As geopolitical instability accelerates cyber threats to critical infrastructure (CI), the Canadian Centre for Cyber Security (Cyber Centre) has designed the Critical Infrastructure Resilience and Escalated Threat Navigation (CIREN) initiative to drive immediate preparedness across organizations to reinforce and protect Canada’s sovereignty and essential services.
The evolving threat landscape is compounded by risks from artificial intelligence (AI). With rapid advancements in AI, the ability to automate vulnerability discovery and exploitation also expands and can increase the scale, speed and impact of cyber incidents.
State-sponsored cyber threat actors are very likely targeting CI networks in Canada and allied countries to pre-position for possible future disruptive or destructive cyber operations. Non-state actor threats may also pursue cybercrime activities for financial gain. Regardless of the origin, CI organizations need the capability to quickly disconnect or isolate affected systems in the face of severe threats. From this isolated or disconnected state, CI sectors also need the ability to rebuild and restore services from trusted offline sources.
Determined and sophisticated adversaries with significant resources can gain access to networks and systems, even if they are heavily secured. CI organizations must plan and prepare their environments for a future where cyber threats far exceed today’s baseline.
On this page
- Preparing for threats
- How isolation works
- Operating independently
- Recovery and restoration
- Key takeaways
- Learn more
Preparing for threats
Modern CI is often highly interconnected with international partners and is synchronized along multiple communication paths, meaning that CI operators rely on common telecommunications networks, internet services and data flows to operate. While this is essential for many organizations as it brings considerable operational advantage, it also presents a vulnerability.
Since disruptions to Canada's CI can carry significant risks, all operators of essential services should at minimum:
- be prepared to isolate systems for up to 3 months
- develop and test response plans to operate independently
- develop plans to rebuild systems in response to severe cyber incidents
With the cyber threats to CI further amplified by geopolitical instability and the rapid adoption of artificial intelligence (AI) for malicious purposes, CIREN provides guidance on how organizations can understand, prepare and practice for future widespread cyber incidents, ensuring they can maintain critical functions and services during worst-case scenarios.
CIREN assists owners and operators of CI sectors that protect the safety, security and economic wellbeing of Canadians.
CI owners and operators should have scalable business continuity plans (BCPs) that will enable their organizations to be prepared to isolate and recover.
How isolation works
Isolation involves deliberately separating your organization's networks or specific network segments from all external networks and the public Internet. This limits exposure to external threats and helps ensure the continued protection and operation of critical systems and services.
Isolation can reduce the likelihood of a threat actor gaining initial access. It may also help contain an ongoing cyber attack and preserve essential operations. It buys you time until external infrastructure stabilizes and is secured. When implemented properly, isolation greatly reduces exposure to new remote attacks and can significantly impede adversary command and control. It can also reduce a threat actor’s ability to exploit zero-day vulnerabilities.
CI organizations should be prepared to isolate as a last resort if all other defences fail. It is crucial for CI organizations to define their own isolation triggers within an incident response plan (IRP), recognizing that these triggers will differ across industries.
To implement an effective isolation plan, organizations must have a strong understanding of their:
- operational technology (OT) and information technology (IT) assets
- OT boundaries
- third-party and vendor remote access paths (including cloud-hosted services in the control loop)
- external connectivity
Organizations may have to work with vendors and integrators and assess potential regulatory implications as part of their planning. Without strong defences and clearly defined isolation triggers, a compromise in one facility can spread through interconnected networks, causing widespread outages that could otherwise have been contained. The Cyber Centre's alerts, advisories and threat bulletins can aid organizations in operational decision-making.
Operating independently
Traditional BCPs assume that disruptions will be short. CI organizations should develop BCPs that assume extended disruption beyond existing scenarios, so that deliberate preparation allows them to withstand prolonged outages, supply chain constraints and multi-site operational stress. Such a BCP plans for extended, multi-site survivability in anticipation of a widespread crisis. This shift in approach helps leadership determine how long safe operations must continue without external support, and it builds a capability to operate independently over time.
To determine the parameters for independent operations during isolation, CI organizations should:
- understand how long critical services can be sustained and how the risks of operational failure escalate over time
- identify where the operational breaking points lie
- determine which functions are essential and which ones can be reduced or paused
- determine how to mitigate vulnerabilities created by dependencies on factors such as people, power, fuel, water, suppliers and communications
- identify how quickly capabilities may degrade under various conditions
- identify how to extend survivability by shifting operations across facilities
- consider how to avoid decisions that protect one site but may have broader impacts in other locations
Ultimately, your organization must develop an isolation-focused BCP that encompasses these elements in the event of a crisis. You must also ensure your IRP includes clear isolation triggers, pre-authorized authorities and communication pathways when isolation may be the only option.
We recommend that your organization's board or senior leadership discuss cyber resilience and make the appropriate decisions accordingly. Understanding your organization's operational parameters during a potential crisis informs and prepares you for a swift and measured response. In turn, this approach can reduce impact on public safety, minimize legal exposure and lessen reputational risk. Developing this focused BCP should be treated as a governance-level priority, supported by transparent reporting and accountable targets.
Recovery and restoration
Full restoration of operations across all systems, services and functions should occur only after you complete the required performance, safety and interoperability checks in accordance with applicable industry standards.
To support resilient restoration, organizations should be prepared to:
- keep offline copies of firmware, configurations and documentation to ensure systems can be restored even if broader services are disrupted
- identify key IT and OT components with long lead times or single-source supply (for example, hardware spares and validated firmware images) and maintain appropriate redundancy
- consider alternative sourcing strategies for those components
- assess where cyber compromise could cause physical damage to long-lead or irreplaceable components
- prioritize additional monitoring, integrity checks and protections for those assets
- plan for full system rebuilding using trusted offline copies and immutable backups, aligning with the cyber security emergency preparedness guidance for severe, prolonged disruptions
- validate system integrity before reconnecting, using thorough checks such as threat hunting (including identification of living-off-the-land activity), patch and configuration verification, and additional guidance where required
- test recovery and restoration procedures periodically through established IRPs
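As an added illustration of the "trusted offline copies" and "validate before reconnecting" items above (example code written for this page, not a Cyber Centre tool), the following Python script checks restoration media against a manifest of known-good SHA-256 digests and refuses a rebuild when any file is altered, missing, or not on the manifest. The directory layout, manifest format and file contents are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream in chunks so large firmware images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines ('<hex>  <relative path>'); blank and '#' lines are ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, _, rel = line.partition("  ")
            entries[rel.strip()] = digest.lower()
    return entries

def verify_restore_media(root: Path, manifest: dict[str, str]) -> dict:
    """Classify every manifest entry and every file actually found on the media."""
    report = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel, expected in manifest.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(root / rel) == expected:
            report["ok"].append(rel)
        else:
            report["mismatch"].append(rel)
    report["unexpected"] = sorted(present - manifest.keys())
    report["safe_to_rebuild"] = not (report["missing"] or report["mismatch"] or report["unexpected"])  # all present, intact, nothing extra
    return report

def build_demo() -> tuple[Path, str]:
    """Constructed sample media: one intact file, one tampered, one missing, one stray."""
    root = Path(tempfile.mkdtemp(prefix="golden_"))
    files = {"plc/firmware_v1.bin": b"constructed-firmware-image", "plc/config.xml": b"<cfg rate='10'/>"}
    lines = []
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
        lines.append(f"{hashlib.sha256(data).hexdigest()}  {rel}")
    lines.append(f"{hashlib.sha256(b'never copied').hexdigest()}  hmi/image.iso")  # listed, absent
    (root / "plc/config.xml").write_bytes(b"<cfg rate='10' debug='1'/>")  # altered after hashing
    (root / "plc/notes.txt").write_bytes(b"stray")  # present, not in manifest
    return root, "\n".join(lines)
```

The manifest must be held on storage separate from the media it describes (and ideally signed), otherwise an adversary who can alter the media can rewrite the manifest to match.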
Key takeaways
In an escalating cyber threat landscape, elevated by geopolitical instability and emerging technologies such as AI, prolonged disruptions across CI sectors are no longer hypothetical. Isolation requires pre-built capability, not improvisation. CI organizations must implement robust cyber security actions including:
- hardening systems
- monitoring networks
- reviewing and testing isolation-focused IRPs and BCPs
- applying other baseline cyber security measures outlined in our Cyber Security Readiness Goals (CRGs)
Preparedness cannot wait. The time to act is now. Organizations that deliberately plan and prepare their systems are the ones that will sustain their essential services during prolonged cyber disruptions.
Learn more
- Developing your incident response plan (ITSAP.40.003)
- Developing your business continuity plan (ITSAP.10.005)
- Developing your IT recovery plan (ITSAP.40.004)
- Improving cyber security resilience through emergency preparedness planning (ITSM.10.014)
- Frontier artificial intelligence (ITSAP.10.050)
- Cyber Security Readiness Goals: Securing Our Most Critical Systems
- Cross-Sector Cyber Security Readiness Goals Toolkit
- Joint guidance on secure connectivity principles for operational technology
- Joint guidance on creating and maintaining a definitive view of your operational technology architecture
Related guidance from international partners
- Australian Cyber Security Centre's CI Fortify: Guidance for Australian critical infrastructure service continuity and resilience
- United Kingdom's National Cyber Security Centre's How to prepare for and plan your organisation's response to severe cyber threat: a guide for CNI