CAN/DGSI 105:2022 (R2024)

1 Scope 1.1 General 1.1.1 The Standard aims to specify minimum requirements for the design and operation of Industrial Internet of Things (IIoT) devices to meet requirements for security, safety, confidentiality, integrity, and availability. NOTE: As a National Standard of Canada, this is a voluntary standard. It only applies to the organizations that decide to adopt the Standard and communicate their intention to use it for purchasing and procurement purposes. Following adoption, the Standard can be actioned through incorporation in relevant cybersecurity policies and procedures; reference in relevant purchasing and procurement processes and use in the selection of devices, equipment, or services. 1.2 Applicability 1.2.1 This Standard applies to Industrial Internet of Things (IIoT) devices. It is meant to support and complement other standards, codes of practice, guidance and best practices focusing on the cybersecurity of systems and networks. a. For the purposes of this Standard, IIoT is assumed to be a subset of IoT devices. b. IoT devices are characterized by: i. at least one transducer (either a sensor or an actuator) for interacting with the physical world; and ii. at least one network interface (including but not limited to Ethernet, Wi-Fi, Bluetooth, Long-Term Evolution or LTE, Zigbee, and Ultra-Wideband or UWB) for interacting with the digital world (NIST 2020, v). c. IIoT devices share these characteristics: they are connected to equipment used in a wide variety of industrial, commercial, and institutional settings and provide data, actuation and control functionalities. General categorization of these devices can be found in TABLE 4 in Annex A. 1.3 Intended users 1.3.1 The Standard applies to organizations planning to acquire new IIoT devices or equipment embedding IIoT devices. As such, intended users are those who have a role to play in the acquisition process; ideally a team composed of accountability centres using IIoT devices or services in operations; accountability centres managing cybersecurity policies and procedures; and accountability centres responsible for procurement and purchasing. a. Other potential users include: i. Manufacturers and vendors of IIoT devices ii. Manufacturers and vendors of equipment embedding IIoT devices iii. Manufacturers and vendors of IoT devices b. Intended uses of the standard include: i. The acquisition of new cybersafe IIoT devices ii. The acquisition of equipment embedding new cybersafe IIoT devices c. Other potential uses include: i. Contracting with organizations using IIoT devices in delivering a service ii. Assessing the vulnerability of installed devices by benchmarking them against cybersecurity requirements featured in this standard iii. Using cybersecurity requirements in the standard to acquire IoT devices 1.4 Exclusions 1.4.1 This Standard does not apply to: a. Installed devices and equipment embedding IIoT devices b. Cybersecurity systems and networks