More than three-quarters of Canadian energy companies fail to have basic cybersecurity measures in place, a security lag that puts the country's energy infrastructure at risk, a new study has found.
The research, released Aug. 24 by the cybersecurity and compliance company Proofpoint, Inc., says 77 per cent of Canadian energy companies are slow to adopt forward-thinking security measures. That has put customers, staff and stakeholders at a higher risk of email-based impersonation attacks.
“As the energy sector is key to both Canada’s economy and its national security, these industry organizations have become prime targets for cyber criminals,” said Jeffrey Freedman, Proofpoint Canada’s vice president.
“Due to the high value of the industry’s assets, such intellectual property, trade secrets, and vast amounts of customer data, it is critical that energy organizations prioritize cybersecurity measures to safeguard against potential cyber threats and protect their customers’ data,” he said.
Freedman told Glacier Media the energy sector is an increasingly attractive target for both financially motivated cybercriminals and nation-state actors.
“The Canadian Centre for Cyber Security recently advised that the financially motivated cybercrime, particularly email fraud and ransomware, is the main cyber threat facing the Canadian energy industry,” he said. “Energy, some would argue, is a fundamental right and a pillar of a country’s economic activity, especially in Canada.”
Proofpoint said the findings are based on a Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of the 40 largest energy companies in Canada.
DMARC is an email validation protocol designed to protect domain names from being misused by cybercriminals to launch phishing and email fraud attacks. The analysis authenticates the sender's identity before allowing a message to reach its intended recipient, such as energy customers or employees.
The protocol has three levels of protection — monitor, quarantine and reject, with reject being the most secure for preventing suspicious emails from reaching the inbox.
The Canadian Association of Petroleum Producers (CAPP) spokesperson Jay Averill told Glacier Media that oil and natural gas producers place safety as their highest priority and that extends to cyber safety and protecting critical energy infrastructure in Canada.
“Understandably, cyber security is something individual members keep highly confidential so that information is not discussed collectively within CAPP,” Averill said.
Federal response
Canadian Energy Regulator (CER) spokeswoman Amanda Williams told Glacier Media the agency works with federal, territorial, provincial and international agencies and industry to ensure proactive measures are taken to protect people, the environment and infrastructure from cybersecurity risks.
She said Canada’s Onshore Pipeline Regulations (OPR) and the Canada Standards Association (CSA) provide a regulatory framework and mandatory requirements for cybersecurity on CER-regulated pipelines.
Williams said CER-regulated companies are required to have a security management program in place that anticipates, prevents, manages and mitigates conditions that could adversely affect people, property or the environment. This includes having a program to be prepared in the event of cybersecurity threats.
If a cybersecurity event led to an incident, as defined in the OPR, a regulated company would have to report the incident, and the root cause would be investigated through the CER’s incident follow up process.
“We conduct risk-informed compliance verification activities to ensure regulated companies have incorporated cybersecurity risks into their security management programs and have implemented cybersecurity countermeasures on their industrial control systems," Williams said.
“This helps us verify that CER-regulated companies have appropriate proactive measures in place to protect the CER and Canada’s pipeline network from cyber-attacks.”
Also, Williams said new federal legislation before parliament, Bill C-26: the Critical Cyber Systems Protection Act, proposes enhanced reporting requirements to protect critical cyber systems in Canada.
“This legislation will impose additional requirements on CER-regulated companies,” Williams said.
BC Hydro
While Proofpoint said public utilities were not included in the study, BC Hydro spokesperson Kevin Aquino told Glacier Media the utility has DMARC implemented.
“We have observed and have seen the impact of phishing attacks and we are actively monitoring them all the time to protect our customers, contractors and our business,” he said, adding the provision of safe, reliability power is a priority.
“That’s why the security of our grid is so important and we are constantly working to update and enhance our cybersecurity programs to ensure our systems are protected from evolving threats,” he said.
He said the utility meets multiple industry technology standards and critical infrastructure protection requirements.
“We also communicate with our peers and participate in industry forums such as with the Canadian Electricity Association and the Canadian Centre for Cyber Security,” he said.
Recent BC Hydro work in the area includes strengthening cybersecurity controls, performing regular penetration testing on our critical systems to test security controls, and creating a cyber operations centre so that a team is in place and ready to respond in the event of an incident.
State-sponsored cybercrime
The Canadian Centre for Cyber Security recently said financially motivated cybercrime — particularly business email compromise and ransomware — is the main cyber threat facing the Canadian energy industry.
“The oil and gas sector, in particular, will very likely continue to be targeted by state-sponsored cyber espionage for commercial or economic reasons, especially during times of geopolitical tension,” Freedman said.
“Nation-state actors seek trade secrets and intellectual property, mainly so they can improve their own nation’s capabilities or to sabotage the operational technology networks that monitor and control critical infrastructure.”
Last year, 62, per cent of Canadian organizations reported an attempted business email compromise attack, according to Proofpoint’s 2023 State of the Phish report.
“Email authentication protocols such as DMARC are essential in fortifying defences against email fraud and safeguarding customers, staff and stakeholders from malicious attacks,” Freedman said.
“While individuals play a crucial role in defending against email fraud, their actions also present one of the biggest vulnerabilities for organizations. DMARC remains the only technology.
