Alberta law takes effect on May 31st, 2025
In 2024, Alberta introduced a new regulation, Regulation 84/2024, titled “Security Management for Critical Infrastructure Regulation.” This regulation is part of the Responsible Energy Development Act and is aimed at creating comprehensive security management protocols for critical infrastructure in Alberta’s energy sector. The regulation will come into effect on May 31, 2025, making it vital for facilities in this sector to start preparing now.
What is Covered Under the Regulation?
The regulation defines critical facilities in Alberta’s energy sector as:
- Coal processing plants
- Mines
- Pipelines
- Processing plants
- Wells
- In situ operations
It also mandates a framework for identifying and managing security risks to these vital facilities. This includes protection against threats such as terrorist activities. The Alberta Energy Regulator (AER) plays a key role by maintaining a list of critical infrastructure and ensuring that security protocols are implemented where necessary.
What Happens if a Facility is Deemed “Critical”?
If the AER designates a facility as critical, the licensee or approval holder must be notified and is then required to establish and implement a security management program in line with the CSA Z246.1 standard—“Security Management for Petroleum and Natural Gas Industry Systems,” published by the Canadian Standards Association (CSA).
The consequences of non-compliance are severe: failure to implement CSA Z246.1 could result in a complete shutdown of the facility.
Key Steps to Comply with CSA Z246.1
Implementing CSA Z246.1 is a vital but straightforward process involving several key steps:
- Understand CSA Z246.1: Begin by familiarizing yourself with the CSA Z246.1 standard and its requirements. Recognize how it applies to your specific operations.
- Identify Security Risks: Assess potential security threats and vulnerabilities in your organization. This should cover physical security, cybersecurity, access control, and incident response.
- Create a Security Program: Develop a comprehensive security management program based on your risk assessment. This includes policies, procedures, and security practices tailored to address identified risks.
- Implement Security Controls: Once your risk assessment is complete, implement the necessary security controls to mitigate potential threats.
- Provide Regular Training: Ensure employees are regularly trained to understand security protocols and their role in compliance. Ongoing training programs are crucial.
- Monitor and Improve: Continuously monitor the effectiveness of your security measures. Regularly review and refine your security management program to identify gaps and make improvements.
- Maintain Documentation: Keep comprehensive documentation, including policies, procedures, risk assessments, training records, and incident reports. This will be essential during audits to prove compliance.
- Periodically Review Your Security Program: Conduct regular reviews of your security program, ensuring it remains updated and meets evolving security standards.
Cybersecurity Requirements in CSA Z246.1
While CSA Z246.1 does not dictate specific cybersecurity controls, it references several frameworks that can be leveraged to maintain a comprehensive cybersecurity strategy, ensuring your critical infrastructure is resilient against a broad range of threats. These include:
- CIS Controls
- US-CERT Cyber Resilience Review
- US DOE Cybersecurity Capability Maturity Model
- US TSA Pipeline Security Guidelines
- NIST SP 800-82
- American Petroleum Institute Standard 1164 (Pipeline SCADA Security)
How Consultants Can Help You Prepare for CSA Z246.1 Compliance
Preparing for a CSA Z246.1 audit can be a complex process, but working with security management consultants can make the journey easier. Consultants with experience in this space can help by:
- Identifying Hidden Threats: Consulting experts can help identify security threats that may be overlooked internally.
- Enabling Continuous Threat Exposure Management (CTEM): An ongoing CTEM-based program helps to assess and manage risks consistently and in real time, rather than just identifying threats passively.
- Compliance Mapping: Validate that your program meets the requirements of CSA Z246.1 and map your compliance to frameworks like SOC 2 or ISO 27001 to create a simpler, integrated security management program across the organization.
- Preparing Documentation: Collecting standardized document formats to simplify the audit process.
- Mock Audits: Consultants can perform mock audits to simulate the process and identify areas that need improvement before the actual audit takes place.
Streamlining the Process with Modern Tools
Regulatory compliance and risk management have evolved, thanks to the advancement of modern tools and methodologies. Today, compliance and risk assessments do not need to be as cumbersome as they once were, when traditional approaches required lengthy consultations and delivery timelines.
Many consulting organizations, such as iON, have adopted efficient and automated tools to simplify the process. With defined deliverables and a focus on reducing business risk, it is easier than ever to enhance your security posture and meet regulatory compliance.
Contact iON for Security Management Support
With Alberta’s new regulation taking effect this spring, proactive planning is essential for energy sector operators. If your company needs help implementing or assessing compliance with CSA Z246.1, iON is here to support you. Reach out today to learn how our streamlined, tech-enabled services can assist you in preparing for the upcoming changes, helping to reduce your security risks and making your security program easier to manage.
From the Desks of Valeriy Shevtsov and Mike Ryan

Valeriy Shevtsov, Sr. Security Consultant
Valeriy joined iON in 2023, bringing 15+ years of cyber security experience. He specializes in designing and auditing security systems and implementing cybersecurity solutions. Valeriy holds a Master of Sciences degree and certifications including CISM, MCT, and Microsoft Certified Azure Security Engineer. He is experienced in security architecture and InfoSec management systems (ISO 27001/5), as well as controls frameworks like PCI-DSS, NIST, and CIS.

Mike Ryan, Director of Cybersecurity and Network Solutions
Mike specializes in the commercial market. With over 20 years of experience in networking and cybersecurity, Mike has expertise in technical architecture, presales solutions, and consulting in areas like governance, risk, compliance, and DevSecOps. He focuses on integrating people, processes, and technology to deliver cost-effective, automated security solutions.