What Is CSA-C22.1-18 and How Is It Linked to Cybersecurity?

What Is CSA-C22.1-18 and How Is It Linked to Cybersecurity?

  • Post author:
  • Reading time:5 mins read

The CSA-C22.1-18 is Part 1 of the 24th edition of the Canadian Electrical Code (CE Code), a National Standard published in 2018 by the Canadian Standards Association (CSA) to install and maintain electrical equipment. The 2018 CE Code is a regulatory requirement. It is enforced within every Canadian Province and Territory, except for Quebec, which currently uses the 2015 CE Code as the basis for the Quebec Electrical Code. 

The CE Code’s primary objective is to establish safety standards for installing and maintaining electrical systems and equipment in Canada and ensuring that these systems are operated safely. 

This article provides an overview of the recent 2018 changes to the Canadian Electrical Code and how cybersecurity requirements may apply.

About Canadian Electrical Code 

The CE Code was first published in 1927 and is an essential component of Canada’s electrical safety system. It applies to all electrical work and electrical equipment at all voltages and is meant to keep installers, operators, facility owners, and the public safe from avoidable electrical hazards. It is updated every three (3) years to incorporate technical changes, industry best practices, and data on incidents and hazards. 

In Canada, Provinces and Territories are responsible for the health and safety of their citizens. They have individual legislation that includes the adoption and enforcement of codes and standards for electrical safety. This legislation specifies that electrical equipment cannot be sold or offered for sale unless it bears an approval mark. The CE Code defines that a piece of equipment is “approved” if certified by a Certification Body accredited by the Standards Council of Canada.

The CE Code applies to all electrical installations and equipment operating at buildings and premises, including factory-made transportable and non-transportable structures and self-propelled marine vessels parked for periods exceeding five months and connected to a shore electric supply.

The CE Code does not apply in the following installations:

  • Communication, or community antenna distribution system
  • Equipment used in the operation of electric railways and are energized exclusively from circuits that supply power to mechanical devices or systems.
  • Equipment used for railway signaling and railway communication purposes
  • Aircraft
  • Electrical systems onboard ships which are regulated under Transport Canada

High-level Layout of the Canadian Electrical Code 

The CE Code is divided into sections that are labeled with an even number. Sections 0, 2, 4, 6, 8, 10, 12, 14, 16, and 26 include rules that apply to installations in general, while the remaining sections are supplementary and deal with installation methods in specific locations or situations. The rules in the supplementary sections of the Code amend or supersede the rules in the general sections.

The following table provides a high-level overview of the CE Code.


How is the 2018 Canadian Electrical Code linked to Functional Safety?

The 2018 CE Code incorporates the new CSA process safety standards, making them mandatory and enforceable across Canada for electrical equipment installed under this code.

Appendix A to the Code, titled “Safety standards for electrical equipment,” is a normative (mandatory) section of the CSA-C22.1-18 standard and lists the standards used to certify electrical equipment being approved under the CE Code. 

Among others, Appendix A refers to the following standards: 

  • CAN/CSA-C22.2 No. 61508-1:17 (Canadian adoption of IEC 61508): Functional safety of electrical/electronic/programmable electronic safety related systems — Part 1: General requirements
  • CAN/CSA-C22.2 No. 61511-1:17 (Canadian adoption of ISA/IEC 61511): Functional safety — Safety instrumented systems for the process industry sector — Part 1: Framework, definitions, system, hardware and application programming requirements

For equipment to be approved under the CE Code provisions, it needs to be installed for use within the design parameters and purpose for which it was manufactured and certified. In addition, the designation of applicable standards or parts of standards to a particular product is made by the accredited certification organization (CO). If the CO determines that the aforementioned functional safety standards are applicable, the CE Code requires the electrical equipment to be: 

  • Approved as compliant to functional safety certification standards, as evidenced by the applied mark of an accredited (CO)
  • Inspected as compliant with the functional safety certification standards 

How is the 2018 Canadian Electrical Code linked to Cybersecurity? 

Both the functional safety standards CAN/CSA-C22.2 No. 61508-1:17 and CAN/CSA-C22.2 No. 61511-1:17 have cybersecurity requirements (see IEC 61508 and ISA/IEC 61511), which refer to the ISA/IEC 62443 series of standards.

This relationship between the functional safety standards and the cybersecurity standards means that if electrical equipment has a cyber-enabled component, it needs to satisfy both the following requirements to be compliant with the 2018 CE Code:

  • Maintain compliance with the functional safety standards CAN/CSA-C22.2 No. 61508-1:17 and CAN/CSA-C22.2 No. 61511-1:17
  • Maintain compliance with the cybersecurity requirements of ISA/IEC 62443 

Is the cybersecurity of your industrial facility compliant with CSA-C22.1-18?

To demonstrate and ensure compliance of your cybersecurity posture with the provisions of the CE Code, you will need to evaluate and answer the following questions: 

  • Has a cybersecurity risk assessment been carried out to identify threats and vulnerabilities to the electrical equipment?
  • Does the design and implementation of the electrical equipment provide the necessary resilience against cybersecurity risks? 
  • Are there protections against unauthorized or unintended cyber modifications?
  • Are there controls to ensure the correct information has been transferred, and the system’s integrity is not compromised? This one applies to electrical equipment and systems where data is being transferred or exchanged.

How ORIGNIX helps

ORIGNIX delivers bespoke cybersecurity engineering services for inherently safer design and operation of industrial processes. We utilize systematic cyber and operational risk assessment using well-established techniques and templates. Our cyber Process Risk Assessment (cyberPRA) methodology is based on ISA/IEC 62443 and IEC 61511 (part of the ISC 61508 umbrella) industry standards. The assessment identifies potential gaps, hazards, vulnerabilities, independent protection layers associated with engineered industrial processes at plant facilities. The identified cyber risks are prioritized based on realistic cost-benefit analysis.

To learn how our customers benefit, visit our website.

Authors note: This blog was co-authored between Saif Shariff and Anastasios Arampatzis.