Introduction
Across the Canadian Arctic, energy is inseparable from survival. Electricity and heat in northern regions are not matters of convenience but conditions of life and death. Extreme cold, prolonged winter darkness, and geographic isolation demand reliable, predictable, and secure power systems. Yet today, most northern and Arctic communities and virtually all major industrial operations remain dependent on diesel generation. This dependence comes at staggering operational, financial, environmental, and security costs.

As Canada looks to new technologies to reduce these burdens, small modular reactors (SMRs) have emerged as a promising complement or alternative to diesel-based microgrids. Their ability to deliver long-lived, emissions-free, high-capacity power makes them technologically suitable for mines, remote communities, and strategic sites. The 2018 Canadian Roadmap for Small Modular Reactors[1] formally recognized this potential, emphasizing the importance of “remote deployment,� “security,� and anchoring Canadian leadership in advanced manufacturing, cybersecurity, materials science, and remote operation.

However, replacing diesel with SMRs will not simply substitute one energy source for another. Rather, it will transform the underlying critical infrastructure interdependencies that northern operations depend upon. Diesel’s foremost dependency is transportation. SMRs, particularly when deployed in remote regions, shift that dependency toward telecommunications—specifically, toward secure, resilient, and sovereign digital networks capable of enabling remote monitoring, diagnostics, control, and emergency response.

This shift presents a challenge Canada is not yet prepared for. °ä²¹²Ô²¹»å²¹â€™s telecommunications systems already exhibit deep structural vulnerabilities.

Do we as Canadians have control over our own telecommunications CI?
Canadian critical infrastructures generally, not just the artic infrastructures, are heavily exposed to vulnerabilities associated with cross-border telecommunications flows and ownership. For instance, the largest business input to Canadian financial services is what Statistics Canada calls “Computer and Design Servicesâ€�—an amalgam of cloud and software services; 50% of these services are imported, and 80% of those imports come from the United States.[2]Ìý At a higher level, 50% of Canadian-to-Canadian internet connection-paths leave Canada and then return in what is called a ‘boomerangâ€� route, making them subject to interception or denial of service; another 50% of Internet Exchange Points (network junctions – IXPs) used by Canadians to reach each other are outside Canada, and therefore vulnerable to further at-will surveillance or disruption.[3] Finally, 100% of all CDNs used to scale and deliver critical services such as e-government, online banking, news, and media for Canadian consumers are under the control of foreign entities, and ultimately foreign governments[4].

Legislative threats from trading partners underscore this risk. The Cloud Act from 2018[5] gives the U.S. government authority to obtain digital data controlled by U.S.-based tech corporations, regardless of whether that data is in motion or stored, on servers at home or on foreign soil. In 2023, the European Council confirmed agreement with the European Parliament on new rules to improve cross-border access to “e-evidence�, giving European governments abilities akin to those granted by the U.S. Cloud Act[6]. As little as a year ago, the prospect of CI like datacentres, cloud-services, IXPs or CDNs being deliberately compromised or disabled sounded far-fetched to most Canadians. Recent history has shown that the previously unthinkable can no longer be dismissed.

These vulnerabilities have implications not only for privacy or financial transactions but increasingly for national security, particularly when critical systems such as SMRs become reliant on remote operation and real-time digital control flows.

To deploy SMRs safely and securely in northern Canada, telecommunications resiliency, security, and sovereignty must be elevated to foundational infrastructure requirements—not afterthoughts.

The Cost and Fragility of Diesel Dependence
Diesel generation has long been the default solution in the Arctic because it is simple, familiar, and comparatively easy to deploy. Yet its limitations are well documented:
1. Diesel dominates Arctic imports.
In many northern regions, diesel fuel accounts for 18% to 32% of the total value of all imports. Every litre must be transported thousands of kilometres by truck, barge, or winter road[7].
2. Diesel supply chains are brittle.
Marine shipping windows are narrow, highly weather-dependent, and subject to unpredictable disruption. Winter roads are increasingly unstable due to climate change. The result is over-provisioning, stockpiling, and high distribution costs—all of which strain community finances and industrial margins.
3. Diesel is prohibitively expensive.
A single large mine site can spend $10 million per year on diesel fuel alone, excluding generator maintenance, replacement capital, and environmental mitigation. Over a 40-year project life, the total cost of diesel-based power can exceed half a billion dollars for a single industrial site. [8]
4. Diesel has environmental and social impacts.
Beyond greenhouse gas emissions, diesel leaks and storage risks impose environmental burdens on fragile Arctic ecosystems and require costly remediation.

Together, these challenges create powerful incentives to transition toward alternative baseload power systems—motivating current interest in SMRs.

Why SMRs for the North?
SMRs offer several advantages uniquely suited to remote and Arctic deployment:
-Long refuelling intervals (5–20 years depending on design)
-High energy density relative to logistical footprint
-Continuous baseload output suitable for mines, communities, and defence installations
-Compatibility with district heating and industrial process needs
-Potential co-location with hydrogen production or mineral processing

The Canadian SMR Roadmap explicitly highlights remote and mining use cases, arguing that SMRs could enhance energy independence and reduce reliance on imported diesel.

However, these advantages come with structural requirements that differ markedly from diesel-based systems. SMRs, especially those deployed in remote locations, depend on specialized technical oversight, continuous environmental and performance monitoring, and rapid access to nuclear engineering expertise. These requirements cannot be met through on-site staffing alone in remote territories. Instead, modern SMR operating models rely on:
-Remote monitoring
-Remote diagnostics
-Remote operator-support

These features reduce the need for on-site nuclear specialists but dramatically increase the importance of telecommunications.

The New Dependency: Telecommunications Instead of Transportation
Where diesel depends on transportation infrastructure, SMRs depend on telecommunications infrastructure. The shift is not trivial: it alters security assumptions, supply-chain risks, regulatory needs, and emergency-response planning.
1. Resilience: More than a Single Satellite Link
Today, northern telecommunications overwhelmingly rely on a small number of satellite providers. While low-Earth orbit (LEO) constellations, such as Telesat Lightspeed[9], promise improved reliability, satellite systems remain vulnerable to:
-Jamming
-Space weather
-Orbital congestion
-Foreign manufacturer influence
-Ground station outages

For SMRs, redundancy must be engineered to the level used in aviation or defence:
-Two independent satellite providers at minimum
-Preferably triple-redundant architectures, including
-Satellite + terrestrial fibre + microwave, where feasible
-Independent routing paths
-Geopolitically diverse uplinks

Emerging fibre projects, including the Eastern Arctic Underwater Fibre Optic Network[10] and the Kivalliq Hydro-Fibre Link[11], offer important opportunities. The proposed Kivalliq link—a 1,200-kilometre transmission–fibre corridor from Churchill, Manitoba to Nunavut—would deliver both power and broadband capacity to Arviat, Whale Cove, Rankin Inlet, Chesterfield Inlet, and Baker Lake. Its value extends beyond community broadband; it could become critical enabling infrastructure for SMR deployments in Nunavut and surrounding regions[12].

2. Security: SMRs Require Quantum-Safe Remote Operations
If SMRs are to be monitored and controlled remotely, the cybersecurity posture of their communications networks becomes mission-critical.

The National Quantum Strategy (2022)[13] warns that quantum computing threatens widely used public-key cryptography. When these algorithms fail, attackers may:
-Masquerade as authorized operators
-Intercept confidential messages
-Inject or alter messages
-Jam or otherwise deny service

For SMRs, such risks cannot be tolerated. Communications systems must be:
-Encrypted end-to-end using quantum-safe or cryptographically agile algorithms
-Designed to fail safely on communication loss
-Audited under nuclear-grade cybersecurity standards (e.g., CSA N290.7:21[14])
-Verified through supply-chain security assessments, with restrictions on foreign-state influence

Satellite operators, equipment vendors, and network providers must demonstrate that their systems cannot be subject to manipulation by foreign intelligence or commercial interests.

3. Sovereignty: Control over the Infrastructure Underpinning Safety
Telecommunications sovereignty is not merely a commercial or privacy concern—it is a national-security imperative when critical systems rely on remote digital links.

As mentioned earlier:
-50% of Canada-to-Canada internet paths “boomerang� through the U.S. or Europe.
-50% of Canadian internet exchange points (IXPs) used for domestic routes are located outside Canada.
-100% of the content delivery networks (CDNs) used by Canadian governments, banks, and critical services are foreign-owned.
-U.S. and European providers are subject to the CLOUD Act or EU e-evidence laws, enabling lawful access to Canadian data.

For SMRs, such dependencies create unacceptable risk:
-Remote control links could be intercepted or manipulated outside Canadian jurisdiction.
-Data routing through foreign networks introduces exposure to foreign surveillance.
-Outages or traffic shaping by foreign providers could degrade operational integrity.
-Canada would lack effective recourse in the event of a geopolitical dispute.

In effect, SMRs cannot rely on telecommunications channels that Canada does not control. Sovereign operation requires:
-Canadian-owned satellite solutions, or
-Canadian-controlled terrestrial fibre, or
-At minimum, routing architectures that ensure Canadian-only pathways for operational data.

Telecommunications as the Zero-Order Requirement
A critical insight emerges from comparing SMR requirements with the realities of northern telecommunications:
Canada currently lacks the resilient, secure, and sovereign digital infrastructure needed to support remote nuclear power.

This is not a sequencing dilemma; it is a mathematical order-of-operations problem.

Telecommunications must come first. SMRs must come second.

Canada has historically underestimated the strategic role of telecommunications infrastructure in national security. Control over communications infrastructure was once considered a core instrument of wartime sovereignty; exemplified by the British cutting German telegraph cables in 1914 to shape geopolitical outcomes[15]. The modern equivalents are data centres, cloud services, satellite networks, IXPs, and CDNs, all of which Canada relies on but few of which Canada controls.

SMRs introduce a new category of infrastructure that depends on secure telecommunications, thereby increasing the importance of regaining sovereign control over digital networks.

Conclusion
SMRs offer transformative potential for northern development, mining, community energy independence, and national sovereignty. But their success hinges on an critical infrastructure foundation Canada has not yet built.
To realize the benefits of SMRs in the Arctic, Canada must first invest in:
1. Resilient telecommunications
-Multi-path, redundant satellite and terrestrial systems
-Infrastructure that is hardened against interference, weather, and foreign influence
2. Secure telecommunications
-End-to-end quantum-safe encryption
-Verified and trusted supply chains
3. Sovereign telecommunications
-Canadian-domiciled routing
-Canadian ownership or operational control of critical links
-Digital autonomy for remote industrial and nuclear operations

Without these capabilities, SMRs cannot be safely or securely deployed in northern Canada. The sequence is unambiguous: telecommunications first—then SMRs.
Ìý


[1] https://smrroadmap.ca/wp-content/uploads/2018/11/SMRroadmap_EN_nov6_Web-1.pdf
[2] https://www150.statcan.gc.ca/n1/en/catalogue/15-207-X
[3] https://pulse.internetsociety.org/en/ixp-tracker/country/CA/
[4] https://www.wmtips.com/technologies/cdn/country/ca/
[5]
[6] https://www.consilium.europa.eu/en/press/press-releases/2023/01/25/electronic-evidence-council-confirms-agreement-with-the-european-parliament-on-new-rules-to-improve-cross-border-access-to-e-evidence/
[7] Ibid. StatsCan
[8] /cipser/smrsecurityblog-2/is-going-nuclear-good-for-critical-resource-extraction/
Ìý
[9] https://www.telesat.com/leo-satellites/
[10] https://krg.ca/en-CA/assets/Council/2024/May/EAUFON.pdf
[11] https://nukik.ca/khf/
[12] https://www.theglobeandmail.com/business/article-kivalliq-hydro-fibre-link-arctic-sovereignty-nunavut-major-projects/
[13] https://ised-isde.canada.ca/site/national-quantum-strategy/en/canadas-national-quantum-strategy
[14] https://www.csagroup.org/store/product/2428461/
[15] https://en.wikipedia.org/wiki/Zimmermann_telegram

The post Small Modular Reactors to Power Northern Development Require New Approaches to Infrastructure Security appeared first on CIPSER.

Tyson Macaulay, CISA, CEI LEL

Deputy Director, National Centre for Critical Infrastructure Protection, Security and Resilience

Up to the late 1500’s ships weren’t built to a plan. Craftsmen applied apocryphal guidelines and drew lines on the floor to eyeball dimensions. This approach had clear drawbacks for fleets of conquest or commerce: ships were harder to reproduce, maintain, and supply; performance and stability varied widely; hidden structural weaknesses regularly slipped through construction; and standardized spares and repairs were impossible.

This made operational risk high. Starting in the 16th century, ship-building methods became standardized: mathematical hull geometry, and naval classifications emerged making safety, quality and resilience measurable and visible. Data from Lloyd’s insurance going back to the 1600’s show substantial reductions in losses to life and property as formal standards emerged.

In Canada today, critical infrastructure protection (CIP) still resembles that pre-plan era of shipbuilding: deciding what counts as “critical� within the ten official sectors is more craft than science. The consequence is predictable: perceptions of risks vary widely, regulatory expectations are uneven, and national-level situational awareness is blurry when it most needs to be sharp. Jurisdictions are often left to their instincts, and CI owners/operators often apply very different methods; some rely on institutional memory and ad hoc thresholds. The result for public safety and national security is inconsistency: an asset type can be considered “critical� but also invisible to interdependency analyses that should tie the whole system together.

The ten defined CI sectors in Canada are a useful policy scaffolding: Energy, Finance, Telecommunications, Food, Water, Health, Transportation, Manufacturing, Safety, and Government. But the practical determination of who is “in� or “out� of each sector often looks like a shipwright’s chalk lines on the floor: mutable, subjective, and difficult to defend under stress. Some industries fall into grey zones; intuitively critical under some conditions but not all. That ambiguity bleeds into regulation, emergency planning and cross-border coordination, where counterpart definitions abroad can be both different and tighter. A taxonomy that cannot be applied consistently cannot be managed consistently.

The drawbacks of metaphorical chalk lines for CI sector definitions are not merely academic. Regulators need to know exactly whom they regulate and why. During a crisis, decision makers must justify the order in which lifeline resources like power, bandwidth, medicines, or fuel are triaged and restored. Ideally, they make decisions using criteria that will survive public scrutiny and after-action review. Similarly, post-incident reporting needs clean definitions to compare events across time and regions, to see whether regulations work and where dependencies may be changing. Without methodical definitions, we generate noise: incomparable risk registers, incompatible outage and recovery metrics, and assessments that cannot be pooled or trended.

A prime case in point is Bill C-8 “An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts� which establishes a cyber protection regime for federally regulated CI sectors, namely Telecommunications, Finance, Energy, and Transportation. The policy intent is sound: align oversight with systemic risk, sharpen reporting duties, and develop detailed regulatory guidance. But to be maximally effective, the instrument needs a crisp, modern, quantitative scoping logic. One that reflects how CI sectors are composed and how goods and services are delivered in 2025; considering layered platforms, cross-border supply-chains, and shared infrastructure that does not map neatly onto legacy sector definitions. If scope rests on dated or vague definitions, we will regulate the core while the systemic risk remains in the unseen edges.

Consider “Telecommunications,â€� last operationally framed in the early 2000’s to include radio, television broadcasting, and print media in a time when carrier networks moved voice, video and data mostly separately versus everything based on Internet Protocols today. Two decades on, the sector has changed tremendously. Where do industries like data centres, cloud platforms, and AI clusters sit? Such questions become important when up to 50% of the cloud and software-as-a-service consumed by Canadian CI (Finance in particular) are imported and controlled by entities outside Canada. Figure 1 below visualizes how imports of “Computer design and related servicesâ€� account for the largest single input into the Financial service industry in Ontario (°ä²¹²Ô²¹»å²¹â€™s financial hub) – 50% of these critical services are imports, delivered through cross-border trade dependencies.

Figure 1: BS5415 – Computer Systems Design and service – Financial Industries in Ontario 2022

Another major consideration in the area of Telecommunications CI: there are no Canadian-owned Content Delivery Networks (CDN). Yet those CDNs underpin the service delivery of almost all e-government portals, online banking, and cultural (CBC, CTV) platforms. Over 65% of Canadians in 2024 relied on a mix of online streaming and legacy “linear TV�, while another 20%+ of Canadian only streamed content via these CDNs. (Source: ThinkTV) If our CI definitions miss these realities, we create rules and regulations with diminished effectiveness.

Like modern ships, CI definitions must be grounded in reliable systems, not rules of thumb. With clear definitions, Canada can apply quantitative supply-chain metrics from Statistics Canada to identify which industries and regions are truly consequential under different impact scenarios. In parallel, we should explore additional indicators of CI interdependence for correlation with supply-chain metrics. For instance, the sensitivity of data flows, geographic proximity or distinctions between goods and services. With more than one indicator available, correlations (or lack of) will begin to expose the strengths and gaps in both definitions and measurement. Ultimately, these metrics turn intuition into evidence, making “criticality� a testable, reproducible property rather than a label assigned by tradition.

The same logic applies to risk assessment. Today, municipal and provincial emergency management offices expend heroic effort, but their outputs rarely interlock: differing templates, scales, hazard taxonomies, and consequence categories frustrate analysis across jurisdictions. A nationally standardized toolkit with common CI definitions, hazard libraries, and risk scales would let assessments be rolled up and aggregated. When every risk assessment and after-action report speaks the same language, trends emerge and controls can be prioritized by evidence, not anecdote. Standardization is not centralization; it is the grammar that allows a federation to reason collectively.

Call to action

First, treat Bill C-8 as a once-in-a-generation chance to replace chalk lines with mathematics. Use the legislative refresh to embrace a systematic, quantitative methodology for defining CI membership rooted in trusted measures like Statistics °ä²¹²Ô²¹»å²¹â€™s econometrics. By this path, regulatory scope, security targets, and emergency management practices can all rest on the same defensible foundation. When the “whoâ€� of CI definitions are founded on metrics and modeled consequences, stakeholders can regulate, plan and invest quickly and with confidence.

Second, work with Canadian standards bodies to publish a canon for risk assessment, definitions, data standards, scoring scales, dependency questions, and reporting templates. At that point, federally and provincially mandated assessments can be compiled, trended, and compared coast-to-coast-to-coast. This is how we turn thousands of local efforts into national intelligence: using interoperable methods, open guidance, and a commitment to measure what matters the same way everywhere. As in the evolution from chalked floor lines to naval architecture, the payoff is practical: fewer surprises, faster recovery, and a resilient, more prosperous Canada.

The post C-8’s Opportunity: Replace Chalk Lines with Metrics appeared first on CIPSER.

We are very pleased to announce that Tyson Macaulay has accepted an appointment of Deputy Director of the National Centre for Critical Infrastructure Protection, Security and Resilience (NC-CIPSeR).

Tyson, a ÐÓ°ÉÔ­´´ alumnus,Ìý brings decades of experience in cybersecurity, critical infrastructure interdependencies, standards development, and national resilience, and has been a trusted advisor to governments, industry, and academia across Canada and internationally. His thought leadership and commitment to collaboration will be instrumental in advancing NC-CIPSeR’s mission: strengthening °ä²¹²Ô²¹»å²¹â€™s critical infrastructure through research, innovation, collaboration and education.

In this role, Tyson will work closely with our Advisory Panel, support our strategic direction, lead key initiatives, and mentor the next generation of researchers and practitioners. We are fortunate to have his expertise and vision guiding NC-CIPSeR as we establish our Board of Directors and build out our certificate program, engage in meaningful projects with our partners and expand our work across the country.

Learn more about Tyson Macaulay

Please join us in welcoming Tyson to this important role!

The post Leadership Announcement – Tyson Macaulay Deputy Director NC-CIPSeR appeared first on CIPSER.

Exploring CII Through a Novel Taxonomy

CIBC Presentation | September 2025 by Tyson Macaulay, CISA, P.Eng CIE LEL

National Center for Critical Infrastructure Protection, Security and Resilience (NC-CIPSeR)

tyson.macaulay@alumni.carleton.ca

This session explores Critical Infrastructure Interdependency (CII) through real-world case studies from the U.S. and Canada with a focus on financial industries and cross-border interdependencies. Attendees will learn how cyber connectivity and economic indicators are correlated and can forecast cascading impacts across industries and CI sectors. The session highlights how to improve risk management and resilience planning, including an overview of a new risk assessment taxonomy and methodology for CII from ÐÓ°ÉÔ­´´ University’s National Centre for Critical Infrastructure Protection, Security and Resilience

Critical Infrastructure Interdependency (CII) through Canada and US financial case studies – Macaulay

Access Tyson Macaulay’s Presentation for CIBC – September 2025.

The post Critical Infrastructure Interdpendencies (CII) through Canada/US Financial Case Studies appeared first on CIPSER.

Are We Ready? Rethinking Information Sharing for CI in Canada

Laura Rovina | July 2025

What is Critical Infrastructure Protection?

Critical Infrastructure (CI) protection is integral to the safety and security of Canadian citizens. The interconnected and interdependent nature of CI sectors means that effective communication and collaborative efforts between infrastructure owners, operators, and government agencies are paramount. This underscores the need for enhanced information sharing and coordination among these various stakeholders, specifically focusing on intelligence sharing capacities and their effectiveness in bolstering CI resilience. Amongst other reports, the Government of Canada’s Intelligence Priorities 2024 Report has highlighted the importance of intelligence, and strategic information sharing with government decision-makers, provincial and municipal authorities, business partners, and the public.[1]

Why is Information Sharing Crucial for Critical Infrastructure?

Critical infrastructure in Canada is managed through a shared responsibility between federal, provincial, and municipal governments, along with private-sector owners and operators. As the complexities surrounding CI evolve, the need for robust, intergovernmental, and cross-sector collaboration has become more pressing, with information sharing playing a key role in building resilience and ensuring effective responses to potential threats.[2]The process of sharing intelligence between different levels of government, CI sectors, and operators remains complex and fraught with challenges.

Challenges in Existing Information Sharing Models

Current communication methods for threat intelligence sharing in the private sector are often restrictive and reactive. For example, when alerts are issued, they are often directed at individual businesses and only occur after a threat has already materialized, reducing their usefulness in preventing attacks.  These alerts are not designed to support real-time threat response by the private sector. [3]

Inconsistencies exist amongst information sharing networks across all the CI sectors and within individual subsectors. There is a lack of concentration of responsibilities, information and authority across the sectors and different jurisdictions.[4] This fragmentation impedes the ability of stakeholders to respond effectively to threats in a timely and coordinated manner.

Is a Formalized Threat Intelligence Exchange A Part of the Solution?

The Business Continuity Council (BCC) has called on the Canadian government to establish a formalized threat intelligence exchange, similar to the U.S. Domestic Security Alliance Council (DSAC).[5] DSAC members benefit from direct engagement with senior leaders from the FBI and the Department of Homeland Security providing members with tailored threat intelligence, a space for exchanging best practices, and a platform to solve shared problems.[6] Could Canada benefit from a platform where both public and private sectors collaborate more effectively, enhancing overall CI protection and resilience?

Conclusion

As threats to critical infrastructure grow more sophisticated, it is essential for the Canadian government, alongside private-sector owners and operators, to adapt their information-sharing practices. The question remains: What is needed to enhance the effectiveness of information sharing in °ä²¹²Ô²¹»å²¹â€™s CI sectors? Is the answer a unified platform, a shared network, or regional information hubs? Perhaps a combination of these approaches will provide the most effective solution. Regardless of the exact model, it is clear that enhanced information sharing is essential for the resilience of °ä²¹²Ô²¹»å²¹â€™s critical infrastructure and the safety of its citizens.

[1] Privy Council. (2024). . Government of Canada.

[2] National Sector Forum -Action Plan for Critical Infrastructure 2021-2023.

[3] Hyder, G. (2025). Modernizing to Protect Canada from Economic Security Threats. Business Council of Canada.

[4] Public Safety Canada. (2022). .

[5]Bronskill, J. (2024). . Global News.Ìý

[6] Domestic Security Alliance Council. (n.d.). Home. U.S. Department of Homeland Security. DSAC Facts Sheet. dsac-fact-sheet-111523.pdf

The Path Forward

Global instability doesn’t have to divide us—it can unite us around a common purpose. By safeguarding critical infrastructure, Canada can ensure its resilience, protect its economy, and demonstrate leadership on the world stage.  Leadership of Canada doesn’t have to come from the Prime Minister – it can start with every citizen, municipality and agency, taking ownership and being involved in helping to protect Canada.

This is not a time to rest. It’s a time to lead, innovate, and collaborate with agency. There are impressive examples where Canadians demonstrate brave leadership, along with dedicated, smart and strategic approaches – especially when the stakes are high.  Engagement that fuels unity will be the key moving forward. NC-CIPSeR is dynamic and forging ahead with our partners. We are moving strategically with purpose and agency.

Learn more about our efforts to protect °ä²¹²Ô²¹»å²¹â€™s critical infrastructure and how you can get involved.

The post Are We Ready? Rethinking Information Sharing for CI in Canada appeared first on CIPSER.

Modeling a Trade War: Critical Infrastructure Dependency on China.

Summary:

What would the impact of a Chinese trade war be on Canadian (and similarly U.S.) Critical Infrastructure (CI), from a national security and policy perspective?

The following Canadian critical infrastructure sectors and industries appear most vulnerable to a protracted trade war (> 2 months – typical factory-to-consumer shipping time) with China:

• Food sector (Crop, Fruit, Seafood)

• Health sector (Hospital and Pharmaceuticals)

• Manufacturing (Aerospace and Chemicals)

• Telecommunications and Transportation dependency on non-critical (by definition) Chinese export industries creates a blind spot

COVID-19 created unprecedented trade disruptions in 2020. Countries wanted to trade but public safety concerns threw up complex and variable trade impediments.  During the COVID period in 2020, Canadian trade with the U.S. dropped by 11% from 2019, Mexico dropped 21%, and trade with the Rest of the World (ROW) was down 10%. Yet, trade with China grew by 1% between 2019 and 2020. A similar pattern is seen in the United States, where Chinese export industries saw the smallest decline of the top three trading partners and the ROW. See Table 1 below in $CDN.  This possibly reflects the unclear relationship that many countries have with Chinese trade: Chinese goods are not easily substituted based on their low price, the economies of scale and industrial policies behind those prices.    

Table 1: National imports 2019-2023, Canada and United States on $CDN.

But what if the price of Chinese goods suddenly changed, making them not just expensive but unaffordable? What happens in a trade war: intentional trade impediments that throttled shipments of (mostly goods) from China for an unforeseeable period?

Pointedly from a national security and policy perspective, what would the impact of a Chinese-Canada trade war be on Canadian Critical Infrastructure (CI)?

There are clear supply-chain relationships and dependenciesbetween Chinese export industries and importing Canadian CI.  In 2023, China exported $63 Billion CDN to Canada. Figure 1 looks at the largest 9 export industries from China to Canada:industries worth over half a billion CDN$ or more in 2023. This is what people tend to focus on and where the tweets and sound bites cluster around the risks of a trade war.

In Figure 1,2 and 3 below, the Chinese export industry on the left sends goods or services to the consuming industry on the right, which can be using the goods for creating more goods or services (Intermediate consumption) or a form of final consumption (like personal consumption or capital investments). The thickness of each bar represents the proportional value of the Chinese export industry, the curved lines connecting the industries indicates the fraction of that value flowing to importing Canadian consumer (intermediate industry or final). The codes next the Industry names are the standardized North American Industry Classification System (NAICS) employed by StatsCan and the U.S. Bureau of Economic Analysis.

As seen in Figure 1 below, none of the top export industries from China to Canada are considered “critical” under existing Public Safety Canada (PSC) definitions. By looking at the supply relationships of these top export industries, the picture changes with at least 2 CI industries showing a dependency (highlighted in red) because of their supply dependency on non-critical industrial imports from China: Telecommunications, Information and Cultural Industries and Hospitals. The “B” code for Telecommunications indicates that these inputs are used for intermediate consumption – used in the delivery of telecom-related services, such as the CI “Mâ€� code (final consumption capital investment) of Information and Cultural Industries which includes CI such as telecom networks, internet and datacenters. The “GS” code stands in Hospitals stands for “Government Services” (in Canada’s socialized medical system), which is intermediate consumption supporting the direct final consumption of health services by Canadian citizens (a separate final consumption code).

Figure 1: Top Exports by Industry from China to Canada 2023(Source: StatsCan)

In Figure 2 below, only Critical Infrastructure (CI) industrial exports from China are shown, using PSC definitions for CI industries. These industries used between $500M to $60M of Chinese imports in 2023. By looking at direct supply relationships, we can understand how Chinese imports relate to intermediate and final consumption of Canada’s critical industries.

When a CI-filter is applied, the CI dependencies of Canadian Import Industries (the right side) cluster differently than in Figure 1. The Food sector appears to be the most impacted, with both final consumption (P codes) and Intermediate industries (B codes) showing dependency on Chinese imports. The Health sector seems to be the next most affected, with Hospitals and Pharmaceuticals (both final and intermediate consumption) among the highest importers of Chinese goods. Meanwhile, the critical Manufacturing industries like Aerospace have started to show up in the analysis, as well as Provincial Governments (as intermediate buyers of Pharmaceuticals). Also of significance is the absence of the Telecommunications sector, a symptom of being dependent on nominally non-critical industries.  This in part shows the need to not merely assess CI risks based on import industries in isolation.

In sum:

• Food sector shows most dependency

• Health significant dependency

• Manufacturing and Government show limited dependencies

• Telecommunications (in Figure 1) dependencies DISAPPEAR because of dependency on non-critical (by definition) Chinese export industries.

Figure 2: Top CI Exports by industry from China to Canada 2023 (Source: StatsCan)

In Figure 3 below, the next order of indirect industrial dependencies is shown on the far right. This last relationship–layer used a minimum value of $60M for imported Chinese goods for the purposes of creating their own goods and services (intermediate consumption). By looking at indirect supply relationships, we can see even more hard-to-assess dependencies associated with Chinese exports to Canada and the implications for industries and citizens.

By looking at indirect dependencies on Chinese export industries, we find:

• Food sector shows additional dependencies

• Health sector shows additional dependencies

• Manufacturing (which includes Basic Chemicals by PSC definition) and Government show accumulating dependencies

• Telecommunications sector dependencies on Chinese export industries remain obscured, if filtering on CI exports directly.

Figure 3: Top CI export cascades by industry from China to Canada 2023 (Source: StatsCan)

Figure 4 below provides a view of indirect supply chain relationships from non-critical Chinese exports and Canadian CI.  Telecommunications and Hospital show dependency on Chinese exports, but in turn possess downstream dependencies on more CI.  In the case of Telecommunications, a clear feedback loop back into the Telecommunications industry is exposed, which is typical in all CI sectors: there is substantial intra-sector and intra-industry dependency.  The focus of consumption also changes when considering this indirect cascading dependency; specifically, final consumption comes back into play as it did in Figure 1 with Information and Cultural industries.  For instance, the “Mâ€� code for Transportation and Warehousing includes capital investments in transport CI such as Air, Rail, Truck and Marine infrastructure as well as energy CI such as pipelines.  Additional cascading CI vulnerabilities are seen in Manufacturing CI (Aerospace) as well as both Federal and Provincial government services.

By looking at indirect dependencies on technically non-critical Chinese export industries, we find:

Figure 4: Indirect industrial dependency on Chinese exports to Canada 2023 (Source: StatsCan)

A final note about the cascading effects on Health.  Figure 4 shows a direct relationship  between hospitals and the Offices and Physicians and Dentists.  These have not been flagged as CI because they are not included in available CI definitions, and the practical consideration that many such offices exist in retail spaces which create significant challenges of scope, scale and manageability.

References

Source:
Source:
See:

The post Modeling a Trade War: Critical Infrastructure Dependency on China appeared first on CIPSER.

What Are Small Modular Reactors (SMRs)? Canada’s Next Energy Frontier

As Canada advances toward a cleaner energy future, Small Modular Reactors (SMRs) are quickly emerging as a transformative technology—not just for their ability to deliver low-carbon energy, but for their potential to strengthen sovereignty, resilience, and security in remote and strategically important regions. In particular, SMRs are being explored as a reliable power source for Arctic communities and northern military installations, where traditional infrastructure is limited and energy dependency presents national security risks.

In this new blog series, the National Centre for Critical Infrastructure Protection, Security, and Resilience (NC-CIPSeR) will explore the implications of SMR deployment from a security and risk perspective. The series begins with a foundational overview of SMRs and builds toward more complex questions around cybersecurity, regulatory gaps, and national resilience.

What Are SMRs?

Small Modular Reactors (SMRs) are advanced nuclear reactors designed with a smaller footprint and modular construction, allowing for scalable deployment and enhanced safety features. Unlike traditional large-scale nuclear reactors, SMRs can be manufactured in factories and transported to sites, making them particularly suitable for remote locations.

Why SMRs Matter for Canada

• 
  

  Energy Security: SMRs offer a stable and reliable power source, reducing dependence on fossil fuels and enhancing energy independence, especially in isolated regions.

  
  
• 
  

  Arctic Sovereignty: Deploying SMRs in the Arctic supports Canada’s strategic interests by providing energy to remote military bases and communities, reinforcing presence and sovereignty in the North.

  
  
• 
  

  Environmental Benefits: As low-carbon energy sources, SMRs contribute to Canada’s climate goals by reducing greenhouse gas emissions.

  
  
• 
  

  Economic Development: The modular nature of SMRs can stimulate local economies through job creation in manufacturing, construction, and maintenance.

  
  

� Security and Resilience Considerations

While SMRs present numerous benefits, their deployment also introduces new challenges:

• 
  

  Cybersecurity Risks: The integration of digital systems in SMRs necessitates robust cybersecurity measures to protect against potential threats.

  
  
• 
  

  Regulatory Frameworks: Existing nuclear regulations must evolve to address the unique aspects of SMRs, ensuring safety and security without hindering innovation.

  
  
• 
  

  Infrastructure Integration: Incorporating SMRs into existing energy grids and infrastructure requires careful planning to maintain system resilience.

  
  

Join the Conversation

This blog series aims to delve deeper into these topics, providing insights and fostering discussions on the role of SMRs in Canada’s energy landscape. We invite policymakers, industry experts, researchers, and the public to engage with us as we explore the future of SMRs.

Stay tuned for our upcoming posts, where we’ll examine:

• 
  

  The different types of SMRs and their applications

  
  
• 
  

  Cybersecurity challenges specific to SMRs

  
  
• 
  

  Regulatory considerations and the path forward

  
  

For more information and to follow the series, visit our SMR Security Blog.

The post What Are Small Modular Reactors (SMRs)? Canada’s Next Energy Frontier appeared first on CIPSER.

NC-CIPSeR and Canadian Blood Services: Partners for Life – Strengthening Critical Infrastructure Resilience Through Lifesaving Contributions

At NC-CIPSeR, we are proud to announce our official participation in Canadian Blood Services’ Partners for Life Program, reinforcing our commitment to not only safeguarding °ä²¹²Ô²¹»å²¹â€™s critical infrastructure but also to strengthening the health and resilience of our communities.

Why Blood Donation Matters to Critical Infrastructure Resilience

Critical infrastructure resilience isn’t just about protecting physical assets – it’s about safeguarding the people who operate, maintain, and rely on these essential systems. In times of emergency – whether natural disasters, cyberattacks, or public health crises – °ä²¹²Ô²¹»å²¹â€™s healthcare infrastructure plays a vital role in our collective response and recovery.

By partnering with Canadian Blood Services, NC-CIPSeR is helping to ensure °ä²¹²Ô²¹»å²¹â€™s blood supply remains strong, ready to meet the needs of hospitals, emergency services, and communities across the country. This direct link between public health and emergency preparedness highlights the importance of proactive, whole-of-society approaches to resilience.

A Commitment to Lifesaving Generosity

As part of this initiative, NC-CIPSeR’s volunteers, researchers, partners, and broader network are invited to become regular blood, plasma, and platelet donors under the NC-CIPSeR Partners for Life team. This isn’t just about individual contributions – it’s about collective impact. Every donation strengthens the critical supply chain of life-saving products that underpin °ä²¹²Ô²¹»å²¹â€™s emergency medical response capacity.

We are encouraging all members of the NC-CIPSeR community, from students and faculty at ÐÓ°ÉÔ­´´ University to our industry and government partners, to register as part of our Partners for Life team and commit to regular donations.

How to Join NC-CIPSeR’s Partners for Life Team

1. Visit and create an account (or sign in if you already have one).
2. Link your account to NC-CIPSeR’s Partners for Life team using our unique team ID: NATIO125815 or can the QR code below.
3. Book your donation appointment and be sure to log your donation under the NC-CIPSeR team.

Together, we can demonstrate how °ä²¹²Ô²¹»å²¹â€™s critical infrastructure professionals – the very people responsible for protecting our essential systems – also have a direct role to play in protecting and saving lives.

The Lifesaving Link Between Blood and Resilience

In the critical infrastructure space, we often talk about supply chain resilience, interdependencies, and the importance of preparedness. °ä²¹²Ô²¹»å²¹â€™s blood supply is, in itself, a critical supply chain – one that depends entirely on the generosity and foresight of everyday Canadians.

By actively participating in this program, NC-CIPSeR and its network can model the very resilience we advocate for, demonstrating the power of collective action in building stronger, healthier, and more prepared communities.

Join Us Today

We invite everyone across the NC-CIPSeR ecosystem – from researchers and students to practitioners and policymakers – to join this meaningful initiative. By donating blood, plasma, or platelets, you’re not only making a personal contribution to °ä²¹²Ô²¹»å²¹â€™s healthcare resilience – you’re reinforcing the vital connection between health security and critical infrastructure protection.

National Centre for Critical Infrastructure Protection, Security and Resilience has partnered with Canadian Blood Services to help make a difference for patients in Canada. Join our team and help save lives. (You can be on multiple teams!) ÌýJoin today by scanning the QR code below:

The post NC-CIPSeR and Canadian Blood Services: Partners for Life appeared first on CIPSER.

Securing °ä²¹²Ô²¹»å²¹â€™s Arctic: A Strategic Imperative for Multi-Use, Multi-User Infrastructure in a New Era of Geopolitical Threats

°ä²¹²Ô²¹»å²¹â€™s Arctic has shifted from a remote frontier to a critical national and international security flashpoint. A recent assessment from the Canadian Security Intelligence Service (CSIS) underscores that °ä²¹²Ô²¹»å²¹â€™s Arctic is being actively targeted by adversaries seeking to exploit the region’s sparse infrastructure, fragile environment, and limited surveillance capabilities (Tunney, 2024). This increased attention aligns with broader trends of climate change accelerating access to new Arctic shipping routes, growing interest in resource extraction, and expanded military footprints by both Russia and China.

Canada now faces a strategic imperative: will we actively shape the future of the Arctic through resilient, integrated infrastructure and governance models, or leave it vulnerable to external forces – for another few decades?

Multi-Use, Multi-User Infrastructure: A Modern Arctic Model

The need for multi-use, multi-user infrastructure in °ä²¹²Ô²¹»å²¹â€™s Arctic infrastructure that serves overlapping military, civilian, Indigenous, scientific, and economic purposes is clear. Through ÐÓ°ÉÔ­´´â€™s IPIS/NPSIA’s Critical Infrastructure Risk Assessment course (CIRA) we’re exploring the deployment of Small Modular Nuclear Reactors (SMRs) at Arctic military bases, providing clean, reliable, resilient power for military readiness, community development, and research support. This type of infrastructure is adaptable to emergency response, economic activity, and national defence and enhances sovereignty while contributing to regional sustainability and security.

This aligns directly with the Canadian Department of National Defence’s (2019) Arctic and Northern Policy Framework, which highlights the need for dual-use infrastructure that strengthens both security and community resilience. The framework stresses that Arctic security is inseparable from the well-being of Arctic communities, underscoring the importance of integrated planning where defence infrastructure also serves economic, social, and environmental purposes (Canadian Department of National Defence, 2019).

Revisiting the Dome: Historical Lessons in Resilient Arctic Design

This vision for multi-purpose Arctic hubs isn’t new. In 1958, Canadian planners envisioned a concrete-domed town in Iqaluit, fully enclosed to withstand Arctic weather while supporting military and civilian populations alike (CBC News, 2014). While technologically impractical today, the underlying concept of infrastructure designed for both strategic defence and community sustainability remains relevant. The Arctic’s future lies in dual-purpose, climate-adapted infrastructure that integrates military, research, economic, and community needs.

Emerging Threat Environment: Urgent Need for Action

The Standing Senate Committee on National Security, Defence and Veterans Affairs (SECD) 2023 Arctic Security Report paints a sobering picture: climate change, increased foreign presence in Arctic waters, and Russia’s Arctic military buildup have dramatically raised the regions vulnerability. New threats include hypersonic missiles, long-range cruise missiles, and advanced cyber operations, many of which could exploit gaps in °ä²¹²Ô²¹»å²¹â€™s surveillance and response infrastructure (SECD, 2023).

The U.S. Department of Defense (2022) Arctic Strategy echoes these concerns, stressing that the Arctic is now an operational theatre for strategic competition, requiring enhanced domain awareness, military presence, and dual-purpose infrastructure capable of supporting both security and local resilience (U.S. Department of Defense, 2022). Both Canadian and U.S. strategies emphasize the critical need for multi-domain awareness and infrastructure that can simultaneously support military operations and community well-being.

Human Security and Infrastructure: A Broader Definition of Sovereignty

Traditional, southern-centric models of critical infrastructure planning designed for urban environments doesn’t work in the Arctic. Major Daniel Arsenault (2022) argues that critical infrastructure protection in the Arctic must shift to a human security framework, where infrastructure resilience is directly tied to the safety, health, and economic well-being of Arctic residents (Arsenault, 2022). In this model, a failure in critical infrastructure isn’t just a technical gap, it’s a sovereignty vulnerability, creating openings for adversaries to exploit.

This thinking aligns with the Canadian Northern Corridor concept described by Katharina Koch (2022). Her work stresses that piecemeal, project-by-project approaches to Arctic infrastructure have failed precisely because they overlook regional diversity, Indigenous knowledge, and holistic planning needs (Koch, 2022). A coordinated, pan-Canadian corridor strategy, designed with Indigenous leadership and grounded in community needs, is essential for resilient, sustainable infrastructure that supports sovereignty and development.

Differentiating the North: Avoiding One-Size-Fits-All

One of °ä²¹²Ô²¹»å²¹â€™s greatest Arctic policy failures has been the application of southern-designed, one-size-fits-all solutions to vastly different regions. As Koch (2022) notes, the Arctic and Northern Policy Framework (2019) called for exactly this shift,  moving from Ottawa-imposed projects to co-developed, regionally tailored solutions grounded in Indigenous governance and traditional knowledge (Koch, 2022; Canadian Department of National Defence, 2019).

The Standing Senate Committee also highlighted that Indigenous participation must be embedded in all Arctic security and infrastructure initiatives, ensuring that infrastructure investments contribute to self-determination, cultural preservation, and economic opportunity, not just national defence (SECD, 2023).

Whole-of-Society Arctic Resilience: A National Priority

°ä²¹²Ô²¹»å²¹â€™s future Arctic infrastructure must embody whole-of-society resilience, where every investment serves multiple purposes:

• Military surveillance and domain awareness.
• Emergency response and climate disaster management.
• Sustainable energy and economic development.
• Community health, housing, and connectivity.
• Scientific research on climate change and environmental monitoring.

This multi-use, multi-user approach isn’t just good governance, it’s a strategic necessity in an era where Arctic sovereignty, climate adaptation, and economic opportunity are fundamentally intertwined.

The Path Forward: Canada at a Crossroads

As CSIS has warned, the Arctic is already a strategic target (Tunney, 2024). The only question is whether Canada will proactively build the infrastructure and partnerships needed to project strength, resilience, and stewardship or whether we will leave the door open for another couple of decades for adversaries to exploit our gaps.

At NC-CIPSeR, we believe the time to act is now, and we invite partners from government, industry, Indigenous communities, and academia to join us in these conversations.

__________

References

Arsenault, D. (2022). Waiting for black swans: Why critical infrastructure in the Arctic needs a new security approach. Canadian Forces College.

Canadian Broadcasting Corporation. (2014, September 17). Under the dome: 1958 plan for Iqaluit was town under concrete shell. CBC News.

Canadian Department of National Defence. (2019). Arctic and northern policy framework: Safety, security, and defence chapter. Government of Canada.https

Koch, K. (2022). Differentiating the Canadian North for coherent infrastructure development. The School of Public Policy, University of Calgary.

Standing Senate Committee on National Security, Defence and Veterans Affairs. (2023). Arctic security under threat: Urgent needs in a changing geopolitical and environmental landscape.

Tunney, C. (2024, March 4). Adversaries see opportunities to exploit strategically valuable Arctic, CSIS says. CTV News.

U.S. Department of Defense. (2022). Department of Defense Arctic strategy.

The post Securing °ä²¹²Ô²¹»å²¹â€™s Arctic: A Strategic Imperative for Multi-Use, Multi-User Infrastructure appeared first on CIPSER.

Unraveling the Complexity: How Canada Can Build a Clearer, Stronger Approach to Critical Infrastructure Risk Assessment

By Perry Steckly

This is simply a conversation starter.

At NC-CIPSeR, a question we often hear is: “Does Canada have a standard way to assess risk?� The answer, like the risks themselves, is far from simple. With so many risk assessment tools and frameworks in use across the country, determining the most effective methodology becomes part of the challenge.

The Current Reality: A Patchwork System

Canada has built a solid foundation for managing risk to critical infrastructure and communities — but it remains a patchwork of tools, frameworks, and strategies, each operating in isolation or for sector-specific purposes.

Key elements of °ä²¹²Ô²¹»å²¹â€™s current risk management framework include:

• °ä²¹²Ô²¹»å²¹â€™s All-Hazards Risk Assessment (AHRA) process and Harmonized Threat and Risk Assessment (HTRA) process, which consider all types of risks — natural, technological, and human-caused (Public Safety Canada, 2018).
• The Sendai Framework for Disaster Risk Reduction, which Canada has embraced as part of its international disaster risk reduction commitments (United Nations Office for Disaster Risk Reduction, 2015).
• The Emergency Management Strategy for Canada: Toward a Resilient 2030, which aligns federal, provincial, and territorial efforts (Public Safety Canada, 2018).
• ISO 31000, adopted as °ä²¹²Ô²¹»å²¹â€™s national risk management standard, which offers principles and guidelines for organizational risk management (BSI Group, n.d.) and approved by the Standards Council of Canada.

On paper, this is an impressive set of tools — but in practice, there is no single, unifying approach that brings all of these frameworks together into a coherent, consistent method to assess, compare, and communicate risk across the country.  Provinces struggle with the same challenge.

Why This Matters — And Where the Gaps Are

The 2023 National Risk Profile (NRP) highlighted the evolving risks Canada faces — from wildfires to cyber-attacks to pandemics (Public Safety Canada, 2023). It also emphasized the importance of evidence-based, whole-of-society risk assessments. However, the NRP is not a standardized risk methodology itself — it’s more of a snapshot in time, shaped by the tools, data, and processes currently in use across provinces, territories, and sectors.

This fragmentation leads to several challenges:

• Inconsistent Data: Different jurisdictions and sectors assess risk differently, making national comparisons difficult.
• Siloed Knowledge: There is limited integration between sectors — meaning the energy, transportation, and health sectors may assess risks independently, without seeing potential cascading interdependencies.
• Difficulty Prioritizing Resources: Without a nationally comparable risk picture, it’s hard to ensure that investments, programs, and policy decisions are targeting the right vulnerabilities.

How can Canada leverage the thousands of risk assessments happening across the country whether they are in the critical infrastructure sectors, municipal hazard assessments, corporate enterprise risk programs, or sector-specific regulatory filings? Canada needs a clear roadmap that moves from fragmented, isolated assessments toward a nationally harmonized, analyzable and comparable system allowing for both local customization and provincial and national-level measurement.

Can We Learn from Others? Absolutely.

Countries like the United Kingdom, Australia, and the United States have each taken steps toward national standardization of risk assessment, with varying degrees of success.

• The UK National Risk Register uses a common risk methodology across government departments, ensuring national comparability (Cabinet Office, 2023).
• Australia’s National Emergency Risk Assessment Guidelines (NERAG) provide a flexible but consistent process that has been adopted across most states and territories (Australian Institute for Disaster Resilience, 2020).
• The U.S. National Institute of Standards and Technology (NIST) has become a global leader in setting technical standards, including frameworks for cybersecurity risk management (NIST, 2018).

The common thread? These countries all have some form of a centralized body responsible for developing, maintaining, and updating risk assessment methodologies, ensuring cross-jurisdictional and cross-sector consistency.

A Path Forward for Canada — And a Role for NC-CIPSeR

Canada already has the building blocks — from the National Risk Profile to the Sendai Framework to ISO 31000. What we lack is a central, science-driven entity responsible for weaving these elements together into a coherent, adaptable, and widely adopted national risk assessment standard.

The National Bureau of Standards (NBS) was established in the United States on March 3, 1901, to address the growing need for consistent standards and measurements to support industrial growth, scientific progress, and public safety. As the U.S. economy became more complex, inconsistent measurements and technical standards were creating barriers to trade, innovation, and infrastructure development. NBS provided a trusted, central authority for establishing reliable standards across industries, ensuring fairness in commerce, enhancing product safety, and fostering innovation. In 1988, NBS was renamed the National Institute of Standards and Technology (NIST), reflecting its expanded role in advancing technology, cybersecurity, and critical infrastructure protection (NIST, 2021).

The National Bureau of Standards was charged with:

• Developing and maintaining national standards of measurement.
• Providing calibration services to industry and government.
• Conducting scientific research to improve measurement science.
• Supporting industry and government agencies with standard reference materials (SRMs) and technical expertise.

This is where NC-CIPSeR could play a leadership role.  Consider the above but directly related to critical infrastructure risk assessments.

We propose the creation of a “NIST for Riskâ€� in Canada — a Centre of Excellence, a national platform for developing, evolving, and promoting standardized risk assessment methodologies tailored to °ä²¹²Ô²¹»å²¹â€™s critical infrastructure and emergency management needs. Our foundational focus on research, innovation, collaboration and education is a strong start.

This would:

• Ensure consistent data collection and risk analysis across sectors and jurisdictions.
• Support evidence-based decision-making, both for routine planning and emergency response.
• Identify and assess cross-sector interdependencies, ensuring cascading risks are properly understood.
• Provide a trusted, neutral space where government, industry, academia, and Indigenous communities can collaborate on risk data and best practices.

Moving from Fragmentation to Integration

NC-CIPSeR’s work, including Project CANVAS, is already focused on collecting, visualizing, and analyzing threat and hazard data across Canada (We’re just starting). Or our Intelligence Hub (repository) a curated and evolving knowledge center designed to support decision-makers, researchers, and industry leaders working to protect °ä²¹²Ô²¹»å²¹â€™s critical infrastructure. By bringing together national strategies, threat assessments, sector-specific reports, and historical insights, the Hub serves as both a reference library and a real-time intelligence platform, helping users navigate emerging risks and uncover solutions.

But tools, documents and information aren’t enough — what’s needed is a cultural shift toward standardized, collaborative risk assessment at all levels.  Canadians should talk about critical infrastructure, risk assessments and national security in a common, well-understood, consistent language.

We invite our partners across sectors, government, and academia to join us in shaping this conversation. Together, we can:

• Define core risk assessment principles and minimum data requirements.
• Pilot integrated risk assessments that cross sectoral and jurisdictional boundaries.
• Continue research into the efficacy of risk assessments across hazards.
• Standardize data collection and management processes.
• Develop training and knowledge-sharing programs to build a consistent risk culture across Canada.
• Modern Knowledge translation

The time to move from fragmented risk management to a truly national, integrated risk approach is now.

References 

Australian Institute for Disaster Resilience. (2020). National Emergency Risk Assessment Guidelines (NERAG). Retrieved from

BSI Group. (n.d.). ISO 31000:2018 risk management guidelines. Retrieved from

Cabinet Office. (2023). National risk register 2023. Government of the United Kingdom. Retrieved from

National Institute of Standards and Technology. (2018). Framework for improving critical infrastructure cybersecurity. Retrieved from

National Institute of Standards and Technology. (2021). ÐÓ°ÉÔ­´´ NIST: Our history. Retrieved from

Public Safety Canada. (2018). Emergency management strategy for Canada: Toward a resilient 2030. Retrieved from

Public Safety Canada. (2023). National risk profile – Canada 2023. Retrieved from

United Nations Office for Disaster Risk Reduction. (2015). Sendai framework for disaster risk reduction 2015-2030. Retrieved from

Further Reading

For those interested in a deeper dive into the challenges and opportunities associated with standardizing risk assessment methodologies for critical infrastructure, several academic and institutional studies offer valuable insights.

The European Commission’s Joint Research Centre (2015) proposed a comprehensive risk assessment process tailored specifically for critical infrastructure protection across EU member states, emphasizing the need for harmonized methodologies to improve cross-border resilience. Similarly, Linkov et al. (2014) introduced the concept of resilience metrics in critical infrastructure protection, advocating for frameworks that integrate risk, resilience, and adaptive capacity into a unified decision-making process.

Aven (2016) explored the foundations and practicalities of risk assessments for critical infrastructures, focusing on how uncertainty, complexity, and interdependencies challenge standardization efforts. Giannopoulos et al. (2012) examined the influence of transnational challenges and cognitive biases on the adoption of risk assessment methodologies in critical infrastructure sectors, highlighting the socio-technical barriers to harmonization.

In the cyber domain, Kure, Islam, & Mouratidis (2020) reviewed cyber resilience risk assessment methods, identifying gaps between traditional risk assessments and the evolving cyber threat landscape.

Additionally, Oughton, Tyler, & Ingirige (2019) reviewed critical infrastructure protection approaches and emphasized the importance of responsiveness to rapidly evolving modeling landscapes, a key consideration when designing dynamic and adaptive risk frameworks. Meanwhile, the United Nations Security Council Counter-Terrorism Committee (2021) compiled a compendium of good practices for protecting critical infrastructure from terrorist attacks, reinforcing the need for consistent, threat-informed, and adaptable risk assessment methodologies in high-threat environments.

Collectively, these works highlight both the necessity and complexity of developing unified risk assessment standards for critical infrastructure. They emphasize that such standards must balance consistency and flexibility, allowing organizations to adapt to emerging threats and sector-specific risks while ensuring national comparability and effective decision-making.

The post Unraveling the Complexity: How Canada Can Build a Clearer, Stronger Approach to Critical Infrastructure Risk Assessment appeared first on CIPSER.