June 2022 was when the first reading of Bill C-26 was done in parliament. The full title of the Bill is:
“Act Respecting Cyber Security, amending the Telecommunications Act and making consequential amendments to other Acts”.
Bill C-26 can also be called “ARCS” for short.
If you want to dig into the actual wording on the bill, have a gander at it here.
There are a few things this bill does. The first is to provide an amendment to the Telecommunications Act. The second is to enact the CCSPA (Critical Cyber Systems Protection Act).
In this post I will discuss how the CCSPA will affect Federally regulated transportation systems .
How the CCSPA will affect Federally regulated transportation systems.
| Scope | Federally regulated transportation systems have been identified in the legislation as systems that are vital to national security and/or public safety. The CCSPA authorizes the Federal Cabinet to designate a class of operators in respect of these systems who must comply with the requirements of the legislation. |
| Responsible Regulator | The Minister of Transport is the regulator charged with administering the CCSPA in respect of federally regulated transportation systems. The legislation also imposes a reporting obligation to the Communications Security Establishment (CSE), Canada’s national cryptologic agency. |
| Cybersecurity Programs | Designated operators will be required to establish a cybersecurity program (CSP) within 90 days of being designated under the CCSPA. The CSP must: 1. Include reasonable steps to identify and manage organizational cybersecurity risks; 2. Include reasonable steps to protect critical cyber systems from being compromised, detect cybersecurity incidents and minimize related impacts; 3. Be reviewed and updated annually, or more frequently if specified by regulation; and 4. Be filed with the Minister of Transport including notices of any updates to the CSP following periodic reviews. For railway and aircraft operators, these obligations will supplement the safety management system obligations under the Railway Safety Management System Regulations and the Canadian Aviation Regulations, respectively. |
| Supply Chain Management | Designated operators must take reasonable steps to mitigate any identified cybersecurity risks associated with the designated operator’s supply chain or use of third-party products and services. These risk management measures must also be addressed in the operator’s CSP. |
| Change of Control Reporting | Designated operators are required to notify the Minister of Transport of any material changes to ownership and/or control as well as to its supply chain or use of third-party products and services. |
| Cybersecurity Incident Reporting | Designated operators will be required to report a “cybersecurity incident” in a two-step process. A “cybersecurity incident” is any incident that interferes or may interfere with the continuity or security of a vital service or system, or the confidentiality, integrity or availability of the critical cyber system. First, designated operators must “immediately” report a cybersecurity incident to the CSE in a manner to be set out in the CCSPA’s regulations. Second, designated operators must notify the Minister of Transport “immediately after reporting a cybersecurity incident” to the CSE. |
| Recordkeeping | Designated operators must keep certain records, including copies of reported cybersecurity incidents and evidence of various security and related measures required under the CCSPA. These required records must be kept in Canada in accordance with additional guidance that may be established by the Minister of Transport or regulations. |
| Compliance with Directions | The CCSPA grants the Federal Cabinet broad authority to issue directions to designated operators ordering them to comply with any measure for the purpose of protecting a critical cyber system. The Minister of Industry is also granted powers to order a designated operator to stop doing anything that is or is likely to be in contravention of the CCSPA or to take any measure that is necessary to ensure compliance or mitigate noncompliance with the CCSPA. These powers are similar to those already granted to the Minister of Transport under the Aeronautics Act and the Railway Safety Act (RSA). |
| Disclosure Restrictions on Confidential Information | The CCSPA prohibits the disclosure of certain confidential information obtained under the CCSPA in respect of a designated operator’s critical cyber system. Disclosure of directions issued by the Federal Cabinet or the Minister of Transport under the CCSPA is also generally prohibited. |
| Inspections and Audits | The Minister of Transport is granted broad audit and inspection powers under the CCSPA, which are not limited to the physical premises of the designated operator. The Minister of Transport may also order a designated operator to conduct an internal audit of its practices, books and other records to determine compliance with the CCSPA. Aircraft operators will be familiar with the similarly broad inspection powers granted to the Minister of Transport under the Canadian Aviation Regulations, as will railway operators in respect of the RSA and marine transport operators under the Canada Shipping Act, 2001 (CSA). |
| Enforcement | Enforcement of the CCSPA includes administrative monetary penalties regime for noncompliance with the legislation. Railway operators will be familiar with the regime under the Railway Safety Administrative Monetary Penalties Regulations (RSAMPR) as will marine transport operators under the Administrative Monetary Penalties and Notices (CSA 2001) Regulations (AMPNR). Directors and officers of designated operators are party to any violations of the CCSPA if they direct, authorize, participate, assent to, or acquiesce in the commission of the violation. The CCSPA states that the purpose of a penalty is to promote compliance and not to punish. The CCSPA allows a designated operator or their directors and officers to raise a due diligence defence in a violation proceeding. The range of penalties are to be prescribed by regulation, but CCSPA authorizes a maximum penalty of C$15-million for designated operators and C$1-million for directors and officers. These are significantly higher than the penalties prescribed by the RSAMPR for railway operators and marine transport operators under the AMPNR. Noncompliance with certain provisions of CCSPA may alternatively be prosecuted as an offence punishable with criminal fines and/or imprisonment. The CCSPA also authorizes the Minister of Transport, to enter into a compliance agreements with a designated operator in respect of the operator’s obligations under the CCSPA. |
First let’s look at the scope. This legislation applies to Federally regulated transportation systems. This means interprovincial and international transportation, including:
- Air (including airport authorities)
- Rail (including VIA Rail)
- Road
- Maritime (Including Ports)
Air (including airport authorities)
Canada’s National Airport System (NAS) was defined in the National Airports Policy published in 1994. It was intended to include all airports with an annual traffic of 200,000 passengers or more, as well as airports serving the national, provincial and territorial capital.
Until the early 1990s, the Canadian government built, operated and maintained Canada’s major airports. In 1992, in the wake of the movement towards privatization (Air Canada, Canadian National) and liberalization and economic deregulation of various modes of transportation, and as part of a new national airport policy (NAP), the Canadian government handed over to local airport authorities (LAAs)
the management, operation, and development of the airports in Montreal, Calgary, Edmonton and Vancouver. This devolution of responsibilities for airports was subsequently extended to include all of the 26 major Canadian airports that make up the National Airports System (NAS). The NAP also provided for the gradual relinquishing of ownership of small regional and local airports to regional interests, such as municipalities.
So, by virtue of the NAP, the commercial management and operation of NAS airports are entrusted to Canadian airport authorities (CAAs) that must ensure their profitability as well as the provision of services adapted to their users’ needs.
Transport Canada owns two types of Canadian airports:
- Airports that offer local, regional or remote service
See the list of Small airports owned by Transport Canada - Larger airports serving national, provincial and territorial capitals, which we own and third parties operate
See the list of airports in Canada’s National Airports System
The National Airports System also includes three airports owned and operated by territorial governments.
The following 23 airports are owned by Transport Canada and leased to Canadian airport authorities. 21 airport authorities operate these airports
National Airports System
National Airport System airports owned and operated by territorial governments
| Territory | Airport | Operated by |
|---|---|---|
| Northwest Territories | Yellowknife (YZF) | Government of the Northwest Territories |
| Nunavut | Iqaluit (YFB) | Government of Nunavut |
| Yukon | Erik Nielson Whitehorse International (YXY) | Government of Yukon |
Rail (including VIA Rail)
Rail regulations in Canada are set by Transport Canada and the Canadian Transportation Agency.
A railway under the legislative authority of Parliament is one that holds a valid certificate of fitness. The list of federally-regulated railways includes the Agency decision which authorizes the issuance of each certificate. Regional systems, such as the BC West Coast Express, or Ontario’s Go Train, are not federally regulated.
Recently suspended or cancelled certificates are also listed here temporarily.
| Railway Company | Decision No. / Order No. | Issue Date | Amended By | Status |
|---|---|---|---|---|
| 6970184 Canada Ltd. | 376-R-2016 | December 21, 2016 | cancelled | |
| 9961526 Canada Ltd. | 376-R-2016 | LET-R-34-2020 | ||
| Arnaud Railway Company | 2016-R-195 | November 21, 2016 | cancelled | |
| BNSF Railway Company | 16-R-2014 | January 21, 2014 | LET-R-34-2020 | |
| Canadian National Railway Company | 3-R-2016 | January 8, 2016 | LET-R-34-2020 | |
| Canadian Pacific Railway Company | R-2021-36 | March 8, 2021 | LET-R-34-2020 | |
| Central Maine & Québec Railway Canada Inc. | R-2021-36 | March 8, 2021 | LET-R-34-2020 | cancelled |
| City of Ottawa carrying on business as Capital Railway | R-2020-84 | May 4, 2020 | ||
| CSX Transportation, Inc. | R-2020-165 | September 22, 2020 | ||
| Eastern Maine Railway Company | 245-R-2012 | June 22, 2012 | LET-R-34-2020 | |
| Essex Terminal Railway Company | LET-R-2-2020 | January 6, 2020 | ||
| Ferroequus Railway Company Limited | 2005-R-277 | May 19, 2005 | suspended | |
| Goderich-Exeter Railway Company Limited | R-2020-185 | November 9, 2020 | LET-R-34-2020 | |
| Great Canadian Railtour Company Ltd. | 27-R-2007 | January 17, 2007 | ||
| Hudson Bay Railway Company | 230-R-2001 | May 9, 2001 | LET-R-34-2020 | |
| International Bridge and Terminal Company, The | 2015-R-195 | November 6, 2015 | cancelled | |
| Kettle Falls International Railway Company | R-2019-105 | June 7, 2019 | LET-R-34-2020 | |
| Knob Lake & Timmins Railway Company Inc. | 414-R-2014 | November 14, 2014 | LET-R-34-2020 | |
| Logistec Stevedoring (Nova Scotia) Inc. also carrying on business as Sydney Coal Railway | 2018-R-130 | July 27, 2018 | cancelled | |
| Minnesota, Dakota & Western Railway Company | 2015-R-195 | November 6, 2015 | cancelled | |
| National Railroad Passenger Corporation (Amtrak) | 391-R-1997 | June 26, 1997 | ||
| Nipissing Central Railway Company | 448-R-1997 | July 11, 1997 | LET-R-34-2020 | |
| Norfolk Southern Railway Company | R-2019-158 | August 22, 2019 | LET-R-34-2020 | |
| Pacific and Arctic Railway and Navigation Company/British Columbia Yukon Railway Company/British Yukon Railway Company Limited carrying on business as or proposing to carry on business as White Pass & Yukon Route | 666-R-1997 | November 25, 1997 | ||
| Quebec North Shore & Labrador Railway Company | 563-R-2007 | November 2, 2007 | LET-R-34-2020 | |
| RaiLink Canada Ltd. | R-2020-43 | March 16, 2020 | LET-R-34-2020 | |
| St. Lawrence & Atlantic Railroad (Québec) Inc. | 567-R-1998 | November 24, 1998 | LET-R-34-2020 | |
| St. Paul & Pacific Northwest Railroad Company, LLC | R-2018-275 | December 28, 2018 | LET-R-34-2020 | |
| Toronto Terminals Railway Company Limited, The | R-2018-175 | July 31, 2018 | LET-R-34-2020 | |
| Tshiuetin Rail Transportation Inc. | 190-R-2005 | April 1, 2005 | LET-R-34-2020 | |
| Union Pacific Railroad Company | 371-R-1997 | June 16, 1997 | LET-R-34-2020 | |
| VIA Rail Canada Inc. | R-2018-263 | December 6, 2018 | LET-R-34-2020 | |
| Wabush Lake Railway Company, Limited | 2016-R-195 | November 21, 2016 | cancelled |
Roads
Canada has more than a million kilometres of (two-lane equivalent) roads, roughly 38,000 of which make up the National Highway System ( NHS ). The NHS also has more than 8,700 bridges. The companies that use these interprovincial roads are subject to federal regulation. This includes trucking companies and bus companies like Greyhound. The trucking industry, which includes 56,800 firms, consists of for-hire carriers, private carriers, owner-operators and courier firms. Another trucking category of “other” includes all trucks used for purposes other than hauling freight commercially—for example, a construction company using trucks for hauling heavy machinery to a job site.
The federal government has an inventory of some 500 highway-related bridges open to the public, representing a very small subset (approximately 1%) of all bridges in Canada. These bridges are the responsibility of four federal departments/agencies: Public Works and Government Services Canada, Parks Canada Agency, the National Capital Commission (which owns and operates its own structures) and Transport Canada, whose portfolio of bridges is managed by Crown corporations or shared governance regimes ( FBCL , Blue Water Bridge Canada, Buffalo and Fort Erie Public Bridge Authority [Peace Bridge Authority] and the St. Lawrence Seaway Management Corporation).
I am not going to list all the companies that are federally regulated in relation to roads and bridges, as there are too many to list. However, here is the full list of federally regulated companies in Canada. It is accurate as of 2020.
Maritime (ports)
Canada Port Authorities (CPA) operate at arm’s length from the federal government. CPAs are governed by a board of directors chosen by port users and the municipal, provincial and federal government.
CPAs:
- set the business direction and make commercial decisions for the port
- set their own fees (for example, berthage and wharfage fees) but such fees must be fair
- are responsible for maintaining and dredging commercial shipping channels
- act as landlords, leasing their port operations to private operators
Canada Port Authorities by province
Now that we have determined what the scope is. What is required for these entities to do?
The Minister of Transport has oversight on all federally regulated transportation entities defined as designated operators. This is a very large group of organizations and I would imagine, very difficult to enforce the new regulations on. However, the designated operators are subject to the following when bill C-26 comes into effect. The railway and aircraft operators are still subject to the following legislation in addition to Bill C-26.
Rail: Railway Safety Management System Regulations
Aircraft: Canadian Aviation Regulations
1. Within 90 days of Bill C-26 being enacted, a Cybersecurity plan needs to be established.
- Within the CSP, it should include steps to identify and remediate cybersecurity risks. This should include a risk management practice that keeps a continual watch on threats, where the organization is vulnerable, the likelihood of breach and the impact thereof. There should also be a plan in place to increase the security posture over time. and to limit the attack surfaces.
- Annual reviews (at a minimum) of the CSP, with updates provided to the Minister of Transport
2. Any changes to the ownership / control of the organization require the Minister of Transport to be informed. This applies to any changes within the supply chain as well.
3. The supply chain associated with the designated operators must meet certain standards to mitigate risks. The wording says: “reasonable steps to mitigate any identified cybersecurity risks associated with the designated operator’s supply chain or use of third-party products and services”. This is a broad statement and good be up for interpretation. I would imagine that the validation process for HW, software and 3rd party services to be used would have to meet stringent requirements. For smaller operators that are still federally regulated, this may force a substantial cost to change or qualify 3rd party systems. I can foresee an opportunity for validated SaaS services emerging in this space as a reasonable alternative.
4. Any cybersecurity incident will have to immediately be reported to the Communications Security Establishment (CSE), then directly after to the Minister of Transport.
5. All records of cybersecurity incidents, including logs and reports need to kept for a period of time defined by the Minister of Transport, and they must remain in Canada.
6. If the government tells the designated operator to do something, like terminate services with a 3rd party or stop using a certain technology, they cannot disclose those details to anyone. In other words, follow the first rule of fight-club, or you will be in non-compliance.
7. If the government wants to audit an organization, they have carte blanche to do so. They can also just get organizations to do it themselves and provide detailed reports. This is similar to what aircraft and rail companies currently have in place, but now it extends to many more organizations in scope.
The legislation will improve the security posture of critical infrastructure in Canada, and something had to be done quickly and forcefully.
There is a full-scale global cyber war ongoing right now and it is not a matter of “if”, but “when” any given organization is breached. How well they are prepared will determine their continued viability as an entity. It’s like being told that a hurricane is coming and everybody needs to board up their homes. Whether or not it’s possible with the resources, time and skills at hand, remains to be seen for many.
However the onus is left on organizations to figure it out in very short order, and there is a massive shortage in staff with sufficient capabilities in the market. This is where an external company that focuses on cybersecurity can comes in and addresses all of the requirements of bill C-26 in a short period of time. I’ll write another article that describes in detail how they can do it, but in the meantime, have a look here.
Designing Risk in IT Infrastructure 