CAN/DGSI 105:2022 (R2024)
1 Scope
1.1 General
1.1.1 The Standard aims to specify minimum requirements for the design and operation of Industrial
Internet of Things (IIoT) devices to meet requirements for security, safety, confidentiality,
integrity, and availability.
NOTE: As a National Standard of Canada, this is a voluntary standard. It only applies to the
organizations that decide to adopt the Standard and communicate their intention to use it for
purchasing and procurement purposes. Following adoption, the Standard can be actioned
through incorporation in relevant cybersecurity policies and procedures; reference in relevant
purchasing and procurement processes; and use in the selection of devices, equipment, or
services.
1.2 Applicability
1.2.1 This Standard applies to Industrial Internet of Things (IIoT) devices. It is meant to support and
complement other standards, codes of practice, guidance and best practices focusing on the
cybersecurity of systems and networks.
a. For the purposes of this Standard, IIoT is assumed to be a subset of IoT devices.
b. IoT devices are characterized by:
i. at least one transducer (either a sensor or an actuator) for interacting with the
physical world; and
ii. at least one network interface (including but not limited to Ethernet, Wi-Fi,
Bluetooth, Long-Term Evolution or LTE, Zigbee, and Ultra-Wideband or UWB)
for interacting with the digital world (NIST 2020, v).
c. IIoT devices share these characteristics: they are connected to equipment used in a wide
variety of industrial, commercial, and institutional settings and provide data, actuation
and control functionalities. General categorization of these devices can be found in
TABLE 4 in Annex A.
1.3 Intended users
1.3.1 The Standard applies to organizations planning to acquire new IIoT devices or equipment
embedding IIoT devices. As such, intended users are those who have a role to play in the
acquisition process; ideally a team composed of accountability centres using IIoT devices or
services in operations; accountability centres managing cybersecurity policies and procedures;
and accountability centres responsible for procurement and purchasing.
a. Other potential users include:
i. Manufacturers and vendors of IIoT devices
ii. Manufacturers and vendors of equipment embedding IIoT devices
iii. Manufacturers and vendors of IoT devices
b. Intended uses of the standard include:
i. The acquisition of new cybersafe IIoT devices
ii. The acquisition of equipment embedding new cybersafe IIoT devices
c. Other potential uses include:
i. Contracting with organizations using IIoT devices in delivering a service
ii. Assessing the vulnerability of installed devices by benchmarking them against
cybersecurity requirements featured in this standard
iii. Using cybersecurity requirements in the standard to acquire IoT devices
1.4 Exclusions
1.4.1 This Standard does not apply to:
a. Installed devices and equipment embedding IIoT devices
b. Cybersecurity systems and networks
SDO: DGSI
Language: English
ICS Codes: 25.040.40; 35.030
Status: Standard
Publish date: 2022-10-31
Standard Number: CAN/DGSI 105:2022 (R2024)