The Suncor Energy Centre is pictured in downtown Calgary, Alta., Friday, Sept. 16, 2022. Federal officials gave leaders of major energy and utility firms a secret-level briefing on cybersecurity threats, one element of a concerted government effort to underscore the serious risks to the sector. THE CANADIAN PRESS/Jeff McIntosh
OTTAWA – Federal security officials have been briefing leaders of major energy and utility firms on cyberthreats, one element of a concerted government effort to underscore the serious risks to the sector.
A newly disclosed Public Safety Canada memo reveals a secret-level June meeting was part of a strategy to raise awareness among company executives about the dangers from malicious cyberactivity – reaching beyond the technical experts who already know about the risks.
The memo, obtained by The Canadian Press through the Access to Information Act, says the confidential discussion was co-hosted by Public Safety, Natural Resources Canada and the Communications Security Establishment, Canada’s cyberspy agency.
The CSE’s Canadian Centre for Cyber Security said in an assessment this year that financially motivated cybercrime – particularly business email compromise and ransomware – was almost certainly the main cyberthreat facing the Canadian oil and gas sector.
It also said the sector would likely continue to be targeted by state-sponsored cyberespionage for commercial or economic reasons.
“At risk are proprietary trade secrets, research, and business and production plans.”
The Public Safety memo, prepared in early summer, notes Nunavut’s energy corporation and Calgary-based Suncor Energy were targeted in cyberattacks this year.
The memo says Public Safety is exploring additional approaches that will include more engagement with industry, academia, and provinces and territories – including an information and threat-sharing forum.
The vision, as with the June briefing, “is to reach company executives, as opposed to only the technical experts who are already aware of the risks,” the memo adds.
“Engaging with company executives is critical to embed security across the business ecosystem and ensure a collective approach to strengthening our cyber resilience.”
The June briefing also included industry associations, regulators and other government departments. Among the participants was Enbridge’s chief information officer, who took part virtually, the company said.
“We have a dedicated team of cybersecurity experts and a robust cybersecurity program in place that provides 24/7 monitoring against cyberthreats,” Enbridge said.
“To further mitigate threats, we collaborate with governments and regulatory agencies, and take part in external events to learn and share information on how we can improve our defences.”
While the memo mentions a single briefing that took place June 21, CSE spokeswoman Robyn Hawco said the Cyber Centre and Natural Resources arranged “targeted threat info briefings for energy sector CEOs at a number of secure facilities across the country.”
“This allowed the Cyber Centre to share more information than we can release in a public report. This speaks to the level of trust and co-operation that we have built up with our partners in the energy sector.”
Cybersecurity legislation now before Parliament would introduce the Critical Cyber Systems Protection Act, establishing a regulatory framework to strengthen security in federally regulated sectors including energy.
The legislation will help prevent malicious cyberactivity from undermining Canada’s interprovincial and international pipeline and power line systems, Public Safety said.
Several civil society groups have called for changes to the cybersecurity bill, saying it would undermine privacy, accountability and judicial transparency.
The legislation would authorize the Canada Energy Regulator to monitor compliance and enforce obligations.
The June session prompted the then-CEO of the energy regulator, Gitane De Silva, to request a meeting with the deputy minister of Public Safety and the chief of the CSE to further discuss “how the three organizations can continue to work together, and what the role of the CER should be.”
De Silva, who has since left the regulator, declined to comment.
Amanda Williams, a spokeswoman for the regulator, said it has met with companies it oversees and “confirmed expectations with respect to cybersecurity.”
The CSE’s Cyber Centre shares advice and guidance about cybersecurity best practices as well as information that helps providers assess risks.
Hawco said the centre also has two ongoing collaborations with energy sector partners that involve two-way information sharing about cyberthreats affecting the sector – the Blue Flame Program, with the Canadian Gas Association, and the Lighthouse initiative, led by Ontario’s Independent Electricity System Operator.
“Under these programs, participating organizations share network data with the Cyber Centre and receive customized threat reports in return,” she said. “We are working with industry associations to expand and enhance these programs.”
This report by The Canadian Press was first published Nov. 25, 2023.