{"id":7213,"date":"2023-08-25T14:12:38","date_gmt":"2023-08-25T14:12:38","guid":{"rendered":"https:\/\/roydadnaft.ir\/English\/?p=7213"},"modified":"2023-08-25T14:12:39","modified_gmt":"2023-08-25T14:12:39","slug":"77-of-canadian-energy-companies-lack-cybersecurity-protection-study-finds","status":"publish","type":"post","link":"https:\/\/roydadnaft.ir\/English\/7213\/","title":{"rendered":"77% of Canadian energy companies lack cybersecurity protection, study finds"},"content":{"rendered":"
\n

Industry\u2019s assets such intellectual property, trade secrets and vast amounts of customer data, need to be protected, security company report says<\/p>\n\n\n\n

Canadian energy infrastructure could be at risk due to lax company cybersecurity, a new report says. | Trans Mountain<\/p>\n\n\n\n

More than three-quarters of Canadian energy companies fail to have basic cybersecurity measures in place, a security lag that puts the country’s energy infrastructure at risk, a new study has found.<\/p>\n\n\n\n

The research, released Aug. 24 by the cybersecurity and compliance company Proofpoint, Inc., says 77 per cent of Canadian energy companies are slow to adopt forward-thinking security measures. That has put customers, staff and stakeholders at a higher risk of email-based impersonation attacks.<\/p>\n\n\n\n

\u201cAs the energy sector is key to both Canada\u2019s economy and its national security, these industry organizations have become prime targets for cyber criminals,\u201d said Jeffrey Freedman, Proofpoint Canada\u2019s vice president.<\/p>\n\n\n\n

\u201cDue to the high value of the industry\u2019s assets, such intellectual property, trade secrets, and vast amounts of customer data, it is critical that energy organizations prioritize cybersecurity measures to safeguard against potential cyber threats and protect their customers\u2019 data,\u201d he said.<\/p>\n\n\n\n

Freedman told Glacier Media the energy sector is an increasingly attractive target for both financially motivated cybercriminals and nation-state actors.<\/p>\n\n\n\n

\u201cThe Canadian Centre for Cyber Security recently advised that the financially motivated cybercrime, particularly email fraud and ransomware, is the main cyber threat facing the Canadian energy industry,\u201d he said. \u201cEnergy, some would argue, is a fundamental right and a pillar of a country\u2019s economic activity, especially in Canada.\u201d<\/p>\n\n\n\n

Proofpoint said the findings are based on a Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of the 40 largest energy companies in Canada.<\/p>\n\n\n\n

DMARC is an email validation protocol designed to protect domain names from being misused by cybercriminals to launch phishing and email fraud attacks. The analysis authenticates the sender’s identity before allowing a message to reach its intended recipient, such as energy customers or employees.<\/p>\n\n\n\n

The protocol has three levels of protection \u2014 monitor, quarantine and reject, with reject being the most secure for preventing suspicious emails from reaching the inbox.<\/p>\n\n\n\n

The Canadian Association of Petroleum Producers (CAPP) spokesperson Jay Averill told Glacier Media that oil and natural gas producers place safety as their highest priority and that extends to cyber safety and protecting critical energy infrastructure in Canada.<\/p>\n\n\n\n

\u201cUnderstandably, cyber security is something individual members keep highly confidential so that information is not discussed collectively within CAPP,\u201d Averill said.<\/p>\n\n\n\n

Federal response<\/h3>\n\n\n\n

Canadian Energy Regulator (CER) spokeswoman Amanda Williams told Glacier Media the agency works with federal, territorial, provincial and international agencies and industry to ensure proactive measures are taken to protect people, the environment and infrastructure from cybersecurity risks.<\/p>\n\n\n\n

She said Canada\u2019s Onshore Pipeline Regulations (OPR) and the Canada Standards Association (CSA) provide a regulatory framework and mandatory requirements for cybersecurity on CER-regulated pipelines.<\/p>\n\n\n\n

Williams said CER-regulated companies are required to have a security management program in place that anticipates, prevents, manages and mitigates conditions that could adversely affect people, property or the environment. This includes having a program to be prepared in the event of cybersecurity threats.<\/p>\n\n\n\n

If a cybersecurity event led to an incident, as defined in the OPR, a regulated company would have to report the incident, and the root cause would be investigated through the CER\u2019s incident follow up process.<\/p>\n\n\n\n

\u201cWe conduct risk-informed compliance verification activities to ensure regulated companies have incorporated cybersecurity risks into their security management programs and have implemented cybersecurity countermeasures on their industrial control systems,” Williams said.<\/p>\n\n\n\n

\u201cThis helps us verify that CER-regulated companies have appropriate proactive measures in place to protect the CER and Canada\u2019s pipeline network from cyber-attacks.\u201d<\/p>\n\n\n\n

Also, Williams said new federal legislation before parliament, Bill C-26: the Critical Cyber Systems Protection Act<\/a>, proposes enhanced reporting requirements to protect critical cyber systems in Canada.<\/p>\n\n\n\n

\u201cThis legislation will impose additional requirements on CER-regulated companies,\u201d Williams said.<\/p>\n\n\n\n

BC Hydro<\/h3>\n\n\n\n

While Proofpoint said public utilities were not included in the study, BC Hydro spokesperson Kevin Aquino told Glacier Media the utility has DMARC implemented.<\/p>\n\n\n\n

\u201cWe have observed and have seen the impact of phishing attacks and we are actively monitoring them all the time to protect our customers, contractors and our business,\u201d he said, adding the provision of safe, reliability power is a priority.<\/p>\n\n\n\n

\u201cThat\u2019s why the security of our grid is so important and we are constantly working to update and enhance our cybersecurity programs to ensure our systems are protected from evolving threats,\u201d he said.<\/p>\n\n\n\n

He said the utility meets multiple industry technology standards and critical infrastructure protection requirements.<\/p>\n\n\n\n

\u201cWe also communicate with our peers and participate in industry forums such as with the Canadian Electricity Association and the Canadian Centre for Cyber Security,\u201d he said.<\/p>\n\n\n\n

Recent BC Hydro work in the area includes strengthening cybersecurity controls, performing regular penetration testing on our critical systems to test security controls, and creating a cyber operations centre so that a team is in place and ready to respond in the event of an incident.<\/p>\n\n\n\n

State-sponsored cybercrime<\/h3>\n\n\n\n

The Canadian Centre for Cyber Security recently said financially motivated cybercrime \u2014 particularly business email compromise and ransomware \u2014 is the main cyber threat facing the Canadian energy industry.<\/p>\n\n\n\n

\u201cThe oil and gas sector, in particular, will very likely continue to be targeted by state-sponsored cyber espionage for commercial or economic reasons, especially during times of geopolitical tension,\u201d Freedman said.<\/p>\n\n\n\n

\u201cNation-state actors seek trade secrets and intellectual property, mainly so they can improve their own nation\u2019s capabilities or to sabotage the operational technology networks that monitor and control critical infrastructure.\u201d<\/p>\n\n\n\n

Last year, 62, per cent of Canadian organizations reported an attempted business email compromise attack, according to Proofpoint\u2019s 2023 State of the Phish report.<\/p>\n\n\n\n

\u201cEmail authentication protocols such as DMARC are essential in fortifying defences against email fraud and safeguarding customers, staff and stakeholders from malicious attacks,\u201d Freedman said.<\/p>\n\n\n\n

\u201cWhile individuals play a crucial role in defending against email fraud, their actions also present one of the biggest vulnerabilities for organizations. DMARC remains the only technology.<\/p>\n

Updated on