Skip to main content

The Regulator is recommending oil and gas operators take action to enhance awareness of risks to critical infrastructure.

DATE ISSUED: March 29, 2022

EFFECTIVE DATE: Immediately

Canadian and U.S. cyber security experts have advised critical infrastructure operators to act with extreme vigilance as the threat of malicious actions targeting the energy sector is presently at a heightened level.

The BC Energy Regulator (Regulator) recommends oil and gas operators take the following actions:

  • Improve awareness of emerging threats. This may include subscribing to alerts and bulletins issued by the Canadian Centre for Cyber Security (Cyber Centre). Industry can request to be added to the distribution by emailing energy-par-energie-dl@cyber.gc.ca.
  • Be informed of and follow best practices for ensuring overall security, such as:
    • CSA Z246.1 Security management for petroleum and natural gas industry systems
    • API 1164 Pipeline Control Systems Cybersecurity
    • ANSI/CAN/UL 2900-1:2017, Software Cybersecurity for Network-Connectable Products
    • NIST Special Publication 800-82 Guide to Industrial Control Systems (ICS) Security
  • Review the most recent alerts for network devices and software on the U.S. Cyber Security and Infrastructure Security Agency (CISA) at https://www.cisa.gov/uscert/ncas and their Known Exploited Vulnerabilities Catalog
  • Ensure your systems are updated / patched, and any vendors providing updates have a robust security process in place, including chain-of-custody management for physical network devices.
  • Participate in training and discussion sessions offered by Natural Resources Canada and the Canadian Centre for Cyber Security (Cyber Centre) by emailing cespo-plemce@nrcan-rncan.gc.ca

The Cyber Centre maintains a publications database (Publications - Canadian Centre for Cyber Security) with helpful information searchable by sector.

Reporting cyber incidents and suspicious cyber activity to the Cyber Centre (at https://cyber.gc.ca/en/incident-management) can assist that agency to improve safety by providing cyber security advice, guidance and services. Please note that such reports should always be made from a network or device separate from any potentially compromised system.

The Regulator has been engaging with industry regarding proposed regulatory requirements relating to security management and those discussions will continue.

The Regulator will also be conducting a brief survey of permit holders on cyber risk and what additional supporting resources and guidance may be useful in protecting oil and gas operations from targeted or random cyber crime.

If you have any questions regarding this Industry Bulletin, please contact:

Peter Dalton
Director, Security and Management
BC Energy Regulator
Peter.Dalton@bcogc.ca
250-794-5231