The Colonial oil and gas pipeline network ransomware attack in the United States in May 2021 shows how widespread a ransomware attack can affect critical infrastructure. CHRIS BLOOMER, CEO of the Canadian Energy Pipeline Association, posted on naturalgasworld.com on June 16 that the Canadian energy pipeline industry and related departments assessed the incident, saying that Canada’s pipeline industry Strong cybersecurity measures have been put in place and have shown considerable confidence in this.
One of the most devastating cyberattacks in history is drawing public attention to a longstanding concern for the Canadian pipeline industry: cybersecurity. It has been identified as one of the most serious economic and national security challenges facing Canada, not only as an industry but as a country.
While the incident has brought cybercrime back into the spotlight, it’s nothing new for Canada’s pipeline industry. Members of the Canadian Energy Pipeline Association (CEPA) have highly complex systems and strategic partnerships to protect their critical energy infrastructure and the tens of millions of people who depend on energy every day. Under federal regulations, pipeline operators must have detailed security management plans that allow them to identify security risks, prevent problems, and quickly develop and implement plans should an attack occur. The Canadian Energy Regulator (CER) conducts regular inspections and audits to confirm that companies have these plans.
Not only is Canada’s pipeline industry aware of this threat, but it is a global leader in cybersecurity and has highly sophisticated safeguards in place to protect its infrastructure from attack. Pipeline companies continue to develop programs, systems and partnerships to identify and manage cyber threats. But these pipeline-targeting criminals are also becoming more sophisticated, and it’s a race to stay ahead.
Common perception: Cyber attacks are a common threat to critical infrastructure
The article argues that the recent cyberattack on the Colonial Pipeline in the United States shows how widespread the impact of security breaches is. The company was forced to stop supplying 2.5 million barrels a day of gasoline, diesel and jet fuel, leading to chaos at filling stations, fuel shortages and soaring gasoline prices. The ripple effect ripples through delivery trucks, fire trucks, ambulances and other basic means of transport, as well as those who just want to refuel and get to work.
This incident reminds the Canadian pipeline industry that pipelines play an important role in the economy and society and that they need to be protected. However, cybercrime is not unique to the pipeline or energy sector. Airports, telecommunications, power grids, government and healthcare are all critical to the health and welfare of Canadians, making them priority targets. Attacking and shutting down would be more than an inconvenience – it could be a matter of life and death.
Some industry experts believe that the cascading impact of cyber attacks on the pipeline industry is not the biggest. Some industries will be hit by cyberattacks that go far beyond gas shortages and panic buying. Power grid shutdowns during heatwaves, gas supply interruptions during cold snaps, or long-term interruptions to phone service can all pose serious health and safety risks.
Protection first: Canadian pipeline network security is an absolute priority
While events in the US could happen anywhere, Canadians can confidently know that Canada is one of the most advanced countries in the world when it comes to cybersecurity. The pipeline industry considers this a key priority and has multiple layers of protection in place to protect Canada’s critical pipeline infrastructure.
To prevent cybercrime, we must understand the evolving threat landscape. Essentially, we need to get ahead of the bad guys. Pipeline companies, including members of the Canadian Energy Pipeline Association (CEPA), have well-established programs, management systems, redundancies and protocols to proactively protect against cyber threats.
The Canadian Energy Regulator (CER) requires federally regulated companies to have detailed safety management plans to protect pipelines and their operations. Companies must be able to identify security risks, have strategies to prevent problems, and quickly develop and implement plans to respond to attacks. CEPA members also utilize the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, which provides a standardized approach to security for all critical U.S. infrastructure.
Natural Resources Canada (NRCan) works directly with Canada’s pipeline industry through its Energy and Utilities Sector Network, which includes electric utilities, nuclear, natural gas, pipelines and other stakeholders in the energy sector. Through this network and other working groups, NRCan and its partners address critical security issues facing the energy industry.
“Even before the Colonial Pipeline ransomware incident, we had a demonstration of the ransomware for our stakeholders,” said Piercy, who leads NRcan’s internal expert group. “We’re focused on a Canada-wide approach that gives industry and companies the tools they need to protect themselves.” Reports, workshops, emergency response drills, task forces and regular meetings are some of the tools NRCan provides to industry. It also works closely with provincial governments and regulators.
Intelligence Support: Combating Cybercrime Together
In the fight against cybercrime, knowledge is power and information is the key. CEPA members obtain intelligence from multiple sources, including the Canadian Cyber Security Centre, the Royal Canadian Mounted Police, the Canadian Security Intelligence Service (CSIS), the Public Safety Agency of Canada, and Natural Resources Canada (NRCan). CEPA members also have access to intelligence from the U.S. Department of Homeland Security and the Federal Bureau of Investigation (FBI).
Through NRCan, CEPA is a Steering Committee member of the Energy and Utilities Sector Network, a network of pipelines, electric utilities, nuclear power, natural gas and others who want to connect with each other on security issues including cybercrime Stakeholders. NRCan has also established an energy security working group with provincial governments across the country and works closely with electricity, pipeline and other energy regulators.
In the pipeline industry in particular, CEPA established a working group in 2016 to deal with pipeline security issues, including cyberspace security. This group brings together all CEPA members to communicate, learn and coordinate with other industries and governments. Members also participate in the annual international cybersecurity conference, where they collaborate with other companies from around the world.
There is a team of experts within NRCan working to protect Canada’s energy infrastructure from cyberattacks. The group is LED by Chris Piercey, director of cyber and energy security policy and outreach. “Keeping these systems running is a matter of life and death,” Piercy said. “When you take that perspective, it helps us focus on where we really need to put our efforts. The pipeline and the energy sector are the top priorities.” Piercy’s team helps bridge the gap between Canada’s tech cybercrime experts and the energy industry gaps and build connections. Its goal is to provide the energy industry, including pipeline companies, with the information and tools needed to identify cyber threats, protect assets and respond to potential attacks.
Enhanced reporting: Recognize the dangers of unreported cyber incidents
Despite these networking and information-sharing tools, a large number of cyberattacks go unreported. A 2016 report found that in the UK, only 28% of cyberattacks against businesses were reported to the police. More broadly, the FBI reports that only about 15 percent of U.S. financial fraud victims report their crimes to law enforcement.
Many companies that have fallen victim to cybercrime choose to remain silent. They may feel this is an obvious vulnerability or weakness and don’t want their customers, investors or the general public to think the business is in jeopardy. Despite the potential challenges, cyberattacks must be reported to the authorities so they can take action that can use this information to prevent future threats. Acknowledging cybercrime is part of stopping it.
Mobilization: Cyberattacks affect us all
The threat of cybercrime will never go away. As technology improves, the sophistication of cybercriminals will increase. The industry has a responsibility to work together to ensure Canada moves forward in the face of threats. Protect the nation’s critical infrastructure and those it serves by continually improving, reporting, and exposing cybercriminal activity. Efforts must continue to stay ahead of criminals.
Cybercrime will continue to be an ongoing problem. Recent cyberattacks have shown the wide-ranging impact and disruption they can cause. Companies and governments in Canada and the United States will study this incident closely and will learn lessons to continuously improve the security of critical infrastructure and systems. Canada’s pipeline industry won’t let its guard down. CEPA members will continue to ensure the safety, reliability and resiliency of pipelines and operations, including protection from cyberattacks.
Cyberattacks affect everyone, and they are not crimes without victims. The Colonial Pipeline ransomware incident is a reminder of the importance of pipeline operations and what can happen if the flow of energy products is disrupted – even for a short period of time. This issue has attracted sufficient attention from all quarters. Canada’s pipeline industry is also in the mix. The energy industry is constantly evolving to ensure a safe, secure and resilient energy future for all Canadians.
The Links: G104SN03-V1 NL10276BC28-27E