CSE’s evolved Security Review Program

About CSE and the Canadian Centre for Cyber Security

The Communications Security Establishment (CSE) is Canada’s national cryptologic agency, responsible for providing advice and guidance on all aspects of cyber security to Government of Canada departments and agencies. The launch of CSE’s Canadian Centre for Cyber Security (Cyber Centre) in 2018 helped the department build even stronger security partnerships between government and industry with the shared goal of raising the overall cyber security bar in Canada’s telecommunications sector.

CSE’s Cyber Centre applies the full depth of its security experience and works with a range of partners, domestically and internationally, to continually find ways to increase the security of the telecommunication networks that Canada relies on.

Protecting Canada’s telecommunications critical infrastructure

CSE and its partners at Public Safety Canada (PS), Innovation, Science, and Economic Development (ISED) and the Canadian Security Telecommunications Advisory Committee (CSTAC) actively engage with Canadian telecommunications service providers (TSPs) and key equipment suppliers to help ensure the security of Canadian critical telecommunications infrastructure.

Securing telecommunications networks from cyber threats protects the backbone for how Canadians communicate, work, and live online. Since 2013, CSE’s Security Review Program (SRP) has helped Canadian TSPs mitigate cyber security risks, including supply chain risks from designated equipment and services, such as Huawei and ZTE, in their 3G/4G/LTE networks.

The SRP is a collaborative program between government and industry which, to date, has led to:

  • The restriction of designated products from use for sensitive functions in Canadian networks.
  • The restriction of designated products from GC network contracts.
  • The restriction on the use of outsourced managed services from designated providers in Canadian networks.
  • Assurance testing in CSE-qualified third-party laboratories for designated products used for less-sensitive functions in Canadian networks.
  • Annual architecture reviews to provide tailored technical advice and guidance to TSPs, resulting in year-over-year increases in the adoption of cyber security controls and best practices.

5G and the evolution of CSE’s Security Review Program

Mobile networks have become an increasingly critical part of telecommunications infrastructure. 5G will provide the underlying infrastructure upon which new applications, services, and other critical infrastructure will depend.

Given CSE’s mandate for cyber security and information assurance, the Cyber Centre will leverage and evolve the SRP (eSRP) to support Canadian TSPs in securing critical elements of Canada’s 5G networks and the broader telecommunications system. The eSRP will apply more broadly to help industry improve the cyber security and resilience of Canada’s telecommunications networks and consider risks from all key suppliers.

The Cyber Centre will continue to take a collaborative approach that provides Canada with a strong, balanced foundation of knowledge and expertise from both a GC and industry perspective, enabling TSPs to mitigate cyber threats and establish resilient telecommunications networks for the benefit of all Canadians.

eSRP: Program activities

The Cyber Centre will continue to work in partnership with TSPs to implement this program on a collaborative basis. Cooperative engagement with TSPs, as well as proactive outreach to key suppliers of products and services, allows for innovative and adaptable approaches to cyber security and resilience in the face of rapidly changing technology and emerging threats.

The eSRP will continue with the same pillars of activity as the existing program, including restrictions on low-confidence products and services, deployment assessments, architecture reviews, and collaboration on cyber security controls to increase the resilience of telecommunications networks across Canada.

New activities will include the following:

  • Engage key suppliers of critical telecommunications products and services, to establish new partnerships focused on building confidence in the products and services deployed in Canadian TSP infrastructure.
  • Develop assurance activities or mitigation strategies for supplier equipment if there is an assessed cyber security gap.
  • Share threat-related information and mitigation advice and guidance to support TSPs in establishing resilient telecommunications networks regardless of suppliers selected.
  • Collaborate with industry to develop robust cyber security controls regardless of suppliers selected.

Additional information on program activities

Supplier confidence assessments

The current SRP focuses on the supply chain risk posed by products and services from designated suppliers (e.g. Huawei). Going forward, the eSRP will engage all key suppliers present in the Canadian market to establish new partnerships focused on building confidence in the products and services deployed in Canadian telecommunications infrastructure.

The program will apply rigorous new supplier assessment criteria to ensure that mitigation measures correspond to increasingly complex cyber security threats across the sector. The focus will be on suppliers that provide products and services used in the most critical areas of the telecommunications infrastructure, starting with, but not limited to, securing critical elements of Canada’s 5G networks, including the radio access network, the backhaul to the core network, and the core network for mobility services.

These new supplier confidence assessments will allow for a tiered approach to assurance activities based on supplier confidence levels, where program requirements will decrease as supplier confidence increases. While the current third-party laboratory assurance testing will remain in place for certain low-confidence suppliers, the program will also develop novel assurance and mitigation strategies to address assessed cyber security gaps for supplier equipment.

TSP architecture reviews

As a result of CSE’s existing SRP, annual evaluations of Canadian telecommunications service providers’ architectures have shown year-over-year improvements in the adoption of cyber security best practices. The eSRP will continue these annual architecture reviews to identify security gaps and work collaboratively with TSPs to improve the overall security in the telecommunications sector.

The eSRP will continue to collaborate with Canadian TSPs to propose cyber security best practices and baseline controls across their networks (e.g. CSTAC Security Best Practices for Canadian TSPs), for any equipment or service, not solely in relation to the presence of low-confidence supplier products.

Product deployment assessments

When a TSP proposes a new product, upgrades, or new functions to an existing product/service from a low-confidence supplier for use in Canada, CSE/Cyber Centre conducts a product deployment assessment, based on its unique and specialized understanding of the cyber threat landscape.

A deployment assessment is ideally performed prior to, or early in, the procurement process. The deployment assessment evaluates the cyber security risks in the product, the deployment context, and the controls proposed by the TSP. The risk mitigation measures recommended as part of the assessment will ensure that, as per Canadian industry-defined standards, a baseline level of cyber security is present in TSP activities. The assessment also provides multiple layers of recommended mitigations to offset risks in scenarios where equipment originating from a low-confidence supplier is proposed for deployment.

The eSRP will expand assessments to consider the deployment of products from key suppliers, with a focus on the most important and sensitive areas of the telecommunications infrastructure. The deployment assessment identifies risks and provides recommended mitigations to ensure a resilient network/service.

Cyber resilience approach

In order to adapt to changes in technology in the telecommunications sector, particularly with the transition to 5G, the eSRP will expand its focus beyond the supply chain risk posed by certain suppliers to consider the overall cyber security and resilience of all critical elements of Canada’s telecommunications system.

The program will promote a spectrum of activities that build resilience in the telecoms sector. It will continue its work on prevention and risk mitigation, enhance collaboration and governance mechanisms, build capacity to better understand risk, and increase competency in preparedness, detection, response, and forward-looking recovery planning. This will include an increased focus on threat briefings with links to recommended mitigations as well as collaborative industry workshops for capability development.

Canadian Telecoms Security Recommendations

The eSRP will create a catalogue of Canadian Telecoms Security Recommendations that contain technology reference architectures (e.g., 5G Non-Standalone and Standalone), share threat-related information for each architecture, and recommend cyber security controls to mitigate these threats.

The eSRP will continue consultation with TSPs and CSTAC’s Canadian Telecom Cyber Protection (CTCP) Working Groups to ensure ongoing collaboration on security initiatives and awareness of threat-related information. The Cyber Centre will also promote the adoption of global standards that recommend robust cyber security controls that lead to an increase in confidence and resilience in global telecommunications systems.

Implementation

CSE has already begun increased collaboration within CSTAC’s various working groups to define reference architectures, threat models, and mitigations to be shared with all Canadian TSPs as industry-standard baseline requirements. We will continue to work with international partners to promote global standards that raise the common baseline for cyber security and increase confidence in global telecommunications systems.
