Canadian Centre for Cyber Security Events

You can help create a culture of cyber security in your organisation by sharing awareness messages in your communities.

  • Steps to address data spillage in the cloud (ITSAP.50.112)
    by Canadian Centre for Cyber Security on August 13, 2025 at 6:42 pm

    <article data-history-node-id="659" about="/en/guidance/steps-address-data-spillage-cloud-itsap50112" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>August 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.50.112</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>August 2025 | Awareness series</strong></p> </div> </div> <!–pdf download–> <p>In our interconnected digital world, the security of data stored in the cloud is more critical than ever. Data spillage, or the unintended exposure of sensitive information, can have far-reaching consequences for individuals and organizations.</p> <p>Data spillage occurs when sensitive information is placed on information systems that are not authorized to process or store the information. It can also happen when data is made available to an unauthorized individual. For example, a spill occurs if secret data is transferred or made available on an unclassified network.</p> <p>This publication outlines the essential steps your organization should follow to effectively manage and mitigate data spillage incidents in cloud environments. 
These steps will help you ensure that sensitive data remains secure and private.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#identify">Step 1: Identify the data spill</a></li> <li><a href="#contain">Step 2: Contain the data spill</a></li> <li><a href="#alert">Step 3: Alert your stakeholders of the data spill</a></li> <li><a href="#Remediate">Step 4: Remediate the data spill</a></li> <li><a href="#Considerations">Considerations to enhance your cyber security posture in the cloud</a></li> <li><a href="#Disposal">Appropriate disposal of IT equipment</a></li> </ul><section><h2 class="text-info" id="identify">Step 1: Identify the data spill</h2> <p>Swiftly identifying a data spillage incident is crucial for limiting the potential damage. Recognizing unauthorized data exposure is vital to identifying data spillage. This can occur in various ways, such as misplaced emails, unsecured cloud storage or misplaced physical devices. Early detection is key and is dependent on robust monitoring systems and awareness of data flows within an organization. This allows you to quickly assess the nature, scope, and potential impact of the data spill.</p> <p>Take the following actions to effectively triage and assess the damage caused by a data spill:</p> <ul><li>What information was compromised? <ul><li>Understanding the type of data—whether personal, financial, or confidential—helps determine the severity of the spill</li> </ul></li> <li>Where was the information moved? <ul><li>Identifying the unintended location(s) of the data can guide the containment strategy</li> </ul></li> <li>How was the information moved? <ul><li>Understanding the method of transfer, such as USB or email, can provide insights into the nature and potential spread of the spill</li> </ul></li> <li>Who was the information sent to? <ul><li>Knowing who received the spilled data is essential for containment and remediation efforts</li> </ul></li> <li>Where did the information come from? 
<ul><li>Tracing the origin of the spilled data helps identify potential vulnerabilities within the system</li> </ul></li> <li>When did the spill occur? <ul><li>Determining the timing of the spill can affect the response strategy and potential impact assessment</li> </ul></li> </ul><p>Early identification depends on a comprehensive understanding of these aspects and allows your organization to respond effectively and mitigate the impacts of data spillage.</p> </section> <section><h2 class="text-info" id="contain">Step 2: Contain the data spill</h2> <p>The immediate containment of a data spill is critical to preventing further unauthorized access or distribution. This step requires your organization to secure the spilled data by removing it from unsecured locations or restricting access to it. In cloud environments, containment may also involve working with cloud service providers (CSPs) to leverage their tools and capabilities for securing data. A rapid response is essential to seal off vulnerabilities and limit data proliferation.</p> <p>To effectively contain a data spill, consider the following:</p> <h3>Utilize platform functions</h3> <p>Employ available cloud platform functions to delete the affected files and any known copies from your system. If the spill involves email, recall the message if possible.</p> <h3>Direct recipients</h3> <p>For all forms of data, including email, contact the recipients directly and instruct them not to forward or access the data. 
Ask all recipients to delete the spilled information from their environments and to empty their recycle bins.</p> <h3>Challenges containing data in the cloud</h3> <p>Recognize the unique challenges of containing data spillages in cloud environments, including:</p> <ul><li>verifying the complete removal of spilled data post-cleanup</li> <li>determining whether data has been compromised once the spilled data has been exposed</li> </ul><p>These steps underscore the complexity of managing data spillage in cloud services and the importance of swift, strategic actions to mitigate risks effectively.</p> </section> <section><h2 class="text-info" id="alert">Step 3: Alert your stakeholders of the data spill</h2> <p>After the data spillage is identified and contained, it’s crucial to promptly alert the appropriate internal and external stakeholders. Effective communication ensures a coordinated response to the incident and helps mitigate potential damage.</p> <p>To ensure a comprehensive alert protocol, consider the following actions:</p> <h3>Internal reporting</h3> <p>Immediately contact your IT service desk to report the spillage. If the IT service desk is designated as the remediation authority, it will triage the incident following your organization’s security incident management process. If not, it will escalate the incident to the appropriate remediation authority.</p> <h3>Report to management</h3> <p>Inform your management chain of the incident, regardless of the type of breach. 
They will provide support and direction for the remediation effort and respond to any inquiries as required.</p> <h3>Secure communication with cloud service providers</h3> <p>When involving <abbr title="cloud service providers">CSP</abbr>s, use secure communication methods. Ensure that cleared <abbr title="cloud service providers">CSP</abbr> personnel have located and deleted all possible copies of the data (if this is included in your service agreement). If secure communication methods and cleared personnel are not readily available, assess with your manager the benefits versus the risks of contacting the <abbr title="cloud service providers">CSP</abbr>.</p> <h3>External notifications</h3> <p>Depending on the nature of the data and the spillage, external notifications may be required. This includes notifying affected individuals, regulatory bodies or other stakeholders as dictated by law, regulation or policy.</p> <h4>Additional information for government departments and critical infrastructure sectors</h4> <p>For Government of Canada departments and critical infrastructure sectors, external notifications involve reporting breaches directly to the Canadian Centre for Cyber Security (Cyber Centre) by phone at 1-833-CYBER-88 (<a href="tel:+1-833-292-3788">1-833-292-3788</a>) or online at <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="6e494caa-d595-4273-ad70-ba2d1543af6e" href="/en/incident-management">Report a cyber incident</a>.</p> <h4>Government of Canada departments</h4> <p>In addition to reporting the incident to the Cyber Centre, follow your department’s incident response procedures and the <a href="https://www.canada.ca/en/government/system/digital-government/online-security-privacy/security-identity-management/government-canada-cyber-security-event-management-plan.html">Government of Canada Cyber Security Event Management Plan (GC CSEMP)</a>.</p> <h4>Critical infrastructure sectors</h4> <p>In addition to reporting 
the incident to the Cyber Centre, consult Public Safety’s action-oriented guidance in <a href="https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/2016-fndmntls-cybr-scrty-cmmnty/index-en.aspx">Fundamentals of Cyber Security for Canada’s CI community</a> for more information.</p> <h4>Privacy</h4> <p>If a data spill impacts or potentially impacts the privacy of Canadians, <a href="https://www.priv.gc.ca/en/report-a-concern/">report the spill to the Office of the Privacy Commissioner</a>.</p> <h2 class="text-info" id="Remediate">Step 4: Remediate the data spill</h2> <p>After containing the spill and notifying the relevant parties, your focus should shift to remediation. This involves not only addressing the immediate impacts of the spill but also implementing measures to prevent future incidents. Effective remediation depends on a thorough investigation to understand the root causes of the spillage.</p> <p>For a comprehensive remediation process, consider the following actions:</p> <h3>Work with your cloud service provider</h3> <p>Engage with your <abbr title="cloud service providers">CSP</abbr> to ensure the spill is fully contained and to leverage their expertise in cleaning up the spill. This includes utilizing platform functions for data clean-up, such as removing tags and pointers or employing crypto-shredding.</p> <h3>Manage device and cloud space</h3> <p>Recall, destroy, and replace any affected mobile devices, servers or portions of the cloud tenant space that contained the spilled data. Crypto-shredding can be an effective method for ensuring the data is irrecoverable.</p> <h3>Review policies and procedures</h3> <p>Analyze the incident to identify any weaknesses in current policies and procedures. 
Update these to incorporate lessons learned from the spillage, focusing on improving data management, transfer, and storage practices.</p> <h3>Engage stakeholders</h3> <p>Ensure all stakeholders, including <abbr title="cloud service providers">CSP</abbr>s and any external organizations involved, are informed of the remediation actions and progress. Coordination with these parties is essential for a holistic approach to remediation.</p> </section> <section><h2 class="text-info" id="Considerations">Considerations to enhance your cyber security posture in the cloud</h2> <p>To enhance your overall cyber security posture in the cloud, your organization should consider the following:</p> <h3>Responsibility and collaboration</h3> <p>Understand that the legal responsibility for data security remains with the data owner, even in cloud environments. Effective collaboration with <abbr title="cloud service providers">CSP</abbr>s and clear internal policies are crucial for protecting data.</p> <h3>Awareness and training</h3> <p>Educating personnel on the risks of data spillage and proper data-handling techniques is essential for preventing data spills. Regular training can significantly reduce the likelihood of future incidents. 
To view the full list of Cyber Centre courses, please visit <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="8835c939-543a-4cde-806c-370702ed4826" href="/en/education-community/learning-hub">The Learning Hub</a>.</p> <h3>Continuous improvement</h3> <p>Adopting a posture of continuous improvement, learning from past incidents, and updating policies accordingly are vital steps in enhancing an organization’s data security measures.</p> </section><section><h2 class="text-info" id="Disposal">Appropriate disposal of IT equipment</h2> <p>Proper disposal reduces the risk of threat actors exploiting residual data that is left on IT equipment with electronic memory or data storage media. This advice is applicable when considering data spillages using cloud services. Consult <a href="/en/guidance/it-media-sanitization-itsp40006">IT media sanitization (ITSP.40.006)</a> for additional advice on properly disposing of IT media.</p> </section></div> </div> </div> </div> </div> </article>

  • Joint guidance on foundations for operational technology cyber security and asset inventory guidance for owners and operators
    by Canadian Centre for Cyber Security on August 13, 2025 at 4:08 pm

    This joint guidance outlines the process for OT owners and operators to create an asset inventory and OT taxonomy.

  • Introduction to cloud computing (ITSAP.50.110)
    by Canadian Centre for Cyber Security on August 12, 2025 at 2:00 pm

    <article data-history-node-id="715" about="/en/guidance/introduction-cloud-computing-itsap50110" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>August 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.50.110</strong></p> </div> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>August 2025 | Awareness series</strong></p> </div> <p>Cloud computing is the on-demand delivery of IT resources over the Internet. Think of it as a network of companies that sell computing power, which customers can access online.</p> <p>With cloud computing, users can access technology services, such as computing power and storage, as needed from a cloud service provider (CSP). This reduces the need for organizations to own and maintain physical servers and data centres.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#bcc">Benefits of cloud computing</a></li> <li><a href="#lm">Learn more</a></li> </ul><h2 class="text-info" id="bcc">Benefits of cloud computing</h2> <p>Cloud computing allows for convenient, on-demand access to a shared pool of configurable computing resources. 
Cloud computing offers many benefits to organizations.</p> <h3>Performance</h3> <p><abbr title="cloud service providers">CSPs</abbr> offer scalable resources that adjust to match your business growth and handle peak demand efficiently. They provide optimal computing power to your organization and ensure you have the latest high-performance hardware by regularly updating their systems.</p> <h3>Accessibility and productivity</h3> <p>Leveraging cloud computing can enable users to securely access data and applications anywhere, anytime. Users can access their files, email or applications from anywhere. Documents can be shared among users while remaining in a central location. This improves collaboration across teams in various locations and boosts productivity, leading to more agile and responsive business operations.</p> <h3>Reliability</h3> <p>Cloud computing makes data back-ups, disaster recovery and business continuity easier and less expensive because data can be mirrored at multiple sites on the <abbr title="cloud service provider">CSP</abbr>’s network.</p> <h3>Cost efficiency</h3> <p>Organizations can avoid capital expenses associated with purchasing equipment and software, as well as the operational costs of running an on-premises environment. Cloud computing shifts the financial burden from large, up-front investments to a more manageable, pay-as-you-go model. 
It aligns the costs with actual usage and business demands.</p> <h2 class="mrgn-tp-md text-info" id="lm">Learn more</h2> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/models-cloud-computing-itsap50111">Models of cloud computing (ITSAP.50.111)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/steps-address-data-spillage-cloud-itsap50112">Steps to address data spillage in the cloud (ITSAP.50.112)</a></li> <li><a href="https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/cloud-adoption-strategy-2023-update.html">Treasury Board of Canada Secretariat’s Government of Canada Cloud Computing</a></li> </ul></div> </div> </div> </div> </div> </article>

  • Models of cloud computing (ITSAP.50.111)
    by Canadian Centre for Cyber Security on August 12, 2025 at 2:00 pm

    <article data-history-node-id="716" about="/en/guidance/models-cloud-computing-itsap50111" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>August 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.50.111</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>August 2025 | Awareness series</strong></p> </div> <!–pdf download–> <div class="col-md-12"> <p>Cloud service providers (CSPs) offer 3 service models and 4 deployment models. Service models provide customers with options to access a <abbr title="Cloud service providers">CSP</abbr>’s services, while deployment models offer customers different ways of using them. This publication provides an overview of the different models of cloud computing, allowing you to choose the best option for your organization.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#service-model">Service models</a></li> <li><a href="#deployment-model">Deployment models</a></li> <li><a href="#learn-more">Learn more</a></li> </ul><h2 class="mrgn-tp-lg text-info" id="service-model">Service models</h2> <p>Cloud computing has changed how organizations and individuals use technology. 
The service models offered to customers define the specific types of services provided by <abbr title="Cloud service providers">CSP</abbr>s.</p> <h3>Software as a Service</h3> <p>Software as a Service (SaaS) is a software distribution model in which customers purchase a service to use applications hosted by a <abbr title="Cloud service providers">CSP</abbr>. The service is made available for use over the Internet. Some well-known examples of <abbr title="Software as a Service">SaaS</abbr> include Google Workspace and Microsoft 365.</p> <p><abbr title="Software as a Service">SaaS</abbr> is a popular service model as it:</p> <ul><li>allows access to software from any device with an Internet connection</li> <li>includes <abbr title="Cloud service providers">CSP</abbr> upkeep of the software</li> </ul><h3>Platform as a Service</h3> <p>Platform as a Service (PaaS) provides developers with a cloud platform to build, deploy and manage applications without the complexity of maintaining the underlying infrastructure. This service model enables efficient application development through managed hosting environments. With <abbr title="Platform as a Service">PaaS</abbr>, developers can focus on their application’s functionality rather than its operation.</p> <p>Popular <abbr title="Platform as a Service">PaaS</abbr> examples include Microsoft Azure App Service and Salesforce’s Force.com. These platforms streamline the development and deployment processes, enabling faster and more secure application delivery.</p> <p><abbr title="Platform as a Service">PaaS</abbr> providers perform the following security actions to better secure applications against emerging threats:</p> <ul><li>Security updates</li> <li>Compliance monitoring</li> <li>Threat detection</li> </ul><h3>Infrastructure as a Service</h3> <p>Infrastructure as a Service (IaaS) provides scalable computing resources like servers, storage and networking over the Internet. 
This service model enables users to develop, run and manage applications on the <abbr title="Cloud service providers">CSP</abbr>’s hardware. Examples of IaaS include Amazon Web Services (AWS) offerings like EC2 and S3.</p> <h2 class="mrgn-tp-md text-info" id="deployment-model">Deployment models</h2> <p>Deployment models describe the access, size, and ownership of the cloud infrastructure.</p> <h3>Public cloud</h3> <p>The public cloud model offers services over the Internet, making the <abbr title="Cloud service providers">CSP</abbr>’s infrastructure and resources accessible to anyone. It’s managed externally and is separated from the customer’s in-house <abbr title="Information Technology">IT</abbr> infrastructure.</p> <h3>Private cloud</h3> <p>The private cloud model provides a dedicated environment for a single entity, ensuring exclusive access and control over the infrastructure. It offers enhanced security and privacy, as it can be hosted and managed either onsite by the customer or offsite by the <abbr title="Cloud service providers">CSP</abbr>. The private cloud is tailored to meet the needs of the customer, allowing greater control over computational resources and customized security measures. This model is ideal for organizations that require strict security and data privacy or that have specific regulatory compliance needs.</p> <h3>Community cloud</h3> <p>The community cloud model is a dedicated environment shared among multiple organizations with similar privacy, security and regulatory needs. It allows organizations to utilize a common infrastructure.</p> <h3>Hybrid cloud</h3> <p>The hybrid cloud combines different cloud types (public, private or community), while maintaining their distinct characteristics. These cloud types are interconnected for seamless data and application mobility. Each member cloud remains a unique entity but is bound to the others through standardized or proprietary technology. 
This allows applications and data to be transferred easily among members.</p> <h2 class="mrgn-tp-md text-info" id="learn-more">Learn more</h2> <p>For more information on the different service and deployment models, see the <a href="https://csrc.nist.gov/pubs/sp/800/145/final">National Institute of Standards and Technology (NIST) Special Publication 800-145 The NIST Definition of Cloud Computing</a>.</p> <p>To learn more about cloud computing, read the following publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/what-cloud-computing-itsap50110">Introduction to cloud computing (ITSAP.50.110)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/steps-address-data-spillage-cloud-itsap50112">Steps to address data spillage in the cloud (ITSAP.50.112)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/cloud-network-security-zones-itsp80023">Cloud network security zoning (ITSP.80.023)</a></li> </ul></div> </div> </div> </div> </div> </div> </div> </article>

  • Joint cyber security advisory on Scattered Spider
    by Canadian Centre for Cyber Security on July 29, 2025 at 5:00 pm

    Scattered Spider is a cyber criminal group that targets large organizations and their contracted information technology help desks.

  • Security considerations for critical infrastructure (ITSAP.10.100)
    by Canadian Centre for Cyber Security on July 28, 2025 at 12:35 pm

    <article data-history-node-id="680" about="/en/guidance/security-considerations-critical-infrastructure-itsap10100" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"><!–DESKTOP–> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>July 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.10.100</strong></p> </div> </div> <!–DESKTOP END–><!–MOBILE –> <div class="hidden-lg hidden-md text-center"> <p><strong>July 2025 | Awareness series</strong></p> </div> <!–MOBILE END –> <p>Critical infrastructure (CI) plays a role in the delivery and support of the necessities of daily life. This includes commonly used utilities and services, such as water, energy and banking. Disruptions to <abbr title="critical infrastructure">CI</abbr> could lead to failure of essential services, endanger public safety or result in loss of life. 
This publication provides information on how <abbr title="critical infrastructure">CI</abbr> sectors can be compromised and what security measures can be implemented to mitigate the risks.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#sectors">Critical infrastructure sectors</a></li> <li><a href="#impact">How cyber attacks impact critical infrastructure</a></li> <li><a href="#threats">The main threats to critical infrastructure</a></li> <li><a href="#protect">How to protect your sector from cyber attacks</a></li> <li><a href="#learn">Learn more</a></li> </ul><h2 class="text-info" id="sectors">Critical infrastructure sectors</h2> <p><abbr title="critical infrastructure">CI</abbr> refers to processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. <abbr title="critical infrastructure">CI</abbr> is often interconnected and interdependent within and across provinces, territories and national borders.</p> <p>The <a href="https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/srtg-crtcl-nfrstrctr/index-en.aspx">National strategy for critical infrastructure</a> identifies the following 10 <abbr title="critical infrastructure">CI</abbr> sectors:</p> <ul><li>energy and utilities</li> <li>finance</li> <li>food</li> <li>government</li> <li>health</li> <li>information and communication technology</li> <li>manufacturing</li> <li>safety</li> <li>transportation</li> <li>water</li> </ul><h3>Operational technology and industrial control systems as potential threat targets</h3> <p>Operational technology (OT) refers to computing systems used to automate industrial processes and operations in many different sectors. 
Industrial control systems (ICS) are a major subset within <abbr title="operational technology">OT</abbr> that allows <abbr title="critical infrastructure">CI</abbr> providers to remotely monitor the processes and control the physical devices in their infrastructure.</p> <p><abbr title="operational technology">OT</abbr> systems that have to be connected to the Internet or other networks and systems are attractive targets to threat actors who are focused on <abbr title="operational technology">OT</abbr> disruption.</p> <h2 class="text-info" id="impact">How cyber attacks impact critical infrastructure</h2> <p>Cyber attacks on <abbr title="critical infrastructure">CI</abbr> can have serious and devastating consequences. Some of the impacts can include:</p> <ul><li>interruption of essential services, such as electricity, water and natural gas</li> <li>disruption in the production and supply of food and medical supplies</li> <li>loss of public trust and confidence in the economy, national security and defence, and the democratic processes</li> <li>damage to the environment and risk to public health from chemical spills, toxic waste discharges or hazardous air emissions</li> <li>lost revenue, reputational risks, job losses or legal consequences for companies and employees</li> <li>disruption to hospital operations, or even compromised medical devices, that could lead to loss of life</li> <li>damage to <abbr title="critical infrastructure">CI</abbr> components that could disrupt, destroy or degrade processes and operations</li> </ul><h2 class="text-info" id="threats">The main threats to critical infrastructure</h2> <p>Cyber threats to <abbr title="critical infrastructure">CI</abbr> sectors can involve stealing mission-critical information, locking sensitive files or leaking proprietary or sensitive information. 
Damage to <abbr title="critical infrastructure">CI</abbr> can threaten national security, public safety and economic stability.</p> <p>Threat actors may target <abbr title="critical infrastructure">CI</abbr> sectors for financial gain. Some <abbr title="critical infrastructure">CI</abbr> sectors, such as healthcare and manufacturing, are popular targets because their owners and operators cannot withstand loss of sensitive information and long-term disruption of essential services. These <abbr title="critical infrastructure">CI</abbr> sectors often have significant financial resources to pay ransom.</p> <p>Insider threat actors may target <abbr title="critical infrastructure">CI</abbr> for personal reasons, such as an act of revenge by disgruntled former employees or customers.</p> <p>State-sponsored cyber threat actors may target <abbr title="critical infrastructure">CI</abbr> sectors to collect information in support of broader strategic goals like influencing public opinion or policy development.</p> <p>The following are some examples of the threats to <abbr title="critical infrastructure">CI</abbr>.</p> <h3>Ransomware</h3> <p>Ransomware is a type of malware that denies users access to systems or data until a sum of money is paid. Other types of malware (for example, wipers and spyware) are used to target <abbr title="critical infrastructure">CI</abbr> by infiltrating or damaging connected systems.</p> <h3>Denial-of-Service attack</h3> <p>A denial-of-service (DoS) attack is any activity that makes a service unavailable for use by legitimate users or that delays system operations and functions. A threat actor could make large parts of a <abbr title="critical infrastructure">CI</abbr> sector unavailable and cause potentially catastrophic failure.</p> <h3>Insider threats</h3> <p>An insider threat is anyone who has or had knowledge of or access to an organization’s infrastructure and information and uses it, either knowingly or inadvertently, to cause harm. 
Insider threats can have a significant impact on a <abbr title="critical infrastructure">CI</abbr> sector and its business functions.</p> <p>These threats can cause a temporary or permanent loss of visibility and control within the <abbr title="critical infrastructure">CI</abbr> processes and <abbr title="operational technology">OT</abbr>. Loss of control can prevent operators from being able to issue commands to mitigate malicious interference. This can result in uncontrolled damage and shutdown of system components, requiring hands-on operator intervention on the <abbr title="operational technology">OT</abbr>.</p> <h2 class="text-info" id="protect">How to protect your sector from cyber attacks</h2> <p><abbr title="critical infrastructure">CI</abbr> network operators can reduce their risks of cyber attacks by implementing the following security measures.</p> <h3>Isolate <abbr title="critical infrastructure">CI</abbr> components and services</h3> <p>Implement firewalls, virtual private networks (VPNs) and multi-factor authentication (MFA) for remote access connections with corporate networks. When using <abbr title="operational technology">OT</abbr>, test manual controls to ensure critical functions will remain operable if your network is unavailable or untrusted. Use secure administrative workstations to separate sensitive tasks and accounts from non‑administrative computer uses, such as email and web browsing. Implement network security zones to control and restrict access and data communication flows to certain components and users. <abbr title="operational technology">OT</abbr> systems should be on an isolated network and not connected to the Internet.</p> <h3>Enhance your security posture</h3> <p>Implement offline backups that are tested frequently to ensure you can recover quickly in the event of an incident.</p> <h3>Adopt a risk-based approach with updates</h3> <p>Evaluate your system requirements with vulnerability management to determine necessary updates. 
Many updates might be unnecessary to implement and could pose potential risks to your <abbr title="operational technology">OT</abbr> environment. Some vendors issue emergency patches to address critical security vulnerabilities, so it is important to keep informed of what your system might require.</p> <h3>Develop an incident response plan</h3> <p>Include the processes, procedures and documentation related to how your organization detects, responds to and recovers from cyber attacks in your incident response plan. Have a plan specifically for <abbr title="operational technology">OT</abbr> and ensure the critical system components can operate safely in manual mode. Test and revise the plan periodically to ensure critical functions and operations continue in case of system disruptions or unexpected downtime.</p> <h3>Train your employees</h3> <p>Educate your employees on the importance of cyber security best practices, such as identifying phishing, using strong passphrases and reporting incidents as soon as they are detected. Have clearly defined standard operating procedures for security practices and acceptable use of process control systems that interface directly with control of systems and environments.</p> <h3>Monitor organizational activities</h3> <p>Collect, analyze and store records that are associated with user actions on information systems. Enable logging to better investigate issues or events. Monitor traffic at your Internet gateways and establish baselines of normal traffic patterns. Highly sophisticated threat actors may influence or coerce employees (for example, using social engineering, bribery, blackmail or intimidation) to help them compromise security. 
To guard against these actors, enhance your insider threat monitoring and consider implementing a two-person rule when performing critical administrative functions.</p> <p>For more security measures to consider, read the Cyber Centre’s <a href="/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit">Cross-sector cyber security readiness goals toolkit</a>.</p> <h2 class="text-info" id="learn">Learn more</h2> <ul><li><a href="/en/guidance/protect-your-organization-malware-itsap00057">Protect your organization from malware (ITSAP.00.057)</a></li> <li><a href="/en/guidance/top-10-it-security-actions-protect-internet-connected-networks-and-information-itsm10089">Top 10 IT security actions to protect Internet connected networks and information (ITSM.10.089)</a></li> <li><a href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication (ITSAP 30.030)</a></li> <li><a href="/en/guidance/offer-tailored-cyber-security-training-your-employees-itsap10093">Offer tailored cyber security training to your employees (ITSAP.10.093)</a></li> <li><a href="/en/guidance/how-protect-your-organization-insider-threats-itsap10003-0">Protect your organization from insider threats (ITSAP.10.003)</a></li> <li><a href="/en/guidance/ransomware-playbook-itsm00099">Ransomware playbook (ITSM.00.099)</a></li> </ul></div> </div> </div> </div> </div> </article>

  • Security considerations when developing and managing your website (ITSAP.60.005)
    by Canadian Centre for Cyber Security on July 23, 2025 at 3:30 pm

    <article data-history-node-id="692" about="/en/guidance/security-considerations-when-developing-and-managing-your-website-itsap60005" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>July 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.60.005</strong></p> </div> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>July 2025 | Awareness series</strong></p> </div> <p>Your website is a critical component of your business. It provides access to your services and visibility for your products. However, cyber threats can compromise your website, harming your business operations, revenue and reputation. To reduce the likelihood and impact of threats, you should develop and maintain your website with security in mind. 
This publication provides some security and privacy protection measures to get you started.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#ctw">Common threats to websites</a></li> <li><a href="#dmws">Developing and managing your website securely</a></li> <li><a href="#rci">Reporting a cyber incident</a></li> <li><a href="#lm">Learn more</a></li> </ul><h2 class="text-info" id="ctw">Common threats to websites</h2> <p>Beware of the following common threats when developing and maintaining your website.</p> <h3>Injection attack</h3> <p>Injection attack is a general term for any exploitation in which a threat actor presents an untrusted input, such as malicious code, into a system to modify operations or data.</p> <p>Common examples of injection attacks include:</p> <ul><li><strong>Structured query language (SQL) injection:</strong> <abbr title="Structured query language">SQL</abbr> injection occurs when a threat actor inputs malicious code in the SQL statements through web page input. This typically happens when your website asks a user to log in or provide information. <abbr title="Structured query language">SQL</abbr> statements manage the database server and, if successful, the threat actor can bypass authentication measures.</li> <li><strong>Cross-site scripting (XSS):</strong> A threat actor uses <abbr title="Cross-site scripting">XSS</abbr> to compromise a web server and inject malicious code into trusted websites. When users visit the website, their browsers execute the script, putting cookies, session tokens, or sensitive information at risk. <abbr title="Cross-site scripting">XSS</abbr> attacks exploit the trust that a user has in a website.</li> </ul><h3>Cross-site request forgery attack</h3> <p>Cross-site request forgery (CSRF) is an attack that tricks users into executing unwanted actions in their browsers, such as logging out, downloading account information or uploading a site cookie. 
<abbr title="Cross-site request forgery">CSRF</abbr> attacks exploit the trust that a website has in a user’s browser.</p> <h3>Denial-of-service attack</h3> <p>A denial-of-service attack aims to overwhelm a website with unnecessary traffic. This floods the server and can make services unavailable to actual users. A distributed denial-of-service (DDoS) attack uses multiple bots or botnets on a single target to cause an even greater disruption.</p> <h3>Adversary-in-the-middle attack</h3> <p>Adversary-in-the-middle (AitM) is an attack that intercepts the communication between two systems. This could be between a user and website server. The intention is to steal or change data within that communication. The threat actor can pretend to be one or both legitimate communicating parties to gain access to sensitive information. They can insert themselves between the two parties and alter communications. Use of certificate-based Hypertext Transfer Protocol Secure (HTTPS) will validate your website to users and establish a confidential channel to mitigate <abbr title="Adversary-in-the-middle">AitM</abbr> attacks.</p> <h3>Malware attack</h3> <p>Any attack that distributes malicious software to cause harm, spread infections, or steal sensitive data. Malware can hide and linger on your website unnoticed and can negatively impact any user that visits your site. Examples of malware include viruses, trojans, ransomware and keyloggers.</p> <h3>Credential stuffing attack</h3> <p>A credential stuffing attack happens when threat actors use previously stolen credentials to try to log into an account. They continue their attempts until a match is found.</p> <p>If your website is compromised, your organization is not the only one at risk; threat actors can also target your supply chain, affiliated organizations, and customers. 
To learn more about risks to supply chains, see <a href="https://www.cyber.gc.ca/en/guidance/supply-chain-security-small-and-medium-sized-organizations-itsap00070">Cyber supply chain security for small and medium-sized organizations (ITSAP.00.070)</a> and <a href="https://www.cyber.gc.ca/en/guidance/cyber-threat-supply-chains">The cyber threat from supply chains</a>.</p> <h3>Brute force attacks</h3> <p>Brute force attacks are when threat actors use excessive login attempts with any number of character combinations to log into a system or network.</p> <div class="clearfix"> </div> <div class="well well-sm"> <h2 class="text-info mrgn-tp-sm">Impact of artificial intelligence</h2> <p>Artificial intelligence (AI) is a fast-growing and complex technology that can increase website functionality but can also complicate and challenge common cyber security measures. <abbr title="Artificial intelligence">AI</abbr> and generative <abbr title="artificial intelligence">AI</abbr> can be used by threat actors to intensify website attacks by quickly creating code, extracting large amounts of data, and spreading malware. However, <abbr title="artificial intelligence">AI</abbr> can also boost security measures against these attacks.</p> <p>This publication does not go into detail about <abbr title="artificial intelligence">AI</abbr>, but it is important to stay well informed about <abbr title="artificial intelligence">AI</abbr>’s development. Consult our guidance on <a href="https://www.cyber.gc.ca/en/guidance/artificial-intelligence-itsap00040">artificial intelligence</a> to learn more.</p> </div> <h2 class="text-info" id="dmws">Developing and managing your website securely</h2> <p>Your website is the gateway between the Internet and your organization. Threat actors can exploit website vulnerabilities and misconfigurations to steal, alter, or delete sensitive data. 
This includes:</p> <ul><li>vendor portals</li> <li>customer data</li> <li>sales leads</li> <li>operational and financial information</li> </ul><p>Stay one step ahead by reviewing the following aspects of your website. If you’re using a web service, you should discuss each of the topics below with your service provider.</p> <h2 class="text-info">Secure your web architecture</h2> <p>Secure your website’s architecture, including its elements, relationships, selected components and design principles. You should also apply principles like segregation and redundancy.</p> <p>Segregate your web service components. If one component is compromised, the other components are protected because they have been segregated. You should also segregate your application server and database to protect sensitive data.</p> <p>You should design your website to add redundancies in your web service components (replicate them). With redundancies, you can ensure that your operations continue if one component fails.</p> <p>Require the use of <abbr title="Hypertext Transfer Protocol Secure">HTTPS</abbr> by default on your website and configure Transport Layer Security (TLS) to be used between all web service components. This ensures that sensitive data, like authentication data and proprietary information, is encrypted in transit. <abbr title="Hypertext Transfer Protocol Secure">HTTPS</abbr> uses the <abbr title="Transport Layer Security">TLS</abbr> protocol to encrypt and authenticate web page visits.</p> <h2 class="text-info">Implement strong authentication</h2> <p>Authentication refers to the mechanisms used to validate a user’s identity.</p> <p>Implement a strong password and passphrase policy that includes multi-factor authentication (MFA) for additional security. Never send passwords in plaintext over the Internet. Instead, use hashes and encryption.</p> <p><strong>Hashing</strong> is a one-way function. It involves converting the data into a unique, fixed-length hash value. 
Hashing is a key component of cryptographic techniques used by browsers and systems to protect the integrity of transmitted data.</p> <p><strong>Encryption</strong> is scrambling data in a certain way that only someone with the corresponding key can decipher it. This is a two-way function. Encryption makes use of a cipher, a type of algorithm, to scramble the data.</p> <p>After a threshold of unsuccessful login attempts or other suspicious behaviour, lock accounts and delay logins. Ensure you have a secure account recovery process. See <a href="https://www.cyber.gc.ca/en/guidance/developing-your-it-recovery-plan-itsap40004">Developing your IT recovery plan (ITSAP.40.004)</a> to learn more.</p> <h2 class="text-info">Define access control</h2> <p>Access controls define who can access what resources on your website and restrict what information they can see and use. Define specific access controls and implement the principle of least privilege to ensure that users only have the access needed to carry out their authorized functions.</p> <p>Consider all web application access control layers, such as the Open Systems Interconnection (OSI) model’s application and presentation layers, data layer and network layer. Consider using the following types of permissions:</p> <ul><li>URL based</li> <li>file system and server</li> <li>application business logic (what the user can do)</li> </ul><p>Identify access control layers in your coding standards and rigorously test them before deploying your web services.</p> <h2 class="text-info">Assess your service providers</h2> <p>If using a service provider, you may not have access to the infrastructure or control over the associated security functions. However, even when using a service provider, your organization is still legally responsible for protecting the confidentiality and integrity of your data.</p> <p>Before contracting a service provider, review their data security and privacy protection capabilities and policies. 
Clearly define your organization’s and your service provider’s roles and responsibilities regarding security. You can use the sections in this document to guide your discussion with a service provider on their security capabilities.</p> <h2 class="text-info">Validate inputs</h2> <p>Input validation is the process of verifying that users and applications can only input properly formed data, such as in fields, forms, or queries.</p> <p>All inputs on your website should be considered untrusted. Validate inputs within your web services, including:</p> <ul><li>client browsers</li> <li>web application firewalls</li> <li>web servers</li> <li>databases</li> <li>application business logic</li> </ul><p>You should validate inputs as early as possible during the process to reduce strain on your servers. Test input validation during your development process.</p> <p>Inputs should also be controlled. Enforce expected input lengths to prevent invalid values and limit free-form inputs to minimize the risk of script injection. Hide <abbr title="Structured query language">SQL</abbr> error messages from end users, as these messages contain valuable information about your database.</p> <h2 class="text-info">Review your security configurations</h2> <p>Although vendor recommended security configurations generally provide a good baseline, these defaults may not provide the level of security needed to protect your systems and data from cyber threats. Be sure to review configurations to identify any vulnerabilities such as:</p> <ul><li>unused ports or web services</li> <li>unprotected files</li> <li>unprotected directories</li> </ul><p>You should turn off directory browsing, as it provides insight on your website’s structure. Remove any unnecessary web operation files, such as source code or backup files that could contain passwords.</p> <p>Deactivate browser credential caching. 
Although credential caching is convenient for users, it can put sensitive information at risk.</p> <p>You should implement configuration management to promote secure coding and maintain baselines across your organization.</p> <h2 class="text-info">Manage your sessions securely</h2> <p>A session is an exchange of information between two or more entities, such as two devices or a user and a web server. Session management is the process of initiating, controlling, maintaining, and ending these exchanges. If sessions aren’t managed securely, threat actors can interrupt or hijack sessions to intercept data or impersonate authenticated users.</p> <p>Randomize your session identifiers to prevent threat actors from inferring session identifier sequences. Session identifiers should have an acceptable minimum length to protect against brute force attacks.</p> <p>Store sensitive session tracking data on web service servers with an appropriate retention period and destroy it at the expiry date. Expire session data when a user logs out or is inactive for a specified time.</p> <p>Session cookies, also known as in-memory cookies, allow users to be recognized while they navigate the website, for example, items will stay in their carts while they’re shopping. Use the secure cookie attribute to prevent cookies from being sent over an unencrypted channel.</p> <h2 class="text-info">Secure your operations</h2> <p>Once your website is running, you need to prevent, identify, and respond to cyber threats and incidents. If possible, you should continuously monitor website activity for anomalous behaviours, such as repeated login or injection attempts. 
For example, in credential stuffing attacks, threat actors use leaked or stolen credentials and “stuff” them into login pages of other websites until matches are found.</p> <p>To promote the ongoing security and functionality of your web services, implement a patch management process to acquire, test, and install patches and updates on your systems and devices. Be sure to patch underlying systems, content management systems, web applications and plug-ins. Include a security.txt file on your website. It provides a clear and standardized way for security researchers to report vulnerabilities. Security.txt files ensure that critical issues are communicated promptly and securely to your organization. This proactive approach helps protect your users and your organization by facilitating faster responses to potential threats.</p> <p>You should also promote security awareness within your organization and with your customers. By being transparent about the steps that you are taking to protect data, you can foster trust with your partner organizations, supply chain and customers.</p> <div class="well well-sm mrgn-tp-lg"> <h2 class="mrgn-tp-sm" id="rci">Reporting a cyber incident</h2> <p>If your organization is a victim of fraud, contact your local police and file a report online through the <a href="https://antifraudcentre-centreantifraude.ca/report-signalez-eng.htm" rel="external">Canadian Anti-Fraud Centre’s online reporting system</a> or by phone at 1-888-495-8501. 
Report cyber incidents online via the Cyber Centre’s <a href="https://portal-portail.cyber.gc.ca/en/report/">My Cyber Portal</a>.</p> </div> <h2 class="text-info" id="lm">Learn more</h2> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/security-considerations-your-website-itsm60005">Security considerations for your website (ITSM.60.005)</a></li> <li><a href="https://cyber.gc.ca/en/guidance/website-defacement-itsap00060">Website defacement (ITSAP.00.060)</a></li> <li><a href="https://cyber.gc.ca/en/guidance/managing-and-controlling-administrative-privileges-itsap10094">Managing and controlling administrative privileges (ITSAP.10.094)</a></li> <li><a href="https://cyber.gc.ca/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts with multi-factor authentication (ITSAP.30.030)</a></li> <li><a href="https://cyber.gc.ca/en/guidance/protecting-your-organization-against-denial-service-attacks-itsap80100">Protecting your organization against denial of service attacks (ITSAP.80.100)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/distributed-denial-service-attacks-prevention-and-preparation-itsap80110">Distributed denial-of-service attacks—prevention and preparation (ITSAP.80.110)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/protect-your-organization-malware-itsap00057">Protect your organizations from malware (ITSAP.00.57)</a></li> <li><a href="https://www.cyber.gc.ca/en/identity-credential-and-access-management-icam-itsap30018">Identity, credential, and access management (ICAM) (ITSAP.30.018)</a></li> <li><a href="https://owasp.org/www-project-top-ten/">Top 10 Web Application Security Risks</a> (Open Worldwide Application Security Project)</li> </ul></div> </div> </div> </div> </div> </article>
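The session-handling advice under "Manage your sessions securely" above, as an added example that is not part of the Cyber Centre publication: random identifiers of a minimum length, server-side session data that expires on logout or inactivity, and a cookie that is never sent over an unencrypted channel. The timeout values, the cookie name and the `HttpOnly`/`SameSite` attributes are assumptions of this sketch, and the in-memory dictionary stands in for whatever server-side store a real site uses.

```python
import secrets
import time

# Assumed policy values for this example; the publication gives no numbers.
SESSION_ID_BYTES = 32            # 256 bits from the OS CSPRNG
IDLE_TIMEOUT_S = 15 * 60         # expire after 15 minutes of inactivity
ABSOLUTE_LIFETIME_S = 8 * 3600   # expire 8 hours after creation regardless


class SessionStore:
    """Server-side session store: the browser only ever holds the opaque ID."""

    def __init__(self, clock=time.time):
        self._sessions = {}      # sid -> {"user", "created", "last_seen"}
        self._clock = clock      # injectable so expiry can be tested

    def create(self, user_id):
        # secrets.token_urlsafe draws from the OS CSPRNG, so identifiers
        # cannot be inferred from earlier ones and are long enough to
        # make guessing impractical.
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        now = self._clock()
        self._sessions[sid] = {"user": user_id, "created": now, "last_seen": now}
        return sid

    def _expired(self, record, now):
        return (now - record["last_seen"] > IDLE_TIMEOUT_S
                or now - record["created"] > ABSOLUTE_LIFETIME_S)

    def lookup(self, sid):
        """Return the user for a live session, or None. Expired data is destroyed."""
        if not isinstance(sid, str):
            return None
        record = self._sessions.get(sid)
        if record is None:
            return None
        now = self._clock()
        if self._expired(record, now):
            del self._sessions[sid]
            return None
        record["last_seen"] = now    # activity resets the idle timer only
        return record["user"]

    def destroy(self, sid):
        """Call on logout so the identifier is useless immediately."""
        self._sessions.pop(sid, None)

    def purge_expired(self):
        """Periodic sweep: destroy session data past its retention period."""
        now = self._clock()
        stale = [s for s, r in self._sessions.items() if self._expired(r, now)]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)


def session_cookie(sid):
    # Secure: never sent over plain HTTP (the attribute the page calls for).
    # HttpOnly and SameSite are additions in this example: they keep the
    # cookie away from page scripts and from most cross-site requests.
    # No Expires/Max-Age, so it stays an in-memory session cookie.
    return f"__Host-session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")          # constructed sample user
    print(session_cookie(sid))
    print("live user:", store.lookup(sid))
    store.destroy(sid)                   # logout
    print("after logout:", store.lookup(sid))
```
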

  • Advisory on North Korean information technology (IT) workers
    by Canadian Centre for Cyber Security on July 18, 2025 at 4:11 pm

    <article data-history-node-id="6556" about="/en/news-events/advisory-north-korean-information-technology-workers" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> </div> </div> </div> </article>

  • Cyber threat bulletin: Iranian cyber threat to Canada from Israel-Iran conflict
    by Canadian Centre for Cyber Security on July 9, 2025 at 2:31 pm

    <article data-history-node-id="6527" about="/en/guidance/cyber-threat-bulletin-iranian-cyber-threat-canada-israel-iran-conflict" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><h2 class="text-info">Overview of cyber threat to Canada from Iran</h2> <p>On June 13, 2025, the State of Israel (Israel) launched military strikes against the Islamic Republic of Iran (Iran). On June 22, 2025, the United States (U.S.) carried out precision airstrikes on Iranian nuclear facilities.</p> <p>After the U.S. operation against Iran, the U.S. Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, the Department of Defense Cyber Crime Center, the National Security Agency, and the Department of Homeland Security warned of potential retaliatory cyber threat activity against U.S. critical infrastructure and other U.S. entities by Iranian-affiliated cyber actors.<sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup></p> <p>It is very unlikely that Canada’s critical infrastructure and other Canadian networks are a priority target for retaliatory Iranian cyber threat activity. Canada was not a party to the U.S. and Israeli strikes against Iran. However, we assess that Canada would likely be an indirect or collateral victim of Iranian cyber threat activity that is intended to target the U.S. 
In addition, Iran will likely continue to engage in cyber-enabled transnational repression against individuals in Canada that the Iranian regime considers a threat, especially those advocating for regime change in Iran.</p> <h2 class="text-info">Threat activity</h2> <ul><li>Iranian state-sponsored cyber threat actors conduct disruptive cyber-enabled information operations to further Iran’s geopolitical objectives and the regime’s interests. Iran has developed a network of hacktivist personas and social media channels that exploit these disruptive events to intimidate Iran’s opponents and shape public opinion.<sup id="fn3-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup></li> <li>Iranian state-sponsored cyber threat actors opportunistically target poorly secured critical infrastructure (CI) networks and internet-connected devices around the world, including those associated with the water and energy sectors.<sup id="fn4-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup> Iranian cyber threat actors have performed denial-of-service attacks, attempted to manipulate industrial control systems, and accessed networks to encrypt, wipe, and leak data.<sup id="fn5-rf"><a class="fn-lnk" href="#fn5"><span class="wb-inv">Footnote </span>5</a></sup></li> <li>Pro-Iran hacktivists conduct cyber threat activity against Iran’s rivals, but often overstate their impact. In response to the U.S. airstrikes on Iranian nuclear sites, pro-Iran hacktivist groups claimed to have conducted distributed denial-of-service (DDoS) attacks against websites associated with the U.S. military, U.S. defence companies and U.S. 
financial institutions.<sup id="fn6-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup></li> <li>It is very unlikely that Canada’s critical infrastructure and other Canadian networks are a priority target for retaliatory cyber threat activity by Iranian state-sponsored cyber threat actors or pro-Iran hacktivists. However, Canada would likely be an indirect or collateral victim of Iranian cyber threat activity that is intended to target the U.S. This threat is elevated due to North American interconnectivity in key CI sectors, such as energy and transportation.</li> <li>Iranian cyber-enabled transnational repression will likely remain a threat to Canada. Iranian state-sponsored cyber threat actors likely conduct cyber espionage against individuals in Canada that the Iranian regime considers a threat, such as political activists, journalists, and human rights advocates.<sup id="fn7-rf"><a class="fn-lnk" href="#fn7"><span class="wb-inv">Footnote </span>7</a></sup> In the aftermath of the conflict, we assess that Iranian cyber threat actors will likely target opponents abroad, especially those advocating for regime change in Iran.<sup id="fn8-rf"><a class="fn-lnk" href="#fn8"><span class="wb-inv">Footnote </span>8</a></sup></li> </ul><div class="well"><strong>Iranian state-sponsored cyber threat group compromises Israeli-made devices</strong> <p>Between November 2023 and January 2024, an Iranian Revolutionary Guard Corps (IRGC) cyber unit using the persona CyberAv3ngers conducted a global campaign that targeted and defaced poorly secured, Israeli-made devices used in critical infrastructure. One victim was a municipal water authority in the U.S. 
that used default passwords.<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup> This activity was likely conducted in response to the Israel-Hamas conflict.</p> </div> <h2 class="text-info">Characteristics of Iranian cyber threat activity</h2> <div> <h3>Compelling social engineering</h3> <p>Iranian cyber threat groups are particularly sophisticated in combining social engineering with spear phishing, using these efforts to target public officials and gain access to government networks and private sector organizations globally.<sup id="fn9-rf"><a class="fn-lnk" href="#fn9"><span class="wb-inv">Footnote </span>9</a></sup> Iranian social engineering efforts focus on using professional interactions on social media platforms to gain information about organizations related to Iran’s political, economic and military interests, particularly in the aerospace, energy, defence, security, and telecommunications sectors.<sup id="fn9a-rf"><a class="fn-lnk" href="#fn9"><span class="wb-inv">Footnote </span>9</a></sup></p> </div> <div> <h3>Exploiting known vulnerabilities</h3> <p>Iranian cyber threat actors exploit known vulnerabilities to gain initial access to systems, and then leverage this access for follow-on operations such as data exfiltration or encryption, ransomware, and extortion.<sup id="fn10-rf"><a class="fn-lnk" href="#fn10"><span class="wb-inv">Footnote </span>10</a></sup> Iranian cyber threat actors opportunistically identify targets using publicly available scanning tools to search for internet-exposed systems with vulnerable configurations, for example devices using default or weak passwords and without multi-factor authentication.<sup id="fn11-rf"><a class="fn-lnk" href="#fn11"><span class="wb-inv">Footnote </span>11</a></sup></p> </div> <div> <h3>Disruptive and destructive cyber attacks</h3> <p>Iranian cyber threat actors typically conduct DDoS attacks and website / device defacements to temporarily disrupt target 
networks. They also deploy ransomware and destructive wiper malware and conduct hack-and-leak operations against compromised targets.<sup id="fn12-rf"><a class="fn-lnk" href="#fn12"><span class="wb-inv">Footnote </span>12</a></sup></p> </div> <h2 class="text-info">Useful resources</h2> <p>Refer to the following online resources for more information and useful advice and guidance.</p> <h3>Reports and advisories</h3> <ul><li>Canada’s threat assessments <ul><li><a href="/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a></li> </ul></li> <li>Advisories and partner publications <ul><li><a href="/en/guidance/targeted-manipulation-irans-social-engineering-and-spear-phishing-campaigns">Targeted manipulation: Iran’s social engineering and spear phishing campaigns</a></li> <li><a href="https://www.cisa.gov/resources-tools/resources/enhanced-visibility-and-hardening-guidance-communications-infrastructure">Enhanced Visibility and Hardening Guidance for Communications Infrastructure</a></li> </ul></li> </ul><h3>Advice and guidance</h3> <ul><li><a href="/en/cyber-security-readiness/cyber-security-readiness-goals-securing-our-most-critical-systems">Cyber Security Readiness Goals (CRGs): Securing Our Most Critical Systems</a></li> <li><a href="/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit">Cross-Sector Cyber Security Readiness Goals Toolkit</a></li> <li><a href="/en/guidance/security-considerations-edge-devices-itsm80101">Security Considerations for Edge Devices</a></li> <li><a href="/en/guidance/security-considerations-your-website-itsm60005">Security considerations for your website</a></li> <li><a href="/en/guidance/top-10-it-security-actions-protect-internet-connected-networks-and-information-itsm10089">Top 10 IT security actions to protect Internet connected networks and information</a></li> <li><a 
href="/en/guidance/top-10-it-security-action-items-no2-patch-operating-systems-and-applications-itsm10096">Top 10 IT security action items: No.2 patch operating systems and applications</a></li> <li><a href="/en/guidance/protect-your-organization-malware-itsap00057">Protect your organization from malware</a></li> <li><a href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication</a></li> <li><a href="/en/guidance/defending-against-distributed-denial-service-ddos-attacks-itsm80110">Defending against distributed denial of service (DDoS) attacks</a></li> </ul><h2 class="text-info">About this document</h2> <h3>Contact</h3> <p>For follow-up questions or issues, please contact the Canadian Centre for Cyber Security (Cyber Centre) at <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>.</p> <h3>Assessment base and methodology</h3> <p>The key judgements in this assessment rely on reporting from multiple sources, both classified and unclassified. The judgements are based on the Cyber Centre’s knowledge and expertise in cyber security. Defending the Government of Canada’s information systems provides the Cyber Centre with a unique perspective to observe trends in the cyber threat environment, which also informs our assessments. CSE’s foreign intelligence mandate provides us with valuable insight into adversary behavior in cyberspace. While we must always protect classified sources and methods, we provide the reader with as much justification as possible for our judgements.</p> <p>Our key judgements are based on an analytical process that includes evaluating the quality of available information, exploring alternative explanations, mitigating biases and using probabilistic language. We use terms such as “we assess” or “we judge” to convey an analytic assessment. 
We use qualifiers such as “possibly”, “likely”, and “very likely” to convey probability.</p> <p>The contents of this document are based on information available as of June 27, 2025.</p> <div class="panel panel-default col-md-12"> <div class="panel-body"> <figure><figcaption class="mrgn-bttm-md"><strong>Estimative language</strong></figcaption><p class="mrgn-bttm-lg">The chart below matches estimative language with appropriate percentages. These percentages are not derived via statistical analysis, but are based on logic, available information, prior judgements, and methods that increase the accuracy of estimates.</p> <img alt="Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/tarp-language-chart-transparent-e.png" /><details class="brdr-tp brdr-rght brdr-bttm brdr-lft mrgn-bttm-sm"><summary>Long description – Estimative language chart </summary><ul class="list-unstyled mrgn-tp-md"><li>1 to 9%  Almost no chance</li> <li>10 to 24%  Very unlikely/very improbable</li> <li>25 to 39% Unlikely/improbable</li> <li>40 to 59% Roughly even chance</li> <li>60 to 74% Likely/probably</li> <li>75 to 89% Very likely/very probable</li> <li>90 to 99% Almost certainly</li> </ul></details></figure></div> </div> <!--FOOTNOTE SECTION EN--> <aside class="wb-fnote" role="note"><h2 id="reference">References</h2> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p>U.S. 
Department of Homeland Security, “<a href="https://www.dhs.gov/ntas/advisory/national-terrorism-advisory-system-bulletin-june-22-2025">National Terrorism Advisory System Bulletin – Issued June 22, 2025,</a>” June 22, 2025; Cybersecurity and Infrastructure Security Agency, “<a href="https://www.cisa.gov/resources-tools/resources/iranian-cyber-actors-may-target-vulnerable-us-networks-and-entities-interest">Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest</a>,” June 27, 2025.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote</span>1<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 2</dt> <dd id="fn2"> <p>Cybersecurity and Infrastructure Security Agency, “<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a">IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities</a>,” December 18, 2024; Counter Threat Unit Research Team, “<a href="https://www.secureworks.com/blog/iranian-cyber-av3ngers-compromise-unitronics-systems">Iranian Cyber Av3ngers Compromise Unitronics Systems</a>,” Secureworks, December 7, 2023.</p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote</span>2<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 3</dt> <dd id="fn3"> <p>Canadian Centre for Cyber Security, “<a href="/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a>,” October 30, 2024.</p> <p class="fn-rtn"><a href="#fn3-rf"><span class="wb-inv">Return to footnote</span>3<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 4</dt> <dd id="fn4"> <p>Cybersecurity and Infrastructure Security Agency, “<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a">IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities</a>,” December 18, 2024; U.S. 
Department of Homeland Security, “<a href="https://www.dhs.gov/ntas/advisory/national-terrorism-advisory-system-bulletin-june-22-2025">National Terrorism Advisory System Bulletin – Issued June 22, 2025</a>,” June 22, 2025; Andy Greenberg, “<a href="https://www.wired.com/story/cyberav3ngers-iran-hacking-water-and-gas-industrial-systems/">CyberAv3ngers: The Iranian Saboteurs Hacking Water and Gas Systems Worldwide</a>,” Wired, April 14, 2025.</p> <p class="fn-rtn"><a href="#fn4-rf"><span class="wb-inv">Return to footnote</span>4<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 5</dt> <dd id="fn5"> <p>Canadian Centre for Cyber Security, “<a href="/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a>,” October 30, 2024; Cybersecurity and Infrastructure Security Agency, “<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a">Iranian State Actors Conduct Cyber Operations Against the Government of Albania</a>,” September 23, 2022.</p> <p class="fn-rtn"><a href="#fn5-rf"><span class="wb-inv">Return to footnote</span>5<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 6</dt> <dd id="fn6"> <p>Cyble, “<a href="https://cyble.com/blog/hacktivists-launch-ddos-attacks-at-us-iran-bombings/">Hacktivists Launch DDoS Attacks at U.S. 
Following Iran Bombings</a>,” June 24, 2025.</p> <p class="fn-rtn"><a href="#fn6-rf"><span class="wb-inv">Return to footnote</span>6<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 7</dt> <dd id="fn7"> <p>Canadian Centre for Cyber Security, “<a href="/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a>,” October 30, 2024.</p> <p class="fn-rtn"><a href="#fn7-rf"><span class="wb-inv">Return to footnote</span>7<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 8</dt> <dd id="fn8"> <p>CBC News, “<a href="https://www.cbc.ca/news/world/iran-internal-crackdown-1.7570782">Iranian government turns to internal crackdown with arrests, executions</a>,” June 25, 2025.</p> <p class="fn-rtn"><a href="#fn8-rf"><span class="wb-inv">Return to footnote</span>8<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 9</dt> <dd id="fn9"> <p>Canadian Centre for Cyber Security, “<a href="/en/guidance/targeted-manipulation-irans-social-engineering-and-spear-phishing-campaigns">Targeted manipulation: Iran’s social engineering and spear phishing campaigns</a>,” December 20, 2024.</p> <p class="fn-rtn"><a href="#fn9-rf"><span class="wb-inv">Return to footnote</span>9<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 10</dt> <dd id="fn10"> <p>Cybersecurity and Infrastructure Security Agency, “<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a">Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities</a>,” November 19, 2021.</p> <p class="fn-rtn"><a href="#fn10-rf"><span class="wb-inv">Return to footnote</span>10<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 11</dt> <dd id="fn11"> <p>Cybersecurity and Infrastructure Security Agency, “<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-259a">Iranian Islamic Revolutionary Guard Corps-Affiliated 
Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations</a>,” September 14, 2022.</p> <p class="fn-rtn"><a href="#fn11-rf"><span class="wb-inv">Return to footnote</span>11<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 12</dt> <dd id="fn12"> <p>Cybersecurity and Infrastructure Security Agency, “<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a">Iranian State Actors Conduct Cyber Operations Against the Government of Albania</a>,” September 23, 2022.</p> <p class="fn-rtn"><a href="#fn12-rf"><span class="wb-inv">Return to footnote</span>12<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></div> </div> </div> </div> </div> </article>

  • Canadian Common Criteria program requirements and procedures for testing laboratories
    by Canadian Centre for Cyber Security on July 4, 2025 at 4:04 pm

    Process by which a commercial organization may become an approved Common Criteria testing lab

  • Roadmap for the migration to post-quantum cryptography for the Government of Canada (ITSM.40.001)
    by Canadian Centre for Cyber Security on June 24, 2025 at 6:55 pm

    <article data-history-node-id="6471" about="/en/guidance/roadmap-migration-post-quantum-cryptography-government-canada-itsm40001" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>June 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.40.001</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>June 2025 | Management series</strong></p> </div> <!–pdf download–> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsm.40.001-migration-post-quantum-cryptography-government-canada-e.pdf">Roadmap for the migration to post-quantum cryptography for the Government of Canada – ITSM.40.001 (PDF, 635 KB)</a></p> </div> <h2 class="text-info mrgn-tp-0">Foreword</h2> <p>This is an UNCLASSIFIED publication, issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre). 
For more information or to suggest amendments, email or phone our Contact Centre:</p> <p><span class="glyphicon glyphicon-envelope"></span><span class="wb-inv">email</span> <a href="mailto:cryptography-cryptographie@cyber.gc.ca">cryptography-cryptographie@cyber.gc.ca</a> |<span class="glyphicon glyphicon-phone"></span><span class="wb-inv">Mobile</span> <a href="tel:613-949-7048">613-949-7048</a> or <a href="tel:+1-833-292-3788">1<span>‑</span>833<span>‑</span>CYBER<span>‑</span>88</a></p> <h2 class="text-info">Effective date</h2> <p>This publication takes effect on June 23, 2025</p> <h2 class="text-info">Revision history</h2> <ol><li>First release: June 23, 2025</li> </ol></div> </div> <section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#0">Overview</a></li> <li><a href="#1">1 Introduction</a></li> <li><a href="#2">2 Stakeholders and planning</a></li> <li><a href="#3">3 Execution phases</a> <ul><li><a href="#3.1">3.1 Preparation</a> <ul><li><a href="#3.1.1">3.1.1 Roles and responsibilities</a></li> <li><a href="#3.1.2">3.1.2 Financial planning</a></li> <li><a href="#3.1.3">3.1.3 Education strategy</a></li> <li><a href="#3.1.4">3.1.4 Procurement policies</a></li> <li><a href="#3.1.5">3.1.5 Plan approaches for identification</a></li> </ul></li> <li><a href="#3.2">3.2 Identification</a></li> <li><a href="#3.3">3.3 Transition</a></li> </ul></li> <li><a href="#4">4 Milestones and deliverables</a></li> <li><a href="#5">5 Governance and coordination</a> <ul><li><a href="#5.1">5.1 Relevant Government of Canada governance bodies</a></li> <li><a href="#5.2">5.2 Reporting on progress</a></li> <li><a href="#5.3">5.3 Additional resources and support</a></li> </ul></li> </ul></details></section><section><h2 class="text-info" id="0">Overview</h2> <p>Every organization managing information technology (IT) systems must migrate cyber security components to become quantum-safe. 
This will help protect against the cryptographic threat of a future quantum computer. The Cyber Centre recommends the adoption of standardized post-quantum cryptography (PQC) to mitigate this threat.</p> <p>This publication outlines the Cyber Centre’s recommended roadmap for the Government of Canada (GC) to migrate non-classified <abbr title="information technology">IT</abbr> systems<sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup> to use <abbr title="post-quantum cryptography">PQC</abbr>, including milestones, deliverables, and guidance for departmental planning and execution.</p> <p>Milestones and deliverables for federal departments and agencies are as follows:</p> <ul><li>April 2026: Develop an initial departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan</li> <li>Beginning April 2026 and annually after: Report on <abbr title="post-quantum cryptography">PQC</abbr> migration progress</li> <li>End of 2031: Completion of <abbr title="post-quantum cryptography">PQC</abbr> migration of high priority systems</li> <li>End of 2035: Completion of <abbr title="post-quantum cryptography">PQC</abbr> migration of remaining systems</li> </ul></section><section><h2 class="text-info" id="1">1 Introduction</h2> <p>The Cyber Centre recommends organizations managing <abbr title="information technology">IT</abbr> systems migrate to use <abbr title="post-quantum cryptography">PQC</abbr> in order to replace public-key cryptography vulnerable to a future quantum computer<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup>. 
All instances of public-key cryptography must be migrated to secure <abbr title="Government of Canada">GC</abbr> <abbr title="information technology">IT</abbr> systems and Canadians’ data against this threat.</p> <p>The United States’ National Institute of Standards and Technology (NIST) has worked globally with cryptographic experts to standardize <abbr title="post-quantum cryptography">PQC</abbr> algorithms that can replace existing vulnerable public-key cryptography. Cyber Centre recommendations for <abbr title="post-quantum cryptography">PQC</abbr> algorithms are provided in <a href="https://www.cyber.gc.ca/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information (ITSP 40.111)</a>. As standards for network security protocols support <abbr title="post-quantum cryptography">PQC</abbr> algorithms, the Cyber Centre will update the <a href="https://www.cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a> publication. Vendors are incorporating <abbr title="post-quantum cryptography">PQC</abbr> in their products to rapidly meet the needs of government and industry.</p> <p>The <abbr title="post-quantum cryptography">PQC</abbr> migration within the <abbr title="Government of Canada">GC</abbr> will require significant commitment and take several years. The Cyber Centre is working with Treasury Board of Canada Secretariat (TBS) and Shared Services Canada (SSC) to prepare necessary updates to <abbr title="Government of Canada">GC</abbr> guidance, support and policy. Departments will need to clearly understand their cryptography usage. <abbr title="information technology">IT</abbr> infrastructure, both hardware and software, and data will need to be analyzed across the entire enterprise. 
Starting the <abbr title="post-quantum cryptography">PQC</abbr> migration early is important to leverage existing <abbr title="information technology">IT</abbr> lifecycle budgets as much as possible.</p> <p>This publication is the Cyber Centre’s recommended roadmap for the migration of non-classified <abbr title="information technology">IT</abbr> systems within the <abbr title="Government of Canada">GC</abbr> to use <abbr title="post-quantum cryptography">PQC</abbr>. It outlines the stakeholders, execution phases, milestones and governance involved in this <abbr title="Government of Canada">GC</abbr>-wide cyber security activity. The intention is to provide key activities and timelines that will assist in coordination of departmental planning activities for migrating to <abbr title="post-quantum cryptography">PQC</abbr> across the <abbr title="Government of Canada">GC</abbr>. It is aimed at directors and managers of <abbr title="information technology">IT</abbr> systems in federal departments and agencies and decision makers accountable for the migration to <abbr title="post-quantum cryptography">PQC</abbr>.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="text-info" id="2">2 Stakeholders and planning</h2> <p>The Cyber Centre is the lead technical authority for information technology (IT) security in the <abbr title="Government of Canada">GC</abbr><sup id="fn3-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup>. 
As part of Canada’s cryptologic agency, the Communications Security Establishment Canada, the Cyber Centre:</p> <ul><li>promotes awareness of the quantum computing threat to cryptography to <abbr title="Government of Canada">GC</abbr> departments</li> <li>provides guidance on cryptographic recommendations, such as the use of <abbr title="post-quantum cryptography">PQC</abbr></li> <li>provides recommendations on incorporating cryptography into a strong cyber security posture</li> </ul><p>The Cyber Centre will continue to provide relevant advice and guidance to support <abbr title="Government of Canada">GC</abbr> departments and agencies in the migration to <abbr title="post-quantum cryptography">PQC</abbr>.</p> <p><abbr title="Treasury Board of Canada Secretariat">TBS</abbr> is responsible for establishing and overseeing a whole-of-government approach to security management, including cyber security, through policy leadership, strategic direction, and oversight. In May 2024, <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> published the <a href="https://www.canada.ca/en/government/system/digital-government/online-security-privacy/enterprise-cyber-security-strategy.html">Government of Canada’s Enterprise Cyber Security Strategy</a> identifying a key action to transition <abbr title="Government of Canada">GC</abbr> systems to use standardized <abbr title="post-quantum cryptography">PQC</abbr> to protect <abbr title="Government of Canada">GC</abbr> information and assets from the quantum threat. 
<abbr title="Treasury Board of Canada Secretariat">TBS</abbr> will issue the necessary policy instruments to require responsible officials to establish a departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan as well as report on progress under existing departmental reporting processes.</p> <p><abbr title="Shared Services Canada">SSC</abbr> manages <abbr title="information technology">IT</abbr> infrastructure and services on behalf of many of the departments and agencies across the <abbr title="Government of Canada">GC</abbr>. Due to its critical role in modernizing <abbr title="Government of Canada">GC</abbr> systems, <abbr title="Shared Services Canada">SSC</abbr> is already engaged in developing a plan for the migration to <abbr title="post-quantum cryptography">PQC</abbr> and is working directly with the Cyber Centre and <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> to advise on the feasibility of implementation.</p> <p>Federal departments and agencies in the <abbr title="Government of Canada">GC</abbr> are accountable for managing cyber security risks in their program areas. Departments and agencies will be responsible for maintaining software hosted on <abbr title="Shared Services Canada">SSC</abbr>-managed <abbr title="information technology">IT</abbr> infrastructure, and any <abbr title="information technology">IT</abbr> infrastructure that is managed separately from <abbr title="Shared Services Canada">SSC</abbr>, including contracted cloud services. Departments and agencies will be required to develop a tailored departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan that covers the migration of systems for which they are responsible to use <abbr title="post-quantum cryptography">PQC</abbr>. Departments and agencies will be responsible for executing that plan, as well as tracking and reporting on progress. 
This publication contains the initial considerations that can be used to develop a departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan, but additional guidance and support will be provided by <abbr title="Treasury Board of Canada Secretariat">TBS</abbr>, <abbr title="Shared Services Canada">SSC</abbr> and the Cyber Centre.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="text-info" id="3">3 Execution phases</h2> <p>This roadmap outlines 3 recommended phases to implement the <abbr title="post-quantum cryptography">PQC</abbr> migration. These phases will likely overlap.</p> <h3 id="3.1">3.1 Preparation</h3> <p>During the preparation phase, departments and agencies will be responsible for developing a departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan to migrate systems for which they are responsible to use <abbr title="post-quantum cryptography">PQC</abbr>. To develop this plan, we recommend establishing a committee and identifying a dedicated migration lead. The committee should consist of stakeholders throughout the organization and should include at least one member from senior management to ensure executive buy-in and support. In addition to technical areas responsible for managing <abbr title="information technology">IT</abbr> systems, we recommend the inclusion of stakeholders from non-technical areas such as finance, project management, procurement and asset management.</p> <p>The departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan needs to be continually revised and expanded upon during the execution of the subsequent phases. 
The initial version of the departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan should establish the individuals responsible for the following:</p> <ul><li>execution of the plan</li> <li>financial planning</li> <li>education strategy to inform staff on the quantum threat and the progress of this migration within the organization</li> <li>procurement policies for new equipment</li> <li>approaches for the identification of vulnerable systems to build an inventory for transition</li> </ul><h4 id="3.1.1">3.1.1 Roles and responsibilities</h4> <p>The departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan must identify individuals responsible for various tasks in the execution of the plan. Ultimately, the Designated Official for Cyber Security (DOCS) is accountable for mitigating the quantum risk to cyber security. We recommend the <abbr title="Designated Official for Cyber Security">DOCS</abbr>, or a delegated executive official, be assigned the role of <abbr title="post-quantum cryptography">PQC</abbr> Migration Executive Lead to provide:</p> <ul><li>oversight</li> <li>accountability</li> <li>executive support for the execution of the departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan</li> </ul><p>The coordination and cross-departmental engagement may be performed by a <abbr title="post-quantum cryptography">PQC</abbr> Migration Technical Lead. The Technical Lead would be responsible for facilitating coordination across the organization which may include service delivery, network management and <abbr title="information technology">IT</abbr> procurement, as well as other areas pertinent to the migration. 
The committee established to develop the departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan may be repurposed for managing the execution of the plan.</p> <h4 id="3.1.2">3.1.2 Financial planning</h4> <p>Departments and agencies should expect that many existing <abbr title="information technology">IT</abbr> systems may need to be replaced, or new service contracts put into place to support <abbr title="post-quantum cryptography">PQC</abbr>. The execution of the <abbr title="post-quantum cryptography">PQC</abbr> migration will have staffing impacts that may require new hiring, external contractors, or the realignment of roles that could affect other projects or work activities. The departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan must have a cost estimate that includes resource allocation to complete the execution. The initial version of the plan will not be comprehensive in its cost estimation, but the financial estimates can be refined as the identification and transition phases proceed.</p> <p>The costs associated with this <abbr title="post-quantum cryptography">PQC</abbr> migration may be reduced by utilizing existing IT equipment lifecycles and system modernization plans. To do so, it is critical to perform the initial phases of this plan quickly to identify where these cost efficiencies can be leveraged. Delays resulting in rushed procurement will increase costs.</p> <h4 id="3.1.3">3.1.3 Education strategy</h4> <p>It is important that staff across the organization are aware of the quantum threat and the impact it may have on the systems they use or are responsible for. The <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> GCxchange platform will be leveraged to share artifacts with departments and agencies, including material produced by the Cyber Centre, such as presentations and publications for a variety of audiences. 
The Cyber Centre’s Learning Hub will provide course material to educate on the quantum threat to cryptography. Senior executives must be briefed to be aware of the impact the migration to <abbr title="post-quantum cryptography">PQC</abbr> will have on their operations.</p> <p>As the <abbr title="post-quantum cryptography">PQC</abbr> migration progresses, it’s important to keep senior executives informed of developments and progress, including any emerging challenges or roadblocks that teams may face.</p> <h4 id="3.1.4">3.1.4 Procurement policies</h4> <p>To maximize the lifetime of new systems, departments and agencies should ensure new procurements have requirements that support <abbr title="post-quantum cryptography">PQC</abbr>. The Cyber Centre strongly recommends that systems employ established cyber security standards. Following standards provides assurance of independent security review and promotes interoperability to avoid vendor lock-in. Some cyber security standards are still being revised to support <abbr title="post-quantum cryptography">PQC</abbr>. The Cyber Centre is updating Guidance for securely configuring network protocols (ITSP.40.062) as <abbr title="post-quantum cryptography">PQC</abbr> support is finalized in standards. It is expected that support for <abbr title="post-quantum cryptography">PQC</abbr> may not be currently available in some product categories.</p> <p>The Cyber Centre has recommended contract clauses for systems containing cryptographic modules. These are available upon request and will be made more widely available. 
In general, departments and agencies should consider the following best practices for procurements:</p> <ul><li>contracts have clauses to ensure that the vendor will include support for <abbr title="post-quantum cryptography">PQC</abbr> that is compliant with Cyber Centre recommendations in Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information (ITSP.40.111)</li> <li>cryptographic modules have been certified by the <a href="https://www.cyber.gc.ca/en/tools-services/cryptographic-module-validation-program-cmvp">Cryptographic Module Validation Program</a></li> <li>support for <a href="https://www.cyber.gc.ca/en/guidance/guidance-becoming-cryptographically-agile-itsap40018">cryptographic agility</a> to allow for future configuration changes</li> </ul><p>The earlier <abbr title="post-quantum cryptography">PQC</abbr> is included in procurement clauses, the lower the costs departments will face during the migration.</p> <h4 id="3.1.5">3.1.5 Plan approaches for identification</h4> <p>The next phase in this roadmap is the identification of where cryptography is used in <abbr title="information technology">IT</abbr> systems. Sometimes called cryptographic discovery, this identification is necessary to create an inventory of systems that need to be transitioned. The departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan must include the approaches that will be undertaken to identify systems and build this inventory. More detail on identification is provided in the next section.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <h3 id="3.2">3.2 Identification</h3> <p>Identifying where and how cryptography is used is a critical step in the process to migrate to <abbr title="post-quantum cryptography">PQC</abbr>. 
Systems using cryptography will include:</p> <ul><li>network services</li> <li>operating systems</li> <li>applications</li> <li>code development pipelines</li> <li>all physical <abbr title="information technology">IT</abbr> assets, such as <ul><li>server racks</li> <li>desktops</li> <li>laptops</li> <li>mobile telephones</li> <li>network appliances</li> <li>printers</li> <li>voice over Internet Protocol telephony</li> <li>hardware security modules</li> <li>smart cards</li> <li>hardware tokens</li> </ul></li> </ul><p>These may be hosted on-premises, within contracted <abbr title="information technology">IT</abbr> platforms, or a cloud service provider, or under employee possession. The scope is wide, thus making identification a challenging task.</p> <p>The information gathered in this phase will be used to create an inventory that should include the following information per system:</p> <ul><li>system components employing cryptography</li> <li>vendor and product version for each of the components</li> <li>security controls that rely upon the identified cryptography<sup id="fn4-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup></li> <li>applicable network security zones</li> <li>current cryptographic configurations</li> <li>hosting platform</li> <li>system dependencies</li> <li>relevant service contracts and expiry dates</li> <li>expected refresh year for the system or its components</li> <li>responsible departmental point of contact</li> <li>if the system should be prioritized for migration</li> </ul><p>Other technical information may be relevant to include in the inventory. The Cyber Centre will provide additional guidance to departments as experience grows within the <abbr title="Government of Canada">GC</abbr>.</p> <p>Departments must identify systems that are a high priority for migrating to <abbr title="post-quantum cryptography">PQC</abbr>. 
Systems protecting the confidentiality of information in transit over public network zones<sup id="fn5-rf"><a class="fn-lnk" href="#fn5"><span class="wb-inv">Footnote </span>5</a></sup> may be at risk earlier than expected due to the harvest now, decrypt later (HNDL) threat. A <abbr title="harvest now, decrypt later">HNDL</abbr> threat is when a threat actor intercepts encrypted information, stores it and then decrypts it in the future, when sufficiently powerful quantum computers exist. It is recommended that any systems susceptible to a <abbr title="harvest now, decrypt later">HNDL</abbr> threat be a high priority for migrating to <abbr title="post-quantum cryptography">PQC</abbr>. Other considerations include the information lifespan, support for cryptographic agility, and the impact of compromise. It may be valuable to complete a risk assessment for the quantum threat to ensure that systems are properly prioritized.</p> <p>Discovery of systems containing vulnerable cryptography should utilize multiple methodologies. Leveraging existing <abbr title="information technology">IT</abbr> service management (ITSM) processes within the organization may be an efficient way to produce an initial departmental inventory. Lifecycle and change management committees should have much of the information needed for an inventory system entry. However, in practice, ITSM maturity may vary across departments.</p> <p>Software tools and services will be necessary to complete cryptographic discovery. This may leverage existing cyber security services, such as security information and event management (SIEM) solutions, network monitoring and inspection, and endpoint detection and response (EDR) technologies. These services may require configuration changes, third-party plugins, or additional filters to identify the use of cryptography. Independent tools for cryptography discovery will employ technology for scanning networks, hosts, log files, or source code. 
The <a href="https://www.cse-cst.gc.ca/en/accountability/transparency/reports/communications-security-establishment-annual-report-2023-2024#9-1-1">Cyber Centre’s sensors program</a> is a tool expected to assist departments in identification. Additional guidance on cryptographic discovery tools and services will be provided to departments by the <abbr title="information technology">IT</abbr> Security Tripartite, which includes <abbr title="Treasury Board of Canada Secretariat">TBS</abbr>, <abbr title="Shared Services Canada">SSC</abbr>, and the Cyber Centre.</p> <p>It is important not to be overwhelmed by the discovery effort: begin with an initial, incomplete inventory and plan actions to improve the data iteratively.</p> <p>During the identification phase, departments should use the inventory to engage relevant <abbr title="information technology">IT</abbr> vendors and contractors to determine their plans to implement <abbr title="post-quantum cryptography">PQC</abbr> in their products and services. Understanding which system components will be eligible for upgrades versus replacement will assist in the next phase of developing a transition plan.</p> <h3 id="3.3">3.3 Transition</h3> <p>The transition phase leverages the inventory created in the identification phase to plan and execute system upgrades, replacement, tunnelling, and/or isolation.</p> <p>In addition to the inventory data, the plan must consider departmental resources for identifying and assessing solutions, performing necessary procurements, testing, and deployment. 
The plan for each system will typically require multiple stages and should be integrated with existing <abbr title="information technology">IT</abbr> change management processes to ensure proper preparation including:</p> <ul><li>an impact assessment</li> <li>a rollback playbook</li> <li>a staging environment for testing changes</li> <li>monitoring to validate successful operation post-transition</li> </ul><p>For each system, technical teams must identify and assess solutions to incorporate <abbr title="post-quantum cryptography">PQC</abbr> or otherwise mitigate the quantum threat. The availability of <abbr title="post-quantum cryptography">PQC</abbr>-capable products may be limited in the early stages, but vendors are rapidly adopting <abbr title="post-quantum cryptography">PQC</abbr> as updates to protocol standards are completed. Solutions should meet all the procurement requirements established in the Preparation phase (<a href="#3.1.4">Procurement policies 3.1.4</a>).</p> <p>Many systems will need to maintain backwards compatibility to allow for continued operation with non-transitioned systems for a period of time. The first stage for a system transition may be to support the use of <abbr title="post-quantum cryptography">PQC</abbr>, followed by a second stage to disable the vulnerable, legacy cryptography.</p> <p>It may not be feasible to transition some legacy systems to use <abbr title="post-quantum cryptography">PQC</abbr> without a full system replacement. To meet migration milestones, it may be necessary to isolate such systems on the network or to tunnel traffic within a <abbr title="post-quantum cryptography">PQC</abbr>-protected encapsulation layer. 
Such decisions should be made during the transition phase planning.</p> <p>Early versions of the departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan may offer limited detail on the transition phase; however, this section should be expanded as identification efforts progress.</p> </section><section><h2 class="text-info" id="4">4 Milestones and deliverables</h2> <p>Milestones and deliverables for federal departments and agencies are as follows:</p> <ul><li>April 2026: Develop an initial departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan</li> <li>Beginning April 2026 and annually after: Report on <abbr title="post-quantum cryptography">PQC</abbr> migration progress</li> <li>End of 2031: Completion of <abbr title="post-quantum cryptography">PQC</abbr> migration of high priority systems</li> <li>End of 2035: Completion of <abbr title="post-quantum cryptography">PQC</abbr> migration of remaining systems</li> </ul><p>These milestones for the completion of migrations imply that quantum-vulnerable algorithms are disabled, isolated or tunnelled. That is, the quantum risk has been mitigated, rather than <abbr title="post-quantum cryptography">PQC</abbr> merely being supported. 
It will be critical for departments and agencies to create, revise and follow their departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan to migrate systems as early as possible to meet the milestone dates.</p> <p>More information on expectations for reporting progress is given in the next section.</p> </section><section><h2 class="text-info" id="5">5 Governance and coordination</h2> <h3 id="5.1">5.1 Relevant Government of Canada governance bodies</h3> <p>Departments and agencies are accountable for managing cyber security risks in their program areas. However, <abbr title="Government of Canada">GC</abbr>-wide initiatives, such as this migration to <abbr title="post-quantum cryptography">PQC</abbr>, require a whole-of-government approach managed at the enterprise level in accordance with accountabilities outlined under the <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> policy instruments.</p> <p>The <abbr title="information technology">IT</abbr> Security Tripartite consists of the <abbr title="Treasury Board of Canada Secretariat">TBS</abbr>, <abbr title="Shared Services Canada">SSC</abbr>, and the Cyber Centre. The tripartite is a centralized body that provides advice, guidance, oversight, and direction on <abbr title="Government of Canada">GC</abbr>-wide cyber security initiatives such as the <abbr title="Government of Canada">GC</abbr> migration to <abbr title="post-quantum cryptography">PQC</abbr>. 
The tripartite supports departments and agencies under <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> authorities.</p> <p>The <abbr title="Government of Canada">GC</abbr> Enterprise Architecture Review Board (<abbr title="Government of Canada">GC</abbr> EARB) provides a governance mechanism to assess if proposed enterprise systems are aligned to the <abbr title="Government of Canada">GC</abbr> Enterprise Architecture Framework. The framework ensures business, information, application, technology, security, and privacy architecture domains meet the <a href="https://www.canada.ca/en/government/system/digital-government/policies-standards/service-digital-target-enterprise-architecture-white-paper.html">Service and Digital Target Enterprise Architecture</a>. Cyber security requirements, such as compliance to the Cyber Centre’s cryptographic recommendations, are part of the <abbr title="Government of Canada">GC</abbr> Target Enterprise Architecture which is aligned with overall <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> strategic direction and <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> policy instruments.</p> <p>The <abbr title="Government of Canada">GC</abbr> has interdepartmental Quantum Science and Technology (S&amp;T) Coordination Committees at senior executive levels to synchronise efforts and maintain Canada’s leadership in quantum S&amp;T. 
These committees oversee the federal government’s actions supporting <a href="https://ised-isde.canada.ca/site/national-quantum-strategy/en/canadas-national-quantum-strategy">Canada’s National Quantum Strategy</a> (NQS), including the <abbr title="National Quantum Strategy">NQS</abbr> roadmap on quantum communication and post-quantum cryptography.</p> <h3 id="5.2">5.2 Reporting on progress</h3> <p>Monitoring the progress of the <abbr title="Government of Canada">GC</abbr> migration to <abbr title="post-quantum cryptography">PQC</abbr> is essential for effective activity oversight and governance. This ensures accountability and the completion of milestones. <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> oversees compliance to its policy instruments in accordance with the Treasury Board <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=17151">Framework for Management of Compliance</a>. It also tracks progress on the departmental plan on service and digital which includes cyber security, as required under the <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32603">Policy on Service and Digital</a>. Reporting on departmental progress and on the activities needed to complete the migration to <abbr title="post-quantum cryptography">PQC</abbr> will be requested and collected by <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> as part of the annual submissions for the departmental plan on service and digital.</p> <h3 id="5.3">5.3 Additional resources and support</h3> <p>The <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> GCxchange platform will be leveraged to share artifacts with federal departments and agencies to assist in the migration to <abbr title="post-quantum cryptography">PQC</abbr>. 
The Cyber Centre will continue to publish guidance and recommendations for organizations on the <a href="https://cyber.gc.ca/">Cyber Centre website</a>.</p> <p>Please use the Cyber Centre contact information at the top of this page to request more information on the quantum threat, <abbr title="post-quantum cryptography">PQC</abbr>, or this roadmap.</p> </section><aside class="wb-fnote" role="note"><h2 id="reference">References</h2> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p>Non-classified <abbr title="information technology">IT</abbr> systems are those that do not contain, transfer, or otherwise handle classified information. In the Government of Canada, non-classified systems manage UNCLASSIFIED, PROTECTED A, and PROTECTED B information. For classified systems and systems handling PROTECTED C information, departments must contact the Cyber Centre to obtain advice on migrating commercial equipment.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote</span>1<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 2</dt> <dd id="fn2"> <p>For more information on the quantum computing threat to cryptography, read the publication <a href="https://www.cyber.gc.ca/en/guidance/preparing-your-organization-quantum-threat-cryptography-itsap00017">Preparing your organization for the quantum threat to cryptography (ITSAP.00.017)</a></p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote</span>2<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 3</dt> <dd id="fn3"> <p><a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=16578">Treasury Board Secretariat of Canada’s Policy on Government Security</a></p> <p class="fn-rtn"><a href="#fn3-rf"><span class="wb-inv">Return to footnote</span>3<span class="wb-inv"> 
referrer</span></a></p> </dd> <dt>Footnote 4</dt> <dd id="fn4"> <p><a href="https://www.cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33"><abbr title="information technology">IT</abbr> security risk management (ITSG-33): Annex 3A – Security control catalogue</a></p> <p class="fn-rtn"><a href="#fn4-rf"><span class="wb-inv">Return to footnote</span>4<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 5</dt> <dd id="fn5"> <p><a href="https://www.cyber.gc.ca/en/guidance/baseline-security-requirements-network-security-zones-version-20-itsp80022">Baseline security requirements for network security zones (ITSP.80.022)</a></p> <p class="fn-rtn"><a href="#fn5-rf"><span class="wb-inv">Return to footnote</span>5<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></div> </div> </div> </div> </div> </article>
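The inventory and prioritization described in section 3.2 (Identification) and the milestone dates in section 4 of the roadmap above can be exercised as a small triage script. This is an added Python example, not part of the Cyber Centre publication; the algorithm name lists, the zone labels, the rule that HNDL exposure is judged on key establishment, the treatment of hybrid algorithms as carrying a PQC component, and every system in the sample inventory are assumptions or constructed values.

```python
from dataclasses import dataclass
from datetime import date

# Assumption (not on the page): algorithm family names as they commonly appear
# in configurations. ML-KEM, ML-DSA and SLH-DSA are the NIST-standardized
# post-quantum schemes; the classical public-key families are quantum-vulnerable.
POST_QUANTUM = ("ML-KEM", "MLKEM", "ML-DSA", "MLDSA", "SLH-DSA")
QUANTUM_VULNERABLE = ("RSA", "ECDH", "ECDSA", "X25519", "ED25519", "DH", "DSA")

# Milestone dates from section 4 of the roadmap.
HIGH_PRIORITY_DEADLINE = date(2031, 12, 31)
REMAINING_DEADLINE = date(2035, 12, 31)


def classify(algorithm: str) -> str:
    """Return 'pqc', 'hybrid', 'vulnerable' or 'other' for one configured algorithm."""
    name = algorithm.upper()
    has_pq = any(marker in name for marker in POST_QUANTUM)
    for marker in POST_QUANTUM:  # strip PQ names so 'ML-DSA' is not read as 'DSA'
        name = name.replace(marker, " ")
    has_classical = any(marker in name for marker in QUANTUM_VULNERABLE)
    if has_pq:
        return "hybrid" if has_classical else "pqc"
    return "vulnerable" if has_classical else "other"


@dataclass
class InventoryEntry:
    system: str
    vendor_version: str
    network_zone: str  # constructed labels: 'public', 'operations', 'restricted'
    key_establishment: list[str]
    signatures: list[str]
    confidentiality_in_transit: bool
    refresh_year: int
    contact: str

    def hndl_exposed(self) -> bool:
        """Confidentiality in transit over a public zone while a classical-only
        key establishment can still be negotiated (assumed HNDL criterion)."""
        classical = any(classify(a) == "vulnerable" for a in self.key_establishment)
        return self.confidentiality_in_transit and self.network_zone == "public" and classical

    def migrated(self) -> bool:
        """True once no quantum-vulnerable public-key algorithm remains enabled."""
        enabled = self.key_establishment + self.signatures
        return not any(classify(a) == "vulnerable" for a in enabled)

    def deadline(self) -> date:
        return HIGH_PRIORITY_DEADLINE if self.hndl_exposed() else REMAINING_DEADLINE

    def needs_interim_mitigation(self) -> bool:
        """Refresh falls after the deadline: plan tunnelling, isolation or early replacement."""
        return not self.migrated() and self.refresh_year > self.deadline().year


def triage(inventory: list[InventoryEntry]) -> list[InventoryEntry]:
    """Outstanding systems only, HNDL-exposed first, then by refresh year."""
    pending = [e for e in inventory if not e.migrated()]
    return sorted(pending, key=lambda e: (not e.hndl_exposed(), e.refresh_year, e.system))


# Constructed sample inventory: systems, vendors and contacts are invented.
INVENTORY = [
    InventoryEntry("remote-access-vpn", "ExampleVPN 9.2", "public",
                   ["ECDH-P256"], ["RSA-3072"], True, 2033, "netops@example.org"),
    InventoryEntry("public-web-portal", "ExampleProxy 4.1", "public",
                   ["X25519MLKEM768", "X25519"], ["ECDSA-P256"], True, 2028, "web@example.org"),
    InventoryEntry("code-signing", "ExampleHSM 2.0", "restricted",
                   [], ["RSA-4096"], False, 2036, "devsec@example.org"),
    InventoryEntry("internal-api-gateway", "ExampleGW 1.7", "operations",
                   ["ML-KEM-768"], ["ML-DSA-65"], True, 2030, "platform@example.org"),
]

if __name__ == "__main__":
    for e in triage(INVENTORY):
        note = "interim mitigation needed" if e.needs_interim_mitigation() else "upgrade at refresh"
        print(f"{e.system:22} due {e.deadline()} refresh {e.refresh_year} {note} ({e.contact})")
```

The web portal stays on the high-priority list even though it already offers a hybrid group, because a classical-only key exchange can still be negotiated; this mirrors the roadmap's point that a milestone is met only when vulnerable algorithms are disabled, isolated or tunnelled.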

  • Joint Advisory: Cyber officials warn Canadians of malicious campaign to impersonate high-profile public figures
    by Canadian Centre for Cyber Security on June 23, 2025 at 2:04 pm


  • Cyber threat bulletin: People’s Republic of China cyber threat activity: PRC cyber actors target telecommunications companies as part of a global cyberespionage campaign
    by Canadian Centre for Cyber Security on June 19, 2025 at 8:06 pm

    The Canadian Centre for Cyber Security (Cyber Centre) and the United States’ Federal Bureau of Investigation (FBI) are warning Canadians of the threat posed by People’s Republic of China (PRC)

  • Cyber Centre advice on securing operational technology systems
    by Canadian Centre for Cyber Security on June 18, 2025 at 1:22 pm

    <article data-history-node-id="6456" about="/en/news-events/cyber-centre-advice-securing-operational-technology-systems" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>The Canadian Centre for Cyber Security (Cyber Centre) is warning Canadian organizations to defend their operational technology (OT) and industrial control systems (ICS) from malicious cyber actors.</p> <p>The Cyber Centre is aware of ongoing attempts by non-state malicious cyber actors to discover and compromise poorly secured, internet-connected <abbr title="operational technology">OT</abbr> and <abbr title="industrial control systems">ICS</abbr> that provide critical services to Canadians. The motivations of malicious actors vary, including geopolitical reasons, financial gain, notoriety or a combination.</p> <p>Once they have compromised a system, these actors attempt to change device configurations and manipulate system settings. This can affect physical processes such as changing pressurization or disabling alarms and safety controls.</p> <p>This activity demonstrates reckless intent and complete disregard for real-world harm with the potential to impact the health and safety of Canadians. 
The Cyber Centre calls on all Canadian organizations who operate <abbr title="operational technology">OT</abbr> and <abbr title="industrial control systems">ICS</abbr> to protect their systems.</p> <p>Recent guidance from the United States’ Cybersecurity and Infrastructure Security Agency (CISA) addresses cyber threats to <abbr title="operational technology">OT</abbr> systems. The Cyber Centre strongly recommends critical infrastructure providers take the recommended steps to defend their <abbr title="operational technology">OT</abbr> assets:</p> <ul><li>Remove <abbr title="operational technology">OT</abbr> connections to the internet</li> <li>Change default passwords immediately</li> <li>Secure remote access to <abbr title="operational technology">OT</abbr> networks</li> <li>Segment <abbr title="information technology">IT</abbr> and <abbr title="operational technology">OT</abbr> networks</li> <li>Practice and maintain the ability to operate <abbr title="operational technology">OT</abbr> systems manually</li> </ul><p>Read the full factsheet: <a href="https://www.cisa.gov/resources-tools/resources/primary-mitigations-reduce-cyber-threats-operational-technology">Primary Mitigations to Reduce Cyber Threats to Operational Technology</a>.</p> <p>We encourage any Canadian organizations who believe they may have been targeted by cyber threat activity to contact the Cyber Centre by email at <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a> or by phone <a href="tel:+18332923788">1-833-CYBER-88</a>.</p> <p>For more information, consult the following Cyber Centre guidance: <a href="/en/guidance/security-considerations-critical-infrastructure-itsap10100">Security considerations for critical infrastructure (ITSAP.10.100)</a> and <a href="https://www.cyber.gc.ca/en/cyber-security-readiness">Cyber Security Readiness</a>.</p> </div> </div> </div> </div> </div> </article>

  • Chairs’ statement on G7 Cybersecurity Working Group meeting
    by Canadian Centre for Cyber Security on June 11, 2025 at 5:16 pm

    <article data-history-node-id="6423" about="/en/news-events/chairs-statement-g7-cybersecurity-working-group-meeting" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>Canada, under the leadership of the Communications Security Establishment Canada (CSE) and Public Safety Canada, hosted the G7 Cybersecurity Working Group (Working Group) from May 12 to 13, 2025, in Ottawa, to discuss shared issues on cyber security and emerging technology.</p> <p>The Working Group was established in 2024 under Italy’s G7 leadership and is composed of the principals in national cyber security agencies or roles across the G7. 
The Working Group acts as a cyber security community of practice for the G7, and is built on shared values, shared interests and a shared vision for the future of cyberspace.</p> <p>The speed, scale and intensity of current challenges in cyberspace are unparalleled, and coordinated efforts among G7 like-minded nations are needed to meet these challenges, namely through the following objectives:</p> <ul><li>Enhancing cooperation on cyber security, through the exchange of views and information, sharing threat analysis and advancing strategies to address current and emerging challenges, including security for <abbr title="artificial intelligence">AI</abbr> and <abbr title="artificial intelligence">AI</abbr> for cyber security</li> <li>Promoting dialogue on guidelines, standards and approaches that contribute to shaping the best practices for cyber security nationally and internationally</li> <li>Fostering long-term resilience for new and emerging technologies that have an impact on cyber security such as quantum computing</li> </ul><p>During the in-person Working Group meeting in Ottawa, representatives met to discuss a series of workstreams on which the group has agreed to collaborate during Canada’s 2025 G7 presidency. This included:</p> <ul><li>Reflecting the shared vision of the group through the preparation and group endorsement of a <a href="https://www.acn.gov.it/portale/en/w/una-visione-condivisa-del-g7-sull-inventario-dei-software-dell-ia">“Food for Thought” paper on a Software Bill of Materials for Artificial Intelligence (SBOM for AI)</a>. The paper reflects a mutual recognition of the fast-paced nature of this space and the need to consider similar initiatives underway in other fora to avoid duplication.</li> <li>Agreeing to advance an initiative to address the cyber security of Internet of Things (IoT) products, taking into account both the technical and non-technical nature of cyber threats. 
The working group has since released a <a href="https://www.nisc.go.jp/pdf/press/G7_Statement_on_IoT_Security.pdf">statement on <abbr title="Internet of Things">IoT</abbr> security (PDF, 140 KB)</a>, hosted on Japan’s National Cybersecurity Office website.</li> <li>Renewing a commitment to advocate for a well-planned transition to Post-Quantum Cryptography and to further explore joint technical cyber advisories to leverage the Working Group’s collective voices on cyber security matters.</li> <li>Agreeing to exchange ideas and lessons learned from policy levers for incentivising cyber security.</li> <li>Discussing the need to protect our respective critical infrastructure and improve the collective cyber resilience of essential services and systems. This work is vital to serving citizens, maintaining economic stability and national security. Through these discussions on safeguarding critical infrastructure, the Working Group seeks to mitigate risks, minimize disruptions, and enhance our ability to respond to and recover from cyber threats.</li> <li>Sharing ideas and best practices to build up the cyber security skill set, foster public-private partnerships, and continue to promote secure-by-design principles in various engagements. Developing these skills and engaging in collaboration are crucial to respond effectively to evolving threats, ensuring resilience, and fostering innovation. 
Further, adopting secure-by-design practices will reduce the attack surface and enhance overall cyber resilience.</li> </ul><p>The Working Group plans to continue these efforts throughout the rest of the Canadian G7 presidency in 2025, including having a second meeting in fall 2025 to review progress and finalize the work prior to transitioning the presidency of the Working Group to France for 2026.</p> <p>Sami Khoury, Principal and Co-Chair<br /> G7 Cybersecurity Working Group<br /> Communications Security Establishment Canada</p> <p>Colin MacSween, Co-Chair<br /> G7 Cybersecurity Working Group<br /> Public Safety Canada</p> </div> </div> </div> </div> </div> </article>
