SUMMARY
Industrial control system1 help control industrial processes. ICS are widely used in Alberta’s oil and gas industry and are generally controlled by instructions received from information technology devices.
ICS devices are part of the critical infrastructure the oil and gas industry uses to produce and safely deliver energy products to provincial, national and international markets. The industry uses ICS to control pumps and valves and to detect leaks in pipeline operations, for example. These control systems help to ensure oil and gas reaches Albertans, refineries and other markets efficiently, safely and securely. Therefore, IT security must be carefully considered when designing and using ICS.
We decided to audit ICS because we believe Albertans may be at risk if ICS are unsecured or do not meet minimum IT security standards. Oil and gas operators with inter-provincial or international operations may already follow international ICS IT security standards. However, the Alberta government does not currently require provincially regulated oil and gas operators to meet ICS IT security standards.
What we examined
We examined the roles the Department of Energy, Alberta Energy Regulator and the Department of Justice and Solicitor General have to:
- assess risks to Alberta caused by possibly unsecured ICS used in provincially regulated oil and gas infrastructure
- assess whether provincially regulated oil and gas operators have adequate IT security standards for their ICS
Overall conclusion
The Department of Justice and Solicitor General has assessed the threat of attack on Alberta’s oil and gas industry through ICS and concluded that it is low. However, no Alberta government entity has assessed the impact of an attack if one were to occur.
What we found
The Department of Energy manages Alberta’s non-renewable resources and protects the interests of Albertans. The department has not assessed IT security risks to ICS in Alberta’s oil and gas infrastructure.