Cyber and Infrastructure Resilience Assessments

The Regional Resilience Assessment Program

The Regional Resilience Assessment Program (RRAP) is a vulnerability and dependency assessment program for owners and operators of critical infrastructure (CI) facilities within the 10 CI sectors in Canada. This program involves site assessments to help organizations measure and improve their resilience to all hazards in Canada, such as cyber threats, accidental or intentional man-made events, and natural catastrophes.

These site assessments are voluntary, non-regulatory, free-of-charge and confidential. Participants are asked to complete three 5-minute surveys on their experience with the program after the assessment is conducted.

How it works

The RRAP is comprised of four tools:

Critical Infrastructure Resilience Tool (CIRT) (1 day to complete)
  • An on-site, survey-based tool that measures the resilience and protective measures of a facility.
  • Outputs include a report and interactive dashboards that provide scores and peer comparisons, and highlight dependencies and resilience enhancement options for physical security, resilience, and cyber security.
Critical Infrastructure Multimedia Tool (CIMT) (1/2 day to 1 day to complete)
  • A virtual rendering of a facility based on floor plans. It features panoramic photographs of interior and exterior significant areas and can be shared with first responders and/or used in exercises.
  • Although doing so is at the discretion of the organization, we highly encourage sharing the CIMT with first responders so it can be used as a tool to prepare for, and respond to, emergency situations.
Canadian Cyber Resilience Review (CCRR) (1 to 1.5 days to complete)
  • An on-site, survey-based tool that measures the cyber security posture of an organization.
  • Outputs include two reports (brief and comprehensive) with scores across the 10 domains of the NIST Cyber Security Framework, peer comparisons, and resilience enhancement options.
Network Security Resilience Analysis tool (NSRA) (1 day to complete)
  • An on-site, technical analysis tool that provides device configuration remediation, and benchmarks cyber security networks against standards compliance.
  • Outputs include reports (brief and comprehensive) with network visualization, identification of critical attack risk pathways along with network device non-compliance identification and resilience enhancement options.

Both the CIRT and CCRR require the presence of individuals who are subject matter experts on facility security, IT, and facility management. Organizations can request each one of the tools individually or as a package. Use of all three tools typically takes three days. Post-assessment check-ups may be conducted with the organization up to 24 months after the assessment.

Organizations may also signal interest in participating in a broader regional assessment. These projects typically involve the Department working with multiple organizations in a particular region. Examining a specific hazard, the objective is to help identify key interdependencies, as well as opportunities to individually and collectively minimize the impact and likelihood of a disruption. During a regional assessment, the individual assessment tools are deployed alongside modelling tools, workshops, stakeholder meetings, and subject matter expert interviews.

How it helps your organization

Results from assessments are intended to help owners and operators enhance their resiliency by identifying dependencies and vulnerabilities within their organization. Site assessments also identify a series of optional, cost-effective measures to help owners and operators mitigate risks and improve their ability to respond to and recover from disruptions.

Specifically, the RRAP helps to enable:

Better risk management
  • Increases an organization's understanding of its physical and procedural vulnerabilities.
Strengthened government relationships
  • Enhances relationships with multiple government departments, including municipal level representatives such as first responders.
Improved cyber security awareness
  • Identifies how well an organization is prepared for cyber-attacks and other cyber threats.

Other key considerations for CI owners and operators:

Minimal investment of time and resources
  • RRAP service is quick and is offered at no cost.
Security
  • Public Safety Canada will protect the confidentiality of documents and information provided by owners and operators of CI.

Implementation of any or all resilience enhancement options and observations provided following an assessment is at the discretion of the owner/operator.

For more information or to request an assessment

For more information please see Frequently Asked Questions.

If you're a CI owner or operator, contact us to discuss the possibility of having an assessment of your facility. Members are also available to provide an interactive presentation to further explain the program and the products provided.

CI Talks: Regional Resilience Assessment Program

Transcript

Hello and welcome to CI Talks. Today we will be talking about Public Safety Canada's Regional Resilience Assessment Program. This video will guide you through the program and help you determine if its services are suited for your organization's needs.

The Regional Resilience Assessment Program, referred to as RRAP, conducts all-hazards site assessments to identify a wide range of vulnerabilities that can impact Canada's critical infrastructure sectors.

RRAP was established in 2012 and has conducted hundreds of assessments throughout the country, across all provinces and territories, and critical infrastructure sectors. Assessments are voluntary, non-regulatory, and free-of-charge. In addition, Public Safety Canada protects the confidentiality of information shared by owners and operators.

Now, let's turn to a quick overview of RRAP's assessments: the Critical Infrastructure Resilience Tool, the Critical Infrastructure Multimedia Tool, and Regional Assessment Projects.

The Critical Infrastructure Resilience Tool, referred to as the CIRT, is an on-site, survey-based tool. Its goal is to identify and document the overall resilience and security posture of a facility, and is based on an all-hazards approach.

The CIRT process consists of facilitated discussions with a team of Public Safety Canada critical infrastructure specialists and it takes a half to a full day to complete.

Once complete, you can expect to receive a report and dashboards that provide resilience scores relative to North American peers operating in similar sectors and industries. These products highlight a facility's security and resilience posture, third party dependencies, and provide insight that can help address gaps and challenges.

An on-line version targeted at smaller organizations, known as the CIRT self-assessment, is also available.

The next service offered by RRAP is the Critical Infrastructure Multimedia Tool, referred to as CIMT. The CIMT offers a virtual rendering of a facility based on floor plans. It's a digital product that features 360-degree panoramic imagery of interior and exterior areas. This can take anywhere from half a day to two full days depending on the size of the facility. Once the image capture process is complete, a digital product is assembled. This file can be displayed on a range of hardware, from mobile devices to desktops. Many recipient organizations opt to share their CIMT file with first responders so it can be used as a tool to prepare for, and respond to, emergency situations. This is at the discretion of the organization.

RRAP also offers broader regional assessment projects which go beyond the site specific tools.

The goal of these assessment projects is to generate greater understanding and action among public and private sector partners to improve the resilience of a region's critical infrastructure. Outcomes of these multi-year projects can include facilitated discussions, facility assessments, modeling and a report which seeks to: resolve infrastructure security and resilience knowledge gaps, inform risk management decisions, identify resilience-building opportunities and strategies and improve critical partnerships among stakeholders.

Now you know a little more about RRAP and how it can be of use. Benefits of working with RRAP include: better risk management by gaining or reinforcing the understanding of site vulnerabilities on the basis of rigorous methodologies used, informed decision-making using the interactive dashboard to see how specific investments can improve security or resilience, and establishing partnerships by starting or reinforcing relationships with multiple government actors, including first responders.

Thank you for watching. If you would like to learn more, please visit us at publicsafety.gc.ca or complete the participation form on our website to be considered for an assessment.

CI Talks: Critical Infrastructure Cyber Security Assessment Program

Transcript

Hello and welcome back to CI Talks. Today we will be talking about Public Safety Canada's Critical Infrastructure Cyber Security Assessment Program.

Managing organizational cyber security can be a daunting task, and ensuring the correct controls are in place to do so can be incredibly complex. Performing comprehensive cybersecurity assessments can be crucial when determining whether or not an organization is prepared to defend against potential malicious actors.

Public Safety Canada offers free, voluntary and non-regulatory cybersecurity assessments to support Canada's CI organizations in providing a better understanding of the organization's overall cyber security postures and ensuring that the appropriate security frameworks can be understood and developed to secure their vital systems.

In this talk we will discuss three cyber security assessments that are voluntary, non-regulatory, and delivered at no cost, to Canada's CI.

The Canadian Cyber Resilience Review, or CCRR, is a comprehensive, detailed survey facilitated by our assessment team, that evaluates operational resilience and cyber security capabilities of a CI organization.

The Canadian Cyber Security Tool, or CCST, is an easy-to-use, virtual tool designed for CI organizations to self-assess their cyber security technical and program resilience.

The tool takes less than an hour to complete and includes web links to approved industry standards and guidelines to provide further guidance and information.

Finally, the Network Security Resilience Analysis, or NSRA, is a technical analysis tool that provides device configuration remediation, and benchmarks cyber security networks against standards compliance.

The assessment team will spend a full day with representatives from an organization to assess their capacities and capabilities with regards to managing and securing their informational and operational technology.

When participating in any part of the Cyber Security Assessment Program, it is important that subject matter experts from across all areas of the organization are included in the process and consulted, as all assessments are designed to assess the programs and practices of an organization as a whole.

After organizations participate in any of the Cyber Security Assessments offered by Public Safety Canada, they will receive a detailed report of the findings as well as valuable guidance and information that organizations can implement to help increase the resilience of their critical systems. 

These three cyber assessments are intended to help Canada's critical infrastructure owners and operators enhance their resilience by providing advice and guidance to ensure that the proper mitigation steps can be taken.

The results of these assessments are also used by Public Safety Canada to understand the cyber security posture of Canadian CI industries, and to assist in tailoring the next generation of products and services to address the cyber security needs of Canada.

Organizations wishing to complete a cyber-assessment can find more information by visiting the Public Safety Canada webpage on Canada.ca, or contact Public Safety Canada's Cyber Partnerships team at: cyberassessments-evaluationscyber@ps-sp.gc.ca
