Cybersecurity a priority for Canada’s pipeline industry
One of the most disruptive cyberattacks in history is drawing public attention to an issue that has long been on the radar of the Canadian pipeline industry: cybersecurity. It has been identified as one of the most serious economic and national security challenges we face, not only as an industry, but as a country.
Canada’s pipeline industry is not only aware of this threat, it is a global leader in cybersecurity and has highly sophisticated protections in place to guard its infrastructure against attacks. Transmission pipeline companies have constantly evolving programs, systems and partnerships that identify and manage cyber threats. But those responsible for these criminal acts are also becoming more sophisticated and it is a race to stay ahead.
A shared threat
The recent cyberattack on Colonial Pipeline in the United States has shown how widespread the impacts of a security breach can be. The company was forced to stop the flow of 2.5 million barrels/day of gasoline, diesel and jet fuel, causing chaos at the pumps, fuel shortages and skyrocketing gasoline prices. The ripple effect reached delivery trucks, essential vehicles like fire trucks and ambulances, and people who were simply trying to fuel up to go to work.
The incident served as a reminder of the critical role pipelines play in our society and the need to protect them. However, cybercrime is not unique to pipelines or the energy sector. Airports, telecommunications, the electrical grid, governments and health care are all vital for the health and welfare of Canadians, which makes them high-priority targets. An attack and shutdown would result in more than an inconvenience – it could be a matter of life or death.
Protecting Canada’s pipelines
While the incident in the United States could have happened anywhere, Canadians can be confident knowing this country is among the most advanced in the world when it comes to cybersecurity. The pipeline industry sees it as a key priority and has multiple layers of safeguards in place to protect Canada’s critical pipeline infrastructure.
To prevent cybercrime, we must understand the ever-evolving threat landscape. Essentially, we need to stay ahead of the bad guys. Pipeline companies, including members of the Canadian Energy Pipeline Association (CEPA), have sophisticated programs, management systems, redundancies and protocols in place to proactively guard against cyber threats.
The Canada Energy Regulator (CER) requires federally regulated companies to have detailed security management programs to protect pipelines and their operations. Companies must be able to identify security risks, have strategies to prevent issues, and develop and implement plans quickly to respond to an attack. CEPA members also utilize the National Institute of Standards and Technology (NIST) cybersecurity framework, which offers a standardized security approach for all critical infrastructure in the United States.
Working together to fight cybercrime
In the fight against cybercrime, knowledge is power and information is key. CEPA members receive intelligence from multiple sources, including the Canadian Centre for Cyber Security, RCMP, Canadian Security Intelligence Service (CSIS), Public Safety Canada and Natural Resources Canada (NRCan). CEPA members also have access to information from the US Department of Homeland Security and the Federal Bureau of Investigation (FBI).
Through NRCan, CEPA is a steering committee member of the Energy and Utilities Sector Network that includes pipelines, electrical utilities, nuclear, natural gas and other stakeholders who want to be connected on security issues, including cybercrime. NRCan also has an energy security working group with provincial governments across the country, and works closely with electricity, pipeline and other energy regulators.
Within the pipeline industry specifically, CEPA formed a working group in 2016 that deals with pipeline security issues, including in cyberspace. This group brings all CEPA members together to share, learn and coordinate with other industries and government. Members also participate in an international cyber security conference, held on an annual basis, where they collaborate with other companies from around the world.
Despite these networks and information sharing tools, a significant number of cyberattacks go unreported. A 2016 report found that only 28% of cyberattacks against businesses in the UK were reported to the police. More broadly, the FBI reported only an estimated 15% of US financial fraud crime victims report their crimes to law enforcement.
Many companies that have fallen victim to cybercrime choose to stay quiet. They may feel it shows a weakness or vulnerability, and do not want their clients, investors or general public to think the business is in jeopardy. Despite the potential optics and challenges, cyberattacks must be reported to authorities so they can take action and so the information can be used to prevent future threats. Acknowledging cybercrime is part of stopping it.
Cyberattacks affect us all
The threat of cybercrime will never go away. As technology advances, the sophistication of cybercriminals will increase. It’s up to us to work together to ensure we are advancing to stay ahead of the threats. By continuously improving, reporting and shining a light on cybercrime activity, we can protect our critical infrastructure and the people it serves.
Cyberattacks affect all of us, and they are not victimless crimes. The Colonial Pipeline incident reminded us of the importance of pipelines and what happens if the flow of energy products is interrupted – even for a short time. This issue has our full attention. The Canadian pipeline industry is on it. And we are constantly evolving to ensure a secure, reliable and resilient energy future for all Canadians.