Bill C-26 (ARCS) and what it means for Cybersecurity in Canada – Part 4 (Transportation Systems)

June 2022 was when the first reading of Bill C-26 was done in parliament. The full title of the Bill is:

“Act Respecting Cyber Security, amending the Telecommunications Act and making consequential amendments to other Acts”.

Bill C-26 can also be called “ARCS” for short.

If you want to dig into the actual wording on the bill, have a gander at it here.

There are a few things this bill does. The first is to provide an amendment to the Telecommunications Act. The second is to enact the CCSPA (Critical Cyber Systems Protection Act).

In this post I will discuss how the CCSPA will affect Federally regulated transportation systems .

How the CCSPA will affect Federally regulated transportation systems.

ScopeFederally regulated transportation systems have been identified in the legislation as systems that are vital to national security and/or public safety.

The CCSPA authorizes the Federal Cabinet to designate a class of operators in respect of these systems who must comply with the requirements of the legislation.
Responsible RegulatorThe Minister of Transport is the regulator charged with administering the CCSPA in respect of federally regulated transportation systems.

The legislation also imposes a reporting obligation to the Communications Security Establishment (CSE), Canada’s national cryptologic agency.
Cybersecurity ProgramsDesignated operators will be required to establish a cybersecurity program (CSP) within 90 days of being designated under the CCSPA. The CSP must:

1. Include reasonable steps to identify and manage organizational cybersecurity risks;

2. Include reasonable steps to protect critical cyber systems from being compromised, detect cybersecurity incidents and minimize related impacts;

3. Be reviewed and updated annually, or more frequently if specified by regulation; and

4. Be filed with the Minister of Transport including notices of any updates to the CSP following periodic reviews.

For railway and aircraft operators, these obligations will supplement the safety management system obligations under the Railway Safety Management System Regulations and the Canadian Aviation Regulations, respectively.
Supply Chain ManagementDesignated operators must take reasonable steps to mitigate any identified cybersecurity risks associated with the designated operator’s supply chain or use of third-party products and services. These risk management measures must also be addressed in the operator’s CSP.
Change of Control ReportingDesignated operators are required to notify the Minister of Transport of any material changes to ownership and/or control as well as to its supply chain or use of third-party products and services.
Cybersecurity Incident ReportingDesignated operators will be required to report a “cybersecurity incident” in a two-step process. A “cybersecurity incident” is any incident that interferes or may interfere with the continuity or security of a vital service or system, or the confidentiality, integrity or availability of the critical cyber system.

First, designated operators must “immediately” report a cybersecurity incident to the CSE in a manner to be set out in the CCSPA’s regulations. Second, designated operators must notify the Minister of Transport “immediately after reporting a cybersecurity incident” to the CSE.
RecordkeepingDesignated operators must keep certain records, including copies of reported cybersecurity incidents and evidence of various security and related measures required under the CCSPA.

These required records must be kept in Canada in accordance with additional guidance that may be established by the Minister of Transport or regulations.
Compliance with DirectionsThe CCSPA grants the Federal Cabinet broad authority to issue directions to designated operators ordering them to comply with any measure for the purpose of protecting a critical cyber system.

The Minister of Industry is also granted powers to order a designated operator to stop doing anything that is or is likely to be in contravention of the CCSPA or to take any measure that is necessary to ensure compliance or mitigate noncompliance with the CCSPA.

These powers are similar to those already granted to the Minister of Transport under the Aeronautics Act and the Railway Safety Act (RSA).
Disclosure Restrictions on Confidential InformationThe CCSPA prohibits the disclosure of certain confidential information obtained under the CCSPA in respect of a designated operator’s critical cyber system. Disclosure of directions issued by the Federal Cabinet or the Minister of Transport under the CCSPA is also generally prohibited.
Inspections and AuditsThe Minister of Transport is granted broad audit and inspection powers under the CCSPA, which are not limited to the physical premises of the designated operator. 

The Minister of Transport may also order a designated operator to conduct an internal audit of its practices, books and other records to determine compliance with the CCSPA.

Aircraft operators will be familiar with the similarly broad inspection powers granted to the Minister of Transport under the Canadian Aviation Regulations, as will railway operators in respect of the RSA and marine transport operators under the Canada Shipping Act, 2001 (CSA).
EnforcementEnforcement of the CCSPA includes administrative monetary penalties regime for noncompliance with the legislation. Railway operators will be familiar with the regime under the Railway Safety Administrative Monetary Penalties Regulations (RSAMPR) as will marine transport operators under the Administrative Monetary Penalties and Notices (CSA 2001) Regulations (AMPNR).

Directors and officers of designated operators are party to any violations of the CCSPA if they direct, authorize, participate, assent to, or acquiesce in the commission of the violation.

The CCSPA states that the purpose of a penalty is to promote compliance and not to punish. The CCSPA allows a designated operator or their directors and officers to raise a due diligence defence in a violation proceeding.

The range of penalties are to be prescribed by regulation, but CCSPA authorizes a maximum penalty of C$15-million for designated operators and C$1-million for directors and officers. These are significantly higher than the penalties prescribed by the RSAMPR for railway operators and marine transport operators under the AMPNR.

Noncompliance with certain provisions of CCSPA may alternatively be prosecuted as an offence punishable with criminal fines and/or imprisonment.

The CCSPA also authorizes the Minister of Transport, to enter into a compliance agreements with a designated operator in respect of the operator’s obligations under the CCSPA.

First let’s look at the scope. This legislation applies to Federally regulated transportation systems. This means interprovincial and international transportation, including:

  • Air (including airport authorities)
  • Rail (including VIA Rail)
  • Road
  • Maritime (Including Ports)

Air (including airport authorities)

Canada’s National Airport System (NAS) was defined in the National Airports Policy published in 1994. It was intended to include all airports with an annual traffic of 200,000 passengers or more, as well as airports serving the national, provincial and territorial capital.

Until the early 1990s, the Canadian government built, operated and maintained Canada’s major airports. In 1992, in the wake of the movement towards privatization (Air Canada, Canadian National) and liberalization and economic deregulation of various modes of transportation, and as part of a new national airport policy (NAP), the Canadian government handed over to local airport authorities (LAAs)
the management, operation, and development of the airports in Montreal, Calgary, Edmonton and Vancouver. This devolution of responsibilities for airports was subsequently extended to include all of the 26 major Canadian airports that make up the National Airports System (NAS). The NAP also provided for the gradual relinquishing of ownership of small regional and local airports to regional interests, such as municipalities.

So, by virtue of the NAP, the commercial management and operation of NAS airports are entrusted to Canadian airport authorities (CAAs) that must ensure their profitability as well as the provision of services adapted to their users’ needs.

Transport Canada owns two types of Canadian airports:

  1. Airports that offer local, regional or remote service
    See the list of Small airports owned by Transport Canada
  2. Larger airports serving national, provincial and territorial capitals, which we own and third parties operate
    See the list of airports in Canada’s National Airports System

The National Airports System also includes three airports owned and operated by territorial governments.

The following 23 airports are owned by Transport Canada and leased to Canadian airport authorities. 21 airport authorities operate these airports

National Airports System

Province/TerritoryAirportOperated by
British ColumbiaVictoria (YYJ)Victoria Airport Authority
 Vancouver (YVR)Vancouver International Airport Authority
 Prince George (YXS)Prince George Airport Authority Inc.
 Kelowna (YLW)City of Kelowna
AlbertaEdmonton (YEG)Edmonton Regional Airports Authority
 Calgary (YYC)Calgary Airport Authority
SaskatchewanSaskatoon (YXE)Saskatoon Airport Authority
 Regina (YQR)Regina Airport Authority
ManitobaWinnipeg James Armstrong Richardson (YWG)Winnipeg Airports Authority Inc.
OntarioThunder Bay (YQT)Thunder Bay International Airports Inc.
 London (YXU)Greater London International Airports Authority
 Toronto Pearson (YYZ)Greater Toronto Airports Authority
 Ottawa Macdonald-Cartier (YOW)Ottawa Macdonald-Cartier International Airport Authority
QuebecMontréal-Pierre Elliott Trudeau (YUL)Aéroports de Montréal
 Mirabel International Airport (YMX)Aéroports de Montréal
 Québec City Jean Lesage (YQB)Aéroport de Québec Inc.
New BrunswickFredericton (YFC)Fredericton International Airport Authority
 Greater Moncton (YQM)Greater Moncton International Airport Authority Inc.
 Saint John (YSJ)Saint John Airport Inc.
Prince Edward IslandCharlottetown (YYG)Charlottetown Airport Authority Inc.
Nova ScotiaHalifax Stanfield (YHZ)Halifax International Airport Authority
NewfoundlandGander (YQX)Gander International Airport Authority Inc.
 St. John’s (YYT)St. John’s International Airport Authority

National Airport System airports owned and operated by territorial governments

TerritoryAirportOperated by
Northwest TerritoriesYellowknife (YZF)Government of the Northwest Territories
NunavutIqaluit (YFB)Government of Nunavut
YukonErik Nielson Whitehorse International (YXY)Government of Yukon

Rail (including VIA Rail)

Rail regulations in Canada are set by Transport Canada and the Canadian Transportation Agency.

A railway under the legislative authority of Parliament is one that holds a valid certificate of fitness. The list of federally-regulated railways includes the Agency decision which authorizes the issuance of each certificate. Regional systems, such as the BC West Coast Express, or Ontario’s Go Train, are not federally regulated.

Recently suspended or cancelled certificates are also listed here temporarily.

Railway CompanyDecision No. /
Order No.
Issue DateAmended ByStatus
6970184 Canada Ltd.376-R-2016December 21, 2016 cancelled
9961526 Canada Ltd.376-R-2016 LET-R-34-2020 
Arnaud Railway Company2016-R-195November 21, 2016 cancelled
BNSF Railway Company16-R-2014January 21, 2014LET-R-34-2020 
Canadian National Railway Company3-R-2016January 8, 2016LET-R-34-2020 
Canadian Pacific Railway CompanyR-2021-36March 8, 2021LET-R-34-2020 
Central Maine & Québec Railway Canada Inc.R-2021-36March 8, 2021LET-R-34-2020cancelled
City of Ottawa carrying on business as Capital RailwayR-2020-84May 4, 2020  
CSX Transportation, Inc.R-2020-165September 22, 2020  
Eastern Maine Railway Company245-R-2012June 22, 2012LET-R-34-2020 
Essex Terminal Railway CompanyLET-R-2-2020January 6, 2020  
Ferroequus Railway Company Limited2005-R-277May 19, 2005 suspended
Goderich-Exeter Railway Company LimitedR-2020-185November 9, 2020LET-R-34-2020 
Great Canadian Railtour Company Ltd.27-R-2007January 17, 2007  
Hudson Bay Railway Company230-R-2001May 9, 2001LET-R-34-2020 
International Bridge and Terminal Company, The2015-R-195November 6, 2015 cancelled
Kettle Falls International Railway CompanyR-2019-105June 7, 2019LET-R-34-2020 
Knob Lake & Timmins Railway Company Inc.414-R-2014November 14, 2014LET-R-34-2020 
Logistec Stevedoring (Nova Scotia) Inc. also carrying on business as Sydney Coal Railway2018-R-130July 27, 2018 cancelled
Minnesota, Dakota & Western Railway Company2015-R-195November 6, 2015 cancelled
National Railroad Passenger Corporation (Amtrak)391-R-1997June 26, 1997  
Nipissing Central Railway Company448-R-1997July 11, 1997LET-R-34-2020 
Norfolk Southern Railway CompanyR-2019-158August 22, 2019LET-R-34-2020 
Pacific and Arctic Railway and Navigation Company/British Columbia Yukon Railway Company/British Yukon Railway Company Limited carrying on business as or proposing to carry on business as White Pass & Yukon Route666-R-1997November 25, 1997  
Quebec North Shore & Labrador Railway Company563-R-2007November 2, 2007LET-R-34-2020 
RaiLink Canada Ltd.R-2020-43March 16, 2020LET-R-34-2020 
St. Lawrence & Atlantic Railroad (Québec) Inc.567-R-1998November 24, 1998LET-R-34-2020 
St. Paul & Pacific Northwest Railroad Company, LLCR-2018-275December 28, 2018LET-R-34-2020 
Toronto Terminals Railway Company Limited, TheR-2018-175July 31, 2018LET-R-34-2020 
Tshiuetin Rail Transportation Inc.190-R-2005April 1, 2005LET-R-34-2020 
Union Pacific Railroad Company371-R-1997June 16, 1997LET-R-34-2020 
VIA Rail Canada Inc.R-2018-263December 6, 2018LET-R-34-2020 
Wabush Lake Railway Company, Limited2016-R-195November 21, 2016 cancelled


Canada has more than a million kilometres of (two-lane equivalent) roads, roughly 38,000 of which make up the National Highway System ( NHS ). The NHS also has more than 8,700 bridges. The companies that use these interprovincial roads are subject to federal regulation. This includes trucking companies and bus companies like Greyhound. The trucking industry, which includes 56,800 firms, consists of for-hire carriers, private carriers, owner-operators and courier firms. Another trucking category of “other” includes all trucks used for purposes other than hauling freight commercially—for example, a construction company using trucks for hauling heavy machinery to a job site.

The federal government has an inventory of some 500 highway-related bridges open to the public, representing a very small subset (approximately 1%) of all bridges in Canada. These bridges are the responsibility of four federal departments/agencies: Public Works and Government Services Canada, Parks Canada Agency, the National Capital Commission (which owns and operates its own structures) and Transport Canada, whose portfolio of bridges is managed by Crown corporations or shared governance regimes ( FBCL , Blue Water Bridge Canada, Buffalo and Fort Erie Public Bridge Authority [Peace Bridge Authority] and the St. Lawrence Seaway Management Corporation).

I am not going to list all the companies that are federally regulated in relation to roads and bridges, as there are too many to list. However, here is the full list of federally regulated companies in Canada. It is accurate as of 2020.

Maritime (ports)

Canada Port Authorities (CPA) operate at arm’s length from the federal government. CPAs are governed by a board of directors chosen by port users and the municipal, provincial and federal government.


  • set the business direction and make commercial decisions for the port
  • set their own fees (for example, berthage and wharfage fees) but such fees must be fair
  • are responsible for maintaining and dredging commercial shipping channels
  • act as landlords, leasing their port operations to private operators

Canada Port Authorities by province

British ColumbiaNanaimo Port Authority
Port Alberni Port Authority
Prince Rupert Port Authority
Vancouver Fraser Port Authority
OntarioHamilton-Oshawa Port Authority
Toronto Port Authority
Thunder Bay Port Authority
Windsor Port Authority
QuebecMontreal Port Authority
Quebec Port Authority
Saguenay Port Authority
Sept-Îles Port Authority
Trois-Rivières Port Authority
New BrunswickBelledune Port Authority
Saint John Port Authority
Nova ScotiaHalifax Port Authority
Newfoundland and LabradorSt. John’s Port Authority

Now that we have determined what the scope is. What is required for these entities to do?

The Minister of Transport has oversight on all federally regulated transportation entities defined as designated operators. This is a very large group of organizations and I would imagine, very difficult to enforce the new regulations on. However, the designated operators are subject to the following when bill C-26 comes into effect. The railway and aircraft operators are still subject to the following legislation in addition to Bill C-26.

Rail: Railway Safety Management System Regulations

Aircraft: Canadian Aviation Regulations

1. Within 90 days of Bill C-26 being enacted, a Cybersecurity plan needs to be established.

  • Within the CSP, it should include steps to identify and remediate cybersecurity risks. This should include a risk management practice that keeps a continual watch on threats, where the organization is vulnerable, the likelihood of breach and the impact thereof. There should also be a plan in place to increase the security posture over time. and to limit the attack surfaces.
  • Annual reviews (at a minimum) of the CSP, with updates provided to the Minister of Transport

2. Any changes to the ownership / control of the organization require the Minister of Transport to be informed. This applies to any changes within the supply chain as well.

3. The supply chain associated with the designated operators must meet certain standards to mitigate risks. The wording says: “reasonable steps to mitigate any identified cybersecurity risks associated with the designated operator’s supply chain or use of third-party products and services”. This is a broad statement and good be up for interpretation. I would imagine that the validation process for HW, software and 3rd party services to be used would have to meet stringent requirements. For smaller operators that are still federally regulated, this may force a substantial cost to change or qualify 3rd party systems. I can foresee an opportunity for validated SaaS services emerging in this space as a reasonable alternative.

4. Any cybersecurity incident will have to immediately be reported to the Communications Security Establishment (CSE), then directly after to the Minister of Transport.

5. All records of cybersecurity incidents, including logs and reports need to kept for a period of time defined by the Minister of Transport, and they must remain in Canada.

6. If the government tells the designated operator to do something, like terminate services with a 3rd party or stop using a certain technology, they cannot disclose those details to anyone. In other words, follow the first rule of fight-club, or you will be in non-compliance.

7. If the government wants to audit an organization, they have carte blanche to do so. They can also just get organizations to do it themselves and provide detailed reports. This is similar to what aircraft and rail companies currently have in place, but now it extends to many more organizations in scope.

The legislation will improve the security posture of critical infrastructure in Canada, and something had to be done quickly and forcefully.

There is a full-scale global cyber war ongoing right now and it is not a matter of “if”, but “when” any given organization is breached. How well they are prepared will determine their continued viability as an entity. It’s like being told that a hurricane is coming and everybody needs to board up their homes. Whether or not it’s possible with the resources, time and skills at hand, remains to be seen for many.

However the onus is left on organizations to figure it out in very short order, and there is a massive shortage in staff with sufficient capabilities in the market. This is where an external company that focuses on cybersecurity can comes in and addresses all of the requirements of bill C-26 in a short period of time. I’ll write another article that describes in detail how they can do it, but in the meantime, have a look here.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s