Alberta officials discuss cyber threats to oil, gas infrastructure

The report noted that the Alberta government does not require provincially regulated oil-and-gas operators to meet minimum IT security standards for the systems that control pumps, valves and other key oil-and-gas equipment. There are standards for utilities, but electrical operators aren’t required to comply with those until October of next year.

Although the threat of an attack on the oil-and-gas industry was found to be low, the auditor general report says there’s been no government assessment of what the impact would be if a cyberattack were to occur.

Energy Minister Marg McCuaig-Boyd says her department accepts the auditor general’s recommendations.
“Our energy industry is crucial to the economic livelihood of our province and we want to help make sure it remains as protected as possible from cyber attacks,” she said in a statement.

“I have asked the department to work with regulators and other areas of government to meet and determine next steps. Those meetings will begin in the coming weeks.”

The auditor general’s report said if systems are not secure, “they can be misused to cause damage to critical infrastructure (e.g. oil wells, pipelines and refineries), resulting in harm to Albertans or the environment.”

“We recommend that the Department of Energy and Alberta Energy Regulator work together to determine whether a further assessment of threats, risks and impacts to industrial control systems used in provincially regulated oil and gas infrastructure would benefit Alberta.”

The impact of a potential cyber attack in the oilpatch could be serious, but it’s unlikely to look like something out of a Hollywood blockbuster, said Nick Martyn, CEO of RiskLogik.
RiskLogik works with clients to map out and mitigate risks, whether they’re potential cyber attacks or natural disasters.

Martyn said disrupting the flow of natural gas on a pipeline during the winter, for instance, “would be a huge inconvenience, but it wouldn’t be catastrophic.”

Ryan Wilson, chief technology officer at Toronto-based IT firm Scalar Decisions Inc., said the industry’s work shouldn’t stop at complying with any minimum standards the government ends up putting in place.

Companies also have a duty to shareholders to do everything possible to protect their business from threats, he said.

“It’s really up to organizations themselves to take it one step further and not only focus on compliance, which is that bare minimum that you have to do, but really approach it from a risk-management perspective.”

Mark Nunnikhoven, a vice-president at global IT security firm Trend Micro, said Canadian energy firms are among the best in the world when it comes to protecting themselves from cyber threats.

However, they face a unique challenge: the infrastructure is built to stay in place for decades upon decades.
“While they’re kept up to date on a somewhat regular basis, they were designed and deployed for a very different type of environment,” said Nunnikhoven.

“Most of these systems are working on models that were designed conceptually 20-something years ago and the IT industry is very different now versus 20 years ago.”