A February 2016 Report from the Auditor General of Alberta raises concerns about the fact that neither the Alberta Energy Regulator (AER) nor the Alberta Department of Energy (Energy Alberta) have assessed the threats, risks and impacts to industrial control systems (ICS) used by participants in the oil and gas industries. As explained in the Report, ICS are used by industry participants to control and monitor important industrial processes used to produce and safely deliver energy products to market. For example, ICS are used to control pumps and valves, and detect leaks in pipeline operations. As noted by the Auditor General, if ICS in the oil and gas industries are not secure, they can be misused to cause damage to critical infrastructure, resulting in damage to Albertans or the environment.
The Auditor General’s Report highlights that IT security standards have been created for ICS in the electricity distribution and transmission industry in Alberta. These standards, which will be mandatory in September 2017, were approved by the Alberta Utilities Commission (AUC) in a recent Application from the Alberta Electric System Operator (AESO) for approval of 11 recommended new Critical Infrastructure Protection (CIP) reliability standards. The AUC approved the new CIP standards (adopted from similar standards in the United States) in a September 2015 Decision.
The Auditor General has recommended that Energy Alberta and AER work together to determine whether assessment of threats risks and impacts to ICS in the oil and gas industries would benefit Alberta. In response (as described here), the Alberta Minister of Energy has indicated that meetings will be convened with regulators to other areas of government to determine next steps to ensure that the energy industry remains as protected as possible from cyberattacks. Presumably, this will then lead to meetings and consultations with industry participants to determine the best course of action.