The bill defines a “cybersecurity incident” as an incident that may interfere with the continuity or security of a vital service or system or the confidentiality, integrity or availability of a vital system. After establishing a cybersecurity program, designated operators must notify the appropriate regulator immediately in writing that their cybersecurity program is in place and make it available to the regulator. The CSP must outline reasonable steps to: identify and manage cybersecurity risks; protect critical cyber systems from being compromised; detect and minimize the impact of cybersecurity incidents; and do anything prescribed by the regulations. Organizations must establish and implement cybersecurity programs that should list their responsibilities (e.g., mitigating supply chain and third-party risks, reporting cybersecurity incidents, ensuring compliance with cybersecurity orders and keeping a record of all relevant actions). Having a Cyber Security Program (“CSP”). What are some of the bill’s key aspects to which organizations should pay attention? We list the top three below: All operators under this definition must establish a cybersecurity program that meets the four purposes outlined above, and notify and provide the regulator with its program. If passed, the Act will apply to a class of operators who carry on work subject to federal jurisdiction, and the regulator for this class. The bill uses the term “critical cyber systems” to include designated services or systems, of interprovincial or international pipelines and power line systems or nuclear energy systems. Among other things, it proposed to enact the Critical Cyber Systems Protection Act, which aims to protect against cyber threats to Canadian critical infrastructure. Over the summer, the Canadian federal government proposed Bill C-26 (the “bill”), which focuses on cyber threats to critical infrastructure. 
It should therefore not come as a surprise that the proposed new law tabled by the federal government seeks to ensure organizations in the energy sector are as cyber resilient as they can be. Organizations that prepare, test and invest regularly will typically recover quicker and experience less impactful negative effects. Studies show a direct correlation between the level of preparation and the severity of the impacts flowing from a significant cybersecurity incident. While the concept of resiliency may seem self-evident, it is premised on regular preparation and testing. In the context of cybersecurity, resiliency is measured on two key metrics: firstly, the ability to reduce the “downtime” as much as possible and secondly, to ensure the incident’s “impact” is limited (i.e., the attackers can’t go too deep and cause damage that makes a timely recovery difficult or impossible). The term “resiliency” is often used to describe an organization’s ability to quickly recover from a significant disruptive event. For the energy sector, a cyber-attack could result in immediate operational disruption, impacting upstream and downstream players alike. As organizations focus on the “how” to effectively respond to a cyber-attack, the one overarching theme that should underpin their cybersecurity strategy should be building strong cyber resiliency. In Canada, the energy sector is deemed a “critical infrastructure” (just as in the United States), meaning if it were ever compromised (in part or in its entirety), such an event could have multiple cascading negative effects on other parts of the economy and society more generally. The criticality of the energy sector to society cannot be overstated. While everyone agrees it’s not a question of “if” but rather “when” an organization will be a cyber-attack victim, the focus in our view should be on the “how” – meaning how an organization responds. 
However, one thing is clear: organizations that prepare and invest in cyber readiness materially mitigate the negative impacts flowing from a major cybersecurity incident. An added complexity for the energy sector is it is deemed a “critical infrastructure” by governments – making it not only an attractive target for criminal cyber gangs, but also sophisticated state-sponsored actors. The challenge with cybersecurity is attacker tactics are constantly evolving, thereby requiring organizations to be constantly vigilant and if possible, one step ahead of the attackers. This is particularly true given some of the high-profile cyber-attacks seen in recent years that have grabbed not only media headlines, but also resulted in operational disruption, financial losses and legal exposure. For the energy sector, cybersecurity has been a top-of-mind issue for some time.