Bill C-26 & the Industry Shift: Protection, Progress & Possibilities

CRIN hosted a discussion on May 21 focused on the transformative impact of Bill C-26 on Canada’s critical infrastructure.

Nannette Ho-Covernton, engineer, sustainability leader, and Executive Director of the ETC Foundation at the Energy Transition Centre, hosted the conversation with Jeff Brown, a solution leader for Fortinet Operational Technology and Critical Infrastructure, a global leader in cybersecurity solutions.

Bill C-26, Protecting Canada’s Critical Infrastructure, completed third reading in the previous session of Parliament and is expected to return to the House of Commons for amendments.

“You’re going to see a lot of changes happening” in terms of cybersecurity regulations once Bill C-26 passes, Brown said. He recommended getting a cybersecurity program in place as soon as possible.

Among the bill's impacts, legal liability for cybersecurity will fall on executives and directors of governments, public companies, private companies, and corporations. Bill C-26 includes the enactment of the Critical Cyber Systems Protection Act (CCSPA), which will affect telecom services, transportation (air, rail, road, and sea), power and pipelines, nuclear energy, banking systems, and clearing systems.

Brown outlined the following essential controls to secure Operational Technology (OT) environments:

  • Zones and conduits (or segmentation)
  • Secure remote connectivity
  • Deep OT visibility
  • Role-based access control
  • Endpoint security
  • NOC/SOC
  • Advanced persistent threat

His five-step guide to OT network segmentation is:

  • Build an IT/OT team
  • Map your network
  • Design your segmentation plan
  • Deploy your plan
  • Enhance, maintain, and train

He also shared some secure remote access best practices:

  • Implement zero trust (never trust, always verify)
  • Update remote access tools
  • Continuous monitoring and network visibility
  • Strong security policies and procedures
  • Enhance user awareness and training

View the presentation slides here and the recording of the event here.