI and the effectiveness of a renewed National Strategy.
What is the best way to measure the resilience of critical infrastructure?
How might the federal government measure the effectiveness of a renewed National Strategy?
3. Academic Research and Expertise to Support the Critical Infrastructure Community
The National Strategy currently does not have a formal engagement mechanism with academia and the scientific community to leverage their research and expertise. Engagement therefore occurs in an ad-hoc manner, instead of through formal networks like the National Cross Sector Forum (NCSF).
Stronger, formalized partnerships with academia and think tanks that study issues related to CI security and resilience (e.g., infrastructure protection, climate change, digital infrastructure, cyber security, economic security, business continuity, and emergency management) could provide valuable advice to Canada’s CI leadership. Some lead federal departments have created engagement and funding mechanisms to leverage the expertise of academics in their sector. For instance, Natural Resources Canada’s Cyber Security and Critical Energy Infrastructure Program funds research to enhance the cyber security and resilience of domestic and cross-border energy infrastructure, in support of Canada’s National Cyber Security Strategy.
Other countries leverage academic expertise in a coordinated manner. For instance, the United States Department of Homeland Security (DHS) Science and Technology Department (S&T) created Centers of Excellence (COE) that provide guidance, information, and tools to support the broader CI community. An example of a current COE is the Critical Infrastructure Resilience Institute (CIRI) at the University of Illinois. The CIRI is focused on research and education on the resilience of CI. Over 17 universities are partners of the CIRI, along with multiple industry partners from across the country.
Can academia play a more formal role under the National Strategy? If so, how can public and private sector CI stakeholders partner with academia and other subject matter experts to leverage their insight?
4. Open Question
Did we miss anything? Are there any issues pertaining to the National Strategy Renewal that you would like to raise with us?