Cyber and Infrastructure Resilience Assessments
The Regional Resilience Assessment Program
The Regional Resilience Assessment Program (RRAP) is a vulnerability and dependency assessment program for owners and operators of critical infrastructure (CI) facilities within the 10 CI sectors in Canada. This program involves site assessments to help organizations measure and improve their resilience to all hazards in Canada, such as cyber threats, accidental or intentional man-made events, and natural catastrophes.
Onsite assessments are voluntary, non-regulatory, free-of-charge and confidential. Participants are asked to complete three five-minute surveys on their experience with the program after the assessment is conducted.
An online resilience self-assessment will be made available in late 2023 to early 2024.
If you have general questions about our program or are interested in any of the assessments, please fill out our online form.
How it works
The RRAP is comprised of four tools:
Critical Infrastructure Resilience Tool (CIRT) (1 day to complete)
- An on-site, survey-based tool that measures the resilience and protective measures of a facility.
- Outputs include a report and interactive dashboards that provide scores and peer comparisons, and highlight dependencies and resilience enhancement options for physical security, resilience, and cyber security.
Critical Infrastructure Multimedia Tool (CIMT) (1/2 day to 1 day to complete)
- A virtual rendering of a facility based on floor plans. It features panoramic photographs of interior and exterior significant areas and can be shared with first responders and/or used in exercises.
- The CIMT output can be shared with first responders for training and tactical purposes.
Canadian Cyber Resilience Review (CCRR) (1 to 1.5 day to complete)
- An on-site, survey-based tool that measures the cyber security posture of an organization.
- Outputs include two reports (brief and comprehensive) with scores across the 10 domains of the NIST Cyber Security Framework, peer comparisons, and resilience enhancement options.
Resilience Online Self-Assessment (at least 1 hour to complete – will be available in late 2023 to early 2024)
- An online tool that measures the resilience and protective measures of a facility. Users are encouraged to consult the different key employees responsible for safety and planning in your facility while answering.
- Based on the CIRT methodology.
- Output is a report of options for consideration with a general and a section-specific color-score measuring your resilience level. The report you receive after completing the Resilience Online Self-Assessment should be considered with your threat profile and facility operations.
Both the CIRT and CCRR should be completed by individuals who are subject matter experts on facility security, IT, and facility management. Organizations can request each one of the tools individually or as a package. Use of all tools typically takes three days. Post-assessment check-ups may be conducted with your organization up to 24 months after the assessment.
Organizations may also signal interest in participating in a broader regional assessment. These projects typically involve Public Safety working with multiple organizations in a particular region. Examining a specific hazard, the objective is to help identify key interdependencies, as well as opportunities to individually and collectively minimize the impact and likelihood of a disruption. During a regional assessment, the individual assessment tools are deployed alongside modelling tools, workshops, stakeholder meetings, and subject matter expert interviews.
How it helps your organization
Results from all our assessments are intended to help owners and operators enhance their resiliency by identifying dependencies and vulnerabilities within their organization.
Assessments also identify a series of optional cost-effective measures to help owners and operators mitigate risks and improve their ability to respond to and recover from disruptions.
Specifically, the RRAP helps to enable:
- Better risk management
Increases an organization's understanding of its physical and procedural vulnerabilities.
- Strengthened government relationships
Enhances relationships with multiple government departments, including municipal level representatives such as first responders.
- Improved cyber security awareness
Identifies how well an organization is prepared for cyberattacks and other cyber threats.
Other key considerations for CI owners and operators:
- Minimal investment of time and resources
RRAP service is quick and is offered at no cost.
- Security
Public Safety Canada will protect the confidentiality of documents and information provided by owners and operators of CI
Implementation of any/all resilience enhancements options and observations provided following an assessment are at the discretion of the owner/operator.
If you have general questions about our program or you are interested in any of the assessment, please fill out our online form.
For more information or to request an assessment
For more information please see Frequently Asked Questions.
If you're a CI owner or operator, contact us to discuss the possibility of having an assessment of your facility. Members are also available to provide an interactive presentation to further explain the program and the products provided.
To start the assessment process, please fill out our online form.
Regional Resilience Assessment Program
Transcript
Welcome to Public Safety Canada’s Regional Resilience Assessment Program.
This video will guide you through the program and help you determine if its services are suited for your organization’s needs.
The Regional Resilience Assessment Program, referred to as RRAP, conducts specialized facility assessments
to identify a wide range of vulnerabilities that can impact Canada’s critical infrastructure sectors.
What is critical infrastructure?
The Government of Canada defines it as processes, systems, facilities, technologies, networks, and services that are essential to the health, safety, security, or economic well-being of Canadians.
It is also essential to the effective functioning of government.
In Canada, critical infrastructure is categorized as the following 10 sectors: Energy and utilities, Finance, Food, Government,
Health, Information and Communication Technology, Manufacturing, Safety, Transportation, and Water.
Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories, and national borders.
Disruptions to critical infrastructure could result in catastrophic loss of life and adverse economic effects.
It’s in all of our interests to keep critical infrastructure safe and resilient from constantly evolving threats and hazards.
The RRAP was established in 2012 and has conducted hundreds of assessments throughout the country, across all provinces and territories, and critical infrastructure sectors.
It’s been designed to help address challenges ranging from physical security threats to natural hazards
Assessments are voluntary, non-regulatory, and free-of-charge.
In addition, Public Safety Canada protects the confidentiality of information shared by owners and operators in accordance with the Emergency Management Act.
Now, let’s turn to an in-depth overview of RRAP’s assessments: the Critical Infrastructure Resilience Tool, the Critical Infrastructure Multimedia Tool.
The Critical Infrastructure Resilience Tool, referred to as the CIRT, is an on-site, survey-based tool.
The goal is to identify and document the overall resilience and security posture of a facility, and is based on an all-hazards approach.
The CIRT contains questions that cover three general areas: Facility operations, emergency management, and business continuity,
Physical security, and Third party utility dependencies - such as water, wastewater, telecommunications, and electricity.
The CIRT process consists of facilitated discussions with a team of Public Safety Canada Critical Infrastructure specialists and it takes a half- to a full- day to complete.
Facility staff with an understanding in operations, emergency management, business continuity, security, IT, and building maintenance typically participate in these assessments,
although personnel can vary from site to site. Public Safety Canada specialists provide guidance on these logistics when organizing assessments.
Once complete, you can expect to receive a report and dashboards that provide resilience scores relative to North American peers operating in similar sectors and industries.
These products highlight a facility’s security and resilience posture, third party dependencies, and provide insight that can help address gaps and challenges.
The next service offered by RRAP is the Critical Infrastructure Multimedia Tool, referred to as CIMT.
The CIMT offers a virtual rendering of a facility based on floor plans. It’s a digital product that features 360 degree panoramic imagery of interior and exterior areas.
The CIMT process starts with floorplans that are usually provided to Public Safety Canada by the facility management.
Once shared, the RRAP team proceeds with a walk-through of the facility to capture imagery of its exterior and interior, while also ensuring to capture at risk areas.
This can take anywhere from half a day to two full days depending on the size of the facility.
One facility staff member is typically required to guide the Public Safety Canada team as it captures imagery of the site.
Once the image capture process is complete, a digital product is assembled. This file can be displayed on a range of hardware, from mobile devices to desktops.
Many recipient organizations opt to share their CIMT file with first responders so it can be used as a tool to prepare for, and respond to, emergency situations.
This is at the discretion of the organization.
As this requires photography of the site, Public Safety Canada can only offer this service in-person.
The previous tool, the CIRT is usually administered simultaneously with the CIMT for efficiency purposes. The combined assessment can take from one to two days to perform.
Now you know a little more about RRAP and all the services that Public Safety Canada can offer.
Not only do these services offer a wide-range of assessments, benefits of having your organization evaluated include:
Better risk management by gaining or reinforcing the understanding of site vulnerabilities on the basis of rigorous methodologies used.
Information decision-making using the interactive dashboard to see how specific investments can improve security or resilience.
And establishing partnerships by starting or reinforcing relationships with multiple government actors, including first responders.
96.3% of program participants believe there is a continued need for this program.
97.6% take action to increase resilience or physical security due to an assessment.
Here are a few testimonials from satisfied clients:
“I take care of emergency response and security as part of other disciplines. This assessment really helped me understand what to look for and what needs improving. I enjoyed it and have passed on the info regarding the assessment to others.”
“The entire RRAP process was beneficial. The discussions and information exchange during the facility walkthrough helped us confirm our understanding or identify areas for improvement.
Overall the process was simple, straightforward, and informative. I would encourage all CI sectors to take part in the RRAP for their benefit and for the benefit of CI in Canada.”
“The program is great and is something we had been looking for since we started doing vulnerability assessments.”
“Would refer other government organizations and certainly encourage them to partake in this.”
Thank you for watching. If you would like to learn more, please visit us at publicsafety.gc.ca
or complete the participation form on our website to be considered for an assessment.
- Date modified: