Global | Publication | February 2023
For the energy sector, cybersecurity has been a top-of-mind issue for some time. This is particularly true given the high-profile cyber-attacks of recent years, which have not only grabbed media headlines but also resulted in operational disruption, financial losses and legal exposure. The challenge with cybersecurity is that attacker tactics are constantly evolving, requiring organizations to remain constantly vigilant and, where possible, one step ahead of the attackers. An added complexity for the energy sector is that governments deem it “critical infrastructure” – making it an attractive target not only for criminal cyber gangs, but also for sophisticated state-sponsored actors.
However, one thing is clear: organizations that prepare and invest in cyber readiness materially mitigate the negative impacts flowing from a major cybersecurity incident. While everyone agrees it’s not a question of “if” but rather “when” an organization will be a cyber-attack victim, the focus in our view should be on the “how” – meaning how an organization responds.
The criticality of the energy sector to society cannot be overstated. In Canada, the energy sector is deemed a “critical infrastructure” (just as in the United States), meaning if it were ever compromised (in part or in its entirety), such an event could have multiple cascading negative effects on other parts of the economy and society more generally. For the energy sector, a cyber-attack could result in immediate operational disruption, impacting upstream and downstream players alike.
As organizations focus on the “how” to effectively respond to a cyber-attack, the one overarching theme that should underpin their cybersecurity strategy should be building strong cyber resiliency. The term “resiliency” is often used to describe an organization’s ability to quickly recover from a significant disruptive event. In the context of cybersecurity, resiliency is measured on two key metrics: firstly, the ability to reduce the “downtime” as much as possible and secondly, to ensure the incident’s “impact” is limited (i.e., the attackers can’t go too deep and cause damage that makes a timely recovery difficult or impossible).
While the concept of resiliency may seem self-evident, it is premised on regular preparation and testing. Studies show a direct correlation between the level of preparation and the severity of the impacts flowing from a significant cybersecurity incident. Organizations that prepare, test and invest regularly will typically recover quicker and experience less impactful negative effects. It should therefore not come as a surprise that the proposed new law tabled by the federal government seeks to ensure organizations in the energy sector are as cyber resilient as they can be.
Over the summer, the Canadian federal government proposed Bill C-26 (the “bill”), which focuses on cyber threats to critical infrastructure. Among other things, it proposes to enact the Critical Cyber Systems Protection Act, which aims to protect against cyber threats to Canadian critical infrastructure. The bill applies to “critical cyber systems” supporting designated vital services and systems, which for the energy sector include interprovincial or international pipeline and power line systems, and nuclear energy systems.
If passed, the Act will apply to a class of operators who carry on work subject to federal jurisdiction, and to the regulator for that class. Every operator under this definition must establish a cybersecurity program that meets the four purposes set out in the Act, and must notify the regulator and provide it with the program.
What are some of the bill’s key aspects to which organizations should pay attention? We list the top three below:
Broadly speaking, the bill mirrors the requirements outlined by the Cybersecurity and Infrastructure Security Agency (“CISA”) in the United States. This is not surprising given the level of integration between the Canadian and American economies, especially in the energy sector.
Accordingly, while the bill is before Parliament and not currently law, it is likely to be adopted in 2023 with a coming into force date to be determined.
Notwithstanding that the bill is not currently in force, organizations should nonetheless be reviewing and revising their cybersecurity strategies first and then assessing the sufficiency of their plans. The US requirements coming from CISA offer good guidance on what Canadian authorities will likely expect from organizations in the energy sector going forward.
© Norton Rose Fulbright LLP 2023