Joint guidance for executives and leaders of critical infrastructure organizations on protecting infrastructure and essential functions against PRC cyber activity

The Canadian Centre for Cyber Security (Cyber Centre) has joined the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the following international partners in releasing joint guidance highlighting cyber security measures for critical infrastructure to defend against People’s Republic of China (PRC) state-sponsored cyber activity:

  • Federal Bureau of Investigation (FBI)
  • Australian Cyber Security Centre (ACSC)
  • New Zealand National Cyber Security Centre (NCSC-NZ)
  • United Kingdom (UK) National Cyber Security Centre (NCSC-UK)

This fact sheet provides guidance for executives and leaders in critical infrastructure entities to prioritize the protection of their infrastructure and critical functions. The authoring agencies urge all business leaders of critical infrastructure organizations to treat cyber risks as core business risks. Managing these risks is a matter of both good governance and fundamental national security.

Leaders should take action to recognize and manage the risks posed by PRC cyber activity, such as Volt Typhoon:

  • Make informed and proactive resourcing decisions, allowing your cyber security teams to do the following:
    • Apply detection and hardening best practices
    • Apply the hunt guidance contained in joint advisories
    • Receive cyber security training relevant to the threat environment
    • Update and test your information security plan
  • Secure your supply chain
    • Establish strong vendor risk management processes
    • Ensure due diligence is exercised when selecting software, devices, cloud service providers and managed service providers
    • Advocate for vendors to deliver secure and resilient systems
  • Drive a cyber security culture
    • Ensure performance management outcomes align to the cyber goals of the organization
    • Increase awareness of social engineering tactics
    • Always report incidents when they happen

The guidance also includes steps for incident response to help guide business leaders whose organizations have been impacted by an incident or suspected incident.

This fact sheet follows a joint cyber security advisory regarding PRC state-sponsored cyber actors released on February 7, 2024.

Read the joint guidance: PRC State-Sponsored Cyber Activity: Actions for Critical Infrastructure Leaders.
