Introduction
For the energy sector, cybersecurity has been a top-of-mind issue for some time. This is particularly true given some of the high-profile cyber-attacks seen in recent years that have not only grabbed media headlines, but also resulted in operational disruption, financial losses and legal exposure. The challenge with cybersecurity is that attacker tactics are constantly evolving, thereby requiring organizations to be constantly vigilant and, if possible, one step ahead of the attackers. An added complexity for the energy sector is that it is deemed a “critical infrastructure” by governments – making it an attractive target not only for criminal cyber gangs, but also for sophisticated state-sponsored actors.
However, one thing is clear: organizations that prepare and invest in cyber readiness materially mitigate the negative impacts flowing from a major cybersecurity incident. While everyone agrees it’s not a question of “if” but rather “when” an organization will be a cyber-attack victim, the focus in our view should be on the “how” – meaning how an organization responds.
Building cyber resiliency
The criticality of the energy sector to society cannot be overstated. In Canada, the energy sector is deemed a “critical infrastructure” (just as in the United States), meaning if it were ever compromised (in part or in its entirety), such an event could have multiple cascading negative effects on other parts of the economy and society more generally. For the energy sector, a cyber-attack could result in immediate operational disruption, impacting upstream and downstream players alike.
As organizations focus on the “how” to effectively respond to a cyber-attack, the one overarching theme that should underpin their cybersecurity strategy is building strong cyber resiliency. The term “resiliency” is often used to describe an organization’s ability to quickly recover from a significant disruptive event. In the context of cybersecurity, resiliency is measured on two key metrics: firstly, the ability to reduce the “downtime” as much as possible and, secondly, the ability to ensure the incident’s “impact” is limited (i.e., the attackers can’t go too deep and cause damage that makes a timely recovery difficult or impossible).
While the concept of resiliency may seem self-evident, it is premised on regular preparation and testing. Studies show a direct correlation between the level of preparation and the severity of the impacts flowing from a significant cybersecurity incident. Organizations that prepare, test and invest regularly will typically recover quicker and experience less impactful negative effects. It should therefore not come as a surprise that the proposed new law tabled by the federal government seeks to ensure organizations in the energy sector are as cyber resilient as they can be.
What Is Bill C-26?
Over the summer, the Canadian federal government proposed Bill C-26 (the “bill”), which focuses on cyber threats to critical infrastructure. Among other things, it proposes to enact the Critical Cyber Systems Protection Act, which aims to protect against cyber threats to Canadian critical infrastructure. The bill uses the term “critical cyber systems” to include designated services or systems of interprovincial or international pipelines, power line systems or nuclear energy systems.
If passed, the Act will apply to a class of operators who carry on work subject to federal jurisdiction, and to the regulator for this class. All operators under this definition must establish a cybersecurity program that meets the four purposes outlined above, notify the regulator and provide it with the program.
What are some of the bill’s key aspects to which organizations should pay attention? We list the top three below:
- Having a Cyber Security Program (“CSP”). Organizations must establish and implement cybersecurity programs that should list their responsibilities (e.g., mitigating supply chain and third-party risks, reporting cybersecurity incidents, ensuring compliance with cybersecurity orders and keeping a record of all relevant actions).
The CSP must outline reasonable steps to: identify and manage cybersecurity risks; protect critical cyber systems from being compromised; detect and minimize the impact of cybersecurity incidents; and do anything prescribed by the regulations. After establishing a cybersecurity program, designated operators must immediately notify the appropriate regulator in writing that their cybersecurity program is in place and make it available to the regulator.
- Reporting cybersecurity incidents. The bill defines a “cybersecurity incident” as an incident that may interfere with the continuity or security of a vital service or system or the confidentiality, integrity or availability of a vital system. If a designated operator suspects a cybersecurity incident has occurred, it is required to immediately report the incident to Canada’s national cryptologic agency, the Communications Security Establishment (the “CSE”), followed immediately by notifying the appropriate regulator. In turn, the regulator may request a copy of the incident report from the designated operator or CSE. Unlike most privacy breach reporting obligations, reporting is based on a suspected or actual compromise of critical systems as opposed to the information contained on the critical system.
- Cost of non-compliance. To promote compliance, organizations that contravene or fail to comply with the bill are subject to enforcement measures and penal consequences, including administrative monetary penalties of up to $1 million per violation for an individual and up to $15 million per violation in any other case. For a continuing or repeated violation, each day of such continuation or repeated activity constitutes a separate violation.
Broadly speaking, the bill mirrors the requirements outlined by the Cybersecurity and Infrastructure Security Agency (“CISA”) in the United States. This is not surprising given the level of integration between the Canadian and American economies, especially in the energy sector.
Accordingly, while the bill is before Parliament and not currently law, it is likely to be adopted in 2023 with a coming into force date to be determined.
What should businesses do now?
Although the bill is not currently in force, organizations should already be reviewing and revising their cybersecurity strategies, and then assessing the sufficiency of their plans. The US requirements coming from CISA offer good guidance on what Canadian authorities will expect from organizations in the energy sector going forward.