Canadian Centre for Cyber Security News

<article data-history-node-id="7291" about="/en/news-events/joint-guidance-malicious-cyber-threats-sd-wan-networks" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>Malicious cyber threat actors are targeting Software-Defined Wide Area Networks (SD-WAN) networks used by organizations globally. The Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment Canada (CSE), and international partners strongly encourage immediate action to ensure <abbr title="Software Defined Wide Area Network">SD-WAN</abbr>s are patched, hardened and investigated for potential compromise.</p> <p>Consult the following for additional information and recommendations:</p> <ul><li><a href="https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf">Australia’s Signals Directorate’s Australian Cyber Security Centre (ASD ACSC) CISCO <abbr title="Software Defined Wide Area Network">SD-WAN</abbr> threat hunt guide (PDF)</a></li> <li><a href="/en/alerts-advisories/al26-004-critical-vulnerability-affecting-cisco-catalyst-sd-wan-cve-2026-20127">Cyber Centre alert on this threat</a></li> <li><a href="/en/alerts-advisories/cisco-security-advisory-av26-166">Cyber Centre advisory on this threat</a></li> <li><a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk">Cisco’s advisory on this threat</a></li> </ul><p>The Cyber Centre is monitoring the situation and can provide assistance and advice as required. If you believe your organization has been impacted or requires assistance, contact us by email at <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a> or by phone at <a href="tel:+16139497048">613-949-7048</a> or <a href="tel:+18332923788">1‑833‑CYBER‑88</a>.</p> <h2>Quote</h2> <blockquote>We urge Canadian organizations and their network defenders to heed this warning, use the hunt guide, and patch. These malicious cyber threat actors are targeting organizations globally. Vigilance and immediate action will help us all harden our defences to get ahead of this threat. <footer>Rajiv Gupta, Head of the Canadian Centre for Cyber Security</footer></blockquote> <h2>Background</h2> <p>The Cyber Centre has joined <abbr title="Australian Cyber Security Centre">ACSC</abbr> and the following other international partners in releasing guidance alerting of malicious cyber threat actors targeting <abbr title="Software Defined Wide Area Network">SD-WAN</abbr> networks used by organizations globally:</p> <ul><li>New Zealand National Cyber Security Centre (NCSC-NZ)</li> <li>United Kingdom National Cyber Security Centre (NCSC-UK)</li> <li>United States National Security Agency (NSA)</li> <li>United States Cybersecurity and Infrastructure Security Agency (CISA)</li> </ul><p>Threat actors have been observed using CVE-2026-20127 to add a malicious rogue peer. They have then conducted a range of follow-on actions to achieve root access and maintain persistent, long-term access to <abbr title="Software Defined Wide Area Network">SD-WAN</abbr> networks.</p> <p><a href="https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led Cisco SD-WAN Hunt Guide.pdf"><abbr title="Australian Cyber Security Centre">ACSC</abbr>’s hunt guide (PDF)</a> has been prepared based on observations from various investigations and details the tactics, techniques and procedures (TTPs) leveraged by these malicious actors. The hunt guide aims to support network owners and defenders to conduct detection and threat hunting activities and provides mitigation guidance to reduce the risk from the observed <abbr title="techniques and procedures">TTPs</abbr>.</p> <h2>Mitigation advice</h2> <p>The authoring agencies strongly urge network defenders to ensure <abbr title="Software Defined Wide Area Network">SD-WAN</abbr>s are fully patched (including for CVE-2026-20127) and to hunt for evidence of compromise detailed in the hunt guide. The guidance also urges organizations to review and implement <a href="https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide">Cisco’s <abbr title="Software Defined Wide Area Network">SD-WAN</abbr> hardening guidance.</a></p> <p>To reduce the risks to your networks, Cisco’s <abbr title="Software Defined Wide Area Network">SD-WAN</abbr> hardening guidance should be reviewed in full. It includes advice on the following:</p> <ul><li><strong>Network perimeter controls: </strong>Ensure control components are behind a firewall, isolate <abbr title="virtual private network">VPN</abbr> 512 interfaces, and use <abbr title="internet protocol">IP</abbr> blocks for manually provisioned edge <abbr title="internet protocols">IPs</abbr></li> <li><strong><abbr title="Software Defined Wide Area Network">SD-WAN</abbr> manager access:</strong> Replace the self-signed certificate for the web user interface</li> <li><strong>Control and data plane security:</strong> Use pairwise keying</li> <li><strong>Session timeout:</strong> Limit to the shortest period possible</li> <li><strong>Logging:</strong> Forward to a remote syslog server</li> </ul><h2>Additional resources</h2> <p>For more information on vulnerabilities, visit our <a href="https://www.cyber.gc.ca/en/alerts-advisories">Alerts and advisories page</a>.</p> <p>For best practices, visit our <a href="https://www.cyber.gc.ca/en/guidance">Cyber security guidance page</a>.</p> </div> </div> </div> </div> </div> </article>

<article data-history-node-id="7308" about="/en/news-events/cse-calls-canadian-organizations-critical-infrastructure-providers-strengthen-defences-fourth-anniversary-russias-invasion-ukraine" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>The Communications Security Establishment Canada (CSE) and its Canadian Centre for Cyber Security (Cyber Centre) are urging Canadian organizations to stay vigilant and strengthen their defences against malicious cyber threats as the four-year mark of Russia’s full-scale invasion of Ukraine approaches.</p> <p>Over the past four years, the Cyber Centre has observed pro-Russia cyber actors targeting countries, including Canada, that support Ukraine. These activities have affected government and military agencies, private and public sector organizations, and critical infrastructure networks in Canada. Russian cyber threat actors have also attempted to disrupt services to Canadians by targeting cloud-based platforms, supply chains, and Internet-facing systems, including through distributed denial of service (DDoS) attacks.</p> <p>As we previously reported, we continue to see ideologically motivated, pro-Russia non-state cyber groups conducting malicious activity against perceived enemies. These groups are generally less sophisticated than state-sponsored actors but act independently, leading to unpredictability and a higher tolerance for risk.</p> <p>Canadian organizations and critical infrastructure operators should remain vigilant to threats posed by cyber actors aligned with Russian interests and prepare for potential service disruptions, website defacement and increased ransomware activity. Operators of Internet-connected operational technology (OT) devices should remain alert, as these systems are easily discoverable and vulnerable to cyber threats.</p> <p>We urge all Canadian organizations to implement appropriate measures now to defend against threats from Russian-aligned cyber actors.</p> <h2>Recommended actions</h2> <ul><li>Adopt the Cyber Centre’s <a href="/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit">Cross-Sector Cyber Security Readiness Goals</a></li> <li>Follow the Cyber Centre’s guidance on: <ul><li><a href="/en/guidance/ransomware-playbook-itsm00099">Ransomware</a></li> <li><a href="/en/guidance/developing-your-incident-response-plan-itsap40003"><abbr title="information technology">IT</abbr> incident response</a></li> <li><a href="/en/guidance/website-defacement-itsap00060">Website defacement</a></li> <li><a href="/en/guidance/distributed-denial-service-attacks-prevention-and-preparation-itsap80110">Distributed denial-of-service attacks</a></li> </ul></li> <li>Consult the Cyber Centre’s <a href="/en/guidance/top-10-it-security-actions-protect-internet-connected-networks-and-information-itsm10089">top 10 security actions to protect Internet-connected networks and information</a> with special attention to: <ul><li>Consolidating, monitoring and defending Internet gateways</li> <li>Segmenting information</li> <li>Isolating web-facing applications</li> </ul></li> <li>Review joint guidance on: <ul><li><a href="/en/news-events/joint-guidance-secure-connectivity-principles-operational-technology">Secure connectivity principles for operational technology</a></li> <li><a href="/en/news-events/joint-guidance-creating-maintaining-definitive-view-your-operational-technology-architecture">Creating and maintaining a definitive view of your operational technology architecture</a></li> <li><a href="/en/news-events/joint-cyber-security-advisory-pro-russia-hacktivists-conducting-opportunistic-attacks-global-critical-infrastructure">Pro-Russia hacktivists conducting opportunistic attacks on global critical infrastructures</a></li> </ul></li> <li>Consult the Cyber Centre’s <a href="https://www.canada.ca/en/communications-security/news/2025/11/backgrounder-malicious-cyber-activity-targeting-canadian-critical-infrastructure.html">backgrounder on malicious cyber activity targeting Canadian critical infrastructure</a> and <a href="/en/guidance/security-considerations-critical-infrastructure-itsap10100">security considerations for critical infrastructure,</a> focusing on: <ul><li>Isolating components, services and systems</li> <li>Maintaining and testing offline backups</li> <li>Developing an incident response plan</li> <li>Monitoring <abbr title="information technology">IT</abbr> and <abbr title="operational technology">OT</abbr> environments and enabling logging</li> </ul></li> <li>Take note of the Cyber Centre’s alert on <a href="/en/alerts-advisories/al25-016-internet-accessible-industrial-control-systems-ics-abused-hacktivists">Internet-accessible industrial control systems abused by hacktivists</a></li> <li>Review perimeter network systems for signs of suspicious activity</li> <li>Report cyber incidents to the Cyber Centre</li> </ul><p>The Cyber Centre continues to share cyber threat information with Canadian critical infrastructure and government partners via protected channels throughout the year. We actively monitor the cyber threat environment in Canada and globally. Canadian organizations that believe they may have been targeted by cyber threat activity should contact the Cyber Centre by email at <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a> or by phone at <a href="tel:18332923788">1-833-CYBER-88</a>.</p> <h2>Related resources</h2> <ul><li><a href="/en/guidance/national-cyber-threat-assessments">National Cyber Threat Assessments</a></li> <li><a href="/en/guidance/ransomware-threat-outlook-2025-2027">Ransomware Threat Outlook 2025-2027</a></li> <li><a href="/en/guidance/cyber-threat-canadas-water-systems-assessment-mitigation">Cyber threats to Canada’s water systems</a></li> </ul></div> </div> </div> </div> </div> </article>

<article data-history-node-id="7244" about="/en/guidance/security-considerations-sims" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>February 2026</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.10.021</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>February 2026 | Awareness series</strong></p> </div> </div> <p>A subscriber identity module (SIM) card is an electronic chip that stores mobile network user information, such as your phone number and authentication key used to grant access to the cellular network. A SIM card is also referred to as a universal integrated circuit chip (UICC), which is the modern day version of the original SIM card. Although the UICC is the technical term, it continues to be referred to as the SIM card.</p> <p>Because of the information they store, SIMs can be valuable targets for threat actors. This publication aims to help you understand the main threat, known as SIM swapping, and provide you with recommendations to better protect yourself.</p> <h2>On This Page</h2> <ul><li><a href="#Differences">Difference between a SIM card and an eSIM</a></li> <li><a href="#Swap">SIM swapping</a></li> <li><a href="#How-swap">How SIM swapping happens</a></li> <li><a href="#Consequences">Consequences of SIM swapping</a></li> <li><a href="#Signs">The signs of SIM swapping</a></li> <li><a href="#Protect">How to protect your SIM</a></li> <li><a href="#Learn-more">Learn more</a></li> </ul><h2 class="text-info" id="Differences">Difference between a SIM card and an eSIM</h2> <p>A SIM card is a physical card inserted into a device. It uses information stored within it to identify and authenticate the user on a mobile network. An embedded SIM (eSIM) is a non-removable electronic chip integrated into the device, making it easy to configure and activate remotely. An eSIM is capable of storing several SIM profiles at once.</p> <h3>Considerations for eSIMs</h3> <p>Providers are increasingly offering eSIMs as a format due to convenience. However, there are risks associated with them. eSIMs can make it easier for threat actors to:</p> <ul><li>compromise and gain access to your mobile accounts</li> <li>conduct social engineering and remote attacks, as they can be digitally generated and electronically transferred</li> <li>compromise multiple profiles at a time</li> <li>leverage malicious software through arbitrary code execution</li> </ul><h2 class="text-info" id="Swap">SIM swapping</h2> <p>SIM swapping is an attack against your mobile phone account that transfers your phone number to a threat actor’s SIM card or eSIM without your knowledge or permission. Some other common terms used for SIM swapping include SIM jacking, SIM napping and SIM porting.</p> <p>If a threat actor is successful with a SIM swapping attack, they can use their device to control communications meant for you, including through impersonation. This scam is also used to access other accounts, such as your bank account, that might use your phone number as a method to verify your identity.</p> <h2 class="text-info" id="How-swap">How SIM swapping happens</h2> <p>Threat actors leverage the following methods to conduct SIM swapping attacks.</p> <h3>Calling your provider</h3> <p>Threat actors attempt SIM swapping using a similar process that providers follow when they transfer a user’s phone number from their old device to a new one during an upgrade. Threat actors can try to transfer a victim’s phone number to their own device by calling the mobile network provider and fraudulently impersonate the victim. They can bypass common security questions used to verify your identity by researching the personal information you’ve shared online.</p> <h3>Stealing your credentials</h3> <p>Threat actors can also try to access your mobile account details on the provider’s website to initiate and authorize a SIM swap. They use credential stuffing, where criminals use stolen usernames and passwords, or collect personal information that has been shared online and on social media to answer security questions during account authentication.</p> <h3>Exploiting insider access</h3> <p>SIM swapping can occur due to insider threat. Employees and other insiders with internal access to a mobile service provider can falsely authorize changes to customer accounts and sell swapped SIMs.</p> <h2 class="text-info" id="Consequences">Consequences of SIM swapping</h2> <p>If you are a victim of SIM swapping, a threat actor will receive your phone calls, messages and notifications on their device. Since mobile devices are often used as an authentication measure, a threat actor can impersonate you and gain access to your accounts and information, putting both you and your organization at risk.</p> <h3>Individual risks</h3> <p>As an individual, being a victim of SIM swapping possesses several risks. A threat actor can:</p> <ul><li>change and steal other account credentials</li> <li>prevent you from accessing and managing your accounts</li> <li>steal your money and financial information</li> <li>control and handle information managed through personal accounts</li> <li>impersonate you to spread the scam to your contacts</li> </ul><h3>Organizational risks</h3> <p>Depending on your organization’s posture on device-use (for example, company-owned or personal devices) and remote work, it is important to evaluate the level of sensitivity of the data being handled. If threat actors compromise a mobile service that handles your organization’s information, they can:</p> <ul><li>impersonate the individual behind the account</li> <li>spread phishing scams and malware to other accounts and devices</li> <li>gain access to sensitive and confidential information</li> <li>compromise systems and processes</li> <li>damage your business’ reputation and trust with customers and partners</li> </ul><h2 class="text-info" id="Signs">The signs of SIM swapping</h2> <p>There are signs you can look out for that signify that a threat actor may be trying to or has swapped your SIM. These include:</p> <ul><li>abnormal reduction in messages on your device</li> <li>lack of verification messages when using multi-factor authentication (MFA)</li> <li>phishing messages asking to verify your account with a PIN or clicking a link to login</li> <li>messages indicating activity on your account that you don’t remember</li> <li>changes to account information you did not make</li> <li>losing access to online accounts (for example, banking, email and social media)</li> <li>transactions on accounts that are unknown</li> <li>disconnection from cellular network</li> </ul><p>If your SIM has been successfully swapped, you will lose cellular service as well as Wi-Fi calling capabilities. It is important to note that being connected to Wi-Fi can keep your data connection active. If you switch between cellular service and Wi-Fi automatically and frequently, you may not immediately recognize when your SIM is compromised.</p> <h2 class="text-info" id="Protect">How to protect your SIM</h2> <p>It is important to take preventative security measures to reduce the risks of being a victim of SIM swapping. The best ways to protect yourself from SIM swapping include:</p> <ul><li>using any additional verification requirements your mobile provider offers to help protect your account</li> <li>requesting your mobile provider to enable port protection or a SIM lock on your accounts, if available</li> <li>enabling MFA that includes methods other than those that rely on your phone number (for example, a PIN, biometric or authentication app)</li> <li>keeping sensitive information related to account security questions private (for example, date of birth, home address and mother’s maiden name)</li> <li>using separate and unique email addresses for financial accounts and social media</li> <li>creating different passwords and passphrases for each of your accounts</li> <li>keeping up with your provider’s security advisories and Cyber Centre guidance and alerts</li> </ul><h3>Organization-specific security measures</h3> <p>Alongside the security measures mentioned, there are some specific security practices your company should consider to help prevent SIM swapping.</p> <ul><li>Have a clear device usage policy for what data can be handled on certain devices</li> <li>Enforce cellular contracts for company-owned devices that prohibit account migration without your organization’s approval</li> <li>Implement mandatory maintenance sessions for company-owned devices</li> <li>Use authenticator applications that generate one-time passcodes for MFA rather than verification measures connected to the phone number (for example, text message and phone call)</li> <li>Deploy hardware security keys to secure and authenticate highly sensitive accounts if necessary</li> <li>Classify and label data according to sensitivity levels and clearly establish how data belonging to each level should be handled</li> <li>Offer cyber security training</li> </ul><h2 class="text-info" id="Learn-more">Learn more</h2> <ul><li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="38a1fb42-00d7-4f06-89ad-c73fa0e72ce9" href="/en/guidance/using-your-mobile-device-securely-itsap00001">Using your mobile device securely (ITSAP.00.001)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="4869097e-e33a-4268-9ada-1e0ba0a027ed" href="/en/guidance/end-user-device-security-bring-your-own-device-byod-deployment-models-itsm70003">End user device security for Bring-Your-Own-Device (BYOD) deployment models (ITSM.70.003)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="27e5d9ca-0c82-4d31-90a0-207c22c7652b" href="/en/guidance/social-engineering-itsap00166">Social engineering (ITSAP.00.166)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="e9e04d2f-d1d6-4f04-b897-95e9ca060c7f" href="/en/guidance/rethink-your-password-habits-protect-your-accounts-hackers-itsap30036">Rethink your password habits to protect your accounts from hackers (ITSAP.30.036)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="8d072457-288e-4bd1-a076-da037de9ad03" href="/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks">Don’t take the bait: Recognize and avoid phishing attacks (ITSAP.00.101)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="df4d897c-c726-4e48-8901-408ba2bdf6d3" href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)</a></li> </ul></div> </div> </div> </div> </div> </article>

<article data-history-node-id="7277" about="/en/geekweek/geekweek-11" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p><img alt="geekweek banner" class="img-responsive mrgn-bttm-lg" src="/sites/default/files/images/geekweek-11-ef-1170×347.png" /></p> <h2 class="page-header">Detection and Deception</h2> <p>GeekWeek provides an opportunity for participants to take few days away from their day-to-day and work with public sector, industry, critical infrastructure and international partners to explore innovative ideas in the cyber security space.</p> <div class="row"> <section class="col-md-4 col-sm-5 pull-right well well-sm mrgn-tp-lg"><h3 class="mrgn-tp-sm">Venue</h3> <img alt="Photo of Vanier Facility" class="img-responsive" src="/sites/default/files/images/vanier-edifice-vanier_1.jpg" /><p class="mrgn-tp-md">Canadian Centre for Cyber Security<br /> 1625 Vanier Parkway, Ottawa<br /> ON K1L 7P1</p> </section><div class="col-md-8 col-sm-7 mrgn-tp-lg"> <h2 class="page-header">Event date</h2> <p>May 27 to June 5, 2026</p> <p>If you’re interested in future Geek events, reach out to <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>.</p> <div class="clearfix"> </div> <h2 class="page-header mrgn-tp-lg">Registration information</h2> <p>Given the technical nature of the workshop, GeekWeek is an <strong>invitation-only event</strong>.</p> </div> </div> <h2 class="page-header">Keynote speaker</h2> <p>To be confirmed.</p> <h2 class="page-header">Participating organizations</h2> <p class="mrgn-bttm-lg">To be confirmed.</p> <h2 class="page-header">Topics and themes</h2> <p>The following topics and themes have been proposed for GeekWeek 11.</p> <ul class="list-unstyled"><li> <details><summary>Cyber physical systems</summary><ul><li>Industrial spectrum monitoring</li> <li>Industrial control systems and operational technology security for energy</li> <li>Early warning threat sharing for industrial control systems and operational technology security environments</li> <li>Connected vehicules</li> <li>Hunting the hunters</li> <li>Firmware security</li> </ul></details></li> <li> <details><summary>Cyber toolboxes and analytical environments</summary><ul><li>Memory analysis</li> <li>Industrial control systems honeypot</li> <li>Home modems and routers protection</li> <li>Internet scanner</li> <li>Digital Forensics and Incident Response in Cybersecurity</li> </ul></details></li> <li> <details><summary>Cyber threat hunting</summary><ul><li>Detecting and decoding advanced persistent threat (APT) malware</li> <li>Malicious infrastructure and threat hunting</li> <li>Cross-organization data harvesting and analytics</li> <li>It’s all about money</li> </ul></details></li> <li> <details><summary>Cyber threat analytics</summary><ul><li>Cyber security posture</li> <li>Cyber threat storytelling (a.k.a it’s all about graphs!)</li> <li>Using large language models for malware analysis</li> <li>Malicious email identification and triage enhancement with large language models (LLMs)</li> <li>Cyber news aggregation and summarization with large language models</li> <li>Automated signature generation</li> <li>AI-powered fraud prevention for Canadians</li> <li>Monitoring, analytics and scaling security in the cloud</li> </ul></details></li> <li> <details><summary>Open-source solutions: Giving back to the cyber security community</summary><ul><li>Cyber range development</li> <li>Cyber tools development: Borealis/Clue, Chameleon/Beever, Howler</li> </ul></details></li> <li> <details><summary>Cyber defence turnkey solutions</summary><ul><li>Cyber defense Fly-Away kit</li> <li>Secure operations centre (SOC) in a box <ul><li>Platform</li> <li>Pipeline for data collection</li> <li>Analytics</li> <li>Machine learning-based analytics</li> </ul></li> </ul></details></li> </ul><p>For more general information about GeekWeek, visit the <a href="/en/geekweek">GeekWeek page</a>.</p> </div> </div> </div> </div> </div> </article>

<article data-history-node-id="7019" about="/en/guidance/cyber-threat-marine-transportation" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#judgements">Key judgements</a></li> <li><a href="#intro">Introduction</a></li> <li><a href="#digitalization-threat">Digitalization is expanding the sector threat surface</a></li> <li><a href="#cybercriminals-threat">The threat from cybercriminals</a></li> <li><a href="#threat-state-sponsored">The threat from state-sponsored cyber actors</a></li> <li><a href="#treat-non-state">The threat from non-state cyber threat actors</a></li> <li><a href="#outlook">Outlook</a></li> <li><a href="#fn">Endnotes</a></li> </ul></details></section><section><div> <h2 class="text-info">Audience</h2> <p>This report is part of a series of cyber threat assessments focused on Canada’s critical infrastructure. It is intended for leaders in the marine transportation sector, cyber security professionals with maritime infrastructure to protect, and the general reader with an interest in the cyber security of critical infrastructure. For additional information on technical mitigation of these threats, consult the <a href="https://www.cyber.gc.ca/en/guidance">Canadian Centre for Cyber Security’s (Cyber Centre) guidance</a> or contact the Cyber Centre.</p> </div> <div> <h2 class="text-info">Contact</h2> <p>For follow-up questions or issues, contact the Cyber Centre by email at <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>.</p> </div> <div> <h2 class="text-info">Assessment base and methodology</h2> <p>The key judgements in this assessment rely on reporting from multiple sources, both classified and unclassified. The judgements are based on the knowledge and expertise in cyber security of the Cyber Centre. Defending the Government of Canada’s information systems provides the Cyber Centre with a unique perspective to observe trends in the cyber threat environment, which also informs our assessments. The Communications Security Establishment Canada’s foreign intelligence mandate provides us with valuable insight into adversary behaviour in cyberspace. While we must always protect classified sources and methods, we provide the reader with as much justification as possible for our judgements.</p> <p>Our judgements are based on an analytical process that includes evaluating the quality of available information, exploring alternative explanations, mitigating biases and using probabilistic language. We use terms such as “we assess” or “we judge” to convey an analytic assessment. We use qualifiers such as “possibly,” “likely,” and “very likely” to convey probability.</p> </div> <div>The assessments and analysis are based on information available as of <strong>August 31, 2024</strong>.</div> <h3>Estimative language</h3> <div class="panel panel-default col-md-12"> <div class="panel-body"> <figure><p class="mrgn-bttm-lg">The chart below matches estimative language with appropriate percentages. these percentages are not derived via statistical analysis, but are based on logic, available information, prior judgements, and methods that increase the accuracy of estimates.</p> <img alt="Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/tarp-language-chart-transparent-e.png" /><details class="brdr-tp brdr-rght brdr-bttm brdr-lft mrgn-bttm-sm"><summary>Long description – Estimative language chart </summary><ul class="list-unstyled mrgn-tp-md"><li>1 to 9% Almost no chance</li> <li>10 to 24% Very unlikely/very improbable</li> <li>25 to 39% Unlikely/improbable</li> <li>40 to 59% Roughly even chance</li> <li>60 to 74% Likely/probably</li> <li>75 to 89% Very likely/very probable</li> <li>90 to 99% Almost certainly</li> </ul></details></figure></div> </div> <span class="clearfix"></span></section><section><h2 class="text-info" id="judgements">Key judgements</h2> <ul><li>We assess that financially motivated cybercriminals are the most likely cyber threat to affect the marine transportation sector. We assess that cybercriminals will almost certainly continue to exploit marine transportation and supporting organizations through extortion tied to ransomware, in addition to selling or exploiting stolen personal or proprietary business information. We assess that ransomware is almost certainly the most likely disruptive cyber threat to affect marine transportation operations.</li> <li>The marine transportation sector’s importance to Canada’s economic and strategic supply chains makes it a high priority target for state-sponsored cyber threat activity. We assess that state-sponsored cyber threat actors will very likely continue targeting the Canadian marine transportation sector and supporting organizations to steal logistical and operational data that can be leveraged for economic advantage, and to steal intellectual property that can be used to support state commercial, military, and intelligence priorities.</li> <li>We assess that the marine transportation sector is a strategic target for disruption or destruction by state-sponsored cyber threat actors. However, we judge that these actors would likely only intentionally disrupt or damage Canadian marine transportation infrastructure in times of crisis or conflict between states.</li> <li>We assess that non-state cyber threat actors will very likely continue targeting the Canadian marine transportation sector in connection to international events and conflicts, primarily though distributed denial-of-service (DDoS) attacks and website defacements.</li> </ul></section><section><h2 class="text-info" id="intro">Introduction</h2> <p>The marine transportation sector (MTS) plays a pivotal role in Canada’s economy by supporting the movement of goods and travelers to and from domestic and international markets. Marine transportation and its supporting activities contributed over $8.3 billion to Canada’s gross domestic product in 2022 and accounted for 24% of Canadian merchandise imports and 18% of Canadian merchandise exports in 2023.<sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup> Marine transportation is a key method of connection for communities and industries across Canada’s expansive geography and is the sole option for resupply in some northern communities.<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup> The <abbr title="marine transportation sector">MTS</abbr>’s importance to Canada makes the cyber security of Canadian ports, vessels, supporting infrastructure, and the organizations that operate them a matter of critical importance for Canada’s national and economic security.</p> <p>Cyber threat activity against the <abbr title="marine transportation sector">MTS</abbr> can have significant consequences. Cyber-enabled fraud and scams are costly for victims,<sup id="fn3-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup> and disruptive cyber threat activity such as ransomware can interfere with marine transportation operations, implicating safety and causing costly disruptions to supply chains. For example, in 2017, the NotPetya wiper malware affected organizations worldwide, including global shipping company A.P. Møller-Maersk.<sup id="fn4-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup> Maersk was forced to entirely rebuild the affected computer systems and experienced global operational interruptions. Maersk experienced an estimated $250 to $300 million USD in damages, and unknown additional damages on the part of Maersk customers stemming from supply chain interruptions and shipping delays.<sup id="fn5-rf"><a class="fn-lnk" href="#fn5"><span class="wb-inv">Footnote </span>5</a></sup></p> </section><!–** TOP OF PAGE ******–><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <section><h2 class="text-info" id="digitalization-threat">Digitalization is expanding the sector threat surface</h2> <p>The <abbr title="marine transportation sector">MTS</abbr> is digitalizing its operations to improve efficiency and address environmental challenges such as decarbonization. Digitalization refers to the incorporation of data-informed decision making, connected technology, and automation throughout the scope of marine transportation operations. Digitalization is supported by the wide deployment of sensors that collect operational and environmental data—for example, smart buoys, video-based container recognition systems, and shipboard sensors—that provide enhanced situational awareness and allow for centralized management over marine transportation operations.<sup id="fn6-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup> It also involves the adoption of digitally transformed operational technology (OT) and industrial systems within ports and on vessels, such as ship-to-shore cranes and physical access control systems.</p> <p>Digitalization is expanding the <abbr title="marine transportation sector">MTS</abbr>’s threat surface. Increased adoption of connected <abbr title="operational technology">OT</abbr> systems provides cyber threat actors more opportunities to exploit those systems to disrupt their functioning, or to use them to gain access to business or <abbr title="operational technology">OT</abbr> networks. New methods of connection such as very short aperture terminal satellite Internet connections extend the reach of cyber threat actors to vessels and <abbr title="operational technology">OT</abbr> systems even in remote areas. Further, the growing volume of operational and environmental data being collected and shared within and across organizations, and the systems supporting that growth, are valuable targets for commercial or strategic espionage and potential targets for disruption.</p> <!– change styling? –> <div class="panel panel-primary"> <header class="panel-heading"><h3 class="panel-title">Position, navigation and timing systems are vulnerable to interference</h3> </header><div class="panel-body"> <p>The <abbr title="marine transportation sector">MTS</abbr> relies on the integrity and availability of various position, navigation and timing (PNT) systems, including the Automatic Identification System (AIS) and the Global Positioning System (GPS). Accurate <abbr title="position, navigation and timing">PNT</abbr> information is critical for safe vessel navigation and is essential for new technologies such as autonomous vessels and smart port systems. AIS and <abbr title="Global Positioning System">GPS</abbr> signals are vulnerable to interference because they typically lack encryption or any mechanism for validating the content or originator of a signal.</p> <p>Interference with <abbr title="position, navigation and timing">PNT</abbr> systems falls into 2 categories:</p> <ul><li><strong>Signal jamming</strong> is a form of <strong>denial-of-service attack</strong> that prevents a target system from receiving an intended communication by overwhelming the receiver using a malicious signal, making <abbr title="position, navigation and timing">PNT</abbr> information inaccessible to the victim.</li> <li><strong>Signal spoofing</strong> is a form of <strong>data manipulation</strong> that deceives a target system into accepting a malicious signal rather than the intended communication. This can result in incorrect location information being provided to a user, which may cause them to adjust course and potentially navigate into dangerous areas.</li> </ul><p>There has been an increase in the number of reported <abbr title="position, navigation and timing">PNT</abbr> interference incidents affecting civilian marine and air transportation in the past several years. Some reported incidents are likely incidental effects of military electronic warfare measures near conflict areas, including around Ukraine. However, <abbr title="position, navigation and timing">PNT</abbr> interference may also be used to hide criminal maritime activities or support state geopolitical objectives.<sup id="fn7-rf"><a class="fn-lnk" href="#fn7"><span class="wb-inv">Footnote </span>7</a></sup> For example, in July 2019, the British-flagged Stena Impero was seized by Iran in the Strait of Hormuz for violating Iranian territorial waters. Analysis by security researchers suggests that the Stena Impero may have diverted course into Iranian territorial waters because they were provided spoofed positional information through <abbr title="Automatic Identification System">AIS</abbr>, possibly to justify seizure of the vessel by Iran.<sup id="fn8-rf"><a class="fn-lnk" href="#fn8"><span class="wb-inv">Footnote </span>8</a></sup></p> </div> </div> <p>As the <abbr title="marine transportation sector">MTS</abbr> continues to digitalize, the associated threat surface from proprietary information and data being shared with third-party service providers expands.</p> <div class="well"> <p>We assess that medium and high-sophistication threat actors will very likely attempt to exploit third parties to steal sector information, or to gain access to organizations within the sector by exploiting the digital supply chain.</p> </div> <p>Arrangements where suppliers have remote access to organizational networks, or where they provide a product with consistent data exchange between organizations, increase the opportunities for supplier-based compromise by cyber threat actors.<sup id="fn9-rf"><a class="fn-lnk" href="#fn9"><span class="wb-inv">Footnote </span>9</a></sup> This may include organizations that provide information technology services such as cloud or managed service providers, software-as-a-service providers, and suppliers for digitally transformed technology.</p> </section><!–** TOP OF PAGE ******–><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <section><h2 class="text-info" id="cybercriminals-threat">The threat from cybercriminals</h2> <div class="well"> <p>We assess that financially motivated cybercriminals are the most likely cyber threat to affect the <abbr title="marine transportation sector">MTS</abbr>. We assess that cybercriminals will almost certainly continue to exploit marine transportation and supporting organizations through extortion tied to ransomware, in addition to selling or exploiting stolen personal or proprietary business information.</p> </div> <p>The <abbr title="marine transportation sector">MTS</abbr> is an attractive target for extortion by cybercriminals because of the economic importance of supply chains and the dependence of its clients on the continuity of shipping operations. Some cybercriminals specifically target organizations such as ports or shipping companies that may be willing to pay large ransoms to recover from disruptions as quickly as possible. However, most cybercriminal activity opportunistically targets organizations regardless of their size by exploiting vulnerable Internet-exposed devices or through bulk phishing or password spraying campaigns.<sup id="fn10-rf"><a class="fn-lnk" href="#fn10"><span class="wb-inv">Footnote </span>10</a></sup></p> <h3>Top 10 ransomware threats to Canada in 2024 by rank</h3> <ol class="colcount-sm-2"><li> <p>AKIRA<br /><strong>Ransomware-as-a-service:</strong> <span class="label label-success">Yes</span></p> </li> <li> <p>PLAY<br /><strong>Ransomware-as-a-service:</strong> <span class="label label-success">Yes</span></p> </li> <li> <p>MEDUSA<br /><strong>Ransomware-as-a-service:</strong> <span class="label label-success">Yes</span></p> </li> <li> <p>LOCKBIT<br /><strong>Ransomware-as-a-service:</strong> <span class="label label-success">Yes</span></p> </li> <li> <p>BLACK BASTA<br /><strong>Ransomware-as-a-service:</strong> <span class="label label-success">Yes</span></p> </li> <li> <p>RANSOMHUB<br /><strong>Ransomware-as-a-service:</strong> <span class="label label-success">Yes</span></p> </li> <li> <p>CACTUS<br /><strong>Ransomware-as-a-service:</strong> <span class="label label-warning">Unknown</span></p> </li> <li> <p>CL0P<br /><strong>Ransomware-as-a-service:</strong> <span class="label label-danger">No</span></p> </li> <li> <p>HUNTERS INTERNATIONAL<br /><strong>Ransomware-as-a-service:</strong> <span class="label label-success">Yes</span></p> </li> <li> <p>QILIN<br /><strong>Ransomware-as-a-service:</strong> <span class="label label-success">Yes</span></p> </li> </ol><p>Cybercriminals are continuously evolving their tactics to increase their ability to extract profit from victim organizations. Illicit marketplaces for cybercrime tools and services reduce the barrier to entry for cybercriminal activity, and the proliferation of prebuilt cyber tools such as <strong>ransomware-as-a-service (RaaS)</strong> variants increases the impact even low sophistication cybercriminals can have on their victims.<sup id="fn10a-rf"><a class="fn-lnk" href="#fn10"><span class="wb-inv">Footnote </span>10</a></sup> In the <abbr title="ransomware-as-a-service">RaaS</abbr> model, a cybercrime group maintains their own version of ransomware and leases it to other cybercriminals in exchange for a portion of ransom payments they receive. In the January to March 2024 period, 8 of the top 10 most impactful ransomware variants by number and severity of incidents were assessed as being <abbr title="ransomware-as-a-service">RaaS</abbr>.<sup id="fn10b-rf"><a class="fn-lnk" href="#fn10"><span class="wb-inv">Footnote </span>10</a></sup></p> <!– subsection –> <div> <h3>Ransomware is the most likely disruptive threat to marine transportation</h3> <div class="well"> <p>We assess that ransomware is almost certainly the most likely disruptive cyber threat to affect the <abbr title="marine transportation sector">MTS</abbr>.</p> </div> <p>Ransomware attacks can cause operational disruptions by preventing access to business systems and information, disrupting operational communications within or between organizations, or by preventing operators from accessing or safely operating industrial systems. Although the primary means of extortion against ransomware victims is data or device encryption, cybercriminals frequently use other methods to pressure victims into providing a ransom payment. This includes exfiltrating sensitive files and data prior to deploying the ransomware and threatening to sell the stolen information if payment is not received.<sup id="fn11-rf"><a class="fn-lnk" href="#fn11"><span class="wb-inv">Footnote </span>11</a></sup></p> <p>There are several recent examples of ransomware attacks disrupting marine transportation operations. In July 2023, a ransomware attack against the Japanese Port of Nagoya caused the port to entirely stop its container operations for several days.<sup id="fn12-rf"><a class="fn-lnk" href="#fn12"><span class="wb-inv">Footnote </span>12</a></sup> The Nagoya Harbor Transportation Association disclosed that the attack was conducted with LockBit 3.0, one of the most widely deployed RaaS variants.<sup id="fn13-rf"><a class="fn-lnk" href="#fn13"><span class="wb-inv">Footnote </span>13</a></sup></p> <p>Cybercriminals have also targeted organizations that provide managed services and software for clients across the <abbr title="marine transportation sector">MTS</abbr> and disrupted the availability of those services. In January 2023, a ransomware attack forced a Norwegian maritime software provider to shut down servers used by their ship management product.<sup id="fn14-rf"><a class="fn-lnk" href="#fn14"><span class="wb-inv">Footnote </span>14</a></sup> The outage affected 70 of the organization’s clients and approximately 1,000 vessels, with clients only able to access the software’s offline functionalities.<sup id="fn15-rf"><a class="fn-lnk" href="#fn15"><span class="wb-inv">Footnote </span>15</a></sup> We assess that cybercriminals will very likely continue targeting organizations that provide services to large numbers of clients within the <abbr title="marine transportation sector">MTS</abbr> to maximize the effects of their activity and to increase pressure on victims to provide ransom payment.</p> <div class="panel panel-primary"> <header class="panel-heading"><h4 class="panel-title">Significant ransomware attacks against the marine transportation sector</h4> </header><div class="panel-body"> <ul><li>In July 2021, a ransomware attack against a South African logistics company disrupted operations at container terminals in Durban, Ngqura, Port Elizabeth, and Cape Town. The Durban Port alone accounts for approximately 60% of all South African container traffic and was reduced to 10% of its operational capacity for almost a week.<sup id="fn16-rf"><a class="fn-lnk" href="#fn16"><span class="wb-inv">Footnote </span>16</a></sup></li> <li>In January 2022, a ransomware attack against European oil and gas organizations resulted in disruptions to port-based oil storage and transportation infrastructure, disrupting oil and gas supply chains.<sup id="fn17-rf"><a class="fn-lnk" href="#fn17"><span class="wb-inv">Footnote </span>17</a></sup></li> <li>In March 2023, a ransomware attack against a Dutch shipping company resulted in data related to business contracts and employee personal information being stolen.<sup id="fn18-rf"><a class="fn-lnk" href="#fn18"><span class="wb-inv">Footnote </span>18</a></sup></li> <li>In April 2023, a ransomware attack against a United States (U.S.) shipbuilding company Fincantieri Marinette Marine resulted in short-term production delays and the unauthorized disclosure of personal information for over 16,000 individuals.<sup id="fn19-rf"><a class="fn-lnk" href="#fn19"><span class="wb-inv">Footnote </span>19</a></sup></li> </ul></div> </div> </div> <div> <h4>Data theft supports additional cybercriminal activity</h4> <p>In addition to directly defrauding or extorting victims, cybercriminals benefit from stealing and exploiting stolen organizational data to conduct further threat activity against the victim organization, its business partners, and employees. For example, stolen information related to organizational devices and networks can be used to plan additional compromises, and information on an organization’s business plans and activities can be used to craft convincing lures for phishing emails against clients and employees. Stolen information may also be sold through dark web forums to other cybercriminals, competitor organizations, or state-sponsored cyber threat actors. In a limited number of cases, cybercriminals have used network access and stolen information to facilitate physical criminal operations such as cargo theft and smuggling.<sup id="fn20-rf"><a class="fn-lnk" href="#fn20"><span class="wb-inv">Footnote </span>20</a></sup></p> </div> </section><!–** TOP OF PAGE ******–><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <section><h2 class="text-info" id="threat-state-sponsored">The threat from state-sponsored cyber actors</h2> <div class="well"> <p>The <abbr title="marine transportation sector">MTS</abbr>’s importance to Canada’s economic and strategic supply chains makes it a high-priority target for state-sponsored cyber threat activity.</p> </div> <p>State-sponsored cyber threat actors are capable of highly sophisticated threat activity that is difficult to detect and attribute and may maintain persistence within compromised environments for years before being detected.<sup id="fn21-rf"><a class="fn-lnk" href="#fn21"><span class="wb-inv">Footnote </span>21</a></sup> State-sponsored threat actors, including from the People’s Republic of China (PRC), Russia, and Iran, have consistently targeted the <abbr title="marine transportation sector">MTS</abbr> for espionage, to intimidate or project power against adversaries, and to disrupt adversary commercial and military supply chains.</p> <div> <h3>Espionage for commercial and strategic advantage</h3> <div class="well"> <p>We assess that state-sponsored cyber threat actors will very likely continue targeting the Canadian <abbr title="marine transportation sector">MTS</abbr> and supporting organizations to steal logistical and operational data that can be leveraged for economic advantage, and to steal intellectual property that can be used to support state commercial, military, and intelligence priorities.</p> </div> <p>Foreign states can exploit stolen logistical and operational information from the <abbr title="marine transportation sector">MTS</abbr>, including data on the movement of goods and people, business development plans, and other forms of proprietary information. This information may provide foreign industry competitive advantage or leveraged for economic or diplomatic advantage over Canada in bilateral relations such as trade negotiations.<sup id="fn22-rf"><a class="fn-lnk" href="#fn22"><span class="wb-inv">Footnote </span>22</a></sup> Likely targets for state-sponsored commercial espionage include port authorities, port terminal operators, shipping lines, regulators, and organizations involved in the sharing, storage, or analysis of marine transportation data.</p> <p>Stolen intellectual property and research information from Canada’s robust ship building, marine research, and innovation base can be directly leveraged by foreign states to improve the efficiency and competitiveness of foreign industry or sold to third parties to co-opt the financial gain Canadian organizations would have realized through commercializing their intellectual property. State-sponsored actors have demonstrated a particular interest in intellectual property and research information with a dual-use military application or that would otherwise support foreign state interests, even if the intent of the research is not explicitly military in nature. This may include, for example, research related to the use of drones in marine operations, improving the ability for vessels to operate in arctic conditions, or measuring and predicting environmental changes in the Arctic. Likely targets for state-sponsored espionage targeting intellectual property includes ship builders, research and innovation hubs, and university researchers.</p> <div class="panel panel-primary"> <header class="panel-heading"><h4 class="panel-title">Examples of state-sponsored activity against the marine transportation sector</h4> </header><div class="panel-body"> <ul><li>In January and February 2018, PRC threat actors stole data from an organization contracted by the U.S. Navy related to submarines and undersea warfare.<sup id="fn23-rf"><a class="fn-lnk" href="#fn23"><span class="wb-inv">Footnote </span>23</a></sup></li> <li>In March 2019, security researchers reported that PRC state-sponsored threat actors targeted over 20 universities worldwide attempting to steal maritime research with military application.<sup id="fn24-rf"><a class="fn-lnk" href="#fn24"><span class="wb-inv">Footnote </span>24</a></sup></li> <li>In March 2023, security researchers attributed malware found in several European commercial cargo shipping companies to PRC advanced persistent threat group Mustang Panda.<sup id="fn25-rf"><a class="fn-lnk" href="#fn25"><span class="wb-inv">Footnote </span>25</a></sup></li> </ul></div> </div> </div> <!–** TOP OF PAGE ******–> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <div> <h3>Pre-positioning disruptive or destructive cyber capabilities</h3> <div class="well"> <p>We assess that the <abbr title="marine transportation sector">MTS</abbr> is a strategic target for disruption or destruction by state-sponsored cyber threat actors.<sup id="fn26-rf"><a class="fn-lnk" href="#fn26"><span class="wb-inv">Footnote </span>26</a></sup></p> </div> <p>However, we judge that these actors would likely only intentionally disrupt or damage Canadian marine transportation infrastructure in times of crisis and conflict between states. Disruptive or destructive cyber threat activity against the <abbr title="marine transportation sector">MTS</abbr> by state-sponsored actors may be used to intimidate and demoralize the public, to disrupt economic and strategic supply chains, or to damage or destroy marine transportation infrastructure. State-sponsored actors pre-position for this activity by identifying and gaining access to Internet-connected <abbr title="operational technology">OT</abbr> systems, or IT networks from which they can laterally move to <abbr title="operational technology">OT</abbr> systems. Once in the target network, they collect information on assets within the network to identify opportunities for disruptive or destructive action. Likely targets for state-sponsored pre-positioning and disruption include connected <abbr title="operational technology">OT</abbr> and infrastructure at major Canadian ports and supply chain bottlenecks, especially those that may be involved in military mobilization.<sup id="fn27-rf"><a class="fn-lnk" href="#fn27"><span class="wb-inv">Footnote </span>27</a></sup></p> <div class="well"> <p>We assess that state-sponsored cyber threat actors are almost certainly improving their capacity to disrupt or destroy adversary critical infrastructure through active reconnaissance including network intrusion, developing disruptive tools and techniques, and maintaining access against targets and systems of interest.</p> </div> <p>On February 7, 2024, the Cyber Centre and international partners released a joint advisory about PRC Volt Typhoon state-sponsored cyber threat actors compromising and maintaining access to U.S. critical infrastructure, including within the <abbr title="marine transportation sector">MTS</abbr>.<sup id="fn28-rf"><a class="fn-lnk" href="#fn28"><span class="wb-inv">Footnote </span>28</a></sup> The advisory assesses with high confidence that Volt Typhoon activity has aimed to pre-position cyber capabilities to “enable the disruption of <abbr title="operational technology">OT</abbr> functions across multiple critical infrastructure sectors” in the event of conflict. Volt Typhoon activity has been noted by private sector partners as early as May 2023, targeting sectors including manufacturing, government, and marine transportation. <sup id="fn29-rf"><a class="fn-lnk" href="#fn29"><span class="wb-inv">Footnote </span>29</a></sup></p> <div class="well"> <p>We assess that the direct threat to Canada’s critical infrastructure from PRC state-sponsored threat actors is likely lower than that to U.S. infrastructure. However, given the integration of the Canadian and U.S. economies, malicious activity targeting U.S. infrastructure would likely also affect Canada. For example, disruptions to U.S. ports may result in shipments being diverted to Canadian ports, straining capacity and risking supply chain disruptions.</p> </div> </div> <div> <h3>Foreign ownership</h3> <div class="well"> <p>We assess that state-sponsored cyber threat actors are likely to attempt to exploit foreign ownership connections to steal organizational data or attempt to gain network access to Canadian marine transportation organizations.</p> </div> <p>Some states, including the PRC and Russia, can legally compel their industries to cooperate with state intelligence services.<sup id="fn30-rf"><a class="fn-lnk" href="#fn30"><span class="wb-inv">Footnote </span>30</a></sup> This creates a threat that some foreign-owned digital service providers could be leveraged to access Canadian customers’ data, to access customer networks, or to deny service to customers to disrupt their operations.<sup id="fn31-rf"><a class="fn-lnk" href="#fn31"><span class="wb-inv">Footnote </span>31</a></sup></p> </div> </section><!–** TOP OF PAGE ******–><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <section><h2 class="text-info" id="treat-non-state">The threat from non-state cyber threat actors</h2> <div class="well"> <p>We assess that non-state cyber threat actors will very likely continue targeting the Canadian <abbr title="marine transportation sector">MTS</abbr> in connection to international events and conflicts, primarily though <abbr title="distributed denial-of-service">DDoS</abbr> attacks and website defacements.</p> </div> <p>Ideologically motivated non-state actors, sometimes referred to as hacktivists, have become an increasingly common feature of the cyber threat environment. In 2023, pro-Russia non-state (PRNS) actors were responsible for 2 wide-spread <abbr title="distributed denial-of-service">DDoS</abbr> attack campaigns against Canada intended to undermine Canadian support for Ukraine. These <abbr title="distributed denial-of-service">DDoS</abbr> attacks primarily affected the public facing websites of government and private organizations across the country, including within the <abbr title="marine transportation sector">MTS</abbr> and affecting several Canadian ports.<sup id="fn32-rf"><a class="fn-lnk" href="#fn32"><span class="wb-inv">Footnote </span>32</a></sup> However, <abbr title="distributed denial-of-service">DDoS</abbr> attacks by PRNS actors in September 2023 had additional disruptive effects to airports where check-in kiosks lost connectivity and caused delays. <sup id="fn33-rf"><a class="fn-lnk" href="#fn33"><span class="wb-inv">Footnote </span>33</a></sup></p> <div class="panel panel-primary"> <header class="panel-heading"><h3 class="panel-title">Distributed denial-of-service attack primer</h3> </header><div class="panel-body"> <p><strong>Volume-based <abbr title="distributed denial-of-service">DDoS</abbr> attacks</strong> disrupt access to a target system, often a public website, by flooding the server with requests to the point where it is unable to respond. Volume-based <abbr title="distributed denial-of-service">DDoS</abbr> attacks frequently rely on multiple attacker-controlled systems, often by using botnets, to provide sufficient traffic volumes to degrade the target system.</p> <p><strong>Slow <abbr title="distributed denial-of-service">DDoS</abbr> attacks</strong> use fewer, more complex requests to occupy a server’s resources and prevent legitimate users from accessing it. Slow <abbr title="distributed denial-of-service">DDoS</abbr> attack traffic can be difficult to distinguish from legitimate traffic, making it difficult to detect and mitigate.</p> <p><strong>Internet Protocol (IP) address range <abbr title="distributed denial-of-service">DDoS</abbr></strong> attacks target the full IP range of a target organization rather than being aimed towards a single server. By targeting the IP range, attackers can affect any of the target’s Internet-facing devices, including gateway devices, public facing web applications, and Internet-based interfaces for <abbr title="operational technology">OT</abbr> systems.</p> </div> </div> <p>Some non-state actors have attempted to maximize the disruptive impact of their DDoS attacks by targeting Internet-exposed IT infrastructure. This activity increases the risk that DDoS attacks will inadvertently affect other Internet-exposed systems and services, including edge devices, web-based applications such as Port Information Management Systems, and Internet-facing interfaces for connected industrial systems.</p> <p>In May 2024, the Cyber Centre and partners issued a joint advisory warning of PRNS actors targeting Internet-exposed industrial systems. These actors opportunistically identify targets using publicly available scanning tools to search for Internet-exposed systems with vulnerable configurations. For example, they may look for systems that use default or weak passwords and without multi-factor authentication.<sup id="fn34-rf"><a class="fn-lnk" href="#fn34"><span class="wb-inv">Footnote </span>34</a></sup></p> <div class="well"> <p>We assess that non-state threat actors are very likely to continue developing their capacity to disrupt Internet-exposed industrial systems, and likely that they will attempt to disrupt Internet-exposed industrial systems within Canada.</p> </div> <p>It is important to note that non-state cyber threat actors may not have the expertise to correctly identify or understand the system they have compromised, may exaggerate claims of disruptive effects, and may entirely fabricate claims that they have compromised or disrupted Internet-exposed <abbr title="operational technology">OT</abbr>. False or exaggerated claims can serve to build the reputation of the groups involved and may still have a disruptive effect by causing fear and degrading trust in the system.</p> </section><!–** TOP OF PAGE ******–><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <section><h2 class="text-info" id="outlook">Outlook</h2> <p>The cyber security of Canada’s <abbr title="marine transportation sector">MTS</abbr> is critical for Canada’s national and economic security. The <abbr title="marine transportation sector">MTS</abbr>’s economic and strategic importance to Canada also makes it a compelling target for cyber threat actors with financial, ideological, or disruptive intent. As the sector continues to digitalize its operations and its threat surface grows, cyber threat actors will have additional opportunities to compromise marine transportation organizations and new ways in which to maximize the disruptive or destructive impact of their activities. This threat is compounded by the sectors already complex and interconnected nature, which creates risk that disruptions to key organizations or systems within the <abbr title="marine transportation sector">MTS</abbr> will widely affect the safety and continuity of marine transportation operations.</p> <p>Many cyber threats can be mitigated through awareness and best practices in cyber security and business continuity. The Cyber Centre encourages all critical infrastructure network owners to take appropriate measures to protect your systems against the cyber threats detailed in this assessment.</p> <p>Please refer to the following online resources for more information and for useful advice and guidance.</p> <p><strong>General cyber threat information</strong></p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/introduction-cyber-threat-environment">An introduction to the cyber threat environment</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessments">National Cyber Threat Assessments</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/protect-your-organization-malware-itsap00057">Protect your organization from malware (ITSAP.00.057)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/security-considerations-critical-infrastructure-itsap10100">Security considerations for critical infrastructure (ITSAP.10.100)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/preventative-security-tools-itsap00058">Preventative security tools (ITSAP.00.058)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/defending-against-data-exfiltration-threats-itsm40110">Defending against data exfiltration threats (ITSM.40.110)</a></li> </ul><p><strong>Digitalization and connected <abbr title="operational technology">OT</abbr></strong></p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/cyber-threat-bulletin-cyber-threat-operational-technology">Cyber threat bulletin: Cyber threat to operational technology</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/protect-your-operational-technology-itsap00051">Protect your operational technology (ITSAP.00.051)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/baseline-security-requirements-network-security-zones-version-20-itsp80022">Baseline security requirements for network security zones (ITSP.80.022)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/network-security-zoning-design-considerations-placement-services-within-zones-itsg-38">Network security zoning – Design considerations for placement of services within zones (ITSG-38)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/top-10-it-security-actions-protect-internet-connected-networks-and-information-itsm10089">Top 10 IT security actions to protect Internet connected networks and information (ITSM.10.089)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/satellite-communications-itsap80029">Satellite communications (ITSAP.80.029)</a></li> </ul><p><strong>Supply chain and supplier-based threat</strong></p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/cyber-threat-supply-chains">The cyber threat from supply chains</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/supply-chain-threats-and-commercial-espionage">Supply chain threats and commercial espionage</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/cyber-supply-chain-approach-assessing-risk-itsap10070">Cyber supply chain: An approach to assessing risk (ITSAP.10.070)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/protecting-your-organization-software-supply-chain-threats-itsm10071">Protecting your organization from software supply chain threats (ITSM.10.071)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/cyber-supply-chain-security-small-medium-sized-organizations-itsap00070">Cyber supply chain security for small and medium-sized organizations (ITSAP.00.070)</a></li> </ul><p><strong>Cybercrime</strong></p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/baseline-cyber-threat-assessment-cybercrime">Baseline cyber threat assessment: Cybercrime</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/ransomware">Cyber Centre ransomware overview page</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/ransomware-how-prevent-and-recover-itsap00099">Ransomware: How to prevent and recover (ITSAP.00.099)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/ransomware-playbook-itsm00099">Ransomware playbook (ITSM.00.099)</a></li> </ul><p><strong>State-sponsored cyber threats</strong></p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/cyber-threat-bulletin-cyber-centre-urges-canadian-critical-infrastructure-operators-raise">Cyber threat bulletin: Cyber Centre urges Canadian critical infrastructure operators to raise awareness and take mitigations against known Russian-backed cyber threat activity</a></li> <li><a href="https://www.cyber.gc.ca/en/news-events/joint-cyber-security-advisory-russian-state-sponsored-and-criminal-cyber-threats-critical">Joint cyber security advisory on Russian state-sponsored and criminal cyber threats to critical infrastructure</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/cyber-threat-bulletin-cyber-centre-urges-canadians-be-aware-and-protect-against-prc-cyber-threat-activity">Cyber threat bulletin: Cyber Centre urges Canadians to be aware of and protect against PRC cyber threat activity</a></li> </ul><p><strong>DDoS attacks</strong></p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/defending-against-distributed-denial-service-ddos-attacks-itsm80110">Defending against distributed denial of service (DDoS) attacks (ITSM.80.110)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/protecting-your-organization-against-denial-service-attacks-itsap80100">Protecting your organization against denial-of-service attacks (ITSAP.80.100)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/distributed-denial-service-attacks-prevention-and-preparation-itsap80110">Distributed denial of service attacks – prevention and preparation (ITSAP.80.110)</a></li> </ul></section><!–** TOP OF PAGE ******–><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <section><aside class="wb-fnote" role="note"><h2 class="text-info" id="fn">Endnotes</h2> <dl><dt>1</dt> <dd id="fn1"> <p>Global Affairs Canada, Office of the Chief Economist. <a href="https://international.canada.ca/en/global-affairs/corporate/reports/chief-economist/state-trade/2024">State of Trade 2024: Supply chains</a>. June 2024.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote </span>1<span class="wb-inv"> referrer</span></a></p> </dd> <dt>2</dt> <dd id="fn2"> <p>Global Affairs Canada. <a href="https://international.canada.ca/en/global-affairs/corporate/reports/chief-economist/global-value-chains/2020-06-vulnerability">Canadian supply chain logistics vulnerability</a>. June 2021.</p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote </span>2<span class="wb-inv"> referrer</span></a></p> </dd> <dt>3</dt> <dd id="fn3"> <p>Federal Bureau of Investigation. <a href="https://www.ic3.gov/PSA/2022/psa220504">Business Email Compromise: The $43 Billion Scam</a>. May 4, 2022.</p> <!– broken link –> <p class="fn-rtn"><a href="#fn3-rf"><span class="wb-inv">Return to footnote </span>3<span class="wb-inv"> referrer</span></a></p> </dd> <dt>4</dt> <dd id="fn4"> <p>Global Affairs Canada. <a href="https://www.canada.ca/en/global-affairs/news/2023/12/statement-on-russias-malicious-cyber-activity-affecting-the-united-kingdom.html">Statement on Russia’s malicious cyber activity affecting the United Kingdom. December 7, 2023.</a>. February 14, 2019.</p> <p class="fn-rtn"><a href="#fn4-rf"><span class="wb-inv">Return to footnote </span>4<span class="wb-inv"> referrer</span></a></p> </dd> <dt>5</dt> <dd id="fn5"> <p>Andry Greenberg. <a href="https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/">The Untold Story of NotPetya, the Most Devastating Cyberattack in History</a>. Wired. August 22, 2018.</p> <p class="fn-rtn"><a href="#fn5-rf"><span class="wb-inv">Return to footnote </span>5<span class="wb-inv"> referrer</span></a></p> </dd> <dt>6</dt> <dd id="fn6"> <p>Courtney Dickson. <a href="https://www.cbc.ca/news/canada/british-columbia/t-souke-nation-marine-labs-ocean-data-climate-change-1.6540485">First Nation, tech company collaborate to prepare for climate change’s effects on harvesting waters</a>. CBC News. August 7, 2022.</p> <p class="fn-rtn"><a href="#fn6-rf"><span class="wb-inv">Return to footnote </span>6<span class="wb-inv"> referrer</span></a></p> </dd> <dt>7</dt> <dd id="fn7"> <p><a href="https://safety4sea.com/wp-content/uploads/2019/04/C4ADS-Above-us-only-start_Exposing-GPS-spoofing-in-Russia-and-Syria-2019_04.pdf">Above us, only stars: Exposing GPS Spoofing in Russia and Syria (PDF)</a>. C4ADS. 2019; Anatoly Kurmanaev. <a href="https://www.nytimes.com/2022/09/03/world/americas/ships-gps-international-law.html">How Fake GPS Coordinates Are Leading to Lawlessness on the High Seas</a>. The New York Times. September 3, 2022; Katie Zeng Xiaojun. <a href="https://www.riskintelligence.eu/background-and-guides/background-gnss-spoofing-in-china-and-beyond">BACKGROUND: GNSS spoofing in China and beyond</a>. RiskIntelligence. June 29, 2021.</p> <p class="fn-rtn"><a href="#fn7-rf"><span class="wb-inv">Return to footnote </span>7<span class="wb-inv"> referrer</span></a></p> </dd> <dt>8</dt> <dd id="fn8"> <p>Michelle Wiese Bockmann. <a href="https://www.lloydslist.com/LL1128820/Seized-UK-tanker-likely-spoofed-by-Iran">Seized UK tanker likely ‘spoofed’ by Iran</a>. Lloyd’s List. August 16, 2019.</p> <p class="fn-rtn"><a href="#fn8-rf"><span class="wb-inv">Return to footnote </span>8<span class="wb-inv"> referrer</span></a></p> </dd> <dt>9</dt> <dd id="fn9"> <p>Cyber Centre. <a href="https://www.cyber.gc.ca/en/guidance/cyber-threat-supply-chains">The cyber threat from supply chains</a>. February 8, 2023</p> <p class="fn-rtn"><a href="#fn9-rf"><span class="wb-inv">Return to footnote </span>9<span class="wb-inv"> referrer</span></a></p> </dd> <dt>10</dt> <dd id="fn10"> <p>Cyber Centre. <a href="https://www.cyber.gc.ca/en/guidance/baseline-cyber-threat-assessment-cybercrime">Baseline Cyber Threat Assessment: Cybercrime</a>. August 28, 2023.</p> <p class="fn-rtn"><a href="#fn10-rf"><span class="wb-inv">Return to footnote </span>10<span class="wb-inv"> referrer</span></a></p> </dd> <dt>11</dt> <dd id="fn11"> <p>Cyber Centre. <a href="https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2023-2024">National Cyber Threat Assessment 2023-2024</a>. October 2022.</p> <p class="fn-rtn"><a href="#fn11-rf"><span class="wb-inv">Return to footnote </span>11<span class="wb-inv"> referrer</span></a></p> </dd> <dt>12</dt> <dd id="fn12"> <p>Bill Toulas. <a href="https://www.bleepingcomputer.com/news/security/japans-largest-port-stops-operations-after-ransomware-attack/">Japan’s largest port stops operations after ransomware attack</a>. Bleeping Computer. July 5, 2023; Yukana Inoue. <a href="https://www.japantimes.co.jp/news/2023/07/13/national/japan-cybersecurity-improvements-ransomware/">No longer a ‘catastrophe,’ Japan’s cybersecurity could still improve</a>. The Japan Times. July 13, 2023.</p> <p class="fn-rtn"><a href="#fn12-rf"><span class="wb-inv">Return to footnote </span>12<span class="wb-inv"> referrer</span></a></p> </dd> <dt>13</dt> <dd id="fn13"> <p>Sangfor Technologies. <a href="https://www.sangfor.com/blog/cybersecurity/nagoya-port-cyber-attack-by-lockbit-ransomware">Nagoya Port Cyber Attack by LockBit Ransomware Results in Cargo Delays</a>. July 11, 2023.</p> <p class="fn-rtn"><a href="#fn13-rf"><span class="wb-inv">Return to footnote </span>13<span class="wb-inv"> referrer</span></a></p> </dd> <dt>14</dt> <dd id="fn14"> <p>Det Norske Veritas (DNV). <a href="https://www.dnv.com/news/2023/cyber-attack-on-shipmanager-servers-update-237931/">Cyber-attack on ShipManager servers – update</a>. January 23, 2023.</p> <p class="fn-rtn"><a href="#fn14-rf"><span class="wb-inv">Return to footnote </span>14<span class="wb-inv"> referrer</span></a></p> </dd> <dt>15</dt> <dd id="fn15"> <p>Jonathan Greig. <a href="https://therecord.media/ransomware-attack-on-maritime-software-impacts-1000-ships">Ransomware attack on maritime software impacts 1,000 ships</a>. The Record. January 16, 2023; Eduard Kovacs. Ransomware Attack on DNV Ship Management Software Impacts 1,000 Vessels. Security Week. January 18, 2023.</p> <p class="fn-rtn"><a href="#fn15-rf"><span class="wb-inv">Return to footnote </span>15<span class="wb-inv"> referrer</span></a></p> </dd> <dt>16</dt> <dd id="fn16"> <p>Ingrid Booth. <a href="https://www.investec.com/en_za/focus/economy/transnet-cyberattack-could-have-catastrophic-consequences.html">Transnet cyberattack could have catastrophic consequences.</a> Investec. July 28, 2021.</p> <p class="fn-rtn"><a href="#fn16-rf"><span class="wb-inv">Return to footnote </span>16<span class="wb-inv"> referrer</span></a></p> </dd> <dt>17</dt> <dd id="fn17"> <p>Joe Tidy. <a href="https://www.bbc.com/news/technology-60250956">European oil facilities hit by cyber-attacks</a>. British Broadcasting Corporation (BBC). February 3, 2022.</p> <p class="fn-rtn"><a href="#fn17-rf"><span class="wb-inv">Return to footnote </span>17<span class="wb-inv"> referrer</span></a></p> </dd> <dt>18</dt> <dd id="fn18"> <p>Jonathan Greig. <a href="https://therecord.media/royal-dirkzwager-ransomware-attack-dutch-shipping">Dutch shipping giant Royal Dirkzwager confirms Play ransomware attack</a>. The Record. March 17, 2023.</p> <p class="fn-rtn"><a href="#fn18-rf"><span class="wb-inv">Return to footnote </span>18<span class="wb-inv"> referrer</span></a></p> </dd> <dt>19</dt> <dd id="fn19"> <p>Sam Lagrone. <a href="https://news.usni.org/2023/04/20/ransomware-attack-hits-marinette-marine-shipyard-results-in-short-term-delay-of-frigate-freedom-lcs-construction">Ransomware Attack Hits Marinette Marine Shipyard, Results in Short-Term Delay of Frigate, Freedom LCS Construction</a>. U.S. Naval Institute (USNI) News. April 20, 2023; Office of the Maine Attorney General. <a href="https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/901b3d47-d21e-426e-87dd-e25266b0db96.shtml">Fincantieri Marine Group, LLC Data Breach Notification</a>. Retrieved February 16, 2024.</p> <p class="fn-rtn"><a href="#fn19-rf"><span class="wb-inv">Return to footnote </span>19<span class="wb-inv"> referrer</span></a></p> </dd> <dt>20</dt> <dd id="fn20"> <p>Charlotte Goldstone. <a href="https://theloadstar.com/freight-crime-on-the-up-as-gangs-become-more-tech-savvy/">Freight crime on the up as hangs become more tech-savvy</a>. The Load Star. January 19, 2024; Transport Asset Protection Association. <a href="https://tapaemea.org/news/a-look-at-cargo-crimes-reported-to-the-tapa-emea-intelligence-system-tis-in-the-first-nine-months-of-2023/">A look at Cargo Crimes Reported to the TAPA EMEA Intelligence System (TIS) in the First Nine Months of 2023</a>. November 30, 2023; Joseph Bernstein. <a href="https://www.buzzfeednews.com/article/josephbernstein/how-pirates-and-hackers-worked-together-to-steal-millions-of">How Pirates and Hackers Worked Together to Steal Millions of Dollars in Diamonds</a>. Buzzfeed News. March 17, 2016; Europol. <a href="https://www.europol.europa.eu/sites/default/files/documents/cyberbits_04_ocean13.pdf">Cyber Bits: Hackers deployed to facilitate drugs smuggling (PDF)</a>. June 2013.</p> <p class="fn-rtn"><a href="#fn20-rf"><span class="wb-inv">Return to footnote </span>20<span class="wb-inv"> referrer</span></a></p> </dd> <dt>21</dt> <dd id="fn21"> <p>U.S. Department of Justice. <a href="https://www.justice.gov/archives/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical">U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure</a>. January 31, 2024; U.S. Department of Justice. <a href="https://www.justice.gov/archives/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian">Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)</a>. February 15, 2024; U.S. Cybersecurity and Infrastructure Security Agency. <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a">People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection</a>. May 24, 2023.</p> <p class="fn-rtn"><a href="#fn21-rf"><span class="wb-inv">Return to footnote </span>21<span class="wb-inv"> referrer</span></a></p> </dd> <dt>22</dt> <dd id="fn22"> <p>Elaine Dezenski and David Rader. <a href="https://foreignpolicy.com/2023/09/20/china-shipping-maritime-logistics-lanes-trade-ports-security-espionage-intelligence/">How China Uses Shipping for Surveillance and Control</a>. Foreign Policy. September 20, 2023.</p> <p class="fn-rtn"><a href="#fn22-rf"><span class="wb-inv">Return to footnote </span>22<span class="wb-inv"> referrer</span></a></p> </dd> <dt>23</dt> <dd id="fn23"> <p>Ellen Nakashima and Paul Sonne. <a href="https://www.washingtonpost.com/world/national-security/china-hacked-a-navy-contractor-and-secured-a-trove-of-highly-sensitive-data-on-submarine-warfare/2018/06/08/6cc396fa-68e6-11e8-bea7-c8eb28bc52b1_story.html">China hacked a Navy contractor and secured a trove a highly sensitive data on submarine warfare</a>. The Washington Post. June 8, 2018.</p> <p class="fn-rtn"><a href="#fn23-rf"><span class="wb-inv">Return to footnote </span>23<span class="wb-inv"> referrer</span></a></p> </dd> <dt>24</dt> <dd id="fn24"> <p>Shannon Liao. <a href="https://www.theverge.com/2019/3/5/18251836/chinese-hackers-us-servers-universities-military-secrets-cybersecurity">Chinese hackers reportedly targeted 27 universities for military secrets</a>. The Verge. March 5, 2019</p> <p class="fn-rtn"><a href="#fn24-rf"><span class="wb-inv">Return to footnote </span>24<span class="wb-inv"> referrer</span></a></p> </dd> <dt>25</dt> <dd id="fn25"> <p>Dan De Luce and Jean-Nicholas Fievet. <a href="https://www.nbcnews.com/news/world/china-linked-group-malware-spy-commercial-shipping-cargo-report-eset-rcna152129">China-linked group uses malware to try to spy on commercial shipping, new report says</a>. NBC News. May 14, 2024.</p> <p class="fn-rtn"><a href="#fn25-rf"><span class="wb-inv">Return to footnote </span>25<span class="wb-inv"> referrer</span></a></p> </dd> <dt>26</dt> <dd id="fn26"> <p>Cyber Centre. <a href="/en/guidance/cyber-threat-bulletin-cyber-threat-operational-technology">Cyber threat bulletin: Cyber threat to operational technology</a>. December 16, 2021.</p> <p class="fn-rtn"><a href="#fn26-rf"><span class="wb-inv">Return to footnote </span>26<span class="wb-inv"> referrer</span></a></p> </dd> <dt>27</dt> <dd id="fn27"> <p>Chris Demchak and Michael Thomas. <a href="https://warontherocks.com/2021/10/cant-sail-away-from-cyber-attacks-sea-hacking-from-land/">Can’t Sail Away from Cyber Attacks: ‘Sea-Hacking’ from Land</a>. War on the Rocks. October 15, 2021.</p> <p class="fn-rtn"><a href="#fn27-rf"><span class="wb-inv">Return to footnote </span>27<span class="wb-inv"> referrer</span></a></p> </dd> <dt>28</dt> <dd id="fn28"> <p>Cyber Center. <a href="/en/news-events/joint-advisory-prc-state-sponsored-actors-compromising-and-maintaining-persistent-access-us-critical-infrastructure-and-joint-guidance-identifying-and-mitigating-living-land-0">Joint advisory on PRC state-sponsored actors compromising and maintaining persistent access to U.S. critical infrastructure and joint guidance on identifying and mitigating living off the land</a>. February 7, 2024.</p> <p class="fn-rtn"><a href="#fn28-rf"><span class="wb-inv">Return to footnote </span>28<span class="wb-inv"> referrer</span></a></p> </dd> <dt>29</dt> <dd id="fn29"> <p>Microsoft Threat Intelligence. <a href="https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/">Volt Typhoon targets US critical infrastructure with living-off-the-land techniques</a>. Microsoft Security. May 24, 2023.</p> <p class="fn-rtn"><a href="#fn29-rf"><span class="wb-inv">Return to footnote </span>29<span class="wb-inv"> referrer</span></a></p> </dd> <dt>30</dt> <dd id="fn30"> <p>U.S. Bureau of Industry &amp; Security. <a href="https://www.bis.gov/press-release/commerce-department-prohibits-russian-kaspersky-software-u.s.-customers">Commerce Department Prohibits Russian Kaspersky Software for U.S.</a> Customers. June 20, 2024</p> <p class="fn-rtn"><a href="#fn30-rf"><span class="wb-inv">Return to footnote </span>30<span class="wb-inv"> referrer</span></a></p> </dd> <dt>31</dt> <dd id="fn31"> <p>U.S. Bureau of Industry &amp; Security. <a href="https://www.bis.gov/press-release/commerce-department-prohibits-russian-kaspersky-software-u.s.-customers">Commerce Department Prohibits Russian Kaspersky Software for U.S.</a> Customers. June 20, 2024</p> <p class="fn-rtn"><a href="#fn31-rf"><span class="wb-inv">Return to footnote </span>31<span class="wb-inv"> referrer</span></a></p> </dd> <dt>32</dt> <dd id="fn32"> <p>Paul Withers. <a href="https://www.cbc.ca/news/canada/nova-scotia/port-halifax-montreal-cyberattack-website-1.6808370">Cyberattack targets websites for port authorities in Halifax, Montreal</a>. CBC News. April 12, 2023; Cyber Centre. <a href="https://www.cyber.gc.ca/en/alerts-advisories/distributed-denial-service-campaign-targeting-multiple-canadian-sectors">Alert – Distributed Denial of Service campaign targeting multiple Canadian sectors</a>. September 15, 2024; Cyber Centre. <a href="https://www.cyber.gc.ca/en/news-events/cyber-centre-statement-distributed-denial-service-campaign-targeting-multiple-canadian-sectors">Cyber Centre statement on a distributed denial of service (DDoS) campaign targeting multiple Canadian sectors</a>. September 15, 2023.</p> <p class="fn-rtn"><a href="#fn32-rf"><span class="wb-inv">Return to footnote </span>32<span class="wb-inv"> referrer</span></a></p> </dd> <dt>33</dt> <dd id="fn33"> <p>Pierluigi Paganini. <a href="https://securityaffairs.com/151149/hacking/noname-ddos-attack-canadian-airports.html">Pro-Russia hacker group NoName launched a DDoS attack on Canadian airports causing severe disruptions</a>. Security Affairs. September 21, 2023.</p> <p class="fn-rtn"><a href="#fn33-rf"><span class="wb-inv">Return to footnote </span>33<span class="wb-inv"> referrer</span></a></p> </dd> <dt>34</dt> <dd id="fn34"> <p>U.S. Cybersecurity and Infrastructure Security Agency. <a href="https://www.cisa.gov/sites/default/files/2024-05/defending-ot-operations-against-ongoing-pro-russia-hacktivist-activity-508c.pdf">Defending <abbr title="operational technology">OT</abbr> Operations Against Ongoing Pro-Russia Hacktivist Activity (PDF)</a>. May 1, 2024.</p> <p class="fn-rtn"><a href="#fn34-rf"><span class="wb-inv">Return to footnote </span>34<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></section><div class="clearfix"> </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </div> </div> </div> </div> </div> </article>

<article data-history-node-id="7045" about="/en/guidance/cyber-incident-reporting-guidelines-key-information-sharing-requirements-itsm00140" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>January 2026</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.00.140</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>January 2026 | Management series</strong></p> </div> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsm00140-cyber-incident-reporting guidelines-e.pdf">Cyber incident reporting guidelines: Key information sharing requirements – ITSM.00.140 (PDF, 506 KB)</a></p> </div> <h2 class="text-info mrgn-tp-0">Foreword</h2> <p>This is an UNCLASSIFIED publication issued under the authority of the Head, Canadian Centre for Cyber Security (Cyber Centre). For more information, please email or phone our Contact Centre:</p> <p><span class="glyphicon glyphicon-envelope"></span><span class="wb-inv">email</span> <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a> |<span class="glyphicon glyphicon-phone"></span><span class="wb-inv">Mobile</span> <a href="tel:613-949-7048">613-949-7048</a> or <a href="tel:+1-833-292-3788">1<span>‑</span>833<span>‑</span>CYBER<span>‑</span>88</a></p> <h2 class="text-info">Effective date</h2> <p>This publication takes effect on January 29, 2026.</p> <h2 class="text-info">Revision history</h2> <ol><li>First release: January 29, 2026</li> </ol><h2 class="text-info mrgn-tp-0" id="0">Overview</h2> <p>Organizing and sharing information during a cyber incident involves a structured approach that ensures the effective communication of relevant details to the Canadian Centre for Cyber Security (Cyber Centre). The purpose of this publication is to clarify the types of information the Cyber Centre considers “actionable.”</p> </div> </div> <section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#1">Introduction</a></li> <li><a href="#2">Information sharing during a cyber incident</a> <ul><li><a href="#2.1">Contextual information</a></li> <li><a href="#2.2">Technical artifacts</a></li> </ul></li> <li><a href="#tab1">Table 1: Required actionable information and data artifacts</a></li> </ul><h2 class="h3">List of annexes</h2> <ul class="list-unstyled"><li><a href="#A">Annex A Pre-cyber incident</a> <ul><li><a href="#A1">Business email compromise phishing campaigns</a></li> <li><a href="#A2">Living off trusted sites techniques</a></li> </ul></li> <li><a href="#B">Annex B Recommended information sharing</a> <ul><li><a href="#B1">Threat intelligence reports</a></li> <li><a href="#B2">Indicators of compromise</a></li> <li><a href="#B3">Best practices and security recommendations</a></li> <li><a href="#B4">Vulnerability information and patches</a></li> <li><a href="#B5">Incident reports</a></li> <li><a href="#B6">Anonymous sharing mechanisms</a></li> <li><a href="#B7">Automated threat intelligence sharing platforms</a></li> <li><a href="#B8">Collaborative analysis and research</a></li> </ul></li> </ul></details></section><section><h2 class="text-info" id="1">Introduction</h2> <p>For participating entities, this publication should be shared and circulated internally for consultation and pre-approval from your executive team, including legal and operational teams. You should also share this publication with managed security service providers and ensure cross-organizational support for the approach and pre-approval of the type of information to be shared.</p> <p>In advance of a cyber incident, your organization should decide whether you can and will share these types of information to:</p> <ul><li>best inform next steps</li> <li>assist in network rebuild and recovery</li> <li>benefit the resilience of the broader cyber ecosystem. For more details, please read <a href="#A">Annex A: Pre-cyber incidents</a>.</li> </ul><p>In addition, information sharing serves as a centralized resource for gathering data on cyber threats and vulnerabilities. We recommend that your organization disseminate information amongst the members of your sector. The goal is to enable collaborative efforts to secure critical infrastructure (CI) and protect against cyber threats. The recommended aspects of intra-community information sharing are described in <a href="#B">Annex B: Recommended information sharing</a>.</p> </section><!–** TOP OF PAGE ******–><div class="clearfix"> </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <section><h2 class="text-info" id="2">Information sharing during a cyber incident</h2> <p>During a cyber security incident, the participating entity could disclose artifacts to the Cyber Centre that would be used to investigate and provide clarity and enrichment to the nature of the compromise. This includes contextual information and technical artifacts.</p> <h3 id="2.1">Contextual information</h3> <p>This category includes evidence that provides context to the incident, which assists your organization in understanding the circumstances and implications of the compromise. Contextual information typically consists of user activity anomalies, communications (for example, email) and content. This information helps to provide comprehensive reporting, inform on attribution, and validate the malicious behavior.</p> <p>This might include the following information:</p> <ul><li>summary of the observed activity or incident</li> <li>information that would provide clarity regarding the form of threat (if known), such as the <ul><li>malware or denial of service</li> <li>actor involved</li> <li>motivation</li> <li>vector and impact</li> </ul></li> <li>how the attacker gained access (whether through phishing, exploiting vulnerabilities or other means)</li> <li>timeline of events leading up to, during and after the incident</li> <li>scope of the incident, including the type of systems affected and the data that was compromised, including <ul><li>what operations are impacted</li> <li>what disruptions have resulted from this compromise, including to third-party software</li> </ul></li> <li>observed network traffic details (if available)</li> <li>list of mitigations taken, if any, by the incident handlers</li> <li>current status of the incident</li> <li>list of indicators of compromise (IOCs) gathered during the investigation</li> <li>next steps to be taken</li> <li>contact information</li> </ul><h3 id="2.2">Technical artifacts</h3> <p>This category includes all data related to the technical aspects of the incident.</p> <p><a href="#tab1">Table 1: Required actionable information and data artifacts</a> details the specific types of actionable information and data artifacts that the Cyber Centre requires from your organization in the event of a cyber security incident. Additionally, the table highlights the analytical process the Cyber Centre takes to analyze the artifacts and the expected outcomes that stem from the analysis.</p> <p>It is important to note that:</p> <ul><li>Internet Protocol (IP) addresses and domains supplied as <abbr title="Indicators of compromise">IoCs</abbr> are presumed not to be owned by the organization, and that the artifacts shared with the Cyber Centre do not contain any information pertaining to Canadian individuals or persons located in Canada.</li> <li>At no time will the Cyber Centre share raw or identifying victim data with any external entity <ul><li>The Cyber Centre is bound by provisions in the <em>Communications Security Establishment Act</em> [1] and the <em>Privacy Act</em> [2] that govern our activities. CSE may also establish non-disclosure agreements (NDA) with critical infrastructure partners to protect confidential information during information sharing activities.</li> </ul></li> </ul><div class="clearfix"> </div> <div class="table-responsive"> <table class="table table-bordered" id="tab1"><caption>Table 1: Required actionable information and data artifacts</caption> <thead><tr><th class="text-center" scope="col">Technical artifacts</th> <th class="text-center" scope="col">Internal analytics process</th> <th class="text-center" scope="col">Expected outcomes</th> </tr></thead><tbody><tr><td>Suspicious/malicious <abbr title="internet protocol">IP</abbr>s</td> <td> <ul><li>Cross-reference malicious <abbr title="internet protocol">IP</abbr> with the Cyber Centre’s knowledge base to validate and provide insights, including but not limited to classified indicators</li> </ul></td> <td> <ul><li>Confirm maliciousness</li> <br /><li>Share with participating entity and the <abbr title="critical infrastructure">CI</abbr> community for action</li> <br /><li>Share any additional indicators when applicable</li> </ul></td> </tr><tr><td>Suspicious/malicious domains</td> <td> <ul><li>Cross-reference malicious domains with the Cyber Centre’s knowledge base including but not limited to classified indicators to validate and identify command and control (C2) infrastructure</li> <br /><li>Analyze the behaviour (redirection pattern, domain name system (DNS) queries) to gain insights into the types of malware being distributed through the phishing campaigns and the geographical spread of the threat</li> </ul></td> <td> <ul><li>Confirm maliciousness</li> <br /><li>Share with participating entity and the <abbr title="critical infrastructure">CI</abbr> community for action</li> <br /><li>Share with participating entity and the <abbr title="critical infrastructure">CI</abbr> community for action</li> </ul></td> </tr><tr><td>Suspicious/malicious file hashes</td> <td> <ul><li>Cross-reference malicious file hashes with the Cyber Centre’s knowledge base including but not limited to classified indicators to validate and gather the source, behaviour and associated risks</li> <br /><li>Compare the hashes of files with those of known malware for detection and identification</li> </ul></td> <td> <ul><li>Confirm maliciousness</li> <br /><li>Share with participating entity and the <abbr title="critical infrastructure">CI</abbr> community for action</li> <br /><li>Share any additional indicators when applicable</li> </ul></td> </tr><tr><td>Suspicious/malicious <abbr title="uniform resource locators">URL</abbr>s</td> <td> <ul><li>Cross-reference malicious <abbr title="uniform resource locators">URL</abbr>s with the Cyber Centre’s knowledge base including but not limited to Classified indicators to validate and understand the methods used to host and distribute malware</li> </ul></td> <td> <ul><li>Confirm maliciousness</li> <br /><li>Share with participating entity and the <abbr title="critical infrastructure">CI</abbr> community for action</li> <br /><li>Share any additional indicators when applicable</li> </ul></td> </tr><tr><td>Suspicious/malicious documents and files (malware samples)</td> <td> <ul><li>Run detection heuristics to evaluate the level of maliciousness</li> <br /><li>Cross reference to reveal tactic, techniques, and procedures (TTPs), such as the type of malware used, its motives, or its functionality and how it evades detection</li> </ul></td> <td> <ul><li>Confirm maliciousness</li> <br /><li>Reveal patterns, tactics, techniques and behaviours</li> <br /><li>Share hash value of malicious documents and files</li> <br /><li>Share with participating entity and the <abbr title="critical infrastructure">CI</abbr> community for action, to update antivirus signatures, and to refine security policies</li> </ul></td> </tr><tr><td>Security logs (event logs, system logs, access logs, Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) logs, network and firewall logs, endpoint detection and response (EDR) logs, <abbr title="domain name system">DNS</abbr> and virtual private network logs, database logs and mail server logs, etc.)</td> <td> <ul><li>Analyze and apply use case and analytics that complement the commercial tooling and detect evidence of suspicious/malicious activities</li> </ul></td> <td> <ul><li>Reveal patterns, tactics, techniques, and behaviours</li> <br /><li>Reveal malicious artifacts (<abbr title="internet protocol">IP</abbr>s, domains, hashes, <abbr title="uniform resource locators">URL</abbr>s, etc.)</li> <br /><li>Share with participating entity and the <abbr title="critical infrastructure">CI</abbr> community for action</li> </ul></td> </tr><tr><td>Forensic artifacts: Disk images, memory dumps, registry entries, system drives, etc.</td> <td> <ul><li>Conduct forensic analysis to find evidence of compromise and reconstruct the timeline of events, to determine the extent of the access and exfiltration, the methods used to gain access and identity of the threat actor</li> </ul></td> <td> <ul><li>Reveal patterns, tactics, techniques, and behaviours</li> <br /><li>Reveal malicious artifacts (<abbr title="internet protocol">IP</abbr>s, domains, hashes, <abbr title="uniform resource locators">URL</abbr>s, etc.)</li> <br /><li>Share with participating entity and the <abbr title="critical infrastructure">CI</abbr> community for action</li> </ul></td> </tr></tbody></table></div> </section><!–** TOP OF PAGE ******–><div class="clearfix"> </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <section><h2 class="text-info" id="A">Annex A Pre-cyber incident</h2> <p>Before any confirmation that a cyber incident has occurred, the participant organization is encouraged to share information presented in the following sub-sections of this annex with the Cyber Centre. This information can:</p> <ul><li>identify gaps</li> <li>calibrate the efficiency of the detection</li> <li>increase the signal-to-noise ratio</li> <li>lower false positives to avoid alert fatigue</li> </ul><p>Your organization should also share any other information that can be used to retrace a series of events.</p> <h3 id="A1">Alert rules</h3> <p>Configuration and criteria are set within the organization’s security monitoring system, such as a security information and event management (SIEM) system or an <abbr title="Intrusion Detection System">IDS</abbr>, used to trigger alerts for potential security incidents. This includes the triggers, their thresholds, filters and correlation rules such as:</p> <ul><li>excessive login failures</li> <li>geographical irregularities</li> <li>unusual outbound traffic</li> <li>changes in file integrity</li> </ul><p>Consider implementing endpoint detection and response (EDR) or extended detection and response (XDR) system to assist in detecting and responding to anomalous system activity.</p> <h3 id="A2">Security logs</h3> <p>Digital records that capture activities and events related to <abbr title="information technology">IT</abbr> security, such as:</p> <ul><li>network devices (for example, firewalls, routers, and switches)</li> <li>servers and workstations, security appliances (for example, <abbr title="Intrusion Detection System">IDS</abbr>, <abbr title="Intrusion Prevention System">IPS</abbr>, and antivirus software)</li> <li>applications (for example, database and web server logs)</li> </ul><h2 class="text-info" id="B">Annex B Recommended information sharing</h2> <p>This annex includes the recommended information sharing best practices. By sharing various types of information, critical infrastructure community members can significantly enhance their collective cybersecurity posture, reduce the risk of cyber attacks, and respond more effectively to incidents.</p> <h3 id="B1">Threat intelligence reports</h3> <p>Threat intelligence reports offer detailed analyses of specific threats, including the <abbr title="tactic, techniques, and procedures">TTPs</abbr> used by cyber adversaries. These reports can provide insights into the</p> <ul><li>nature of the threat</li> <li>affected systems</li> <li>mitigation strategies</li> <li>recommended protective measures</li> </ul><h3 id="B2">Indicators of compromise</h3> <p><abbr title="Indicators of compromise">IoCs</abbr> are specific artifacts or pieces of information used to detect cyber threats, such as:</p> <ul><li>malicious <abbr title="internet protocol">IP</abbr> addresses</li> <li>uniform resource locators (URLs)</li> <li>file hashes</li> <li>email signatures</li> </ul><p>Sharing <abbr title="Indicators of compromise">IoCs</abbr> helps members to quickly identify and respond to potential threats.</p> <h3 id="B3">Best practices and security recommendations</h3> <p>Information on effective security measures, policies, and practices that organizations can implement to protect themselves from cyber threats. This includes configuration guidelines, security controls, and preventive strategies.</p> <h3 id="B4">Vulnerability information and patches</h3> <p>Sharing details about newly discovered vulnerabilities, potential impacts, and available patches or workarounds. This helps organizations to address vulnerabilities promptly before they can be exploited by threat actors.</p> <h3 id="B5">Incident reports</h3> <p>Summaries of security incidents experienced by members, including the nature of the incident, how it was detected, the actions taken, and lessons learned. Sharing incident reports can help others to better prepare for and respond to similar incidents.</p> <h3 id="B6">Anonymous sharing mechanisms</h3> <p>Some members may prefer to share sensitive information anonymously to protect their privacy or for legal reasons. Consider providing mechanisms for anonymous sharing, ensuring that valuable information can still be disseminated without exposing the source.</p> <h3 id="B7">Automated threat intelligence sharing platforms</h3> <p>Utilizing platforms like structured threat information expression (STIX) and trusted automated exchange of indicator information (TAXII) for the automated exchange of threat intelligence. These platforms facilitate real-time sharing of threat data in a standardized format, enabling faster detection and mitigation of threats.</p> <h3 id="B8">Collaborative analysis and research</h3> <p>Joint efforts to analyze specific cyber threats or trends, leveraging the collective expertise and resources of the energy sector members. This collaborative approach can lead to a deeper understanding of complex threats and more effective countermeasures.</p> </section></div> </div> </div> </div> </div> </article>

<article data-history-node-id="732" about="/en/guidance/spotting-malicious-email-messages-itsap00100" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>January 2026</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.00.100</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>January 2026 | Awareness series</strong></p> </div> </div> <p>Email is a convenient communication tool for individuals and organizations. It provides an easy way to exchange documents, images, links and various files. However, threat actors can use email for malicious purposes. They frequently target organizations and their networks to steal information. Threat actors are technologically savvy, conscious of vulnerability and aggressively agile. A successful intrusion can quickly lead to data and privacy breaches.</p> <p>As an employee, you may have access to sensitive corporate information, which can make you a target. You should be wary of malicious emails, which threat actors use to infect devices and systems to access information. Knowing how to spot malicious emails and phishing attempts can help protect your organization’s information and networks.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#threat">How threat actors use malicious emails</a></li> <li><a href="#spot">How to spot malicious emails</a></li> <li><a href="#protect">How to protect against malicious emails</a></li> <li><a href="#handle">How to handle malicious emails</a></li> <li><a href="#learn">Learn more</a></li> </ul><h2 class="text-info" id="threat">How threat actors use malicious emails</h2> <p>Threat actors use malicious emails to conduct a variety of malicious activities, including to:</p> <ul><li>steal your sign-in details or credentials</li> <li>spread malware, including viruses, ransomware and spyware, to infect your device or spread to other devices on your network</li> <li>steal your information, corrupt or damage your files</li> </ul><h3>Phishing attacks</h3> <p>Phishing is the act of sending fraudulent communications that appear to be legitimate. Phishing emails often contain malicious attachments or links to malicious websites. Threat actors carry out phishing attacks to trick you into disclosing sensitive information, such as credit card numbers, social insurance numbers or banking credentials. Phishing attacks can take the form of emails, texts or phone calls, but this publication focuses on malicious emails.</p> <p>Threat actors can be highly skilled at creating emails that look legitimate. These emails may contain company logos or trademark information. The subject lines are relevant, and the messages are pertinent. Given our desire to trust and the sheer number of emails we receive daily, it can be easy to believe the content we read in these emails, click on embedded links, or open attachments. However, the attachments may contain malicious software, and the links may direct you to malicious websites.</p> <p>Some types of malware can scan your contacts and automatically send an infected message to everyone on your contact list. Even if an email comes from someone you know, you should always think twice before clicking links or opening attachments. Configuring your email to preview emails, access links and open attachments could inadvertently allow a threat actor to:</p> <ul><li>remotely access sensitive device information</li> <li>execute malware</li> <li>use your device as a foothold to access other network resources</li> </ul><p>Phishing emails come in various forms. Common methods include:</p> <ul><li><strong>Spear-phishing</strong>: A threat actor sends emails to specific targets, such as an individual, a group or an organization. A spear-phishing email is crafted using the recipient’s personal or professional characteristics and interests. Threat actors often use publicly available information from the individual’s social media accounts. Spear-phishing emails require more effort from threat actors, but recipients are more likely to respond to the email, open attachments or click on links.</li> <li><strong>Whaling</strong>: A threat actor sends emails to high-profile individuals or senior executives. They create targeted and convincing emails by using personal information about the individual or the organization they work for. Threat actors may use publicly available information from the organization’s website or social media accounts.</li> <li><strong>Quishing</strong>: A phishing attack using malicious "quick response" (QR) codes in emails that re-directs you to a malicious website when the <abbr title="quick response">QR</abbr> code is scanned. Check the website URL to make sure it is the intended site.</li> </ul><p>Remember, <strong>no one is immune</strong>. Although anyone can be the target of phishing attacks, the following individuals are more commonly targeted:</p> <ul><li>senior executives and their assistants</li> <li>helpdesk staff</li> <li>system administrators</li> <li>users who have access to sensitive information</li> <li>users who have remote access</li> <li>users whose jobs involve interacting with members of the public</li> </ul><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <h2 class="text-info" id="spot">How to spot malicious emails</h2> <p>Threat actors will try to make malicious emails look legitimate. As such, it is important to know how to spot a potentially dangerous one.</p> <p>Verify the sender’s email address to confirm it matches the official address of the organization or individual they claim to be. Know how the organizations and businesses you interact with typically contact you and what type of information they may ask for. For example, a bank should never send links to online banking and ask you to login. You should always access your banking platform through its official app or website.</p> <p>Malicious emails can be difficult to identify, but there are some clues that can help you:</p> <ul><li>an unfamiliar or misspelled name or email address of the sender</li> <li>an invalid username or domain name in a sender’s email address</li> <li>altered or unprofessional company logos</li> <li>generic or odd greetings</li> <li>poor grammar or spelling</li> <li>urgent tone and direction to act quickly</li> <li>urgent messages about current "hot-button" issues related to personal or political causes, major domestic or international events or crises, or organizational challenges</li> <li>unusual requests (for example, most companies do not ask for sensitive or personal information in an email or insist that you collect a package or pay an overdue invoice)</li> </ul><p>Keep in mind that malicious emails may not always contain telltale poor grammar or spelling, particularly if they were created using generative artificial intelligence (AI) tools.</p> <p>Always be suspicious of unsolicited emails requesting personal or confidential data. Take proactive steps to verify their legitimacy before responding or supplying any information. If you receive an email requesting personal information, search for the organization’s official website and contact them using the phone number provided. This way, you can confirm if the request is genuine.</p> <h2 class="text-info" id="protect">How to protect against malicious emails</h2> <p>You can protect yourself and your organization from malicious emails by implementing the following best practices.</p> <h3>Handle suspicious emails with care</h3> <p>When in doubt, avoid opening suspicious emails and contact the sender by another means (for example, by phone) to confirm they contacted you.</p> <h3>Do not click on links, attachments or <abbr title="quick response">QR</abbr> codes in emails</h3> <p>If you are being asked to log into an account for an unsolicited reason, do not click the link, do not open attached files and avoid scanning <abbr title="quick response">QR</abbr> codes. Instead, visit the organization’s website by manually entering the URL in your web browser or by searching through a search engine.</p> <h3>Report suspicious emails</h3> <p>If you receive a suspicious email or suspect malicious activity on a work device or a work account, report the incident to your organization’s <abbr title="information technology">IT</abbr> and security teams. Follow their instructions and do not forward the email to coworkers. You can also report phishing emails to the <a href="/en">Cyber Centre</a> or the <a href="https://www.antifraudcentre-centreantifraude.ca/index-eng.htm">Canadian Anti-Fraud Centre</a>.</p> <h3>Use email filters to block malicious content and spam</h3> <p>Many email programs offer filtering capabilities that allow you to block certain addresses or only accept email from addresses in your contact list. Be careful who you share your email address with, and do not sign up for every mailing list and rewards program offered by retailers. Some businesses will sell your email address to third parties. You can create disposable or "dummy" email addresses to reduce spam. Many online email services also allow you to create email aliases that can be directed to a specific email folder instead of your main inbox.</p> <h3>Delete items in your junk folder</h3> <p>Many email platforms let you configure settings to automatically empty your junk folder after a set number of days. If you choose to do so, you should still check your junk folder so that you do not miss potentially important messages.</p> <h3>Set up client portals</h3> <p>If your organization requires clients to frequently provide information or documents, set up an online client portal to safely collect them This way, employees will not have to question every email attachment they receive.</p> <h3>Establish clear policies</h3> <p>Your organization should define clear policies on configuration settings and <abbr title="artificial intelligence">AI</abbr> use to limit the risk of malicious email messages. These should include:</p> <ul><li>installing and properly configuring a firewall and anti-malware software</li> <li>configuring a protective domain name system (DNS) on your devices, modems and routers</li> <li>enabling a software allowed list and regularly updating all software</li> <li>implementing quarantine functions in your organization’s anti-malware software</li> <li>using trusted and reputable <abbr title="artificial intelligence">AI</abbr> detector tools to verify whether content is human or <abbr title="artificial intelligence">AI</abbr>-generated</li> <li>omitting sensitive information when using <abbr title="artificial intelligence">AI</abbr> tools</li> </ul><h3>Additional best practices</h3> <ul><li>Use secure messaging portals instead of email for communicating your personal information</li> <li>Use bookmarks or a search engine to access websites rather than clicking on links</li> <li>Be suspicious of emails that are not addressed directly to you or do not use your correct name or salutation</li> <li>Do not open attachments or links from an unknown sender or if they have strange file names or multiple file extensions</li> <li>Configure your office suite to prevent macros from running without confirmation or to not run macros from email messages</li> <li>Deactivate automatic downloads and execution of attachments and images</li> <li>Configure your inbox to not load external images to mitigate the risk of tracking pixels (embedded codes in logos or images that can track your location and behaviour)</li> </ul><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <h2 class="text-info" id="handle">How to handle malicious emails</h2> <p>If you receive an offensive, abusive or potentially criminal message, inform your local police. Save the message as authorities may ask you to provide a copy to help with any subsequent investigations. <strong>Do not send the message to anyone else</strong>.</p> <p>If you accidently interact with a malicious email, remain calm and take the following actions:</p> <ul><li>Stop using your device</li> <li>Disable Wi-Fi or disconnect network cables so the device cannot communicate with the Internet</li> <li>Power off the device</li> <li>Contact your <abbr title="information technology">IT</abbr> security department if you are using a corporate device. They can disable accounts and other device features</li> <li>Change your password, passphrase, or PIN using a different device</li> <li>Scan the device using anti-malware software if possible</li> <li>Restore network connections only when you believe you have a clean system</li> <li>Perform any available updates and security patches on your device</li> <li>Monitor your accounts regularly for suspicious activity</li> </ul><h2 class="text-info" id="learn">Learn more</h2> <ul><li><a href="/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks">Don’t take the bait: Recognize and avoid phishing attacks (ITSAP.00.101)</a></li> <li><a href="/en/guidance/protect-your-organization-malware-itsap00057">Protect your organization from malware (ITSAP.00.057)</a></li> <li><a href="/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords (ITSAP.30.032)</a></li> <li><a href="/en/guidance/how-updates-secure-your-device-itsap10096">How updates secure your device (ITSAP.10.096)</a></li> <li><a href="/en/guidance/firewall-security-considerations-itsap80039">Firewall security considerations (ITSAP.80.039)</a></li> <li><a href="/en/guidance/protective-domain-name-system-itsap40019">Protective Domain Name System (ITSAP.40.019)</a></li> <li><a href="/en/guidance/how-protect-your-organization-malicious-macros-itsap00200">How to protect your organization from malicious macros (ITSAP.00.200)</a></li> <li><a href="/en/guidance/application-allow-list-itsap10095">Application allow list (ITSAP.10.095)</a></li> <li><a href="/en/guidance/cyber-security-best-practices-managing-email-itsap60002">Cyber security best practices for managing email (ITSAP.60.002)</a></li> </ul><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> </div> </div> </div> </div> </div> </article>

This publication provides tips to help your organization prepare for and recover from ransomware attacks.

<article data-history-node-id="7208" about="/en/news-events/cyber-centre-releases-ransomware-threat-outlook-2025-2027" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> </div> </div> </div> </article>

The information provided in this publication is intended to inform organizations and help them reduce the risks of ransomware attacks, lessen the impact of these attacks, and take preventative actions.

<article data-history-node-id="6940" about="/en/guidance/ransomware-threat-outlook-2025-2027" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="well well-sm"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/cse-ransomware-threat-outlook-2025-2027.pdf">Ransomware Threat Outlook 2025-2027 (PDF, 1.8 MB)</a></p> </div> <div class="clearfix"> </div> <section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#1">Executive summary</a></li> <li><a href="#2">Assessment base and methodology</a></li> <li><a href="#3">Estimative language</a></li> <li><a href="#4">About the Cyber Centre </a></li> <li><a href="#5">Message from the Head of the Cyber Centre</a></li> <li><a href="#6">Key judgments</a></li> <li><a href="#7">The threat ecosystem</a></li> <li><a href="#8">The state of ransomware in Canada</a></li> <li><a href="#9">Cyber snapshots</a></li> <li><a href="#10">Myths and misconceptions</a></li> <li><a href="#11">Outlook</a></li> <li><a href="#12">Glossary</a></li> <li><a href="#13">References</a></li> </ul></details></section><h2 class="text-info" id="1">Executive summary</h2> <p>This assessment is an update to the <a href="/en/guidance/baseline-cyber-threat-assessment-cybercrime">Canadian Centre for Cyber Security’s (Cyber Centre) Baseline cyber threat assessment: Cybercrime</a>, published in 2023. It is intended to provide an update on the ransomware threat to Canada and to inform Canadian organizations about the early history of ransomware, emerging and projected trends, and ransomware’s impact on Canada and Canadian organizations. It will also debunk common myths and misconceptions on cyber hygiene and responding to cyber incidents. While this report is intended to inform Canadian organizations of all sizes, including public sector entities and critical infrastructure, all Canadians can benefit from reading this report and increasing their knowledge of the ransomware ecosystem.</p> <p>For the purposes of this assessment, ransomware generally refers to a type of malware that denies a user access to a system or data until a sum of money is paid. However, the Cyber Centre recognizes that ransomware has evolved to also include incidents where data theft and extortion are used in place of encryption.</p> <p>Ransomware emerged as an informal method of cybercrime that used basic encryption and extortion. However, it has quickly evolved over the past decades into an interconnected and sophisticated ecosystem where threat actors communicate and conduct payments through borderless online spaces that are difficult to access on the dark web.</p> <p>We assess that threat actors carrying out ransomware attacks impacting Canadian organizations are almost certainly opportunistic and financially motivated. All Canadian organizations, regardless of size or sector, are at risk of being targeted by ransomware. In addition to impacting the infrastructure, data, supply chain, and operations of organizations, a ransomware attack can also impact Canadians’ livelihoods by disrupting the critical services they depend on.</p> <h2 class="text-info" id="2">Assessment base and methodology</h2> <p>The key judgments in this assessment rely on reporting from multiple sources, both classified and unclassified. The judgments are based on the knowledge and expertise in cyber security. Defending the Government of Canada’s information systems provides the Cyber Centre with a unique perspective to observe trends in the cyber threat environment, which also informs our assessments. The Communications Security Establishment Canada’s (CSE) foreign intelligence mandate also provides valuable insight into adversary behaviour in cyberspace. While we must always protect classified sources and methods, we provide the reader with as much justification as possible for our judgments.</p> <p>Our judgments are based on an analytical process that includes evaluating the quality of available information, exploring alternative explanations, mitigating biases and using probabilistic language. We use the terms “we assess” or “we judge” to convey an analytic assessment. We use qualifiers such as “possibly,” “likely,” and “very likely” to convey probability.</p> <p>Assessments and analyses in this report are based on information available as of <strong>September 4, 2025</strong>.</p> <section><h3 class="mrgn-tp-lg" id="3">Estimative language</h3> <div class="row"> <div class="col-md-12"> <div class="panel panel-default"> <div class="panel-body"> <figure><p class="mrgn-bttm-lg">The chart below matches estimative language with approximate percentages. These percentages are not derived via statistical analysis but are based on logic, available information, prior judgments, and methods that increase the accuracy of estimates.</p> <img alt="Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/tarp-language-chart-transparent-e.png" /><details class="brdr-tp brdr-rght brdr-bttm brdr-lft mrgn-bttm-sm"><summary>Long description – Estimative language chart </summary><ul class="list-unstyled mrgn-tp-md"><li>1 to 9% Almost no chance</li> <li>10 to 24% Very unlikely/very improbable</li> <li>25 to 39% Unlikely/improbable</li> <li>40 to 59% Roughly even chance</li> <li>60 to 74% Likely/probably</li> <li>75 to 89% Very likely/very probable</li> <li>90 to 99% Almost certainly</li> </ul></details></figure></div> </div> </div> </div> </section><div class="pull-right small text-muted mrgn-bttm-md"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <section><h2 class="text-info" id="4">About the Cyber Centre</h2> <p>The Cyber Centre is Canada’s technical and operational authority on cyber security. Part of CSE, we are the single unified source of expert advice, guidance, services, and support on cyber security for Canadians and Canadian organizations. The Cyber Centre works in close collaboration with Government of Canada departments, critical infrastructure, Canadian businesses, and international partners to prepare for, respond to, mitigate, and recover from cyber events. The Cyber Centre is outward-facing and welcomes partnerships that help build a stronger, more resilient cyberspace in Canada. In line with the National Cyber Security Strategy, the Cyber Centre represents a more cooperative approach to cyber security in Canada. The Cyber Centre helps raise Canada’s cyber security bar so that Canadians can live and work online safely and with confidence.</p> </section><div class="clearfix"> </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="5">Message from the Head of the Cyber Centre</h2> <p>At a time when cybercriminals continue to target Canadian businesses, critical infrastructure, and government systems, education on these threats has never been more important. As Canada’s national authority on cyber security, the Cyber Centre is committed to helping Canadians understand, prepare for, defend against, and respond to the digital threats that impact our economy, our institutions, and our daily lives.</p> <p>Among these threats, ransomware continues to stand out as one of the most disruptive, costly, and persistent challenges facing Canadian organizations of every size. This is why this report, the Ransomware Threat Outlook 2025 to 2027, provides a forward-looking view of the ransomware landscape we anticipate in the next 2 years. Our analysis draws on reporting from across Canada and around the world, classified intelligence from our foreign partners, and insights from the private sector. Together, these perspectives let us identify not only the tools, tactics, and procedures of today’s most prolific cybercrime operators, but also the likely trends and evolutions that will define this threat tomorrow.</p> <p>As you will read in this report, ransomware is big business. Despite some concerning trends, Canadians can rest assured that the Cyber Centre is keeping pace to address these threats and is developing new tools to defend Canadian networks and systems.</p> <p>Our objectives are clear: to equip decision makers with the knowledge they need to manage their risk, to strengthen Canada’s resilience, and to safeguard the trust Canadians place in our digital systems. Only by working together can we blunt the impact of ransomware and ensure Canada is secure and resilient in an ever-evolving cyber landscape.</p> <p>In partnership,</p> <p><strong>Rajiv Gupta</strong><br /> Head, Canadian Centre for Cyber Security</p> </section><div class="clearfix"> </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="6">Key judgments</h2> <ul><li>The ransomware threat in Canada continues to increase and evolve quickly. Threat actors are leveraging various sophisticated tactics to carry out cybercrime. We assess that ransomware actors operating against Canadian targets are almost certainly opportunistic and financially motivated. All organizations, as well as individuals, in Canada almost certainly risk being targeted by ransomware at some point and should bolster their cyber resilience accordingly.</li> <li>Ransomware threat actors have demonstrated adaptability to changes in the digital landscape and will very likely continue leveraging advancements in areas like artificial intelligence (AI) and cryptocurrency while developing new extortion tactics to increase their financial reward.</li> <li>We assess that basic cyber hygiene practices like regular software updates, implementing multi-factor authentication (MFA) and backups, and being cautious of phishing attempts continue to help Canadians and Canadian organizations strengthen their baseline cyber threat readiness. Cyber security practices are not just an optional extension of one’s business. They are integral to protecting critical data and operations, and to safeguarding Canadians who are reliant on the services of organizations responsible for this data.</li> <li>Understanding and mitigating the ransomware ecosystem requires continued cooperation and diligence among law enforcement, government agencies, private organizations, and the Canadian public. We assess that threat actors carrying out ransomware attacks will remain a significant threat to Canada in the next 2 years.</li> </ul></section><div class="clearfix"> </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="7">The threat ecosystem</h2> <p>Between the 1990s and the 2020s, cybercrime changed drastically, bringing about significant shifts in how threat actors and Canadians engage with one another. Understanding the evolution of ransomware provides insight into how cybercriminals take advantage of technological advancements and how changes in the ecosystem have increased the prevalence and pervasiveness of cyber threats. It also helps identify key indicators for future trends.</p> <h3>The evolution of ransomware</h3> <ul><li><strong>1989</strong>: Harvard professor, <strong>Dr. Joseph L. Popp</strong> sent around 20,000 malware-infected floppy disks that used symmetric cryptography to encrypt file names to AIDS researchers in 90 countries. Victims were instructed to send a cheque of up to $378 to a post office box in Panama to receive a decryptor disk to restore their systems. The only individuals who reportedly paid the ransom were investigators. Dr. Popp was arrested and charged with blackmail. This was one of the first documented ransomware attacks. However, following Dr. Popp’s arrest, ransomware incidents remained relatively uncommon until the widespread adoption of the Internet in the 21st century.<sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup></li> <li><strong>2009</strong>: The emergence of <strong>Bitcoin</strong> in 2009 as the first decentralized cryptocurrency, and the surge in popularity of alternative cryptocurrencies in the subsequent years, significantly enhanced cybercriminals’ ability to process payments and launder money from illicit online activities. By providing threat actors with avenues for untraceable funds, Bitcoin helped ransomware become a profitable industry.<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup></li> <li><strong>2012</strong>: The <strong>Reveton</strong> ransomware was deployed as a malware that installs itself on a victim’s network when they click on a compromised website. The ransomware impersonated law enforcement agencies purporting to have seized control of the device due to the user’s supposed criminal online activity. Victims were threatened with jail time and were ordered to pay a ransom through a prepaid debit card. According to open-source reporting, the operators of Reveton sold the malware to third parties, increasing the number of victims. This marked the first reported occurrence of Ransomware-as-a-Service (RaaS).<sup id="fn3-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup></li> <li><strong>2013</strong>: The <strong>CryptoLocker</strong> ransomware first infected Windows computers in September 2013, using malicious attachments in spam and phishing emails as the primary method of delivery. CryptoLocker was one of the first ransomware variants to use sophisticated encryption. Once a device was encrypted, a ransom note would appear, ordering victims to pay a sum to regain access to their files. Cryptocurrency was included as a payment option. The FBI reports that within the first 2 months of operation, the threat actor group had amassed over USD 27 million in ransom. CryptoLocker was distributed through the GameOver Zeus botnet, which was attributed to a Russian cybercriminal. In June 2014, a multinational law enforcement collaboration announced that it successfully disrupted the GameOver Zeus botnet and seized CryptoLocker servers.<sup id="fn4-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup></li> <li><strong>2015</strong>: The group behind the <strong>SamSam</strong> ransomware emerged as the first group to consistently engage in targeted attacks against critical infrastructure and larger corporations, including government entities and healthcare organizations in the United States and Canada. This behaviour is now commonly known as “big game hunting” since critical infrastructure and other sensitive organizations are perceived to be more likely to pay larger ransom demands to avoid critical service disruptions or protect sensitive information. In 2018, 2 Iranian men were indicted in the United States on federal charges for deploying the SamSam ransomware to over 200 victims and causing over USD 30 million in losses<sup id="fn5-rf"><a class="fn-lnk" href="#fn5"><span class="wb-inv">Footnote </span>5</a></sup>.</li> <li><strong>2017</strong>: The May 2017 <strong>WannaCry</strong> attack was publicly identified as the fastest-spreading and largest-scale global ransomware incident at the time. Once a device was infected, WannaCry—which exploited a Microsoft vulnerability—spread rapidly through a network, infecting other vulnerable machines without human interaction. Although Microsoft had patched the vulnerability months prior, users who failed to install the update were susceptible to the attack. In a single day, the attack infected over 230,000 computers in 150 countries, bringing unprecedented global attention to ransomware.<sup id="fn6-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup></li> <li><strong>2019</strong>: After an American security company failed to meet payment deadlines set by the <strong>Maze</strong> ransomware group, the group published around 700 MB of the company’s stolen data on their dedicated leak site to increase pressure on the company to comply with the ransom demand. This is the first known instance of a ransomware group publicly releasing victim data and using double extortion methods. Threat actors publishing sensitive corporate information also eliminated backups as an effective sole mitigation tactic<sup id="fn7-rf"><a class="fn-lnk" href="#fn7"><span class="wb-inv">Footnote </span>7</a></sup>.</li> <li><strong>2020s</strong>: The popularization of <abbr title="ransomware-as-a-service">RaaS</abbr> and the development of affiliate-based business models that license malware and distribute profits has lowered the technical barriers to entry for cybercriminals. The rise of initial access brokers has also increased the efficiency of active ransomware groups. By selling network access to threat actors, these brokers reduce the time required to execute an attack. The spread of secure communication platforms and dark web marketplaces and forums has also enhanced threat actors’ ability to actively sell their services, network with cybercriminals, and engage with victims.<sup id="fn8-rf"><a class="fn-lnk" href="#fn8"><span class="wb-inv">Footnote </span>8</a></sup></li> </ul><h3>The modern ransomware landscape</h3> <p>The modern ransomware landscape is a highly sophisticated and interconnected threat ecosystem that is constantly evolving. Understanding current and emerging trends in the ransomware landscape can help Canadians recognize and better prepare for ransomware risks.</p> <h4>Multi-extortion ransomware attacks</h4> <p>As Canadian organizations expand and bolster their baseline cyber resilience, cybercriminals continually look to modify and adapt their tradecraft to best extort victims across their entire supply chain. We assess that the transition from single extortion to multi-extortion methods is indicative of cybercriminals’ increased sophistication and of their motivation to increase both the impact of their attacks and the likelihood of victims paying the ransom.</p> <p>According to open-source reporting, potential multi-extortion strategies include distributed denial-of-service (DDoS) attacks and contacting third-party entities associated with an organization—including its suppliers, partners, or customers—for ransom.<sup id="fn9-rf"><a class="fn-lnk" href="#fn9"><span class="wb-inv">Footnote </span>9</a></sup> In addition to financial losses and sensitive data leaks, multi-extortion attacks can damage an organization’s reputation due to service outages or the revictimization of victims.</p> <h4>Exfiltration-only attacks</h4> <p>Although most ransomware groups will likely continue to use encryption in their ransomware, we assess that the trend of threat actors adopting exfiltration-only attacks is a notable shift in behaviour. In November 2024, the ransomware group Hunters International focused primarily on exfiltration-only attacks and extortion.<sup id="fn10-rf"><a class="fn-lnk" href="#fn10"><span class="wb-inv">Footnote </span>10</a></sup> In January 2025, Hunters International very likely rebranded to World Leaks, an extortion-based group that provides its custom-built data exfiltration tool to affiliates for them to use against victims.<sup id="fn11-rf"><a class="fn-lnk" href="#fn11"><span class="wb-inv">Footnote </span>11</a></sup> Open-source reporting attributes the growing trend toward exfiltration-only attacks to how quickly and simply these attacks can be deployed and executed compared with encryption-based attacks<sup id="fn12-rf"><a class="fn-lnk" href="#fn12"><span class="wb-inv">Footnote </span>12</a></sup>.</p> <h4>Evolutions in victim demography</h4> <p>Critical infrastructure and large corporations remain attractive targets for ransomware actors. However, based on recent developments in victim demography, we assess that no organization is immune to cyber incidents. Businesses with fewer cyber security resources may face more challenges in responding to sophisticated ransomware attacks.</p> <p>Ransomware actors often leverage initial access points such as unpatched software, compromised credentials, phishing, or remote desk protocol. This can generate particular vulnerabilities for entities with minimal capabilities to invest in information technology (IT) infrastructure or cyber security training for employees.<sup id="fn13-rf"><a class="fn-lnk" href="#fn13"><span class="wb-inv">Footnote </span>13</a></sup></p> <p>The impacts of ransomware—including operational downtime, supply chain delays, diminished consumer trust and recovery costs—can have serious impacts on small and medium businesses and could be the deciding factor on whether these businesses are able to remain commercially viable.<sup id="fn14-rf"><a class="fn-lnk" href="#fn14"><span class="wb-inv">Footnote </span>14</a></sup> Organizations with few internal cyber security specialists also often hire third-party managed service providers (MSPs) to handle <abbr title="information technology">IT</abbr> and information management services. Because of their expansive client networks and access to sensitive information, <abbr title="managed service providers">MSPs</abbr> are attractive targets for cybercriminals.<sup id="fn15-rf"><a class="fn-lnk" href="#fn15"><span class="wb-inv">Footnote </span>15</a></sup></p> <h4>Artificial intelligence</h4> <p>We assess that, as <abbr title="artificial intelligence">AI</abbr> becomes more sophisticated and more integrated into Canadian organizations, some cybercriminals will almost certainly adopt <abbr title="artificial intelligence">AI</abbr> capabilities to target victims and lower technical barriers to entry into the ransomware ecosystem. Threat actors have been leveraging improvements in generative <abbr title="artificial intelligence">AI</abbr>, particularly large language models, across various stages of ransomware attacks, including:</p> <ul><li>developing malware</li> <li>generating deepfakes</li> <li>automating negotiations with victims</li> <li>conducting vulnerability research</li> <li>implementing social engineering strategies</li> </ul><p>This contributes to reducing the skill and resource constraints that cybercriminals typically face.<sup id="fn16-rf"><a class="fn-lnk" href="#fn16"><span class="wb-inv">Footnote </span>16</a></sup></p> <h4>Decentralized finance and cryptocurrency</h4> <p>We assess that ransomware actors will continue to leverage cryptocurrency because of the anonymity it offers compared with mainstream financial assets. Increased regulatory pressures and law enforcement action against virtual financial crimes have further encouraged threat actors to find ways to hide their transactions.<sup id="fn17-rf"><a class="fn-lnk" href="#fn17"><span class="wb-inv">Footnote </span>17</a></sup></p> <p>Cryptocurrency helps cybercrime profits transcend borders, increasing the scope of threat actors’ illicit activities and posing challenges for law enforcement investigations. In 2023, the Financial Transactions and Reports Analysis Centre of Canada stated that the movement of proceeds derived from fraud and ransomware attacks is the most prevalent form of money laundering involving virtual currencies.<sup id="fn18-rf"><a class="fn-lnk" href="#fn18"><span class="wb-inv">Footnote </span>18</a></sup></p> <div class="well"> <h5 class="text-center mrgn-tp-sm">Virtual assets</h5> <dl class="dl-horizontal"><dt>Cryptocurrency</dt> <dd>Cryptocurrencies are digital tokens that depend on cryptographic techniques to pseudo-anonymously transfer funds through a public ledger (blockchain) that records transactions between cryptocurrency wallet addresses. Cybercriminals often use cryptocurrency like Bitcoin (BTC) for illicit transactions.<sup id="fn19-rf"><a class="fn-lnk" href="#fn19"><span class="wb-inv">Footnote </span>19</a></sup></dd> <dt>Privacy coins</dt> <dd>Privacy coins are a type of cryptocurrency that provide greater anonymity because they operate on their own blockchain to conceal users’ identities and transaction histories. Examples include Monero (XMR), Zcash (ZEC), and Dash (DASH)<sup id="fn20-rf"><a class="fn-lnk" href="#fn20"><span class="wb-inv">Footnote </span>20</a></sup>.</dd> </dl></div> <div class="well"> <h5 class="text-center mrgn-tp-sm">Obfuscation and laundering techniques</h5> <dl class="dl-horizontal"><dt>Chain hopping</dt> <dd>Chain hopping is when cybercriminals transfer funds from one blockchain to another to obfuscate the funds’ illicit origins.<sup id="fn21-rf"><a class="fn-lnk" href="#fn21"><span class="wb-inv">Footnote </span>21</a></sup></dd> <dt>Mixers</dt> <dd>Mixers are services that break links between the original and final address of cryptocurrency funds to hide the funds’ illicit origins<sup id="fn22-rf"><a class="fn-lnk" href="#fn22"><span class="wb-inv">Footnote </span>22</a></sup>.</dd> </dl></div> <h4>Geopolitical influence on ransomware</h4> <p>Geopolitical conflicts are increasingly extending into the digital environment as more governments engage in cybercrime, including ransomware, as an alternative means to retaliate against adversaries or bypass international sanctions. Cybercriminal engagement varies by state: some states provide resources and protection to cybercriminals directly while others quietly permit cybercrime as long as it aligns with their political interests and does not impact victims within their country.<sup id="fn23-rf"><a class="fn-lnk" href="#fn23"><span class="wb-inv">Footnote </span>23</a></sup></p> <p>During the Russian invasion of Ukraine in 2022, the ransomware group Conti publicly threatened to retaliate against Western countries that launched cyber attacks against Russian critical infrastructure.<sup id="fn24-rf"><a class="fn-lnk" href="#fn24"><span class="wb-inv">Footnote </span>24</a></sup> According to open-source reporting, amid ongoing conflict in the Middle East, a ransomware group linked to the Islamic Republic of Iran began offering higher proceeds to actors who engaged in cyber attacks on Iran’s adversaries.<sup id="fn25-rf"><a class="fn-lnk" href="#fn25"><span class="wb-inv">Footnote </span>25</a></sup></p> <p>The Cyber Centre continues to monitor how geopolitics impact cybercrime and the degree to which state actors engage with cybercriminals in pursuit of their countries’ strategic objectives.</p> </section><!–** TOP OF PAGE ******–><div class="clearfix"> </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <section><h2 class="text-info" id="8">The state of ransomware in Canada</h2> <p>The majority of the top ransomware groups impacting Canada are almost certainly financially motivated and opportunistic. We assess that the core membership of these groups is most likely Russian speaking and operating out of the Commonwealth of Independent States (CIS), although their affiliates operate globally.</p> <p>As outlined in the Cyber Center’s <a href="/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a>, law enforcement actions and geopolitical events can cause fluctuations in cybercrime activity. However, we assess that ransomware incidents in Canada are on the rise overall and continue to increase annually across most sectors.</p> <p>Ransomware payments have fluctuated over the past 4 years, which could be a result of fewer or smaller payments made by victims combined with an increase in the total number of Canadian victims. Although most financially motivated ransomware actors operate opportunistically, Canadian critical infrastructure will likely continue to be a desirable target due to the perception that these organizations are more inclined to pay ransom demands to minimize disruptions.</p> <p>The Cyber Centre observed an increase in the number of ransomware incidents in 2024 compared with 2023. We assess that it is very likely that <abbr title="ransomware-as-a-service">RaaS</abbr> has lowered technical barriers to entry for threat actors into the ransomware ecosystem and allowed for the proliferation of sophisticated tactics, techniques, and procedures (TTPs) that are leveraged against Canadians and Canadian organizations. We assess that, due to underreporting, the number of ransomware incidents and payments is almost certainly higher than what is shown in the figures below.</p> <div class="panel panel-default"> <div class="panel-body"> <figure><figcaption class="text-center"><strong>Figure 1: Growth from 2021 of Canadian ransomware incidents known to the Cyber Centre</strong></figcaption><img alt="Growth from 2021 of Canadian ransomware incidents known to the Cyber Centre – Long description immediately follows" class="img-responsive" src="/sites/default/files/images/img-ransomware-2025-e.png" /></figure><details><summary>Long description – Figure 1: Growth from 2021 of Canadian ransomware incidents known to the Cyber Centre</summary><p>A chart indicates that, despite a small reduction in total recorded ransomware incidents in 2022, there has been a 26% average year-over-year increase from 2021 to 2024, and that average is estimated to continue through 2025.</p> </details></div> </div> <p>In 2024, the top 3 ransomware threats to Canada were:</p> <ul><li><strong>Akira:</strong> Akira is a <abbr title="ransomware-as-a-service">RaaS</abbr> group that emerged in April 2023 and is very likely connected to the disbanded ransomware group Conti.<sup id="fn26-rf"><a class="fn-lnk" href="#fn26"><span class="wb-inv">Footnote </span>26</a></sup> The group operates 2 ransomware variants. It exfiltrates victim data before encrypting victim devices and leverages stolen data to perform double extortion.<sup id="fn27-rf"><a class="fn-lnk" href="#fn27"><span class="wb-inv">Footnote </span>27</a></sup> Akira has been used to impact industries in manufacturing and telecommunications globally and in Canada.<sup id="fn28-rf"><a class="fn-lnk" href="#fn28"><span class="wb-inv">Footnote </span>28</a></sup></li> <li><strong>Play:</strong> Play is a ransomware group that emerged in June 2022 as a closed group and shifted to a <abbr title="ransomware-as-a-service">RaaS</abbr> model in November 2023. The group operates a ransomware variant by the same name and leverages a double extortion model.<sup id="fn29-rf"><a class="fn-lnk" href="#fn29"><span class="wb-inv">Footnote </span>29</a></sup> Play has been used to impact organizations in the information and technology and professional services sectors globally and in Canada.<sup id="fn30-rf"><a class="fn-lnk" href="#fn30"><span class="wb-inv">Footnote </span>30</a></sup></li> <li><strong>Medusa:</strong> Medusa is a <abbr title="ransomware-as-a-service">RaaS</abbr> group that emerged in June 2021. The group operates a ransomware variant by the same name and leverages a double extortion model. Medusa has been used to impact various critical infrastructure organizations, as well as information and communications technology sectors globally and in Canada.<sup id="fn31-rf"><a class="fn-lnk" href="#fn31"><span class="wb-inv">Footnote </span>31</a></sup></li> </ul><p>Ransomware can have severe impacts on an organization’s business operations and the security of their sensitive information. It can also damage an organization’s reputation. All of this can impact an organization’s competitiveness across its sector and within the broader Canadian economy.<sup id="fn32-rf"><a class="fn-lnk" href="#fn32"><span class="wb-inv">Footnote </span>32</a></sup></p> <h3>Canadian Survey of Cyber Security and Cybercrime</h3> <p>Statistics Canada conducts the Canadian Survey of Cyber Security and Cybercrime (CSCSC) on behalf of Public Safety Canada. This survey gathers information on the financial and operational effects of cybercrime on Canadian businesses. It also gathers information on the readiness of Canadian businesses toward implementing proactive cyber security and managing security incidents. The most recent <abbr title="Canadian Survey of Cyber Security and Cybercrime">CSCSC</abbr> data, published in October 2024, uses information gathered in 2023 from a sample of over 12,000 Canadian organizations. The survey provides key insights into the prevalence and impacts of cyber incidents, including ransomware, in addition to evolutions in security postures and procedures among Canadian businesses.<sup id="fn33-rf"><a class="fn-lnk" href="#fn33"><span class="wb-inv">Footnote </span>33</a></sup></p> <section class="panel panel-primary"><div class="panel-body center-block"> <p class="text-center"><strong>13%</strong> of businesses reporting cyber security incidents identified <strong>ransomware</strong> as the method of attack, a 2% increase since the 2021 <abbr title="Canadian Survey of Cyber Security and Cybercrime">CSCSC</abbr>.</p> </div> </section><section class="panel panel-primary"><div class="panel-body center-block"> <p class="text-center">Following an increase of CAD 200 million from 2019 to 2021, the total recovery costs associated with cyber security incidents in 2023 <strong>doubled</strong> to <strong>CAD 1.2 billion</strong>.</p> </div> </section><section class="panel panel-primary"><div class="panel-body center-block"> <p class="text-center">Approximately <strong>22% of businesses</strong> reported that formal training was provided to non-<abbr title="information technology">IT</abbr> workers to improve and progress their cyber security skills.</p> </div> </section><section class="panel panel-primary"><div class="panel-body center-block"> <p class="text-center">There was an <strong>11% decrease</strong> in organizations employing <strong>cyber security workers</strong>, primarily due to the use of third-party cyber security consultants and <abbr title="managed service providers">MSPs</abbr>.</p> </div> </section></section><!–** TOP OF PAGE ******–><div class="clearfix"> </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <section><h2 class="text-info" id="9">Cyber snapshots</h2> <p>Across Canada, organizations are increasingly forced to reckon with the evolving cyber threat landscape. Ransomware can have serious consequences for business functions, supply chain management, and customer confidence when cybercriminals disrupt operations, steal or leak sensitive information.</p> <p>We assess that ransomware actors will continue to target Canada and Canadian organizations in the next 2 years. Examining publicly reported case studies of ransomware incidents can help contextualize the impacts to business functions and communities that rely on these organizations’ services. Understanding the real-life implications of ransomware can help Canadians recognize the severity of the issue and recognize how they, their businesses, and their communities may be impacted.</p> <h3>Public sector</h3> <h4>Example one</h4> <p>A Canadian entity in the public sector reported that they were the victim of a cyber security breach. The breach caused widespread technical outages, leaving services unavailable for months. Rather than pay the ransom, the entity chose to rebuild their systems.</p> <p>Following the initial detection of suspicious activity, the entity engaged with its incident response team, external security consultants, law enforcement, and legal counsel to investigate and contain the breach.</p> <p>An impact assessment revealed that threat actors initially accessed the network but remained dormant for months before exfiltrating data. The stolen data included information on staff and their dependants. The data also included information on customers, contractors, stakeholders, volunteers, and job applicants, including personal, medical, and financial information.</p> <h4>Example two</h4> <p>A Canadian public sector organization was the target of a ransomware attack that significantly disrupted operations.</p> <p>Within days, the organization contained the incident and recovered most of their services from system backups. It maintained that no ransom was paid and that, following a forensic analysis, it found no evidence that the threat actors retrieved any sensitive or personal information.</p> <p>Despite the restoration of some services, certain systems remained unusable for months after the incident. Recovery and rebuilding costs were estimated in the millions of dollars.</p> <h3>Private sector</h3> <p>Two Canadian logistics companies experienced a breach involving customers’ personal information.</p> <p>The entities reported the attack to the potentially affected parties, relevant federal authorities, and the Office of the Privacy Commissioner of Canada (OPC). The <abbr title="Office of the Privacy Commissioner of Canada">OPC</abbr> launched an immediate investigation to evaluate the effectiveness of the precautions in place to safeguard the sensitive information.</p> <p>A ransomware group claimed responsibility for the attack and alleged to have stolen a significant volume of documents.</p> <h3>Retail sector</h3> <p>A large Canadian health retailer reported a ransomware attack that forced operations to be shut down for days while systems were rebuilt.</p> <p>The organization refused to pay the ransom and deployed countermeasures to protect their networks from additional compromise. External experts and law enforcement were engaged to contain the threat and restore systems. The entity stated that the ransomware attack compromised data related to their human resources and finance departments, including some employee data.</p> <h3>Education sector</h3> <p>An education technology organization announced that a threat actor had leveraged a compromised credential for a customer support portal to gain access to sensitive data. The impacted databases contained information from millions of individuals.</p> <p>The organization reported the incident to relevant law enforcement authorities, and made the decision to pay the ransom. Despite assurances from the threat actor that the stolen information would be deleted, it was announced that the threat actor continued to contact victims in an attempt to re-extort them with the same data from the initial incident.</p> <h3>Energy sector</h3> <p>A Canadian entity in the energy sector confirmed that it was the victim of a ransomware attack that resulted in the leak of sensitive personal and banking information from many current and former customers. The entity notified all impacted customers and offered credit monitoring and identity protection at no cost.</p> <p>The entity confirmed that they did not pay the ransom demand and enacted their incident response protocols, engaging with cyber security experts to assess the impact of the attack and rebuild and restore impacted systems.</p> </section><!–** TOP OF PAGE ******–><div class="clearfix"> </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <section><h2 class="text-info" id="10">Myths and misconceptions</h2> <p>A key step to Canadians bolstering their baseline resilience to cyber attacks is debunking common misconceptions and beliefs. This includes Canadians building a better understanding of their proximity to threats and the sensitivity of their personal or business information, as well as taking important steps for incident response.</p> <h3>“We’re too small to be a target”</h3> <p>We assess that any Canadian organization, small or large, can likely be susceptible to cyber threats and the impacts of ransomware. Although some ransomware groups maintain a self-proclaimed “moral code,” whereby they refrain from targeting certain organizations (for example, hospitals, charities, government agencies, religious institutions), others will target any organization.<sup id="fn34-rf"><a class="fn-lnk" href="#fn34"><span class="wb-inv">Footnote </span>34</a></sup></p> <p>Groups that are more technically sophisticated and well resourced may conduct proactive research on companies to identify those most likely to pay ransom demands. Meanwhile, other threat actors prioritize increasing dedicated leak site posts, regardless of victim size, to bolster their reputation.</p> <p>Smaller businesses often use <abbr title="managed service providers">MSPs</abbr> to manage parts of their operations, or integrate parts of their supply chains with multiple other entities. This can increase the threat surface for these businesses if those third parties experience compromises.</p> <div class="well well-sm"> <p><strong>Resources:</strong></p> <ul><li><a href="/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations">Baseline cyber security controls for small and medium organizations</a></li> <li><a href="/en/guidance/top-measures-enhance-cyber-security-small-and-medium-organizations-itsap10035">Top measures to enhance cyber security for small and medium organizations</a></li> <li><a href="/en/malicious-cyber-activity-targeting-information-technology-managed-service-providers">Malicious cyber activity targeting information technology managed service providers</a></li> </ul></div> <h3>“We don’t need all these cyber security tools and rules”</h3> <p>Every time Canadians leave their homes, it is very likely that they mitigate any potential risks by closing their windows, locking their doors, and turning on their security systems.</p> <p>Similarly, implementing basic cyber hygiene practices can significantly reduce the likelihood of ransomware attacks. Routine training and education for employees help foster personal diligence and strengthened cyber security awareness. This can have a tremendous impact in preventing common forms of entry for ransomware, including:</p> <ul><li>spoofed websites</li> <li>phishing messages</li> <li>compromised login credentials</li> </ul><p>Flagging suspicious content and taking a moment to think critically and validating URLs and email addresses as well as are simple steps that individuals can take to prevent malware infections.<sup id="fn35-rf"><a class="fn-lnk" href="#fn35"><span class="wb-inv">Footnote </span>35</a></sup> Other measures that individuals and organizations can take to protect themselves against ransomware include:</p> <ul><li>routine backups</li> <li>automatic updates</li> <li>security tools</li> </ul><div class="well well-sm"> <p><strong>Resources:</strong></p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/protect-your-organization-malware-itsap00057">Protect your organization from malware</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/tips-backing-your-information-itsap40002">Tips for backing up your information</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/developing-your-incident-response-plan-itsap40003">Developing your incident response plan</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/steps-effectively-deploying-multi-factor-authentication-mfa-itsap00105">Steps for effectively deploying multi-factor authentication (MFA)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/password-managers-security-itsap30025">Password managers: Security tips</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/cyber-security-hygiene-best-practices-your-organization-itsap10102">Cyber hygiene best practices for your organization</a></li> </ul></div> <h3>“Paying the ransom is the easiest way to get our data back”</h3> <p>There is no guarantee that threat actors will unlock systems or return stolen data if organizations that experience a ransomware attack pay the demanded ransom. Threat actors can copy the data and use it to revictimize an organization or its customers for more money.<sup id="fn36-rf"><a class="fn-lnk" href="#fn36"><span class="wb-inv">Footnote </span>36</a></sup></p> <p>Cyber insurance as a proactive protection measure against ransomware can encourage organizations to align their cyber security postures with insurance policy standards. However, if insurance policy documents are not properly protected on an organization’s website or systems, sophisticated ransomware actors could obtain information on coverage amounts and leverage it in ransom negotiations to maximize their payment.<sup id="fn37-rf"><a class="fn-lnk" href="#fn37"><span class="wb-inv">Footnote </span>37</a></sup></p> <h3>“I don’t run a business, so why should I care about ransomware?”</h3> <p>In the current digital landscape, countless organizations likely collect and store your sensitive information. If those corporations suffer a ransomware attack, your personal data could be indirectly compromised. A ransomware attack can lead to spillover effects that can impact Canadians, regardless of their job or their diligence with data. When cyber attacks disrupt organizations that provide essential services, they can severely limit public access to pharmaceuticals, transportation, internet services, and other critical resources.</p> <h3>“I don’t care if my data is out there—they can have it”</h3> <p>Organizations are increasingly responsible for handling immense amounts of personal data from Canadian customers, from sensitive financial details to contact information and health records. In the aftermath of a ransomware attack, threat actors often sell compromised consumer data on the dark web. Once your data has been compromised, it will very likely remain in this ecosystem. This increases your vulnerability to threats like targeted phishing email campaigns, which can then impact your clients, family, and friends.<sup id="fn38-rf"><a class="fn-lnk" href="#fn38"><span class="wb-inv">Footnote </span>38</a></sup></p> <p>Business owners should be concerned about their data security since a compromise of their information (such as intellectual property) can directly impact their reputation, financial security, and market competitiveness.</p> <section class="panel panel-primary"><header class="panel-heading"><h4 class="panel-title">Reporting ransomware</h4> </header><div class="panel-body"> <p>If you or your organization experience a ransomware attack, we advise you to report it to your local authorities, the Canadian Anti-Fraud Centre, and the Cyber Centre (through <a href="/en/incident-management">My Cyber Portal</a> or by email at <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>).</p> <p>Reporting cyber attacks allows relevant authorities to properly investigate attacks and identify the source of the compromise to protect your organization and others from future incidents.</p> <p>Understanding the ransomware landscape in Canada depends on our comprehension of the size and nature of threat actors. By reporting cyber attacks, you help contribute to a safer, smarter Canada.</p> </div> </section></section><!–** TOP OF PAGE ******–><div class="clearfix"> </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <section><h2 class="text-info" id="11">Outlook</h2> <p>We assess that ransomware will remain a significant threat to Canada, requiring substantial attention from Canadians in the coming years. As organizations become more integrated into the digital landscape, increasing exploitation opportunities for threat actors, their infrastructure and sensitive data will very likely continue to be at risk of compromise by ransomware.</p> <p>Cyber threat actors have, and will continue to, evolve their TTPs, including extortion tactics and victim demography, to increase the impact of their attacks and their opportunities to reap financial reward. However, Canadian organizations can do a lot to protect themselves from these threats. It is crucial that Canadian organizations looking to safeguard their systems and information consider cyber security at the core of everything they do. This includes implementing fundamental cyber security practices such as patching operational technology, enabling automatic updates and <abbr title="multi-factor authentication">MFA</abbr>, and encouraging secure-by-design. Canadian organizations should also take advantage of the tools available to them — such as the malware detection and analysis tool, Assemblyline, developed by the Cyber Centre — to continuously monitor their networks and stay vigilant of evolving threats.</p> <p>Continued collaboration between domestic law enforcement, the private sector, and international allies will be required to bolster understanding of the threat ecosystem and to coordinate appropriate proactive and responsive actions to prevent the global impact and spread of ransomware.</p> <p>The Cyber Centre works around the clock to detect and defend against ransomware and other similar cyber threats. One of the ways we do this is by providing pre-ransomware notifications to warn potential victims during the initial stage of a ransomware incident. Through these notifications, cyber defenders can pinpoint and stop ransomware attacks before any data is compromised. In the 2024 to 2025 fiscal year, we issued 336 pre-ransomware notifications to over 300 Canadian organizations, resulting in an economic savings of up to CAD 18 million.</p> <p>For more information on how Canadians and Canadian organizations can protect themselves against the ransomware threat and bolster their overall cyber resilience, we encourage them to consult our <a href="https://www.cyber.gc.ca/en/cyber-security-readiness/cyber-security-readiness-goals-securing-our-most-critical-systems">Cyber Security Readiness Goals</a>, <a href="https://www.cyber.gc.ca/en/guidance/ransomware-playbook-itsm00099">Ransomware Playbook</a>, and other <a href="https://www.cyber.gc.ca/en/guidance">cyber security guidance</a> available on the Cyber Centre website.</p> </section><!–** TOP OF PAGE ******–><div class="clearfix"> </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <section><h2 class="text-info" id="12">Glossary</h2> <dl class="dl-horizontal"><dt>Artificial intelligence (AI)</dt> <dd>A subfield of computer science that develops intelligent computer programs to behave in a way that would be considered intelligent if observed in a human (for example, solve problems, learn from experience, understand language, interpret visual scenes).</dd> <dt>Big game hunting</dt> <dd>The practice of targeting critical infrastructure and other sensitive organizations because they are perceived to be more likely to pay larger ransoms to avoid critical service disruptions or to protect sensitive information.</dd> <dt>Botnet</dt> <dd>A network of computers forced to work together on the command of an unauthorized remote user. This network of compromised computers is used to attack other systems.</dd> <dt>Commonwealth of Independent States (CIS)</dt> <dd>A regional organization established in 1991 that comprises 9 member states previously part of the Soviet Union: Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, and Uzbekistan.</dd> <dt>Cryptocurrency</dt> <dd>Virtual assets that use cryptography to protect and affirm their ownership. Units of cryptocurrency are called “coins,” such as Bitcoin and Ether. Cryptocurrency transactions are generally recorded on their respective blockchains. “Tokens” represent a certain value of “coins” and can be used to buy certain goods and services. Cryptocurrencies operate on a peer-to-peer system and are not managed by a central authority like a bank, government, or country.</dd> <dt>Cyber insurance</dt> <dd>A specialized product intended to help businesses manage losses caused by computer networking threats such as data breaches and cyber extortion. Cyber insurance can cover a range of cyber events, including confidential data breaches, cyber extortion, and technology disruptions.</dd> <dt>Dark web</dt> <dd>An unindexed segment of the Internet that is only accessible through specialized software or network proxies. Due to the inherently anonymous and private nature of the dark web, it facilitates a complex ecosystem of cybercrime and illicit goods and services trade.</dd> <dt>Decryptor</dt> <dd>A specialized tool designed to help businesses recover encrypted files without having to pay attackers for decryption keys.<sup id="fn39-rf"><a class="fn-lnk" href="#fn39"><span class="wb-inv">Footnote </span>39</a></sup></dd> <dt>Dedicated leak sites</dt> <dd>Websites where ransomware threat actors publish data stolen from companies that refuse to pay the ransom. These sites can contain sensitive information such as login credentials, intellectual property, and personal and financial data. They put victim organizations at risk of security breaches, identity theft, financial fraud, reputational damage, and legal consequences.<sup id="fn40-rf"><a class="fn-lnk" href="#fn40"><span class="wb-inv">Footnote </span>40</a></sup></dd> <dt>Deepfakes</dt> <dd>Content that has been digitally manipulated and is intended to deceive. This includes artificially generated images, audio, and videos.</dd> <dt>Distributed denial of service (DDoS)</dt> <dd>A type of cyber attack in which threat actors aim to disrupt or prevent legitimate users from accessing a networked system, service, website, or application.</dd> <dt>Double extortion</dt> <dd>When ransomware actors exfiltrate files before encrypting them and threaten to leak sensitive information publicly if the ransom is not paid.</dd> <dt>Encryption</dt> <dd>Converting information from one form to another to hide its content and prevent unauthorized access.</dd> <dt>Exfiltration</dt> <dd>The unauthorized transfer of data from a network, system, or device.<sup id="fn41-rf"><a class="fn-lnk" href="#fn41"><span class="wb-inv">Footnote </span>41</a></sup></dd> <dt>Generative <abbr title="artificial intelligence">AI</abbr></dt> <dd>A class of <abbr title="artificial intelligence">AI</abbr> models that emulate the structure and characteristics of input data to generate synthetic content. This can include images, audio, text, and other digital content.<sup id="fn42-rf"><a class="fn-lnk" href="#fn42"><span class="wb-inv">Footnote </span>42</a></sup></dd> <dt>Initial access brokers</dt> <dd>Threat actors that sell access to corporate networks.<sup id="fn43-rf"><a class="fn-lnk" href="#fn43"><span class="wb-inv">Footnote </span>43</a></sup></dd> <dt>Large language models</dt> <dd>Artificial neural networks that are trained on very large sets of language data using self- and semi-supervised learning. Large language models initially generated text via next-word prediction but can now take prompts so that users can complete sentences or generate entire documents on a given topic. Training on exceptionally large datasets allows the model to learn sophisticated linguistic structures and the biases or inaccuracies found in that data.</dd> <dt>Malware</dt> <dd>Malicious software designed to infiltrate or damage a computer system, without the owner’s consent. Common forms of malware include computer viruses, worms, Trojans, spyware, and adware.</dd> <dt>Managed service providers (MSP)</dt> <dd>Companies that offer a range of information management and information technology services. This includes physical, virtual, or cloud infrastructure, as well as providers who manage stored data primarily in a virtual environment.</dd> <dt>Multi-factor authentication (MFA)</dt> <dd>A tactic that can add an additional layer of security to your devices and accounts. Multi-factor authentication requires additional verification (like a PIN or fingerprint) to access your devices or accounts. Two-factor authentication is a type of multi-factor authentication.</dd> <dt>Phishing</dt> <dd>An attempt by a third party to solicit confidential information from an individual, group, or organization by mimicking or spoofing a specific, usually well-known brand, typically for financial gain. Phishers attempt to trick users into disclosing sensitive personal data, such as credit card numbers or online banking credentials, which they may then use to commit fraudulent acts.</dd> <dt>Ransomware</dt> <dd>Type of malware that denies a user access to a system or data until a sum of money is paid.</dd> <dt>Ransomware-as-a-Service (RaaS)</dt> <dd>A core group of developers sell or lease their ransomware variant to other threat actors, called affiliates. The core developers will allow affiliates to deploy their ransomware in exchange for upfront payment, subscription fees, a cut or profits, or all 3.</dd> <dt>Social engineering</dt> <dd>The practice of obtaining confidential information by manipulating legitimate users. A social engineer will often trick people into revealing sensitive information over the phone or online. Phishing is a type of social engineering.</dd> <dt>Symmetric cryptography</dt> <dd>A cryptographic key is used to perform a cryptographic operation and its inverse operation (for example, encrypt and decrypt, create a message authentication code and verify the code).</dd> <dt>Tactics, techniques, and procedures (TTP)</dt> <dd>The behaviour of an actor. A tactic is the highest-level description of this behaviour, while techniques give a more detailed description of behaviour in the context of a tactic, and procedures an even lower-level, highly detailed description in the context of a technique.<sup id="fn44-rf"><a class="fn-lnk" href="#fn44"><span class="wb-inv">Footnote </span>44</a></sup></dd> <dt>Vulnerability</dt> <dd>A flaw or weakness in the design or implementation of an information system or its environment that could be exploited to adversely affect an organization’s assets or operations.</dd> </dl></section><!–FOOTNOTE SECTION EN–><aside class="wb-fnote" role="note"><h2 class="text-info" id="13">References</h2> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p>Kurt Baker, “<a href="https://www.crowdstrike.com/en-us/cybersecurity-101/ransomware/history-of-ransomware/?__cf_chl_rt_tk=UIj85aW1_uPWYtx1XhwnX2DFKanbaN4dCeUUeNt2xg4-1753969253-1.0.1.1-U_mvkOxTntsn8QDFU9C5Df73xbudYr0nkuJ6TxtGWUU">History of Ransomware</a>,” CrowdStrike, October 9, 2022; “<a href="https://www.knowbe4.com/ransomware-knowledgebase/aids-trojan">AIDS Trojan or PC Cyborg Ransomware</a>,” KnowBe4; Ryan Estes, “<a href="https://www.watchguard.com/wgrd-security-hub/secplicity-blog/dr-joseph-l-popp-jr-and-first-ever-ransomware-aids-trojan">Dr. Joseph L Popp Jr and The First-Ever Ransomware – The AIDS Trojan</a>,” WatchGuard, February 18, 2025; Kaveh Waddell, “<a href="https://www.theatlantic.com/technology/archive/2016/05/the-computer-virus-that-haunted-early-aids-researchers/481965/">The Computer Virus That Haunted Early AIDS Researchers</a>,” The Atlantic, May 10, 2016.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote</span>1<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 2</dt> <dd id="fn2"> <p>“<a href="https://www.europol.europa.eu/cms/sites/default/files/documents/Europol Spotlight – Cryptocurrencies – Tracing the evolution of criminal finances.pdf">Cryptocurrencies: Tracing the evolution of criminal finances (PDF)</a>,” Europol, January 26, 2022; “<a href="/en/guidance/cyber-threat-bulletin-modern-ransomware-and-its-evolution">Cyber threat bulletin: Modern ransomware and its evolution</a>,” Canadian Centre for Cyber Security, November 30, 2020; Kurt Baker, “<a href="https://www.crowdstrike.com/en-us/cybersecurity-101/ransomware/history-of-ransomware/?__cf_chl_rt_tk=UIj85aW1_uPWYtx1XhwnX2DFKanbaN4dCeUUeNt2xg4-1753969253-1.0.1.1-U_mvkOxTntsn8QDFU9C5Df73xbudYr0nkuJ6TxtGWUU">History of Ransomware</a>,” CrowdStrike, October 9, 2022.</p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote</span>2<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 3</dt> <dd id="fn3"> <p>“<a href="https://arcticwolf.com/resources/blog/the-history-of-ransomware/">The History of Ransomware</a>,” Arctic Wolf, June 5, 2024; “<a href="https://www.fbi.gov/news/stories/new-internet-scam">New Internet Scam</a>,” FBI, August 9, 2012; Orlaith Traynor, “<a href="https://cybelangel.com/ransomware-story-reveton-to-maze/">From Reveton to Maze: Tracing the Evolution of Ransomware</a>,” CyberAngel, August 27, 2020.</p> <p class="fn-rtn"><a href="#fn3-rf"><span class="wb-inv">Return to footnote</span>3<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 4</dt> <dd id="fn4"> <p>“<a href="https://www.fbi.gov/news/stories/gameover-zeus-botnet-disrupted">GameOver Zeus Botnet Disrupted</a>,” FBI, June 2, 2014; Matthew Kosinski, “<a href="https://www.ibm.com/think/topics/ransomware">What is ransomware?</a>” IBM, June 4, 2024; “<a href="https://www.fbi.gov/news/press-releases/u.s.-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware-charges-botnet-administrator">U.S. Leads Multi-National Action Against GameOver Zeus Botnet and Cryptolocker Ransomware, Charges Botnet Administrator</a>,” United States Department of Justice, June 2, 2014; “<a href="https://www.cyber.gc.ca/en/guidance/cyber-threat-bulletin-modern-ransomware-and-its-evolution">Cyber threat bulletin: Modern ransomware and its evolution</a>,” Canadian Centre for Cyber Security, November 30, 2020; “<a href="https://www.fbi.gov/news/stories/ransomware-on-the-rise">Ransomware on the Rise</a>,” FBI, January 20, 2015; Ivan Belcic, “<a href="https://www.avast.com/c-cryptolocker">What is CryptoLocker Ransomware and How to Remove it</a>,” Avast. February 27, 2020.</p> <p class="fn-rtn"><a href="#fn4-rf"><span class="wb-inv">Return to footnote</span>4<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 5</dt> <dd id="fn5"> <p>“<a href="https://www.security.com/threat-intelligence/samsam-targeted-ransomware-attacks">SamSam: Targeted Ransomware Attacks Continue</a>,” Symantec, October 30, 2018; “<a href="https://www.justice.gov/archives/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public;">Two Iranian Men Indicted for Deploying Ransomware to Extort Hospitals, Municipalities, and Public Institutions, Causing Over $30 Million in Losses</a>,” United States Department of Justice, November 28, 2018; “<a href="https://www.cyber.gc.ca/en/guidance/cyber-threat-bulletin-modern-ransomware-and-its-evolution">Cyber threat bulletin: Modern ransomware and its evolution</a>,” Canadian Centre for Cyber Security, November 30, 2020; “<a href="https://www.crowdstrike.com/en-us/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/#:~:text=The%20Future%20of%20INDRIK%20SPIDER%20and%20Big%20Game%20Hunting&amp;text=Since%20they%20were%20first%20identified,be%20a%20growing%20eCrime%20threat.">Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware</a>,” CrowdStrike. November 14, 2018.</p> <p class="fn-rtn"><a href="#fn5-rf"><span class="wb-inv">Return to footnote</span>5<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 6</dt> <dd id="fn6"> <p>Veronic Drake, “<a href="https://flashpoint.io/blog/the-history-and-evolution-of-ransomware-attacks/">The History and Evolution of Ransomware Attacks</a>,” Flashpoint, July 29, 2022; Martin Zugec “<a href="https://www.bitdefender.com/en-us/blog/businessinsights/the-origin-of-ransomware-exploring-the-evolution-of-one-of-cybersecuritys-most-prolific-threats">The Origin of Ransomware – Exploring the evolution of one of cybersecurity’s most prolific threats</a>,” Bitdefender. May 23, 2022; Jennifer Gregory, “<a href="https://www.ibm.com/think/x-force/wannacry-worm-ransomware-changed-cybersecurity">Wannacry: how the widespread ransomware changed cybersecurity</a>,” IBM, October 30, 2020.</p> <p class="fn-rtn"><a href="#fn6-rf"><span class="wb-inv">Return to footnote</span>6<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 7</dt> <dd id="fn7"> <p>Veronic Drake, “<a href="https://flashpoint.io/blog/the-history-and-evolution-of-ransomware-attacks/">The History and Evolution of Ransomware Attacks</a>,” Flashpoint, July 29, 2022; Lawrence Abrams, “<a href="https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/">Allied Universal Breached by Maze Ransomware, Stolen Data Leaked</a>,” Bleeping Computer, November 21, 2019.</p> <p class="fn-rtn"><a href="#fn7-rf"><span class="wb-inv">Return to footnote</span>7<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 8</dt> <dd id="fn8"> <p>“<a href="https://www.cyber.gc.ca/en/guidance/cyber-threat-bulletin-modern-ransomware-and-its-evolution">Cyber threat bulletin: Modern ransomware and its evolution</a>,” Canadian Centre for Cyber Security, November 30, 2020; “<a href="https://arcticwolf.com/resources/blog/the-history-of-ransomware/">The History of Ransomware</a>,” Arctic Wolf, June 5, 2024.</p> <p class="fn-rtn"><a href="#fn8-rf"><span class="wb-inv">Return to footnote</span>8<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 9</dt> <dd id="fn9"> <p>“<a href="https://www.checkpoint.com/cyber-hub/ransomware/what-is-triple-extortion-ransomware/">What is Triple Extortion Ransomware?</a>” Check Point; Kevin Poireault, “<a href="https://www.infosecurityeurope.com/en-gb/blog/threat-vectors/ransomware-trends-multi-extortion-tactics.html">Ransomware Trends: The Rise of Multi-Extortion Tactics</a>,” Infosecurity Europe. February 11, 2025; “<a href="https://www.paloaltonetworks.ca/cyberpedia/what-is-multi-extortion-ransomware#phases">What is Multi-Extortion Ransomware?</a>” Palo Alto Networks.</p> <p class="fn-rtn"><a href="#fn9-rf"><span class="wb-inv">Return to footnote</span>9<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 10</dt> <dd id="fn10"> <p>Mahmoud Zohdy, et al., “<a href="https://www.group-ib.com/blog/hunters-international-ransomware-group/">The beginning of the end: the story of Hunters International</a>,” Group-IB, April 2, 2025.</p> <p class="fn-rtn"><a href="#fn10-rf"><span class="wb-inv">Return to footnote</span>10<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 11</dt> <dd id="fn11"> <p>Mahmoud Zohdy, et al., “<a href="https://www.group-ib.com/blog/hunters-international-ransomware-group/">The beginning of the end: the story of Hunters International</a>,” Group-IB, April 2, 2025.</p> <p class="fn-rtn"><a href="#fn11-rf"><span class="wb-inv">Return to footnote</span>11<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 12</dt> <dd id="fn12"> <p>“<a href="https://www.lmgsecurity.com/online-extortion-is-the-new-ransomware-why-hackers-just-want-your-data/?srsltid=AfmBOor9dFI0rzm_NJrC_E7O8bwgkOFjtxrivLbtTTdDyDSA_4GjYW08">Online Extortion Is the New Ransomware: Why Hackers Just Want Your Data</a>,” LMG Security, July 10, 2025; “<a href="https://www.helpnetsecurity.com/2025/04/28/companies-impacted-ransomware-attacks/">Ransomware attacks are getting smarter, harder to stop</a>,” Help Net Security, April 28, 2025; Phil Muncaster, “<a href="https://www.infosecurity-magazine.com/news/only-fifth-ransomware-attacks/">Only a Fifth of Ransomware Attacks Now Encrypt Data</a>,” Infosecurity Magazine, February 25, 2025.</p> <p class="fn-rtn"><a href="#fn12-rf"><span class="wb-inv">Return to footnote</span>12<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 13</dt> <dd id="fn13"> <p>Jamie MacColl, et al. “<a href="https://www.rusi.org/explore-our-research/publications/occasional-papers/ransomware-victim-insights-harms-individuals-organisations-and-society">Ransomware: Victim Insights on Harms to Individuals, Organisations and Society</a>,” Royal United Services Institute, January 16, 2024.</p> <p class="fn-rtn"><a href="#fn13-rf"><span class="wb-inv">Return to footnote</span>13<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 14</dt> <dd id="fn14"> <p>Aliasgar Dohadwala, “<a href="https://www.forbes.com/councils/forbestechcouncil/2025/02/27/the-ransomware-epidemic-why-smes-are-the-new-primary-target/">The Ransomware Epidemic: Why SMEs Are the New Primary Target</a>,” Forbes, February 27, 2025.</p> <p class="fn-rtn"><a href="#fn14-rf"><span class="wb-inv">Return to footnote</span>14<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 15</dt> <dd id="fn15"> <p>“<a href="https://www.cyber.gc.ca/en/guidance/malicious-cyber-activity-targeting-information-technology-managed-service-providers">Malicious Cyber Activity Targeting Technology Managed Service Providers</a>,” Canadian Centre for Cyber Security, December 20, 2018.</p> <p class="fn-rtn"><a href="#fn15-rf"><span class="wb-inv">Return to footnote</span>15<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 16</dt> <dd id="fn16"> <p>Lucia Stanham, “<a href="https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/ai-powered-cyberattacks/"><abbr title="artificial intelligence">AI</abbr>-Powered Cyberattacks</a>,” CrowdStrike, January 16, 2025; Jambul Tologonov and John Fokker, “<a href="https://www.trellix.com/blogs/research/analysis-of-black-basta-ransomware-chat-leaks/">Analysis of Black Basta Ransomware Chat Leaks</a>,” March 18, 2025; “<a href="https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/#single-post">FunkSec – Alleged Top Ransomware Group Powered by <abbr title="artificial intelligence">AI</abbr></a>,” Check Point Research, January 10, 2025.</p> <p class="fn-rtn"><a href="#fn16-rf"><span class="wb-inv">Return to footnote</span>16<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 17</dt> <dd id="fn17"> <p>TRM Blog, “<a href="https://www.trmlabs.com/resources/blog/unmasking-embargo-ransomware-a-deep-dive-into-the-groups-ttps-and-blackcat-links">Unmasking Embargo Ransomware: A Deep Dive Into the Group’s TTPs and BlackCat Links</a>,” TRM, August 8, 2025; TRM Blog, “<a href="https://www.trmlabs.com/resources/blog/ransomware-in-2024-latest-trends-mounting-threats-and-the-government-response">Ransomware in 2024: Latest Trends, Mounting Threats, and the Government Response</a>,” TRM, October 10, 2024.</p> <p class="fn-rtn"><a href="#fn17-rf"><span class="wb-inv">Return to footnote</span>17<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 18</dt> <dd id="fn18"> <p>Jim Bronskill, “<a href="https://globalnews.ca/news/10148020/cryptocurrency-criminal-use-fintrac/">Criminal use of cryptocurrency to keep growing, Canada’s Fintrac warns</a>,” Global News, December 4, 2023.</p> <p class="fn-rtn"><a href="#fn18-rf"><span class="wb-inv">Return to footnote</span>18<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 19</dt> <dd id="fn19"> <p>“<a href="https://www.chainalysis.com/blog/2025-crypto-crime-report-introduction/">2025 Crypto Crime Trends: Illicit Volumes Portend Record Year as On-Chain Crime Becomes Increasingly Diverse and Professionalized</a>,” Chainalysis, January 15, 2025; MacKenzie Sigalos, “<a href="https://www.cnbc.com/2021/06/13/what-is-monero-new-cryptocurrency-of-choice-for-cyber-criminals.html">Why some cyber criminals are ditching bitcoin for a cryptocurrency called monero</a>,” CNBC, June 14, 2021; “<a href="https://rcmp.ca/en/gazette/cryptocurrency-expert-demystifies-digital-assets">Cryptocurrency expert demystifies digital assets</a>,” Royal Canadian Mounted Police, October 20, 2020.</p> <p class="fn-rtn"><a href="#fn19-rf"><span class="wb-inv">Return to footnote</span>19<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 20</dt> <dd id="fn20"> <p>“<a href="https://www.chainalysis.com/blog/privacy-coins-anonymity-enhanced-cryptocurrencies/">Privacy Coins 101: Anonymity-Enhanced Cryptocurrencies</a>,” Chainalysis, April 18, 2023; “<a href="https://www.europol.europa.eu/cms/sites/default/files/documents/Europol%20Spotlight%20-%20Cryptocurrencies%20-%20Tracing%20the%20evolution%20of%20criminal%20finances.pdf">Cryptocurrency: Tracing the Evolution of Criminal Finances (PDF)</a>,” Europol, January 26, 2022.</p> <p class="fn-rtn"><a href="#fn20-rf"><span class="wb-inv">Return to footnote</span>20<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 21</dt> <dd id="fn21"> <p>TRM Blog, “<a href="https://www.trmlabs.com/resources/blog/trm-phoenix-solves-crypto-investigators-chain-hopping-problem">TRM Phoenix Solves Crypto Investigators’ ‘Chain-Hopping’ Problem</a>,” TRM, August 24, 2022.</p> <p class="fn-rtn"><a href="#fn21-rf"><span class="wb-inv">Return to footnote</span>21<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 22</dt> <dd id="fn22"> <p>“<a href="https://www.europol.europa.eu/cms/sites/default/files/documents/Europol%20Spotlight%20-%20Cryptocurrencies%20-%20Tracing%20the%20evolution%20of%20criminal%20finances.pdf">Cryptocurrency: Tracing the Evolution of Criminal Finances (PDF)</a>,” Europol, January 26, 2022.</p> <p class="fn-rtn"><a href="#fn22-rf"><span class="wb-inv">Return to footnote</span>22<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 23</dt> <dd id="fn23"> <p>“<a href="https://www.spambrella.com/geopolitical-influence-on-ransomware-trends-risks/">Geopolitical Influences on Ransomware: Trends and Risks</a>,” Spambrella.</p> <p class="fn-rtn"><a href="#fn23-rf"><span class="wb-inv">Return to footnote</span>23<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 24</dt> <dd id="fn24"> <p>“<a href="https://www.cyber.gc.ca/en/guidance/cyber-threat-bulletin-cyber-threat-activity-related-russian-invasion-ukraine">Cyber threat bulletin, Cyber threat activity related to the Russian invasion of Ukraine</a>,” Canadian Centre for Cyber Security, July 14, 2022.</p> <p class="fn-rtn"><a href="#fn24-rf"><span class="wb-inv">Return to footnote</span>24<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 25</dt> <dd id="fn25"> <p>Daryna Antoniuk, “<a href="https://therecord.media/iran-ransomware-group-pay2keyi2p-israel-us-targets">Iranian ransomware group offers bigger payouts for attacks on Israel, US</a>,” The Record, July 8, 2025.</p> <p class="fn-rtn"><a href="#fn25-rf"><span class="wb-inv">Return to footnote</span>25<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 26</dt> <dd id="fn26"> <p>Daryna Antoniuk, “<a href="https://therecord.media/akira-ransomware-early-victims-conti-links">Akira ransomware compromised at least 63 victims since March, report says</a>,” The Record, July 26, 2023.</p> <p class="fn-rtn"><a href="#fn26-rf"><span class="wb-inv">Return to footnote</span>26<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 27</dt> <dd id="fn27"> <p>Steven Campbell, Akshay Suthar, Connor Belfiore, “<a href="https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/">Conti and Akira: Chained Together</a>,” July 26, 2023.</p> <p class="fn-rtn"><a href="#fn27-rf"><span class="wb-inv">Return to footnote</span>27<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 28</dt> <dd id="fn28"> <p>Ionut Arghire, “<a href="https://www.securityweek.com/akira-ransomware-drops-30-victims-on-leak-site-in-one-day/">Akira Ransomware Drops 30 Victims on Leak Site in One Day</a>,” November 19, 2024; Morgan Demboski, “<a href="https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/">Akira, again: The ransomware that keeps on taking</a>,” Sophos, December 21, 2023.</p> <p class="fn-rtn"><a href="#fn28-rf"><span class="wb-inv">Return to footnote</span>28<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 29</dt> <dd id="fn29"> <p>Ionut Arghire, “<a href="https://www.securityweek.com/fbi-aware-of-900-organizations-hit-by-play-ransomware/">FBI Aware of 900 Organizations Hit by Play Ransomware</a>,” Security Week, June 5, 2025.</p> <p class="fn-rtn"><a href="#fn29-rf"><span class="wb-inv">Return to footnote</span>29<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 30</dt> <dd id="fn30"> <p>Cj Arsley Mateo, Darrel Tristan Virtusio, Sarah Pearl Camiling, Andrei Alimboyao, Nathaniel Morales, Jacob Santos, Earl John Bareng, “<a href="https://www.trendmicro.com/en_ca/research/24/g/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-p.html">Play Ransomware Group’s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma</a>,” Trend Micro, July 19, 2024.</p> <p class="fn-rtn"><a href="#fn30-rf"><span class="wb-inv">Return to footnote</span>30<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 31</dt> <dd id="fn31"> <p>James Coker, “<a href="https://www.infosecurity-magazine.com/news/medusa-claims-victims-2025/">Medusa Ransomware Claims 40+ Victims in 2025, Confirmed Healthcare Attacks</a>,” Inforsecurity Magazine, March 7, 2025; Jonathan Grieg, “<a href="https://therecord.media/medusa-ransomware-targeting-critical-infrastructure-orgs">CISA: More than 300 critical infrastructure orgs attacked by Medusa ransomware</a>,” The Record, March 12, 2025.</p> <p class="fn-rtn"><a href="#fn31-rf"><span class="wb-inv">Return to footnote</span>31<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 32</dt> <dd id="fn32"> <p>“<a href="https://www.cyber.gc.ca/en/guidance/introduction-cyber-threat-environment#defn-intellectual-property">An introduction to the cyber threat environment</a>,” Canadian Centre for Cyber Security, October 28, 2022.</p> <p class="fn-rtn"><a href="#fn32-rf"><span class="wb-inv">Return to footnote</span>32<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 33</dt> <dd id="fn33"> <p>“<a href="https://www23.statcan.gc.ca/imdb/p2SV.pl?Function=getSurvey&amp;SDDS=5244">Canadian Survey of Cyber Security and Cybercrime</a>,” Public Safety, October 18, 2024.</p> <p class="fn-rtn"><a href="#fn33-rf"><span class="wb-inv">Return to footnote</span>33<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 34</dt> <dd id="fn34"> <p>“<a href="https://www.ncsc.gov.uk/whitepaper/ransomware-extortion-and-the-cyber-crime-ecosystem">Ransomware, extortion and the cyber crime ecosystem</a>,” National Cyber Security Centre, September 11, 2023.</p> <p class="fn-rtn"><a href="#fn34-rf"><span class="wb-inv">Return to footnote</span>34<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 35</dt> <dd id="fn35"> <p>“<a href="https://www.getcybersafe.gc.ca/en/protect-your-business-against-ransomware#A">Protect your business against ransomware</a>,” Get Cyber Safe, January 14, 2025.</p> <p class="fn-rtn"><a href="#fn35-rf"><span class="wb-inv">Return to footnote</span>35<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 36</dt> <dd id="fn36"> <p>“<a href="https://www.cyber.gc.ca/en/guidance/ransomware-how-prevent-and-recover-itsap00099#devices">Ransomware: How to prevent and recover</a>,” Canadian Centre for Cyber Security, April 18, 2024.</p> <p class="fn-rtn"><a href="#fn36-rf"><span class="wb-inv">Return to footnote</span>36<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 37</dt> <dd id="fn37"> <p>Anne Neuberger, “<a href="https://www.ft.com/content/3b172a2a-4be5-4ef4-87cb-7fdcdee2ad99">The ransomware battle is shifting – so should our response</a>,” Financial Times, October 4, 2024; “<a href="https://www.marsh.com/en/services/cyber-risk/insights/ransomware-a-persistent-challenge-in-cyber-insurance-claims.html">Ransomware: A persistent challenge in cyber insurance claims</a>,” Marsh, June 11, 2024.</p> <p class="fn-rtn"><a href="#fn37-rf"><span class="wb-inv">Return to footnote</span>37<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 38</dt> <dd id="fn38"> <p>Celina Aalders, “<a href="https://www.cbc.ca/news/canada/nova-scotia/cybersecurity-official-weighs-in-on-nova-scotia-power-breach-1.7560875">Canada’s cybersecurity head offers rare insight into Nova Scotia Power breach</a>,” June 14, 2025.</p> <p class="fn-rtn"><a href="#fn38-rf"><span class="wb-inv">Return to footnote</span>38<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 39</dt> <dd id="fn39"> <p>Brenda Robb, “<a href="https://www.blackfog.com/understanding-ransomware-decryptors-and-how-they-can-be-used/#toc_What_Is_a_Ransomware_Decryptor_and_How_Does">Understanding Ransomware Decryptors and How They Can Be Used</a>,” BlackFog, July 24, 2025.</p> <p class="fn-rtn"><a href="#fn39-rf"><span class="wb-inv">Return to footnote</span>39<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 40</dt> <dd id="fn40"> <p>“<a href="https://www.group-ib.com/resources/knowledge-hub/dedicated-leak-sites/">Dedicated Leak Sites (DLS): Here’s what you should know</a>,” Group-IB.</p> <p class="fn-rtn"><a href="#fn40-rf"><span class="wb-inv">Return to footnote</span>40<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 41</dt> <dd id="fn41"> <p>“<a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf">Security and Privacy Controls for Information Systems and Organizations</a>,” National Institute of Standards and Technology.</p> <p class="fn-rtn"><a href="#fn41-rf"><span class="wb-inv">Return to footnote</span>41<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 42</dt> <dd id="fn42"> <p>“<a href="https://csrc.nist.gov/glossary/term/generative_artificial_intelligence">Computer Security Resource Center Glossary</a>,” National Institute of Standards and Technology.</p> <p class="fn-rtn"><a href="#fn42-rf"><span class="wb-inv">Return to footnote</span>42<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 43</dt> <dd id="fn43"> <p>Sule Tatar, “<a href="https://arcticwolf.com/resources/glossary/what-are-initial-access-brokers/">Initial Access Brokers</a>,” Arctic Wolf.</p> <p class="fn-rtn"><a href="#fn43-rf"><span class="wb-inv">Return to footnote</span>43<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 44</dt> <dd id="fn44"> <p>“<a href="https://csrc.nist.gov/glossary/term/tactics_techniques_and_procedures">Computer Security Resource Center Glossary</a>,” National Institute of Standards and Technology.</p> <p class="fn-rtn"><a href="#fn44-rf"><span class="wb-inv">Return to footnote</span>44<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></div> </div> </div> </div> </div> </article>

Drones are mobile vehicle systems that can function with varying degrees of autonomy from human operators. Depending on their design and function, they may also be called remotely operated systems, remotely piloted aircraft systems, or uncrewed ground/underwater vehicles. Understanding the risks associated with the use of drones for business or operational purposes will enhance your organization’s ability to protect your systems, data, and networks.

This publication provides guidance on the actions you should take in the critical moments after a compromise is detected to lessen the impact on your organization.

<article data-history-node-id="7066" about="/en/guidance/improving-cyber-security-resilience-through-emergency-preparedness-planning-itsm10014" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>January 2026</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.10.014</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>January 2026 | Management series</strong></p> </div> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsm.10.014-improving-cyber security-resilience-emergency-preparedness-e.pdf">Improving cyber security resilience through emergency preparedness planning – ITSM.10.014 (PDF, 695 KB)</a></p> </div> <h2 class="text-info mrgn-tp-0">Foreword</h2> <p>This is an <span class="text-uppercase">unclassfied</span> publication that has been issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre). For more information, contact the Cyber Centre:</p> <p><span class="glyphicon glyphicon-envelope"></span><span class="wb-inv">email</span> <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a> |<span class="glyphicon glyphicon-phone"></span><span class="wb-inv">Mobile</span> <a href="tel:613-949-7048">613-949-7048</a> or <a href="tel:+1-833-292-3788">1<span>‑</span>833<span>‑</span>CYBER<span>‑</span>88</a></p> <h2 class="text-info">Effective date</h2> <p>This publication takes effect on January 2026.</p> <h2 class="text-info">Revision history</h2> <ol><li>First release: January 2026</li> </ol></div> </div> <section><h2 class="text-info">Overview</h2> <p>Cyber emergency preparedness is the practice of ensuring that your organization has a strategy to prevent, respond to, and recover from cyber incidents. Implementing a cyber emergency preparedness strategy requires a collaborative effort from stakeholders across your organization. Your strategy should highlight key aspects of your emergency procedures, such as the steps your organization will take to respond to an incident, who will be contacted in case of an incident, and what resources will be required to carry out your overall plan. A cyber emergency preparedness strategy will help your organization to manage risks and improve resilience in the face of catastrophic events.</p> <p>This publication describes emergency preparedness, related to cyber security, as a strategy that encompasses an incident response plan (IRP), a business continuity plan (BCP), and a disaster recovery plan (DRP). The difference between these 3 plans is detailed in this publication, along with the justification for why your organization should develop and implement all 3 plans to improve your cyber resilience and ability to maintain business operations amid an incident or a major disruption.</p> <p>Your emergency preparedness plan should align with a relevant security risk management framework, such as:</p> <ul><li>the Cyber Centre <a href="/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33"><abbr title="information technology">IT</abbr> Security Risk Management: A Lifecycle Approach (ITSG-33)</a></li> <li>the National Institute of Standards and Technology (NIST) <a href="https://www.nist.gov/cyberframework">Cyber Security Framework</a></li> <li>the International Organization for Standardization (ISO) <a href="https://www.iso.org/standard/75652.html">ISO/IEC 27002:20122 Information security, cybersecurity and privacy protection — Information security controls</a></li> </ul><p>Integrating your emergency preparedness plan into your organization’s security framework will help improve your cyber security resiliency and provide the security assurances of confidentiality, integrity, and availability for your business assets.</p> <p>We recommend that you report cyber incidents to the Cyber Centre using our online reporting tool. We can provide your organization with cyber security advice, guidance, and services to help mitigate the impact of cyber incidents and better protect your organization from future incidents. We also encourage you to report cybercrime activities to law enforcement and fraud to the <a href="https://antifraudcentre-centreantifraude.ca/index-eng.htm">Canadian Anti-Fraud Centre</a>.</p> </section><section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul><li><a href="#emergency-prep">1. Introduction to emergency preparedness</a> <ul><li><a href="#benefits-emergency-prep">1.1 Benefits of an emergency preparedness plan</a></li> <li><a href="#comparing-recovery">1.2 Comparing incident response, business continuity, and disaster recovery</a></li> </ul></li> <li><a href="#incident-response">2. Incident response planning</a> <ul><li><a href="#incident-response-considerations">2.1 What to consider before creating an incident response plan</a></li> <li><a href="#additional-consider-ot">2.2 Additional considerations for operational technology</a></li> <li><a href="#creating-incident-response">2.3 Guidance for creating an incident response plan</a></li> <li><a href="#steps-incident-response">2.4 Main steps in an incident response plan</a></li> </ul></li> <li><a href="#buisness-continuity-planning">3. Business continuity planning</a> <ul><li><a href="#disruptions-organisation">3.1 Main disruptions that can affect your organization</a></li> <li><a href="#buisness-continuity-development">3.2 Steps to developing your business continuity plan</a></li> </ul></li> <li><a href="#disaster-recovery">4. Disaster recovery plan</a> <ul><li><a href="#key-disaster-recovery">4.1 Key elements of a disaster recovery plan</a></li> <li><a href="#disaster-recovery-strategies">4.2 Types of disaster recovery strategies</a></li> </ul></li> <li><a href="#summary">5. Summary</a></li> </ul></details></section><!– Figure or header inclusion? –><section><h2 class="text-info" id="emergency-prep">1 Introduction to emergency preparedness</h2> <p>You should strive to improve your organization’s cyber security posture and resilience by proactively preparing for incidents and disruptions to anticipate and minimize operational downtime, financial losses, and reputational damage.</p> <p>Your cyber emergency preparedness strategy should include 3 comprehensive plans:</p> <ul><li>incident response plan (IRP)</li> <li>business continuity plan (BCP)</li> <li>disaster recovery plan (DRP)</li> </ul><p>This publication focuses on emergency preparedness activities related mainly to the recovery and restoration of tangible and intangible technology assets that are used for business operations and can be adversely affected by a cyber event.</p> <p>Although this publication focuses on cyber security, the recommendations align with Public Safety Canada’s (PSC) <a href="https://www.publicsafety.gc.ca/cnt/mrgnc-mngmnt/index-en.aspx">Emergency Management guidance</a> and <a href="https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/2017-mrgnc-mngmnt-frmwrk/index-en.aspx">Emergency Management Framework for Canada</a>. Through national leadership in the development and implementation of policies, plans, and a range of programs, <abbr title="Public Safety Canada">PSC</abbr>’s emergency management guidance helps Canadians protect themselves from various emergencies and disasters. <abbr title="Public Safety Canada">PSC</abbr>’s approach to emergency management is based on work in 4 related areas:</p> <ul><li>prevention and mitigation</li> <li>emergency preparedness</li> <li>response to emergency events</li> <li>recovery from disasters</li> </ul><p>The <abbr title="Public Safety Canada">PSC</abbr> framework aims to guide and strengthen the way governments and partners assess risks and work together to prevent, mitigate, prepare for, respond to, and recover from the threats and hazards that pose the greatest risk to Canadians. Building on the framework, <abbr title="Public Safety Canada">PSC</abbr>’s <a href="https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/mrgncy-mngmnt-strtgy/index-en.aspx">Emergency Management Strategy for Canada: Toward a Resilient 2030</a> identifies federal, provincial, and territorial priorities that will strengthen Canada’s resilience by 2030. Potential threats include natural disasters, such as forest fires, and human-induced disasters, such as hazardous material spills. We recommend that you develop emergency preparedness strategies for these other types of threats as well.</p> <!– Sub section –> <div> <h3 id="benefits-emergency-prep">1.1 Benefits of an emergency preparedness plan</h3> <p>Disruption due to unforeseen events can have devastating impacts on your organization and its cyber security posture. Having a comprehensive cyber security emergency preparedness plan can:</p> <ul><li>lessen the severity of disruption and damage to business operations and services</li> <li>minimize recovery time and allow for rapid restoration of services</li> <li>improve security</li> <li>minimize the financial impact of the disruption</li> <li>prevent reputational damage</li> <li>potentially prevent regulatory or legal penalties, when an emergency preparedness plan is mandatory</li> <li>offer alternative ways to continue operations</li> <li>train and educate employees on emergency procedures</li> <li>help identify incidents and deploy rapid restoration of services</li> </ul></div> <!– sub section –> <div> <h3 id="comparing-recovery">1.2 Comparing incident response, business continuity, and disaster recovery</h3> <p>The 3 comprehensive plans involved in your cyber emergency preparedness strategy are your <abbr title="incident response plan">IRP</abbr>, <abbr title="business continuity plan">BCP</abbr>, and <abbr title="disaster recovery plan">DRP</abbr>. This section will compare all 3 plans and highlight the differences between each.</p> <div><!– sub sub section –> <h4>1.2.1 Incident response plan</h4> <p>An <abbr title="incident response plan">IRP</abbr> includes the processes, procedures, and documentation related to how your organization detects, responds to, and recovers from a specific incident. The plan will help minimize your organization’s downtime and overall business disruptions when faced with an incident. A robust <abbr title="incident response plan">IRP</abbr> covers various types of incidents that could impact your organization and provides step-by-step guidance on how to handle an incident, mitigate the related risks, and recover quickly. Some examples of cyber incidents that can impact your organization’s cyber security posture include:</p> <ul><li><strong>ransomware:</strong> when a type of malware locks you out of your files or systems and a threat actor demands that you pay a ransom to regain access. Payment does not guarantee you will regain access to your information</li> <li><strong>data theft:</strong> when threat actors steal information stored on servers and devices</li> <li><strong>active exploitation:</strong> when threat actors take advantage of unpatched software, hardware, or other vulnerabilities to gain control of your systems, networks, and devices</li> </ul></div> <div> <h4>1.2.2 Business continuity plan</h4> <p>A <abbr title="business continuity plan">BCP</abbr> is a specific plan to recover services most critical to an organization’s operations as quickly as possible. It is a proactive plan that describes operational procedures to help organizations ensure they can continue business operations despite a disruption. The <abbr title="business continuity plan">BCP</abbr> will identify the main assets, roles, responsibilities, and processes needed to ensure ongoing operations.</p> <p>Your <abbr title="business continuity plan">BCP</abbr> should be based on your organization’s information technology (IT) threat and risk assessment (TRA) and a business impact analysis (BIA). A <abbr title="business impact analysis">BIA</abbr> will identify the potential impact of different scenarios on your business operations. For example, a <abbr title="business impact analysis">BIA</abbr> should address the following questions:</p> <ul><li>What resources and activities are critical to continuing your business operations?</li> <li>How long can you stop operations without causing significant damage to your business?</li> <li>What are the financial implications of these interruptions?</li> </ul><p>A <abbr title="business impact analysis">BIA</abbr> outlines the projected financial costs associated with different disruptions (where applicable) so that you can make informed investments in the prevention and mitigation strategies described in your <abbr title="business continuity plan">BCP</abbr>.</p> </div> <div> <h4>1.2.3 Disaster recovery plan</h4> <p>A <abbr title="disaster recovery plan">DRP</abbr> is a formal document that defines a set of procedures and processes and the specific roles and responsibilities of key members to return the organization to its normal state after a large event.</p> <p>Most <abbr title="disaster recovery plans">DRPs</abbr> include a shift in the physical location of either server-side infrastructure (for example, changing data centres) or client-side endpoints (for example, changing offices), depending on which side suffered the disaster (for example, data centre flood or office evacuation). A <abbr title="disaster recovery plan">DRP</abbr> should also specify recovery objectives for all critical assets and steps to reduce the loss or impact to the organization.</p> <p>A <abbr title="disaster recovery plan">DRP</abbr> encompasses the main principles of an <abbr title="incident response plan">IRP</abbr> and a <abbr title="business continuity plan">BCP</abbr> and can provide guidance on what plan to execute based on the type of disruption or incident.</p> </div> <div> <h4>1.2.4 Main difference between each type of plan</h4> <p><abbr title="incident response plans">IRPs</abbr>, <abbr title="business continuity plans">BCPs</abbr>, and <abbr title="disaster recovery plans">DRPs</abbr> have much in common since they are all meant to improve your organization’s resilience, minimize impact, and keep operations running. However, they do have some key differences.</p> <p>An <strong><abbr title="incident response plan">IRP</abbr></strong> is event focused and specific to a security incident, such as a cyber attack, affecting an organization. It defines the roles and responsibilities and identifies the scope of action required to mitigate an incident (for example, a data breach, a ransomware attack, or a phishing attack). <abbr title="incident response plans">IRPs</abbr> will assist your incident response team in reducing organizational downtime.</p> <p>A <strong><abbr title="business continuity plan">BCP</abbr></strong> is a specific plan to quickly resume only the most critical operations, as defined by the <abbr title="business impact analysis">BIA</abbr>, in the event of a disaster. It will typically address which services to prioritize, identify the critical staff required to run those services, and identify an offsite location from which to set up temporary operations.</p> <p>A <strong><abbr title="disaster recovery plan">DRP</abbr></strong> is a holistic plan to return your organization to full operations after a disaster. It will address various types of disruptions, such as natural hazards, hardware and power outages, and cyber attacks.</p> <p>Each of these 3 plans share the following elements that are essential to successful identification, management, response, and recovery during an event or incident:</p> <ul><li>identifying a designated point of contact and designated team members and their alternates (in case of absences), and listing their specific roles and responsibilities</li> <li>scheduling periodic reviews to identify potential gaps in the plan and areas that need improvement</li> <li>scheduling testing for the plans by performing simulated disruptions to ensure that any gaps are fixed</li> </ul><p>Implementing these 3 plans will enhance your cyber security posture. Ensuring that you implement additional preventative security measures, such as patching and updating your <abbr title="information technology">IT</abbr> assets, will reduce your organization’s vulnerabilities and add to your incident preparedness. These additional security measures can help your organization avoid costly downtime and interruptions to your operations. In addition to developing and updating an <abbr title="incident response plan">IRP</abbr>, <abbr title="business continuity plan">BCP</abbr>, and <abbr title="disaster recovery plan">DRP</abbr>, we encourage you to enhance your cyber security posture in the following ways:</p> <ul><li>segment your networks to stop traffic from flowing to sensitive or restricted zones</li> <li>deploy firewalls to prevent unauthorized outside sources from accessing your system’s resources or moving data from one area of your network to another</li> <li>install anti-virus and anti-malware software to protect your perimeter</li> <li>update and apply patches to operating systems, software, and firmware</li> </ul></div> <!– two divs should close –></div> </section><!– top of page –><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <p><span class="clearfix"></span></p> <section><h2 class="text-info" id="incident-response">2 Incident response planning</h2> <p>Cyber threats can greatly impact your network, systems, and devices. When you have a proper plan, you will be prepared to handle incidents when they happen, mitigate the threats and associated risks, and recover quickly.</p> <p>This section will describe the preliminary elements that will help you better understand what is required to create an <abbr title="incident response plan">IRP</abbr> that is tailored to your organization. We will identify the main steps that you should consider when developing your cyber security <abbr title="incident response plan">IRP</abbr> and reference reputable guidance documentation that can assist you in developing your plan.</p> <!– sub section –> <div> <h3 id="incident-response-considerations">2.1 What to consider before creating an incident response plan</h3> <p>Developing a step-by-step <abbr title="incident response plan">IRP</abbr> can be time consuming and feel overwhelming. Although your plan will be tailored to your organization’s size, business operations, and security requirements, here are some preliminary and standard elements that organizations and businesses of all sizes should consider:</p> <!– sub sub-section –> <div> <h4>2.1.1 Conduct a threat and risk assessment</h4> <p>A <abbr title="threat and risk assessment">TRA</abbr> is a critical tool for understanding the different threats to your <abbr title="information technology">IT</abbr> systems, determining the level of risk these systems are exposed to, and recommending the appropriate level of protection.</p> <p>Before you create an <abbr title="incident response plan">IRP</abbr>, your organization should conduct a <abbr title="threat and risk assessment">TRA</abbr>. The first step to a <abbr title="threat and risk assessment">TRA</abbr> is identifying all your critical assets. Once this has been done, rank the assets according to their importance, value, and risk level. This will allow you to create a budget and identify the tools and resources required to protect your valuable assets.</p> <p>As previously mentioned, there are various types of incidents to consider when developing your <abbr title="incident response plan">IRP</abbr>. Your plan should map out a variety of incident response scenarios to address the different types of threats. Conducting a <abbr title="threat and risk assessment">TRA</abbr> will help you identify the risks and potential threats to your organizational assets, as well as the likelihood and impact of a compromise.</p> </div> <!– closing sub sub-section –> <div> <h4>2.1.2 Create a response team</h4> <p>Identify who has the qualifications to be on your response team and ensure that they understand their roles. Your response team should include employees with various qualifications and have cross-functional support from other business lines. The main goal of the response team is to coordinate resources to minimize the impact of the incident and resume business operations as soon as possible. The response team is responsible for assessing, documenting, and responding to incidents. They are also responsible for restoring your systems, recovering information, and reducing the risk of the incident reoccurring.</p> </div> <!– close sub sub-section –> <div> <h4>2.1.3 Develop policies and procedures</h4> <p>Your incident response activities need to align with your organization’s policy and compliance requirements. Your organization should develop an incident response policy that establishes the authorities, roles, and responsibilities for your incident response processes and procedures. This policy should be approved by your organization’s senior management and executives. Over time, your policies will need to be reviewed and adjusted based on your organization’s business requirements.</p> </div> <!– close sub sub-section –> <div> <h4>2.1.4 Create your communications plan</h4> <p>Your communications plan should detail how, when, and with whom your team communicates. It should also identify who is responsible for these communications. The communications plan should include a central point of contact for employees to report suspected or known incidents, and alternate methods of communication in case the primary method is impacted by the incident. Many organizations prefer to use a designated individual to communicate with the press and public during incident recovery.</p> <p>Your notification procedures are critical to the success of your incident response. Identify the key internal and external stakeholders who need to be notified during an incident. You may need to alert third parties, such as clients, suppliers, vendors, and managed service providers. Depending on the incident, you may also need to contact law enforcement or your regulating body if applicable, or consult with a lawyer for advice.</p> <p>You may also be required to report the incident to the Office of the Privacy Commissioner of Canada (OPC) or the appropriate privacy legislation to which your organization is subject. For example, if your organization is subject to the <abbr title="Office of the Privacy Commissioner of Canada">OPC</abbr>’s <em><a href="https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/">Personal Information Protection and Electronic Documents Act (PIPEDA)</a></em>, you are required to:</p> <ul><li>report to the <abbr title="Office of the Privacy Commissioner of Canada">OPC</abbr> breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals</li> <li>notify affected individuals about those breaches</li> <li>keep records of all breaches</li> </ul><p>The <abbr title="Office of the Privacy Commissioner of Canada">OPC</abbr>’s <a href="/en/privacy-topics/business-privacy/breaches-and-safeguards/privacy-breaches-at-your-business/gd_pb_201810/">What you need to know about mandatory reporting of breaches of security safeguards</a> provides an overview of what you need to know about these obligations.</p> </div> <!– sub sub-section –> <div> <h4>2.1.5 Educate your employees</h4> <p>Update your employees on current incident response planning and execution. Tailor your training programs to your organization’s business needs and requirements, as well as to your employees’ roles and responsibilities. Run a tabletop exercise with the key employees identified in the plan. Your employees’ cooperation can reduce the length of response time and facilitate the implementation of your <abbr title="incident response plan">IRP</abbr>. Employees should also be trained on how to identify and report cyber attacks such as phishing emails, spear phishing attacks, and social engineering efforts.</p> </div> </div> <!– subsection close –> <div> <h3 id="additional-consider-ot">2.2 Additional considerations for operational technology</h3> <p>Organizations that manage operational technology (OT) need to address and mitigate the risks associated with incidents that can lead to unplanned outages and impacts to both their <abbr title="information technology">IT</abbr> systems and their <abbr title="operational technology">OT</abbr> systems.</p> <p><abbr title="operational technology">OT</abbr> and industrial control systems (ICS) can add complexity to the environment and have unique constraints that need to be addressed. For example, many <abbr title="industrial control systems">ICS</abbr> are deployed without robust security controls and must run continuously, even though they use unsecure protocols and architectures. Maintaining older equipment can be challenging and vendors are often unable to provide replacements for vulnerable hardware or software, which can make it difficult to prevent and respond to <abbr title="industrial control systems">ICS</abbr> incidents.</p> <p>The following 3 Cyber Centre publications provide security advice to organizations that manage <abbr title="operational technology">OT</abbr> systems, <abbr title="industrial control systems">ICS</abbr>, and critical infrastructure:</p> <ul><li><a href="/en/guidance/protect-your-operational-technology-itsap00051">Protect your operational technology (ITSAP.00.051)</a></li> <li><a href="/en/guidance/security-considerations-industrial-control-systems-itsap00050">Security considerations for industrial control systems (ITSAP.00.050)</a></li> <li><a href="/en/guidance/security-considerations-critical-infrastructure-itsap10100">Security considerations for critical infrastructure (ITSAP.10.100)</a></li> </ul><p>To learn more, read the additional guidance in PSC’s <a href="https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/dvlpng-ndnt-rspns-pln/index-en.aspx#a1">Developing an Operational Technology and Information Technology Incident Response Plan</a>. This publication provides organizations that operate a component of <abbr title="operational technology">OT</abbr> in their environment with a framework that can be used to develop a joint <abbr title="information technology">IT</abbr>/<abbr title="operational technology">OT</abbr> cyber incident response plan (CIRP). The <abbr title="cyber incident response plan">CIRP</abbr> is intended to be appropriate for organization-specific business needs. The document provides a baseline approach to developing a <abbr title="cyber incident response plan">CIRP</abbr>, with specific factors to consider based on your organization’s size, function, location, and sector.</p> <p>When conducting a <abbr title="threat and risk assessment">TRA</abbr> on <abbr title="operational technology">OT</abbr> systems, it is important to consider the threats to these systems, the impact of systems vulnerabilities, and the types of risks that can cause disruptions to the operating environment.</p> <p>Here are some examples of <abbr title="operational technology">OT</abbr> vulnerabilities to consider:</p> <ul><li><strong>obsolete systems:</strong> systems and components that are no longer supported with updates by the manufacturer</li> <li><strong>unpatched software and firmware:</strong> leaves systems and devices vulnerable to known threats</li> <li><strong>peripherals:</strong> external connected devices that can be exploited to compromise systems and networks</li> </ul><p><abbr title="operational technology">OT</abbr> design typically prioritizes availability and process repeatability and reliability over data security. Compromised <abbr title="operational technology">OT</abbr> systems and devices can put critical processes at risk of failure. <abbr title="operational technology">OT</abbr> compromises can lead to the following impacts on your organization:</p> <ul><li>major accidents and disasters, like injury or loss of life</li> <li>malfunctioning equipment and disrupted processes and deliverables</li> <li>compromised intellectual property and sensitive information</li> <li>lost revenue from disrupted processes, costly repairs, or paid ransom</li> <li>damaged organizational credibility</li> <li>compromised security measures, such as emergency services</li> </ul><p>The failure of an <abbr title="operational technology">OT</abbr> device could impact an entire industrial process and the safety of operators and the wider public. Destruction and loss of services could cause serious damage to high-value systems, processes, and infrastructure.</p> <p>When developing an <abbr title="incident response plan">IRP</abbr>, it is important for organizations that are managing <abbr title="operational technology">OT</abbr> systems to understand the unique implications affecting them. This will allow for better preparation and defence against future <abbr title="information technology">IT</abbr> and <abbr title="operational technology">OT</abbr> incidents and disruptions. Choose a response team that has the capabilities and resources required to address and mitigate the risks associated with <abbr title="operational technology">OT</abbr> incidents.</p> </div> <div> <h3 id="creating-incident-response">2.3 Guidance for creating an incident response plan</h3> <p>This section references trusted resources to help you develop your <abbr title="incident response plan">IRP</abbr>. For an introduction on incident response planning, preliminary requirements, and to understand why it is important for your organization, read the Cyber Centre’s <a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Developing your incident response plan (ITSAP.40.003)</a>.</p> <p>The Cybersecurity and Infrastructure Security Agency’s <a href="https://www.cisa.gov/sites/default/files/2024-08/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf">Cybersecurity Incident &amp; Vulnerability Response Playbooks (PDF)</a> present one playbook for incident response and one for vulnerability response. The playbooks provide a standard set of operating procedures for responding to and recovering from incidents and vulnerabilities affecting systems, data, and networks.</p> <p>For additional guidelines on incident management, read <a href="https://www.iso.org/standard/67851.html">ISO 22320:2018 Security and resilience — Emergency management — Guidelines for incident management</a>. This document is applicable to any organization and provides guidance on how to handle incidents of any type and scale.</p> <p>The 2 most-used incident response frameworks were created by the <abbr title="National Institute of Standards and Technology">NIST</abbr> and SysAdmin, Audit, Network, and Security (SANS) Institute:</p> <ul><li>The <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-61: Computer Security Incident Handling Guide (PDF)</a> is a 4-step process for incident response and it is defined as a cyclical process where ongoing improvements are made to the plan based on lessons learned throughout the incident lifecycle. The <abbr title="National Institute of Standards and Technology">NIST</abbr> incident response steps are: <ul><li>Preparation</li> <li>Detection and analysis</li> <li>Containment, eradication, and recovery</li> <li>Post-incident activity</li> </ul></li> <li>The <a href="https://www.sans.org/white-papers/33901"><abbr title="SysAdmin, Audit, Network, and Security">SANS</abbr> Institute’s Incident Handler’s Handbook</a> provides a structured 6-step process for incident response. It outlines the foundation required for organizations to build upon when developing their own incident response policies, standards, and roles and responsibilities for their response team. The 6 steps for incident response planning described in the handbook are: <ul><li>Preparation</li> <li>Identification</li> <li>Containment</li> <li>Eradication</li> <li>Recovery</li> <li>Lessons learned</li> </ul></li> </ul><p>The main difference between these 2 frameworks is that <abbr title="National Institute of Standards and Technology">NIST</abbr> combines containment, eradication, and recovery into one step, whereas the <abbr title="SysAdmin, Audit, Network, and Security">SANS</abbr> Institute framework separates them into individual steps. The reason for this is that <abbr title="National Institute of Standards and Technology">NIST</abbr> believes these 3 components may sometimes overlap and need to be addressed in conjunction with one another.</p> </div> <div> <h3 id="steps-incident-response">2.4 Main steps in an incident response plan</h3> <p>Having an <abbr title="incident response plan">IRP</abbr> helps your organization handle incidents, mitigate threats and associated risks, and recover quickly. In this section, we will outline the main steps of an <abbr title="incident response plan">IRP</abbr> and specific actions your organization will take to develop your <abbr title="incident response plan">IRP</abbr>.</p> <div> <h4>2.4.1 Preparation</h4> <p>The preparation phase should begin before the incident occurs. This is when you will need to establish the right tools and resources to implement your <abbr title="incident response plan">IRP</abbr>. This phase requires periodic reviewing and updating to address new emerging threats. In this phase, you should:</p> <ul><li>Perform a <abbr title="threat and risk assessment">TRA</abbr> to identify your most valuable assets that are critical to your business operations, including sensitive or proprietary data <ul><li>Define the type of security incidents that your organization is most likely to face and create detailed response steps for these incidents</li> <li>Implement an <abbr title="information technology">IT</abbr> asset management plan and associated policies to inventory and track all your organization’s <abbr title="information technology">IT</abbr> assets and services</li> <li>Include hardware, software, and data, indicating the level of importance, model and serial number, location, cost to replace, manufacturer, and whether it is owned or requires a subscription renewal, such as when using cloud-based software or software as a service</li> </ul></li> <li>Develop and document your security policies, standards, and procedures supporting incident response</li> <li>Develop and implement a backup plan <ul><li>Determine where you will do full, differential, or incremental backups</li> <li>Ensure your backups are stored offline</li> </ul></li> <li>Create your response team and assign roles and responsibilities to each member <ul><li>Establish a clear chain of command from the start</li> <li>Ensure that your employees are properly trained on how to execute their roles and responsibilities</li> </ul></li> <li>Define your communications plan to ensure that the proper members respond to an incident <ul><li>Include criteria for escalation</li> <li>Identify how key stakeholders and management will be informed throughout the lifecycle of the incident</li> </ul></li> <li>Create and run mock incident drills to evaluate your <abbr title="incident response plan">IRP</abbr> <ul><li>Refine and update protocols and procedures</li> <li>Ensure that the response team understands their roles and responsibilities</li> </ul></li> </ul></div> <!– sub subsection close –> <div> <h4>2.4.2 Detection and analysis</h4> <p>This is the phase where you will determine if your organization has been breached or if any of your systems have been compromised. You will need to analyze the incident and identify its type, its origin, and the extent of damaged caused. This is usually the most challenging phase of the incident response process, but it cannot be overlooked. This step is a prerequisite to containing, analyzing, and eradicating the threat.</p> <p>Incident detection can be done using automated security tools, or by receiving a notification and information from people within your organization or from external sources, such as vendors and service providers. You should create a classification system that will help you triage your response to the threat based on urgency. This will make it easier to isolate your most vulnerable systems and those that are most affected by the threat, ultimately minimizing the damage to your organization. Your organization should also verify the incident to ensure there is a true positive.</p> </div> <div> <h4>2.4.3 Containment</h4> <p>The containment step is critical. The goal is to minimize the immediate impact of the incident and to prevent it from spreading and causing further damage to other systems. This is done by isolating or removing the threat; for example, shutting down a system or replacing it completely, disconnecting it from the network, or disabling certain functions. Ensure you have a redundant system backup so that your data is safeguarded from permanent deletion. Your backup will also help you restore your business operations in a timely manner.</p> <p>Containment strategies and procedures will depend on the type of incident, the degree of damage that the incident can cause, and your operational requirements. Incident containment strategies are easier to implement if they are preestablished in the preparation phase, where your acceptable risk level would have already been defined.</p> <p>If a containment plan is delayed, the threat actor could access and compromise other systems, which could lead to further damage to your organization. The containment step should cover short-term and long-term strategies, and system backups.</p> <p>Here are some questions that can help you decide which containment strategy to implement:</p> <ul><li>What damage does this incident pose to your organization?</li> <li>How important is it to preserve the evidence?</li> <li>How much time and resources are required to implement the strategy?</li> <li>How long can you afford to shut down your systems and stop business operations?</li> <li>How effective is your strategy? Will it offer full or partial containment?</li> </ul></div> <div> <h4>2.4.4 Eradication</h4> <p>Once the incident has been contained, you need to conduct a root cause analysis to identify and remove all elements of the incident from the affected systems to prevent future compromises. The eradication phase will improve your defence strategies based on the lessons learned. In this phase, the following activities should be completed:</p> <ul><li>identify all affected systems, hosts, and services</li> <li>remove all malicious content from affected systems</li> <li>scan and wipe your systems and infected devices to prevent risk of reinfection</li> <li>identify and address all residual attack vectors to ensure other systems are not compromised</li> <li>communicate with all stakeholders to ensure they manage the incident appropriately</li> <li>harden, patch, and upgrade all affected systems</li> <li>upgrade or replace legacy systems</li> </ul></div> <div> <h4>2.4.5 Recovery</h4> <p>In the recovery phase, you will restore the affected systems and reintegrate them into your operating environment. To avoid reinfection after a cyber incident, take precautionary measures such as ensuring all malware is removed before restoring your backups. You will need to test, verify, monitor, and validate the affected systems to ensure they are running effectively. Your organization should revise and update policies, procedures, and training initiatives based on the lessons learned.</p> <p>At this phase, you will need to address the following questions:</p> <ul><li>When can systems be reintegrated into the operating environment?</li> <li>How long will the affected systems be monitored for abnormal behaviour?</li> <li>How will you test your compromised systems to ensure that they are clean?</li> <li>What tools will you use to avoid similar attacks from reoccurring?</li> </ul></div> <div> <h4>2.4.6 Post-incident activities and lessons learned</h4> <p>The goal of this phase is to analyze and document everything you know about the incident. It is important to create follow-up reports that will provide a review of what happened throughout the entire incident handling process. The report will serve as a tool to strengthen your organization’s resilience by identifying ways to improve response efforts, security measures, and components of the incident handling process.</p> <p>To help collect all pertinent information needed to generate the report, a meeting with all incident response members should be held shortly incident recovery to discuss important points, such as:</p> <ul><li>When and why did the incident occur? What triggered it?</li> <li>How did the response team perform? Did they know their roles and responsibilities?</li> <li>Does the incident team need to modify its action plan for future incidents?</li> <li>Were the documented procedures followed and were they successful in handling the incident?</li> <li>Did anything happen that may have delayed or inhibited the recovery process?</li> <li>What information or action plan would have been valuable sooner?</li> <li>How can you improve communication and information sharing with third parties?</li> <li>Can employee training be improved?</li> </ul></div> </div> </section><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <p><span class="clearfix"></span></p> <section><h2 class="text-info" id="buisness-continuity-planning">3 Business continuity planning</h2> <p>A <abbr title="business continuity plan">BCP</abbr> is often considered a subset of the larger <abbr title="disaster recovery plan">DRP</abbr>. It is a formal document containing detailed guidelines on what your organization will need to do to quickly resume critical business operations following an unplanned disaster. Only critical services are included in the <abbr title="business continuity plan">BCP</abbr>. Non-critical functions can be addressed once the incident is fully resolved.</p> <p>The document <a href="https://www.iso.org/standard/75106.html">ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements (ISO 22301)</a> provides a framework to help organizations plan, implement, and maintain a business continuity management plan. ISO 22301 will ensure that organizations of all sizes are able to respond, recover, and continue operations after various disruptions.</p> <p>The publication <a href="https://csrc.nist.gov/CSRC/media/Events/HIPAA-2010-Safeguarding-Health-Information-Buil/documents/2-2b-contingency-planning-swanson-nist.pdf"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-34 Revision 1 – Contingency Planning Guide for Federal Information Systems (PDF)</a> offers guidance to United States federal agencies to evaluate information systems and operations to determine contingency planning requirements and priorities. The publication covers <abbr title="incident response plans">IRPs</abbr>, <abbr title="business continuity plans">BCPs</abbr>, and <abbr title="disaster recovery plans">DRPs</abbr> and can be used as a reference to help organizations develop their response and recovery strategies and procedures.</p> <!– subsection –> <div> <h3 id="disruptions-organisation">3.1 Main disruptions that can affect your organization</h3> <p>Although your <abbr title="business continuity plan">BCP</abbr> should address all types of incidents, the following threats are the most common business disruptors to consider:</p> <ul><li>natural hazards, such as hurricanes, tornadoes, earthquakes, floods, wildfires, and severe storms</li> <li>building fires</li> <li>cyber threats, such as ransomware attacks, data thefts, and distributed denial of service (DDoS) attacks</li> <li>server or utility outages, such as power outages, communication line outages, or water shutoffs</li> <li>equipment failure that can impact operations such as HVAC systems, office equipment, or manufacturing equipment</li> <li>acts of terrorism</li> <li>global pandemics such as disease outbreaks or public health emergencies such as virus outbreaks</li> <li>decreased supply due to manufacturer and vendor shutdowns or disruptions to distribution across the supply chain</li> </ul></div> <div> <h3 id="buisness-continuity-development">3.2 Steps to developing your business continuity plan</h3> <p>In this section, we will discuss the specific areas your organization will need to address when developing a <abbr title="business continuity plan">BCP</abbr>, as well as how you can ensure your <abbr title="business continuity plan">BCP</abbr> will be effective when enacted. A <abbr title="business continuity plan">BCP</abbr> allows organizations to identify their risk from various threats and the impact they would pose to business operations. A <abbr title="business continuity plan">BCP</abbr> is used to ensure organizational resilience and compliance to regulations, policies, and standards. The goal of a <abbr title="business continuity plan">BCP</abbr> is to identify all the resources and procedures required to help organizations continue critical operations and services in the event of a disaster or other disruption.</p> <p>Business continuity planning is a lifecycle approach and requires ongoing reviewing, testing, and updating. The image below, Figure 1: Business continuity planning lifecycle, depicts the 5 key steps to developing and maintaining a <abbr title="business continuity plan">BCP</abbr>.</p> </div> <div> <h3>Figure 1: Business continuity planning lifecycle</h3> <div class="panel-body"> <figure><figcaption class="text-center">Figure 1: Business continuity planning lifecycle</figcaption><img alt="Figure 1 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/itsm.10.014-business-continuity-planning-lifecycle-850×607.jpg" /></figure><details><summary>Long description – Figure 1: Business continuity planning lifecycle</summary><p>Business continuity planning lifecycle describes the 5 steps in the business continuity planning lifecycle</p> <ul><li>Initiate: Identify your organization’s goals and objectives</li> <li>Analyze: Conduct a <abbr title="threat and risk assessment">TRA</abbr> and a <abbr title="business impact analysis">BIA</abbr></li> <li>Develop and implement: Define the strategy, develop the plan, and implement it</li> <li>Communicate and integrate: Communicate your BCP to employees, stakeholders, and partners and integrate it into your organization’s policies</li> <li>Test and validate: Test your plan regularly to ensure that it remains effective and current</li> </ul></details></div> <!– insert image section, will review image as well –><!– long description write up <p> Business continuity planning lifecycle describes the 5 steps in the business continuity planning lifecycle </p> <ul> <li>Initiate: Identify your organization’s goals and objectives</li> <li>Analyze: Conduct a TRA and a BIA</li> <li>Develop and implement: Define the strategy, develop the plan, and implement it</li> <li>Communicate and integrate: Communicate your <abbr title="business continuity plan">BCP</abbr> to employees, stakeholders, and partners and integrate it into your organization’s policies</li> <li>Test and validate: Test your plan regularly to ensure that it remains effective and current</li> </ul> –> <p>The following section describes the 5 stages of the business continuity planning lifecycle.</p> <!– sub subsection start –> <div> <h4>3.2.1 Initiate: Identify the plan’s objectives, goals and response</h4> <p>The main objective of a <abbr title="business continuity plan">BCP</abbr> is to ensure that there is minimal disruption to critical business functions in the event of a disaster or incident. However, depending on your organization’s unique requirements and resources, you may have different objectives and goals. Once you have identified your objectives and goals, make sure that they are clearly communicated and accepted by your organization’s leaders. Your goals will influence your <abbr title="threat and risk assessment">TRA</abbr>, <abbr title="business impact analysis">BIA</abbr>, <abbr title="business continuity plan">BCP</abbr>, and recovery strategies.</p> <p>You will need to identify the key people and processes that will be required to ensure your goals are met. You will also need a communications plan to share these items. Create a management team with members who are knowledgeable about the different operational areas of your organization to evaluate what potential threats can lead to various levels of risks to your organization. The makeup of your team depends on your business continuity objectives and the size of your organization. There should be a designated leader to ensure that all the actions required to develop, implement, modify, and update the plan are being executed.</p> </div> <!– sub subsection close –> <div> <h4>3.2.2 Analyze: Perform the required assessments</h4> <p>After you have identified your goals and objectives, you will need to conduct a detailed <abbr title="threat and risk assessment">TRA</abbr>. It is important that your organization understands where your risks lie and the different threats that could cause interruptions to your business operations. Having this knowledge can help you determine how to reduce, mitigate, and eliminate these risks.</p> <p>Once your organization has identified possible threats, you should conduct a <abbr title="business impact analysis">BIA</abbr> to identify critical and non-critical business operations and systems and how different threats can impact various business areas. A <abbr title="business impact analysis">BIA</abbr> will identify specific threats that can impact financial and operational performance, employees, supply chains, reputation, and resources. These threats should be analyzed to determine the probability of their occurrence and their level of impact. Mitigation strategies that can reduce the likelihood of occurrence and the severity of impact should also be identified.</p> <p>Collaboration is key when conducting a <abbr title="business impact analysis">BIA</abbr>. Managers, key stakeholders, partners, and employees should all be involved in the discussions. This will give you a greater understanding of how a disaster may impact other business functions within the organization. Involving stakeholders and partners will also help them understand the risks to their business operations and identify mitigation strategies.</p> <p>Document all your findings in the <abbr title="threat and risk assessment">TRA</abbr> and <abbr title="business impact analysis">BIA</abbr> so that you can anticipate the cost and resources that will be needed to recover from a disaster or incident.</p> <p>To help you with your <abbr title="threat and risk assessment">TRA</abbr> and <abbr title="business impact analysis">BIA</abbr>, it is recommended that your organization perform a security categorization of your business activities (for example, business processes and related information assets). This helps establish the relative importance of your business activities. At the information system level, security categories of business activities serve as input for establishing security assurance requirements, selecting and tailoring security controls, and conducting <abbr title="threat and risk assessment">TRA</abbr> activities. Security categorization is a process to determine the expected injuries from threat compromise and the level of these expected injuries with respect to the security objectives of confidentiality, integrity, and availability. The result of this process is a security category for a business activity that expresses the highest levels of expected injury for all 3 <abbr title="information technology">IT</abbr> security objectives. For information and guidance on security categorization, read the Cyber Centre’s <a href="/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33"><abbr title="information technology">IT</abbr> security risk management: A lifecycle approach (ITSG-33)</a>.</p> </div> <div> <h4>3.2.3 Develop and implement: Define the strategy and create the plan</h4> <p>Once you have identified the types of risks, threats, and vulnerabilities applicable to your organization, you can begin to develop an effective <abbr title="business continuity plan">BCP</abbr>. Your plan should focus on mitigation strategies for the identified risks that will allow for the resumption of critical business operations. A comprehensive <abbr title="business continuity plan">BCP</abbr> will take each risk identified in the <abbr title="business impact analysis">BIA</abbr> and develop an appropriate response strategy to either minimize its impact on your organization’s stakeholders, operations, and assets or to mitigate it. Here are some key best practices to consider when developing your <abbr title="business continuity plan">BCP</abbr>:</p> <ul><li>identify the members of the response team and provide detailed description of their roles and responsibilities so that they can react swiftly and efficiently</li> <li>develop communication methods and recovery procedures</li> <li>identify an alternative work site and an employee relocation plan</li> <li>consolidate a list of alternate resources and suppliers</li> <li>establish an <abbr title="information technology">IT</abbr> recovery plan with assistance from the Cyber Centre publication <a href="/en/guidance/developing-your-it-recovery-plan-itsap40004">Developing your <abbr title="information technology">IT</abbr> recovery plan (ITSAP.40.004)</a></li> <li>establish policies to be implemented during a disaster, emergency, or incident</li> <li>determine the budget that will need to be allocated to the various activities in your plan</li> <li>identify timeframes in which services and business operations need to be available</li> <li>identify the resources that will be required to ensure prioritization and a quick and relevant response</li> <li>create reports to share with stakeholders</li> <li>provide staff with awareness training and educate them on the various risks and emergency preparedness and response strategies</li> <li>document the plan, validate it, share it with management and organization leaders, and gain their approval</li> <li>store the documented <abbr title="business continuity plan">BCP</abbr> in a secure location that is accessible if the <abbr title="business continuity plan">BCP</abbr> is enacted</li> </ul></div> <div> <h4>3.2.4 Communicate and integrate: Develop policies and communication protocols</h4> <p>Once your <abbr title="business continuity plan">BCP</abbr> has been developed, it should be communicated to your employees and stakeholders and integrated into your organization’s policies. It should be easily accessible to allow the response team to best coordinate their efforts. You should also develop a detailed communications and external public relations plan to provide guidance on how to communicate with staff, investors, and the media to avoid the spread of misinformation.</p> <p>Your <abbr title="business continuity plan">BCP</abbr> should include effective communication strategies for both internal members and external stakeholders. Clear communication within your organization during a crisis will reassure your employees that you are taking the required steps to respond and recover. Communication with external stakeholders, suppliers, and customers is also vital to minimize reputational damage and to maintain your organization’s integrity.</p> <p>The communication process should include protocols and procedures to ensure that the appropriate protective actions are taken and the right people are being alerted. Pre-drafted messages can facilitate and speed up communication in the event of a crisis.</p> </div> <div> <h4>3.2.5 Test and validate: Periodic testing to validate your plan</h4> <p>The risks to your organization are not static and are likely to change over time. Your business operations and priorities may also change. As a result, your <abbr title="business continuity plan">BCP</abbr> must be re-evaluated and tested regularly so that it remains effective and updated. A robust <abbr title="business continuity plan">BCP</abbr> requires continuous improvement with ongoing analysis, testing, validation, and implementation. You should conduct simulations and live exercises to assess your response team’s level of preparedness and to identify weak points. You can choose from various types of exercises to test your plan, such as seminars, tabletop exercises, and live exercises. Use the lessons learned from your exercises and tests to update your <abbr title="business continuity plan">BCP</abbr>. A checklist to ensure that each part of your plan is working properly is also beneficial.</p> <p>Your <abbr title="business continuity plan">BCP</abbr> testing practices should:</p> <ul><li>evaluate awareness and training information and protocols. Ensure that protocols are current and that regular training sessions are offered to employees and response team members</li> <li>test, evaluate, and validate the technical solutions and steps identified in the <abbr title="business continuity plan">BCP</abbr>. Ensure that solutions and steps are still effective and update them if required</li> <li>test, evaluate, and validate the recovery procedures established in the <abbr title="business continuity plan">BCP</abbr>. Ensure that the procedures are aligned with your organization’s current operational and business requirement and threat landscape</li> </ul></div> </div> </section><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <p><span class="clearfix"></span></p> <section><h2 class="text-info" id="disaster-recovery">4 Disaster recovery plan</h2> <p>A <abbr title="disaster recovery plan">DRP</abbr> looks at every aspect of your organization that might be affected, such as assets, infrastructure, human resources, and business partners. Your <abbr title="disaster recovery plan">DRP</abbr> should identify your critical and non-critical business operations. It should include recovery requirements, procedures, and detailed instructions for each critical function. This will ensure the protection of assets and business operations to meet regulatory requirements and minimize downtime.</p> <p>The <abbr title="disaster recovery plan">DRP</abbr> should define strategies to minimize the impact of a disaster and to recover <abbr title="information technology">IT</abbr> assets and services as quickly as possible to ensure continuation of critical operations.</p> <p>A disaster, regardless of its nature, can have devastating impacts on your organization. The longer the recovery time, the greater the potential damage. Therefore, it is important to have a good <abbr title="disaster recovery plan">DRP</abbr> that will ensure a quick recovery, regardless of the type of disaster.</p> <p>A <abbr title="disaster recovery plan">DRP</abbr> should be organized by type of disaster and location and should provide step-by-step instructions that can be easily implemented.</p> <p>The Cyber Centre’s publication Developing your <abbr title="information technology">IT</abbr> recovery plan (ITSAP.40.004) identifies important elements and steps that can assist with the development of your <abbr title="disaster recovery plan">DRP</abbr>. It also describes how a recovery plan can improve your organization’s overall resilience and cyber security posture. Consulting other resources to develop your <abbr title="disaster recovery plan">DRP</abbr>, such as IBM’s <a href="https://www.ibm.com/docs/en/i/7.3.0?topic=system-example-disaster-recovery-plan">Disaster recovery plan template</a> or <a href="https://www.iso.org/standard/27031">SO/IEC 27031:2025 Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity</a> can also be beneficial.</p> <p>In the next section, we will describe the key elements of a <abbr title="disaster recovery plan">DRP</abbr>. As previously mentioned, there are some similarities between an <abbr title="incident response plan">IRP</abbr> and a <abbr title="disaster recovery plan">DRP</abbr>. Although there will be some repetition in the next section, it is important to reiterate these key elements as they shape the <abbr title="disaster recovery plan">DRP</abbr>.</p> <div> <h3 id="key-disaster-recovery">4.1 Key elements of a disaster recovery plan</h3> <p>In this section, we will discuss specific areas that your organization will need to address when developing a <abbr title="disaster recovery plan">DRP</abbr>. These steps will return your organization to full operations after a disaster.</p> <div> <h4>4.1.1 Create a disaster recovery team</h4> <p>The goal of the disaster recovery team is to assess, document, and respond to incidents; restore systems; recover information; and reduce the risk of the incident reoccurring. The plan should clearly identify the name and contact information of the individuals who are responsible for the different areas of the disaster recovery process. This will help streamline communications once recovery efforts are underway.</p> <p>The team members should be well trained on disaster recovery and should understand their respective roles and responsibilities. Members should have various qualifications and cross-functional support from other business lines. Since incidents are unpredictable and require immediate response, designate backup responders to act during any absences when an incident occurs. Critical responsibilities include:</p> <ul><li>identifying a plan owner who will lead the recovery process with the support of organization leaders and managers</li> <li>building a communications plan that addresses key considerations for communicating essential information to key stakeholders and the media</li> <li>implementing systems backup and maintenance to ensure business continuity</li> </ul></div> <div> <h4>4.1.2 Maintain an inventory of all your <abbr title="information technology">IT</abbr> assets and identify the most critical</h4> <p>To have an effective <abbr title="disaster recovery plan">DRP</abbr>, you will need to maintain an accurate and up-to-date inventory of your <abbr title="information technology">IT</abbr> assets. Your inventory should include a list of hardware, software, and information assets, as well as their location. Your assets should be categorized based on their criticality to your business operations. Your most critical assets include sensitive and proprietary data, and assets that are mandatory for your business operations. The criticality should be compared to the risk probability and resiliency of the asset when faced with disasters. This will allow you to better anticipate and manage risks.</p> <p>Your organization should rank assets from most critical to least critical to define the scope of your <abbr title="disaster recovery plan">DRP</abbr>. Ensure that your <abbr title="disaster recovery plan">DRP</abbr> addresses your critical high-risk assets first, including your sensitive data. Sensitive data may be subject to compliance requirements, such as the <a href="https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-privacy-act/"><em>Privacy Act</em></a>, which governs the Government of Canada, or <abbr title="Personal Information Protection and Electronic Documents Act">PIPEDA</abbr>, which covers how private sector organizations handle personal information. Your <abbr title="disaster recovery plan">DRP</abbr> should identify how your sensitive data will be protected and securely backed up.</p> </div> <div> <h4>4.1.3 Understand the risk tolerance of your organization</h4> <p>To support your disaster management and recovery efforts, you should identify and document the potential risks to your organization and your tolerance to these risks. When you understand your risk tolerance, your organization will be better equipped to develop recovery strategies for various disasters. Your <abbr title="disaster recovery plan">DRP</abbr> should include various events, such as natural hazards, power outages, cyber attacks, ransomware, insider threats, and failure of critical equipment.</p> <p>Here are a few key actions to help identify your risks tolerance:</p> <ul><li>list your critical business operations</li> <li>understand your business operations that handle sensitive data</li> <li>identify the assets, including data, that are valuable to your organization</li> <li>know your geographical location and infrastructure; this will help you determine whether you need cloud backup, one or multiple storage sites, and backup servers</li> </ul></div> <div> <h4>4.1.4 Identify critical operations</h4> <p>Your <abbr title="disaster recovery plan">DRP</abbr> should identify what business operations are considered critical to your organization. To help identify your critical operations, consider the following questions:</p> <ul><li>What components of your business are so important that your organization will not survive if immediate access is removed?</li> <li>What sensitive information or data do you store that, if lost or compromised, you would likely face legal repercussions and reputational damage?</li> <li>What patents, intellectual property, or proprietary business information do you need to safeguard to maintain your reputation in the industry and to protect your business?</li> </ul><p>By understanding what is most valuable to your organization, you will be better equipped to implement strategies in your <abbr title="disaster recovery plan">DRP</abbr> that will ensure your organization remains resilient in the event of a disaster.</p> </div> <div> <h4>4.1.5 Develop disaster recovery procedures</h4> <p>A major component of a <abbr title="disaster recovery plan">DRP</abbr> is documented in step-by-step recovery procedures. These procedures will describe how your organization will respond to various disasters. When faced with unexpected catastrophic events, your organization will have very little time to react. Having documented disaster recovery procedures will ensure that your response team knows exactly how to respond to minimize the damage and avoid prolonged downtime. These procedures should cover, at a minimum, the following elements:</p> <ul><li><strong>emergency response procedures</strong> will include the steps required to effectively respond to emergency situations, to help minimize damages to your organization, and to protect your employees</li> <li><strong>business operations backup procedures</strong> will ensure minimal disruption to your organization’s critical business operations</li> <li><strong>procedures identifying disaster recovery actions</strong> will help your organization restore your operating environment, including systems, networks, devices, and important information and data following a disaster</li> </ul></div> <div> <h4>4.1.6 Identifying recovery time objective and recovery point objective</h4> <p>Recovery time objective (RTO) and recovery point objective (RPO) are the metrics used to determine your downtime and data loss tolerance, respectively.</p> <p><abbr title="recovery time objective">RTO</abbr> is the pre-established maximum amount of downtime your organization can tolerate without causing damage. This can be measured in minutes, hours, days, or weeks. <abbr title="recovery time objective">RTO</abbr> is the planned time and level of service needed to meet the system owner’s minimum expectations.</p> <p>You will need to create different <abbr title="recovery time objective">RTO</abbr> categories since some business operations will require shorter recovery time and some may be less critical for the survival of your organization. Important factors to consider when establishing <abbr title="recovery time objective">RTO</abbr> include:</p> <ul><li>cost-benefit analysis related to restoring operations</li> <li>cost for mitigation</li> <li>level of complexity of the recovery process</li> <li>time and resources required to return to normal operations</li> <li>critical asset ranking and risk prioritization for strategic recovery</li> </ul><p><abbr title="recovery point objective">RPO</abbr> is the maximum amount of data your organization can tolerate losing before causing impactful harm. <abbr title="recovery point objective">RPO</abbr> is measured in units of time. It is basically the amount of time from the start of the outage to your last valid data backup.</p> <p>For some organizations, data turnover may be low and an <abbr title="recovery point objective">RPO</abbr> of days or even weeks may be tolerable. For organizations with a high data transaction volume, hours or even minutes of missing data may be intolerable. The <abbr title="recovery point objective">RPO</abbr> can be used as a metric to understand how frequently and where you should be backing up your important data and information. Some transactional databases may be configured to synchronously copy data to disaster recovery sites. This ensures no data is lost, but results in significantly slower transaction speeds and considerable expense.</p> <p>When considering the business impact of a disaster, the sum of the time between the <abbr title="recovery point objective">RPO</abbr> (back in time from the disaster) and the <abbr title="recovery time objective">RTO</abbr> (forward in time from the disaster) gives an idea of how much lost business is designed into the <abbr title="disaster recovery plan">DRP</abbr>. <abbr title="recovery time objectives">RTOs</abbr> and <abbr title="recovery point objectives">RPOs</abbr> should be reviewed and updated regularly since they are likely to change depending on the threat landscape and any changes to your business objectives and operations.</p> </div> <div> <h4>4.1.7 Establish a disaster recovery site</h4> <p>A <abbr title="disaster recovery plan">DRP</abbr> should indicate where your organization’s assets will be relocated if a disaster occurs. Recovery sites are usually in remote locations. They are used to help restore <abbr title="information technology">IT</abbr> infrastructure and other business-critical operations during an incident.</p> <p>It is important that you document the various characteristics of these physical facilities, including location, heating, cooling, power, fire response, and security controls.</p> <p>Establishing a recovery site can be costly. If your organization lacks the financial resources to have its own recovery site, consider engaging a service provider that can host your remote infrastructure, provide a <abbr title="disaster recovery plan">DRP</abbr> in cloud, or provide Disaster Recovery as a Service (DRaaS). We will expand on these options in the next section.</p> <p>There are 3 types of disaster recovery sites to choose from, depending on your business priorities.</p> <!– oh gosh we are really going to level 5 hhh –> <div> <h5>4.1.7.1 Hot sites</h5> <p>A hot site is a fully functional backup site with the same <abbr title="information technology">IT</abbr> infrastructure as your primary site. It functions the same as your primary site and is always kept running in case of downtime. Data synchronization is ongoing to reduce the risk of data loss. The benefit of a hot site is that it can nearly eliminate downtime.</p> </div> <div> <h5>4.1.7.2 Warm sites</h5> <p>A warm site is a back-up site with network connectivity and some equipment installed. A warm site requires setup time before it can function at full capacity. Data synchronization occurs less frequently, which can result in some data loss.</p> </div> <div> <h5>4.1.7.3 Cold sites</h5> <p>A cold site is used to store backups of systems or data, but with little equipment installed. More time and resources will be required to set up and restore business operations. Data synchronization can be a difficult and lengthy process, and there is a higher risk of data loss if servers need to be transferred from your primary site to the cold site.</p> </div> </div> <!– sub subsection –> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <p><span class="clearfix"></span></p> <div> <h4>4.1.8 Test and maintain your disaster recovery plan</h4> <p>Your organization should test your <abbr title="disaster recovery plan">DRP</abbr> regularly to ensure that your documented procedures are effective and up to date. A <abbr title="disaster recovery plan">DRP</abbr> is an ongoing process that must be reviewed continuously to ensure it aligns with changes to your risk environment, business operations, and technologies.</p> <p>By testing your <abbr title="disaster recovery plan">DRP</abbr> regularly, you can ensure that you meet your response goals while identifying any areas that may need improvement. By testing your plan, you can:</p> <ul><li>verify the effectiveness of the recovery documentation and recovery sites</li> <li>provide reassurance that your organization will be able to withstand disasters</li> <li>ensure that your data is being replicated correctly and can be recovered easily from your backups</li> <li>review lessons learned from past incidents and include additional mitigation actions in your <abbr title="disaster recovery plan">DRP</abbr></li> <li>flag areas in the <abbr title="disaster recovery plan">DRP</abbr> that need updating</li> <li>update training requirements for your response team to ensure they are informed of changes and are well prepared to implement the <abbr title="disaster recovery plan">DRP</abbr></li> </ul><p>There are several types of <abbr title="disaster recovery plan">DRP</abbr> tests you can use:</p> <!– level 5 again –> <div> <h5>4.1.8.1 Checklist testing</h5> <p>Checklist testing will ensure that the recovery procedures are comprehensive and account for all the resources and response members that are required to execute each step of the plan.</p> </div> <div> <h5>4.1.8.2 Tabletop testing</h5> <p>The main purpose of a tabletop test is to ensure that your response team understands the processes and procedures in your <abbr title="disaster recovery plan">DRP</abbr> and that they are aware of their responsibilities and roles. Tabletop testing will allow all response team members to meet and discuss a simulated disruption. They can discuss the actions required to manage the fine details of the disaster, including the aftermath. This will help ensure that all necessary resources are available as indicated in the <abbr title="disaster recovery plan">DRP</abbr>. A tabletop test will also determine if your <abbr title="disaster recovery plan">DRP</abbr> is efficient and will reveal strengths and flaws, which will allow you to address any issues with the <abbr title="disaster recovery plan">DRP</abbr> before an actual event occurs.</p> </div> <div> <h5>4.1.8.3 Walkthrough testing</h5> <p>A walkthrough test is a dry run test to help identify any issues. It is a step-by-step review of the <abbr title="disaster recovery plan">DRP</abbr> to ensure that the response team members understand their roles, are aware of all the steps of the plan, and have been updated on any changes to the plan since the last review.</p> </div> <div> <h5>4.1.8.4 Parallel testing</h5> <p>A parallel test is when a recovery system is used to restore a system without interrupting any business operations. This is a step-by-step review of each plan component and will help identify gaps, weaknesses, or overlooked details that might present roadblocks during real execution.</p> </div> <div> <h5>4.1.8.5 Full interruption testing</h5> <p>A full interruption test is the most disruptive test. The main system is taken down and the response team attempts to recover it. This is a more thorough and time-consuming test. It is also risky since it can lead to disruptions to business operations and expensive downtime. In some cases, this type of test may not be feasible due to public safety or regulatory concerns.</p> </div> <div> <h5>4.1.8.6 Simulation testing</h5> <p>A simulation test will help the response team know what to do when a disaster occurs. It involves role-playing the <abbr title="disaster recovery plan">DRP</abbr> based on a specific disaster scenario. It should incorporate all steps in the <abbr title="disaster recovery plan">DRP</abbr> and ensure that the documented procedures are clear with no ambiguity.</p> </div> <!– level 5 end –></div> <!– level 4 end –></div> <!– level 3 close –> <div> <h2 class="text-info" id="disaster-recovery-strategies">4.2 Types of disaster recovery strategies</h2> <p>In the previous section, we discussed setting up disaster recovery sites to help protect your organization’s <abbr title="information technology">IT</abbr> infrastructure and critical operations. We listed the 3 types of disaster recovery sites (hot, warm, and cold) to choose from, based on your business priorities, resources, and risk tolerance. Aside from these options, there are several other disaster recovery strategies to choose from depending on your organization’s <abbr title="information technology">IT</abbr> infrastructure, business operations, resources, budget, and critical assets. Here are some examples of backup and recovery methods you can explore.</p> <div> <h3>4.2.1 Network disaster recovery</h3> <p>Network connectivity is critical for your organization’s external and internal communication, application access, and data sharing. Network disaster recovery procedures specify how network services will be restored in the event of a network disruption, what resources will be required, and how access to backup data and storage sites will be ensured. Depending on your organization’s requirements, your network disaster recovery may include recovery procedures such as:</p> <ul><li>local area networks (LAN)</li> <li>wide area networks (WAN)</li> <li>wireless networks</li> <li>network-based applications and services</li> <li>failed devices that can lead to network interruptions, such as routers, switches, gateways, modems</li> </ul><p>There are various reasons why network disruptions can occur, including human error, natural or physical disasters, and cyber attacks like DDoS.</p> </div> <div> <h3>4.2.2 Virtualized disaster recovery</h3> <p>Your organization can use virtual machines in an offsite location or the cloud to back up certain operations or data, or even to replicate your entire <abbr title="information technology">IT</abbr> infrastructure (servers, storage, operating systems, software, applications, and data). Using virtualization for disaster recovery can offer the following benefits:</p> <ul><li>automate some disaster recovery processes and allow online operations to be restored faster</li> <li>reduce your <abbr title="information technology">IT</abbr> footprint</li> <li>support frequent replication and enable seamless failover</li> <li>allow your infrastructure to operate from any location</li> </ul></div> <div> <h3>4.2.3 Disaster recovery in the cloud</h3> <p>Disaster recovery in the cloud offers services and strategies to store backup data, applications, and other resources in cloud storage rather than in a physical location. Disaster recovery in the cloud can be more than just a backup solution, it can provide automatic workload failover to the cloud platform so that organizations can restore their backups to either on-premises or cloud environments. This enables business continuity and quick recovery when disruption occurs.</p> <p>Disaster recovery in the cloud automates many recovery processes and can be scaled to meet business requirements. It is commonly offered as a software as a service solution and can be a more affordable option for organizations with limited financial resources.</p> <p>Using disaster recovery in the cloud offers the following additional benefits:</p> <ul><li>flexible pricing models, such as on-demand or pay-as-you-go</li> <li>no single point of failure when using the cloud since you can pay to back up data across multiple geographical locations</li> <li>lower disaster recovery capital costs since you will not need to purchase duplicate hardware or software or a physical backup site</li> <li>enhanced compliance with regulatory requirements</li> <li>assurance that your business operations will be restored with minimized data loss, in accordance with your service level agreement (SLA)</li> </ul></div> <div> <h4>4.2.4 Disaster recovery as a service</h4> <p><abbr title="Disaster Recovery as a Service">DRaaS</abbr> is disaster recovery hosted by a third-party service provider or public cloud infrastructure. It is a solution that enables replication and hosting of physical or virtual servers, allowing failover for on-premises or cloud computing environments.</p> <p>Depending on the <abbr title="service level agreement">SLA</abbr> between the <abbr title="Disaster Recovery as a Service">DRaaS</abbr> provider and the customer, the following solutions can be acquired:</p> <ul><li>monitoring, implementing, and managing the entire <abbr title="disaster recovery plan">DRP</abbr> and helping clients recover their <abbr title="information technology">IT</abbr> infrastructure and return to normal business operations</li> <li>ensuring guaranteed recovery times for critical <abbr title="information technology">IT</abbr> resources</li> <li>offering backup and disaster recovery tools to customers who want to set up and implement disaster recovery solutions on site</li> <li>providing an infrastructure as a service solution, which is a type of cloud service that offers essential computing, storage, and networking resources on demand, on a pay-as-you-go basis</li> </ul></div> <div> <h4>4.2.5 Backup as a service</h4> <p>Backup a service is a service offered by a third-party provider and is also known as online backup or cloud backup. The service provider can store your data remotely in the cloud and manage all the backup and recovery infrastructure.</p> </div> <div> <h4>4.2.6 Storage replication</h4> <p>Storage replication copies your data in real time from one location to another over a storage area network, <abbr title="local area networks">LAN</abbr> or <abbr title="wide area networks">WAN</abbr>. Storage replication is referred to as synchronous replication since the replication is done in real time. Your organization can also use asynchronous replication, which creates copies of data according to a defined schedule.</p> </div> </div> </section><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <p><span class="clearfix"></span></p> <section><h2 class="text-info" id="summary">5 Summary</h2> <p>The advice provided in this publication is meant to help strengthen your organization’s resilience through emergency preparedness. Your emergency preparedness strategy should encompass an <abbr title="incident response plan">IRP</abbr>, a <abbr title="business continuity plan">BCP</abbr>, and a <abbr title="disaster recovery plan">DRP</abbr>. While the objectives of the 3 plans differ, they all strive to do the following:</p> <ul><li>protect and safeguard your critical assets and business operations</li> <li>respond to incidents</li> <li>recover from disasters as quickly as possible</li> </ul><p>Remember that an <abbr title="incident response plan">IRP</abbr> focuses on a specific incident occurrence and the actions required to respond to the incident, whereas a <abbr title="disaster recovery plan">DRP</abbr> focuses on restoring your organization’s <abbr title="information technology">IT</abbr> infrastructure after a disastrous event occurs. The objective of both plans is to help your organization return to normal business operations as quickly as possible.</p> <p>The main principles of an <abbr title="incident response plan">IRP</abbr> and a <abbr title="disaster recovery plan">DRP</abbr> fall under the umbrella of a <abbr title="business continuity plan">BCP</abbr>. A <abbr title="business continuity plan">BCP</abbr> is a holistic approach to handling disruptions with the objective of maintaining your organization’s operations throughout the event lifecycle.</p> <p>Identifying your organization’s critical assets and business operations will help you identify the requirements and guide the plan development process. Through effective planning and practice, your organization will be well prepared, ready to recover, and able to maintain operations efficiently. This will minimize the impacts, interruptions, costs, and damages of any future disruption, incident, or disaster.</p> </section></div> </div> </div> </div> </div> </article>

<article data-history-node-id="634" about="/en/guidance/developing-your-it-recovery-plan-itsap40004" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"><!–Info across the top under the image–> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>January 2026</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.40.004</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>January 2026 | Awareness series</strong></p> </div> <!–ENGLISH Intro paragraph plus pdf download–> <div class="col-md-12 mrgn-tp-lg"> <p class="mrgn-tp-sm">Unplanned outages, cyber attacks, and natural disasters can happen unexpectedly. Your organization may lose information or experience downtime that disrupts or stops critical business functions. Unplanned downtime is expensive and could have a lasting impact on your business. To ensure continued operations with minimal downtime, your organization should have an <abbr title="information technology">IT</abbr> recovery plan as part of your overall business continuity approach. The <abbr title="information technology">IT</abbr> recovery plan should identify critical data, applications, and processes, and define how your organization will recover <abbr title="information technology">IT</abbr> services that support business operations, products, and services.</p> <section><h2 class="h3 text-info">On this page</h2> <ul><li><a href="#1">Know your business disruption tolerance</a></li> <li><a href="#2">Identify your critical business functions, applications, and data</a></li> <li><a href="#3">Create your <abbr title="information technology">IT</abbr> recovery plan</a></li> <li><a href="#4">Choose your recovery strategy </a></li> <li><a href="#5">Test your <abbr title="information technology">IT</abbr> recovery plan</a></li> <li><a href="#6">Learn more</a></li> </ul></section></div> </div> <div class="clearfix"> </div> <p>Your <abbr title="information technology">IT</abbr> recovery plan should clearly identify and document what needs to be recovered, when, where, and by whom.</p> <p>In general, there are 3 types of plans you should consider developing for your business. These plans take into consideration major events that could cause an unplanned outage and require a recovery response.</p> <ul><li><strong>Incident response plan:</strong> Event-focused plan, specific to a security incident like a cyber attack affecting an organization</li> <li><strong>Business continuity plan:</strong> Specific plan to quickly resume only the most critical operations, as defined by a business impact analysis, in the event of a disaster</li> <li><strong>Disaster recovery plan:</strong> Holistic plan to return your organization to full operations after a disaster</li> </ul><h2 class="text-info" id="1">Know your business disruption tolerance</h2> <p>To develop an effective recovery plan, you should tailor it to address the impact an incident would have on your organization. Your plan should also specify the level of disruption your organization is willing to accept if an incident occurs. There are 3 key measures to consider in your plan:</p> <ul><li><strong>Maximum tolerable downtime:</strong> The total length of time that a process can be unavailable without causing significant harm to your business</li> <li><strong>Recovery point objective:</strong> The measurement of data loss that is tolerable to your organization</li> <li><strong>Recovery time objective:</strong> The planned time and level of service needed to meet the system owner’s minimum expectations</li> </ul><h2 class="text-info" id="2">Identify your critical business functions, applications, and data</h2> <p>Your plan should identify your organization’s critical data, applications, and functions. Critical data may include financial records, proprietary assets, and personal data.</p> <p>Critical applications are the systems that run your key business functions and are imperative to your business. These are the systems that must be restored immediately for business continuity in the event of an unplanned outage.</p> <p>To identify critical business functions, applications, and data, you should conduct a risk assessment to identify threats and vulnerabilities. Run through specific scenarios (such as a cyber attack, significant power outage, or natural disaster) to identify key participants and stakeholders. Reviewing these scenarios will also help you address significant risks, develop mitigation strategies, and identify the recovery time and effort.</p> <p>Conduct a business impact analysis (BIA) to predict how disruptions or incidents will harm your operations, business processes and systems, and finances. During your <abbr title="business impact analysis">BIA</abbr>, you should also assess the data that you collect and the applications that you use to determine their criticality and choose priorities for immediate recovery.</p> <h2 class="text-info" id="3">Create your <abbr title="information technology">IT</abbr> recovery plan</h2> <p>Complete to the following steps when creating your organization’s <abbr title="information technology">IT</abbr> recovery plan.</p> <ol><li>Identify stakeholders, including clients, vendors, business owners, systems owners, and managers</li> <li>Identify your response team members, as well as their roles and responsibilities</li> <li>Take inventory of all your hardware and software assets</li> <li>Identify and prioritize critical business functions, applications, and data</li> <li>Set clear recovery objectives</li> <li>Define back-up and recovery strategies</li> <li>Test your plan regularly</li> <li>Develop a communications plan to inform key stakeholders</li> <li>Develop a training program for employees to ensure that everyone is aware of their roles, responsibilities, and the order of operations during an unplanned outage</li> <li>Engage with managed service providers if required to identify areas in which they can assist you with your recovery efforts</li> </ol><h2 class="text-info" id="4">Choose your recovery strategy</h2> <p>There are several options to consider when implementing your recovery strategy, but you should choose a recovery strategy that meets your business needs and security requirements.</p> <h3>Hot, warm, or cold site</h3> <ul><li><strong>Hot site</strong> <ul><li>back-up site with the same servers and equipment as your primary site</li> <li>functions the same as your primary site and is always kept running in case of downtime</li> <li>data synchronization occurs within minutes to hours, reducing the risk of data loss</li> </ul></li> <li><strong>Warm site</strong> <ul><li>back-up site with network connectivity and some equipment installed</li> <li>requires setup to function at the full capacity of your primary site</li> <li>data synchronization occurs less frequently, which can result in some data loss</li> </ul></li> <li><strong>Cold site</strong> <ul><li>back-up site with little to no equipment</li> <li>requires more time and resources to set up and restore business operations</li> <li>data synchronization can be a difficult and lengthy process as servers need to be migrated from your primary site, resulting in a higher risk of data loss</li> </ul></li> </ul><h3>Storage replication</h3> <p>Storage replication copies your data in real time from one location to another over a Storage Area Network, Local Area Network or a Wide Area Network. Since it is done in real time, it is referred to as synchronous replication. You can also use asynchronous replication, which creates copies of data according to a defined schedule.</p> <h3>Disk mirroring</h3> <p>Disk mirroring replicates data on 2 or more disk hard drives. Disk mirroring automatically switches your critical data to a standby server or network when your main system experiences unplanned downtime. If you are unable to restore your systems, you can use the mirror copy. It is important that the mirrored copy is backed up to a separate server or location that is unaffected by the outage.</p> <h3>Cloud vs. on-premises recovery</h3> <p>With a cloud-based recovery platform, you can connect easily from anywhere with a variety of devices. You can back up your data frequently, and it can be less expensive than purchasing and maintaining an on-premises platform because you pay for the space you need as you need it. Using the cloud can also reduce or eliminate the need for a separate offsite recovery site.</p> <h2 class="text-info" id="5">Test your <abbr title="information technology">IT</abbr> recovery plan</h2> <p>Testing is critical. You can identify inconsistencies and address areas that need revision. Be sure to use a test environment to avoid business interruptions. Some example test strategies include:</p> <ul><li><strong>Checklist:</strong> Read through and explain the steps of the recovery plan</li> <li><strong>Walkthrough:</strong> Walk through the steps without enacting them</li> <li><strong>Simulation:</strong> Use a simulated incident or disaster to familiarize the recovery team with their roles and responsibilities</li> <li><strong>Parallel test:</strong> Set up and test recovery systems to see if they can perform operations to support key processes. You keep your main systems in full production mode</li> <li><strong>Cutover test:</strong> Your recovery systems are set up to assume all your business operations, and you disconnect primary systems. This type of test causes business interruptions and requires additional planning</li> </ul><h2 class="text-info" id="6">Learn more</h2> <ul><li><a href="/en/guidance/tips-backing-your-information-itsap40002">Tips for backing up your information (ITSAP.40.002)</a></li> <li><a href="/en/guidance/have-you-been-hacked-itsap00015">Have you been hacked? (ITSAP.00.015)</a></li> <li><a href="/en/guidance/ransomware-how-prevent-and-recover-itsap00099">Ransomware: How to prevent and recover (ITSAP.00.099)</a></li> <li><a href="/en/guidance/cyber-security-tips-remote-work-itsap10116">Cyber security tips for remote work (ITSAP.10.116)</a></li> <li><a href="/en/guidance/benefits-and-risks-adopting-cloud-based-services-your-organization-itse50060">Benefits and risks of adopting cloud-based services in your organization (ITSE.50.060)</a></li> <li><a href="/en/guidance/cyber-security-considerations-consumers-managed-services-itsm50030">Cyber security considerations for consumers of managed services (ITSM.50.030)</a></li> <li><a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Developing your incident response plan (ITSAP.40.003)</a></li> <li><a href="/en/guidance/developing-your-business-continuity-plan-itsap10005">Business continuity plan (ITSAP.10.005)</a></li> <li><a href="/en/guidance/improving-cyber-security-resilience-through-emergency-preparedness-planning-itsm10014">Improving cyber security resilience through emergency preparedness (ITSM.10.014)</a></li> </ul></div> </div> </div> </div> </div> </article>

<article data-history-node-id="735" about="/en/guidance/developing-your-incident-response-plan-itsap40003" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"><!–Info across the top under the image–> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>January 2026</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.40.003</strong></p> </div> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>January 2026 | Awareness series</strong></p> </div> <p>Your incident response plan (IRP) includes the processes, procedures, and documentation related to how your organization detects, responds to, and recovers from a specific incident. Cyber threats, natural disasters, and unplanned outages are examples of incidents that can impact your network, systems, and devices. With a proper plan, you will be prepared to handle incidents when they happen, mitigate the threats and associated risks, and recover quickly. While this publication is written in the context of cyber incidents, its guidance can assist your organization in developing an incident response plan for various types of incidents.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#before">Before creating an incident response plan</a></li> <li><a href="#types">Types of incidents</a></li> <li><a href="#steps">Main steps in your incident response plan</a></li> <li><a href="#services">In-house or professional services</a></li> <li><a href="#learn">Learn more</a></li> </ul><h2 class="text-info" id="before">Before creating an incident response plan</h2> <p>Before you create an <abbr title="incident response plan">IRP</abbr>, identify the information and systems of value to your organization. Determine the types of incidents you might face, such as ransomware or distributed denial of service attacks, and the appropriate responses. Consider who is best qualified to be a member of your response team. You should also determine how you will inform your organization of the plan and the associated policies and procedures.</p> <h3>Conduct a threat and risk assessment</h3> <p>A threat and risk assessment (TRA) is a process that helps you identify your critical assets and how these assets can be compromised. Your <abbr title="threat and risk assessment">TRA</abbr> will assess the level of risk these threats pose to your assets so that you can develop and prioritize your response efforts. Some questions to answer during the <abbr title="threat and risk assessment">TRA</abbr> include:</p> <ul><li>what data is valuable to your organization?</li> <li>which business areas handle sensitive data?</li> <li>what controls do you currently have in place?</li> <li>can this lead to a privacy breach for your organization?</li> </ul><p>For more information on <abbr title="threat and risk assessments">TRAs</abbr>, read <a href="/en/tools-services/harmonized-tra-methodology">Harmonized <abbr title="threat and risk assessment">TRA</abbr> Methodology (TRA-1)</a>.</p> <h3>Create your response team</h3> <p>The purpose of your team is to assess, document, and respond quickly to incidents. The goal is to restore your systems, recover information, and reduce the risk of the incident reoccurring.</p> <p>Your team should include employees with various qualifications and have cross-functional support from other business lines.</p> <p>Roles to consider for your incident response team include:</p> <ul><li>critical path personnel</li> <li>security practitioners</li> <li><abbr title="information technology">IT</abbr> or cyber security specialists</li> <li>project engineers for operational technology (OT) environments</li> <li>legal</li> <li>management</li> </ul><p>Cyber incidents in particular are unpredictable and require immediate response. Ensure your response team has alternate means of contact, such as mobile phones or out of band email. Each member of your team should also have a backup contact in case they cannot be reached or are unavailable.</p> <h3>Develop your policies and procedures</h3> <p>Your incident response activities need to align with your organization’s policy and compliance requirements.</p> <p>Write an incident response policy that establishes the authorities, roles, and responsibilities for your incident response procedures and processes. This policy should be approved by your organization’s senior management.</p> <h3>Educate your employees</h3> <p>Provide training to employees that explains your incident response plan, policies, and procedures. Tailor your training programs to your organization’s business needs and requirements, and to your employees’ roles and responsibilities.</p> <p>Update your employees on current incident response planning and execution. A well-trained and informed workforce can defend against incidents.</p> <h3>Create your communications plan</h3> <p>Your communications plan should detail how, when, and with whom your team communicates. This plan should include a central point of contact for employees to report suspected or known incidents.</p> <p>Your notification procedures are critical to the success of your incident response. Identify the key internal and external stakeholders who will be notified during an incident. You may have to alert third parties, such as clients and managed service providers. Depending on the incident, you may need to contact law enforcement or consider engaging a lawyer for advice. You may also need to contact your media team.</p> <h2 class="text-info" id="types">Types of incidents</h2> <p>Your organization can face many different incidents. Some examples include:</p> <h3>Ransomware</h3> <p>Ransomware is a type of malware that locks you out of files or systems until you pay a ransom to a threat actor. Payment does not guarantee that you will regain access to your information.</p> <h3>Data theft</h3> <p>Data theft occurs when threat actors steal information stored on servers and devices. The data is most commonly accessed using stolen user credentials. Advanced persistent threats (APTs) refer to threat actors that are highly sophisticated and skilled. <abbr title="Advanced persistent threats">APTs</abbr> are able to use advanced techniques to conduct complex and protracted campaigns in pursuit of their goals. The <abbr title="Advanced persistent threat">APT</abbr> designator is usually reserved for nation states or very proficient organized crime groups.</p> <h3>Active exploitation</h3> <p>Active exploitation takes advantage of unpatched software, hardware, or other vulnerabilities to gain control of your systems, networks, and devices. These attacks can go unnoticed before you have the opportunity to apply a patch or update. Your plan should provide instructions for mitigating active exploitation, such as temporarily suspending Internet access or ceasing online activity.</p> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <h2 class="text-info" id="steps">Main steps in your incident response plan</h2> <p>Your <abbr title="incident response plan">IRP</abbr> should identify the objectives, stakeholders, responsibilities, communication methods, and escalation processes used throughout the incident response lifecycle. Keep the plan simple and flexible. Test, revisit, and revise your incident response plan annually to keep it effective.</p> <p>Follow the incident response lifecycle steps below to structure your <abbr title="incident response plan">IRP</abbr>.</p> <h3>Preparation</h3> <ol><li>Start with a statement of your management’s commitment to the project. Perform a risk assessment to identify your organization’s most valuable assets that are critical to your business operations</li> <li>Define the security incidents your organization is most likely to face and create detailed response steps for these incidents</li> <li>Lay out the objectives of your incident response strategy, as well as your related policies, standards, and procedures. Your policy should include performance measures, the incident data that you collect over time (for example, the number of incidents and time spent per incident)</li> <li>Define your goals to improve security, visibility, and recovery</li> <li>Develop and implement a reliable backup process to create copies of your data and systems to help you restore them during an outage</li> <li>Have a detailed strategy for updating and patching your software and hardware. Use this strategy to track and fix vulnerabilities and mitigate the occurrence and severity of incidents</li> <li>Create your response team and assign roles and responsibilities to each member</li> <li>Define your communications plan and identify how key stakeholders and management will be informed throughout the incident. You should have multiple communication mechanisms in place, this may be valuable during an incident</li> <li>Develop exercises to test your plan and response. You can revise and improve your plan using your test results</li> </ol><h3>Detection and analysis</h3> <p>Monitor your networks, systems, and connected devices to identify potential threats. Produce reports regularly and document events and potential incidents. Analyze these occurrences and determine whether you need to activate your <abbr title="incident response plan">IRP</abbr>. Determine the frequency and intensity of your monitoring.</p> <p>Although it is impossible to have a step-by-step guide for every incident, you should be prepared to handle incidents that use common attack vectors.</p> <p>In the event of a breach or compromise, analyze the incident, including its type, its origin, and the extent of the damage caused. All facts about the incident should be documented. When an incident is detected, analyzed, and prioritized, your incident response team should notify the appropriate stakeholders so that everyone that needs to be involved is informed.</p> <h3>Containment</h3> <p>Containment is crucial for your organization’s recovery. The primary goal is to minimize business impact.</p> <p>Gain an understanding of the issue so you can contain the threat and apply effective mitigation measures.</p> <p>An effective mitigation measure for an <abbr title="information technology">IT</abbr> environment may include deactivating connectivity to your systems and devices to block the threat actor from causing further damage. It might be necessary to isolate all systems and suspend employee access temporarily to detect and stop further intrusions.</p> <p>Containment strategies and procedures will depend on the type of incident, the degree of damage the incident can cause, and your operational requirements. Refer to your organization’s incident containment strategies, established in the preparation phase.</p> <p>When dealing with an incident, the risk assessment completed in the preparation phase should help you define your acceptable risk so that you can develop your containment strategies accordingly.</p> <h3>Eradication</h3> <p>Conduct a root cause analysis to identify and remove all elements of the incident from the affected systems and complete the following actions:</p> <ul><li>Identify all affected systems, hosts, and services</li> <li>Remove all malicious content from affected systems</li> <li>Scan and wipe your systems and devices</li> <li>Identify and address all residual attack vectors</li> <li>Communicate with stakeholders to ensure appropriate management of the incident</li> <li>Harden, patch, and upgrade all affected systems</li> <li>Upgrade or replace legacy systems</li> </ul><h3>Recovery</h3> <p>Restore and reintegrate the affected systems back into your operating environment.</p> <ul><li>Ensure any malware is removed before restoring your backups</li> <li>Test, verify, monitor, and validate affected systems to ensure they are running effectively</li> <li>Revise and update policies, procedures, and training initiatives</li> </ul><h3>Post-incident activities and lessons learned</h3> <p>Review the root cause of the incident and collaborate with the response team to determine what can be improved. Evaluate your incident response processes and highlight what went well and what areas require improvement. Create a lessons learned document that details how you will adjust and improve your plan for future incidents. The results of the lessons learned should be used to improve detection methods and prevent repeated incidents.</p> <h2 class="text-info" id="services">In-house or professional services</h2> <p>When developing your <abbr title="incident response plan">IRP</abbr>, determine which actions and services you can conduct internally and which actions you will outsource. Professional services can be retained to assist with incident response initiatives, such as developing your plan, determining your backup processes, and monitoring and patching your systems. Outsourcing incident response for <abbr title="operational technology">OT</abbr> incidents or other specialized environments can be costly, and it is important to plan for these scenarios.</p> <h2 class="text-info" id="learn">Learn more</h2> <ul><li><a href="/en/guidance/ransomware-how-prevent-and-recover-itsap00099">Ransomware: How to prevent and recover (ITSAP.00.099)</a></li> <li><a href="/en/guidance/developing-your-it-recovery-plan-itsap40004">Developing your <abbr title="information technology">IT</abbr> recovery plan (ITSAP.40.004)</a></li> <li><a href="/en/guidance/have-you-been-hacked-itsap00015">Have you been hacked? (ITSAP.00.015)</a></li> <li><a href="/en/guidance/preventative-security-tools-itsap00058">Preventative security tools (ITSAP.00.058)</a></li> <li><a href="/en/guidance/tips-backing-your-information-itsap40002">Tips for backing up your information (ITSAP.40.002)</a></li> <li><a href="/en/guidance/offer-tailored-cyber-security-training-your-employees-itsap10093">Offer tailored cyber security training to your employees (ITSAP.10.093)</a></li> <li><a href="/en/guidance/cyber-security-considerations-consumers-managed-services-itsm50030">Cyber security considerations for consumers of managed services (ITSM.50.030)</a></li> <li><a href="/en/guidance/improving-cyber-security-resilience-through-emergency-preparedness-planning-itsm10014">Improving cyber security resilience through emergency preparedness (ITSM.10.014)</a></li> </ul><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> </div> </div> </div> </div> </div> </article>

In the event of a cyber incident or natural disaster, your organization will need a business continuity plan (BCP) to resume its most critical business operations quickly. Your BCP will identify the risks from various threats and the impact they would have on your organization.

This joint guidance outlines the desirable end-states that organizations should achieve when designing connectivity into OT environments. The end-states are intended as goals rather than minimum requirements.

This publication provides some information on the potential risks and mitigation measures associated with generative AI.