
Pragmatic Cyber Resilience: Achieving the 36 Readiness Goals with Agilicus AnyX

Moving Beyond Analysis Paralysis to Identity-First Security

Executive Summary: Moving Beyond Analysis Paralysis

Critical infrastructure owners and operators in Canada face a daunting new regulatory reality. The Canadian Centre for Cyber Security’s Cyber Security Readiness Goals (CRGs), aligned with the NIST Cybersecurity Framework (CSF) 2.0, outline 36 foundational goals that demand a fundamental shift in how we protect society’s most critical systems. These goals are not merely suggestions: they represent the new benchmark for due diligence and statutory accountability under emerging mandates like the Critical Cyber Systems Protection Act (Bill C-26).

However, many organisations are trapped in “analysis paralysis,” overwhelmed by the complexity of legacy operational technology environments and the perceived risk of massive security overhauls. The Agilicus AnyX platform provides a pragmatic, identity-first path to compliance. By moving security from the network layer to the application layer, AnyX allows stakeholders to achieve material alignment with the 36 goals incrementally, without disrupting operational uptime or requiring complex firewall reconfigurations. This paper explores how a results-oriented approach to zero trust can close the compliance gap today.

The Compliance Force: The New Benchmark for Canadian Critical Infrastructure

The Cyber Security Readiness Goals represent a fundamental evolution in how the Canadian Centre for Cyber Security communicates risk. Structured around the six pillars of the NIST Cybersecurity Framework 2.0, these 36 goals create a shared language for cyber resilience across all critical infrastructure sectors, from energy and water to manufacturing and transport.

The goals are structured around the following six functions:

  1. Govern (GV): Establishing cybersecurity as a primary function of enterprise risk management and board-level oversight. This function ensures that the organisation’s cybersecurity risk management strategy, expectations, and policy are established and communicated.
  2. Identify (ID): Developing a comprehensive understanding of the assets, systems, and data that constitute the critical environment. This is essential for understanding the risks to the business environment and supply chain dependencies.
  3. Protect (PR): Implementing safeguards to ensure the continuous delivery of critical services. This includes multi-factor authentication, network segmentation, and data encryption.
  4. Detect (DE): Developing the capability to identify the occurrence of a cybersecurity event in real time through continuous monitoring.
  5. Respond (RS): Taking immediate and effective action regarding a detected cybersecurity incident to limit its impact through incident triage and containment.
  6. Recover (RC): Restoring capabilities or services impaired due to a cybersecurity incident with minimal downtime.

The Structural Gap: Why Legacy Tooling Fails the Resilience Test

The fundamental flaw in modern industrial security is a reliance on an obsolete architectural model: the Layer 3 virtual private network. For decades, the virtual private network has been the default answer for remote connectivity, predicated on the idea that “the network is the perimeter.” In an era of hyper-specialised supply chains and connected industrial meshes, this assumption is a primary source of statutory liability. Virtual private networks provide implicit network trust, allowing broad lateral movement and failing to provide the individual accountability required by modern standards.

The AnyX Paradigm: Shifting to Layer 7 Identity-First Access

Agilicus AnyX fundamentally re-imagines industrial access by moving the security boundary from the network layer to the application layer. This is Identity-First Access. In the AnyX architecture, there is no network-level connection between the remote user and the industrial asset. Instead, Agilicus acts as an identity-governed broker built on three unique differentiators.

Unified Authentication without Shadow Accounts

Modern resilience requires the elimination of fragmented login methods. Agilicus AnyX enables unified authentication, allowing every user—including third-party vendors—to sign in with their native corporate credentials. This provides true single sign-on without the creation of “shadow accounts” on local industrial assets. The primary benefit is automated decommissioning: when a technician stops working for your partner and their corporate account is disabled, their access to your critical infrastructure is revoked automatically and globally. This directly addresses the **Govern** and **Protect** pillars by ensuring individual accountability.

Precise Authorisation for Granular Control

Legacy systems typically offer “all-or-nothing” access. Agilicus AnyX delivers precise authorisation, moving beyond network segments to specific resource actions. Administrators can enforce read-only access for Virtual Network Computing (VNC) sessions or restrict a user to a specific Ignition project within a larger application server. This ensures that users see only what they need to do their jobs, materially satisfying the Protect pillar and the principle of least privilege access.

Seamless Access on Any Network

Agilicus provides seamless access that requires no virtual private network and no inbound port forwarding. Because the AnyX Connector initiates only outbound connections, the platform works on any network environment, including carrier-grade NAT. For the end user, there is no client software to install: they simply use their browser to reach authorised resources, removing the friction that often leads to insecure workarounds and addressing **Protect-1** by hiding critical assets from the public internet.

Deep Dive: Mapping Agilicus AnyX to the 36 Readiness Goals

Agilicus AnyX provides a technical foundation that materially assists organisations in achieving many of the 36 Cyber Security Readiness Goals. Below is a detailed mapping of how the AnyX architecture aligns with the six NIST functions and the specific goals within the toolkit.

Govern: Establishing Accountability

The Govern pillar focuses on leadership and vendor requirements. Agilicus AnyX assists in several key areas:

  • Vendor/Supplier Cyber Security Requirements (0.2): By brokering vendor access using their own corporate credentials, AnyX ensures that organisations can enforce their own security standards on third parties without the administrative overhead of managing external accounts.
  • Improving Information Technology and Operational Technology Relationships (0.4): AnyX acts as a bridge between these two worlds, providing a single, identity-governed platform that satisfies the security requirements of information technology while maintaining the operational uptime required by operational technology teams.

Identify: Understanding the Environment

Identification is the first step in any security strategy. AnyX provides visibility that is often missing in flat legacy networks:

  • Asset Inventory and Network Topology (1.0): The AnyX resource catalog creates a real-time, identity-governed inventory of every asset made available for access. This provides a clear view of the “attack surface” from an identity perspective.
  • Third-Party Validation (1.2): AnyX’s comprehensive auditing provides the evidence required for third-party auditors to validate the effectiveness of access controls.

Protect: Hardening the Defences

This is where Agilicus AnyX provides the most significant material assistance, directly addressing over a dozen of the Protect goals:

  • Revoking Credentials for Departing Employees (2.3): Unified authentication ensures that when an identity is revoked at the corporate source, it is automatically revoked in AnyX, preventing “ghost” access.
  • Separating User and Privileged Accounts (2.4): Layer 7 authorisation allows for the strict separation of roles. A regular operator may have read-only VNC access, while an engineer may have full RDP access to the same station.
  • Network Segmentation (2.5): AnyX implements identity-based micro-segmentation, creating ephemeral “conduits” for each session. This halts lateral movement, satisfying the core requirement of segmentation without changing the underlying network.
  • Phishing-Resistant Multi-Factor Authentication (2.7): AnyX brings modern, phishing-resistant multi-factor authentication to every asset, including legacy programmable logic controllers and human-machine interfaces that do not natively support it.
  • Strong Encryption (2.9): All traffic brokered by AnyX is encrypted end-to-end using TLS 1.3 and AES-256, regardless of whether the underlying protocol is encrypted.
  • Limit OT Connections to Public Internet (2.18): AnyX’s outbound-only model ensures that no critical infrastructure assets are directly reachable or even visible from the public internet.
  • No Exploitable Services on the Internet (2.20): By eliminating inbound ports, AnyX ensures that services like RDP or VNC are never exposed to external scanners or automated botnets.

Detect: Real-Time Visibility

The ability to detect anomalous activity is essential for critical infrastructure resilience:

  • Log Collection and Central Storage (2.15, 2.16, 3.0): The AnyX “Evidence Engine” translates technical telemetry into human-readable logs (who, what, when) and streams them to security information and event management platforms like Microsoft Sentinel.
  • Anomalous Activity Detection (3.3): By centralising all access events, AnyX provides the data necessary for security information and event management platforms to detect unusual patterns, such as a vendor connecting from a new location at an unusual time.
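The Detect entries above describe centralised who/what/when access events feeding a SIEM. As an added illustration that is not Agilicus code and does not use the real AnyX log format (field names and sample records are constructed), here is a small baseline-and-deviation check in Python that flags a vendor identity connecting from a new location or at an unusual hour.

```python
from datetime import datetime

# Constructed sample access events in a "who, what, when, where" shape.
# Field names are assumptions for illustration, not the AnyX schema.
HISTORY = [
    {"user": "tech@vendor.example", "resource": "hmi-pump-3", "time": "2024-03-04T09:15:00", "location": "CA-ON"},
    {"user": "tech@vendor.example", "resource": "hmi-pump-3", "time": "2024-03-05T10:40:00", "location": "CA-ON"},
    {"user": "tech@vendor.example", "resource": "plc-line-2", "time": "2024-03-06T14:05:00", "location": "CA-ON"},
    {"user": "ops@utility.example", "resource": "hmi-pump-3", "time": "2024-03-04T22:30:00", "location": "CA-ON"},
]

# New events to evaluate against the baseline (also constructed).
NEW_EVENTS = [
    {"user": "tech@vendor.example", "resource": "hmi-pump-3", "time": "2024-03-11T11:00:00", "location": "CA-ON"},
    {"user": "tech@vendor.example", "resource": "plc-line-2", "time": "2024-03-12T03:20:00", "location": "RO-B"},
    {"user": "nobody@vendor.example", "resource": "hmi-pump-3", "time": "2024-03-12T12:00:00", "location": "CA-ON"},
]


def build_baseline(events):
    """Per identity: locations, hours of day and resources previously seen."""
    baseline = {}
    for e in events:
        b = baseline.setdefault(e["user"], {"locations": set(), "hours": set(), "resources": set()})
        b["locations"].add(e["location"])
        b["hours"].add(datetime.fromisoformat(e["time"]).hour)
        b["resources"].add(e["resource"])
    return baseline


def find_anomalies(events, baseline, hour_slack=1):
    """Return (user, resource, time, reasons) for events that deviate from the baseline."""
    findings = []
    for e in events:
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("no baseline for identity")
        else:
            if e["location"] not in b["locations"]:
                reasons.append(f"new location {e['location']}")
            hour = datetime.fromisoformat(e["time"]).hour
            # Tolerate hour_slack hours either side of any previously seen hour.
            if not any(abs(hour - h) <= hour_slack for h in b["hours"]):
                reasons.append(f"unusual hour {hour:02d}:00")
            if e["resource"] not in b["resources"]:
                reasons.append(f"first access to {e['resource']}")
        if reasons:
            findings.append((e["user"], e["resource"], e["time"], reasons))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(NEW_EVENTS, build_baseline(HISTORY)):
        print(finding)
```

In a real deployment the baseline would be built from the SIEM's retained history rather than an inline list, and each finding would become an alert rather than a printed tuple.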

Respond: Rapid Containment

In the event of an incident, speed is essential:

  • Containment and Eradication (4.4): AnyX provides an “Identity Kill-Switch.” Administrators can revoke an identity’s access globally in a single click, immediately severing all active sessions and preventing further unauthorised access without having to reconfigure firewalls or change passwords.

Recover: Orthogonal Resilience

Recovery depends on having secure access to systems even when the primary network may be compromised:

  • Continuity of Operations (5.3): Agilicus provides a secure, independent path for emergency response that bypasses potentially compromised virtual private network or network infrastructure. This ensures that recovery teams can reach critical assets when they need them most.

The Pragmatic Path: A Four-Step Journey to Resilience

The most important takeaway for critical infrastructure stakeholders is that compliance is a journey, not a destination. Moving incrementally to a goal is better than analysing forever and never getting there. Agilicus AnyX is designed for incremental deployment, allowing you to secure your most critical assets first and build momentum.

  • Phase 1: Secure Remote Access (Immediate Value): Replace insecure virtual private networks for third-party vendors and remote employees immediately. This provides a “quick win” in risk reduction and directly addresses several Protect goals.
  • Phase 2: Authentication Hardening: Consolidate single sign-on and multi-factor authentication across the shop floor and field operations, eliminating shared accounts on legacy programmable logic controllers and human-machine interfaces.
  • Phase 3: Visibility and Audit: Establish a verifiable chain of accountability for all access events, ensuring that you have the evidence required for regulatory compliance.
  • Phase 4: Full Zero Trust Micro-segmentation: Refine access policies to implement granular, resource-level authorisation for all internal and external users.

Conclusion: Action is the Best Defence

The path to cyber resilience in critical infrastructure is not found through endless analysis, but through pragmatic, iterative action. The 36 Cyber Security Readiness Goals are achievable today. By starting with identity, organisations can close the compliance gap, protect their “crown jewels,” and shield leadership from statutory liability. Don’t let a perfect plan prevent an immediate improvement in your security posture. Start your journey to zero trust with Agilicus AnyX today.

Ready To Learn More?

Agilicus AnyX Zero Trust gives any user, on any device, secure connectivity to any resource they need—without a client or VPN. Whether that resource is a web application, a programmable logic controller, or a building management system, Agilicus can secure it with multi-factor authentication while keeping the user experience simple with single sign-on.


info@agilicus.com, +1 519 953-4332

300-87 King St W, Kitchener, ON, Canada. N2G 1A7
