On May 31, Alberta’s Security Management for Critical Infrastructure Regulation (the Regulation) came into force. This Regulation forms part of the Responsible Energy Development Act and requires certain critical facilities selected by the Alberta Energy Regulator to implement a security management program in accordance with CSA Z246.1, Security Management for Petroleum and Natural Gas Industry Systems (the CSA Standard). The Regulation grants broad powers to the Alberta Energy Regulator to audit a critical facility’s security management program and to issue orders where the program is found to be non-compliant with the CSA Standard.
What is a critical facility?
The Regulation applies to “critical facilities” included on the “critical infrastructure list” that will be developed and maintained by the Alberta Energy Regulator. The types of facilities that may be placed on the list include:
- a coal processing plant
- an in situ operation
- a mine
- a mining operation
- a pipeline
- a processing plant
- a well
In determining whether a facility should be placed on the list, the Alberta Energy Regulator will consider factors such as the size and type of facility, the proximity of a facility to people and property, a facility’s throughput, and the interdependency of a facility with other infrastructure. The Alberta Energy Regulator will notify operators if their facilities have been included on the list.
What does the Regulation require?
The Regulation requires critical facilities to implement a security management program in accordance with the CSA Standard.
The CSA Standard sets out certain criteria for establishing a security management program that ensures security threats are effectively identified and managed. In particular, facilities must develop and implement security risk management processes to identify and classify security risks specific to their operations. For the identified risks, the CSA Standard outlines certain measures facilities must take across several key areas of security, including:
- Cybersecurity
- Information Security
- Personnel Security
- Physical Security
Cybersecurity Requirements
Notably, the latest edition of the CSA Standard introduced a dedicated section on cybersecurity. Under this section, facilities must implement cybersecurity measures that reflect the risk profile of both information technology (IT) and industrial control systems (ICS). IT refers to systems used for business functions other than operational process control. ICS refers to systems used to monitor and control industrial equipment.
The CSA Standard sets out specific considerations when developing and implementing cybersecurity measures for the security management program:
- Asset Inventory: Maintain an inventory of authorized hardware and software
- Acceptable Use Policies: Implement acceptable use policies to govern the use of IT and ICS assets
- Access Control: Apply the principle of least privilege for administrative and user rights
- Network Segmentation: Segregate the IT and ICS networks from one another and the Internet
- Boundary Protection: Implement protections to monitor and control unauthorized communications
- Secure Configuration: Configure IT and ICS hosts to a baseline that reduces attack surface
- Patch Management: Manage installations, changes and patches through established procedures
- Access Restrictions: Establish means to prevent unauthorized access to IT and ICS networks
- Intrusion Detection: Install and monitor intrusion prevention and detection methods on both IT and ICS networks
- Backup and Recovery: Ensure systems are regularly backed up and recovery processes are tested
How is the Regulation enforced?
The Regulation grants the Alberta Energy Regulator broad powers to audit a critical facility’s security management program and to enforce its compliance with the CSA Standard. If the Alberta Energy Regulator determines that a facility has failed to implement a compliant program, it may order the development of such a program. In more serious cases, the Alberta Energy Regulator has the power to order the shutdown of the facility and to set the terms under which the facility may recommence operations.
Takeaways
The Alberta Energy Regulator has not yet published a list of the critical facilities to which the Regulation applies. However, given the serious consequences of non-compliance, operators of critical infrastructure facilities that may fall within the scope of the Regulation should familiarize themselves with the CSA Standard, assess their current security posture, and ensure that a documented security management program is in place that reflects the security risks specific to their operations and complies with the CSA Standard.