The federal government says energy infrastructure is an attractive target for cyberattacks, but there is a shortage of the experts needed to protect critical power grids and pipelines.
A World Economic Forum white paper released earlier this year said Canada, and most of the world, faces a shortage of cybersecurity professionals across all sectors, a number that could reach 85 million by 2030.
The shortage is “particularly severe” in the energy sector, according to a Natural Resources Canada report obtained by National Observer through a federal freedom of information request.
As the brief CrowdStrike outage on July 19th showed, electronically managed energy systems and utility services underpin much of our daily lives and the operation of other critical infrastructures such as healthcare, transportation and financial systems. A successful cyberattack can have serious consequences. While the July outage was the result of a failed security update, not a cyberattack, a ransomware attack on the US Colonial Pipeline in 2021 resulted in a large ransom being paid, forcing the company to shut down part of the pipeline and causing panic and gas shortages.
While Canada has yet to experience an attack on that scale, the Canadian Cyber Security Centre said the oil and gas sector (and other energy systems) will likely continue to be targeted, and “the lack of qualified talent makes it even more difficult to keep those sectors safe and secure,” said Ian L. Patterson, CEO of Canadian cybersecurity company Pluriloc.
According to a 2019 Statistics Canada survey, nearly a quarter of Canadian oil and gas organizations reported cyber incidents, the highest rate among critical infrastructure sectors.
Smaller incidents have occurred in recent years. Last June, a cyberattack on Suncor Energy halted credit and debit card payments at the company’s Petro Canada gas stations. Suncor acknowledged that attackers accessed contact information for Petro Points members. Last November, Ontario-based gas company Trans Northern Pipeline was hit by a cyberattack in which a ransomware gang claimed to have stolen 183GB of unspecified data. A company spokesman told Canada’s National Observer that the incident affected “a limited number of internal computer systems” and was “quickly contained.” The company did not respond to questions about the amount or type of data that was accessed.
Sebastian Fischmeister, a professor of electrical and computer engineering and computer science at the University of Waterloo, explains that this increase is happening now in part because more and more systems are being connected to the internet.
“Traditionally, control systems such as critical infrastructure [were] not connected to the general internet or to the corporate network,” Fischmeister says. “Now that they’re connected to the internet, they’re more vulnerable to cyberattacks.”
According to data from S&P Global, 2022 was a record year for cybersecurity incidents targeting the energy sector (which includes oil and gas, power and nuclear power), but there is a shortage of experts with the know-how to defend against and respond to attacks.
In the cybersecurity world, energy infrastructure like power grids and fossil fuel pipelines belongs to a category known as “safety-critical systems,” meaning operational failure could cause harm to people or the environment or significant economic or property damage, Fischmeister explained.
“If there’s a flaw or something goes wrong, things could go horribly wrong,” Fischmeister said.
Other examples of safety-critical systems include medical devices, aircraft, robotics and automotive systems, added Fischmeister, who has studied the field for 25 years.
Fischmeister said finding people with the right skill set is difficult for the government, as it requires expertise in electrical and computer engineering in addition to computer science, the typical background for cybersecurity professionals.
For example, if a computer has a virus and a computer security system detects it, the obvious immediate response is to isolate and shut down the system. This traditional, universal response, taught in computer science and cybersecurity, doesn’t apply to safety-critical systems, Fischmeister said.
“Safety-critical systems are running processes. You can’t just shut everything down or interrupt it. It requires different training, a different mindset.”
An airplane cannot be taken offline in the air for a restart. Likewise, a cybersecurity officer working on a pipeline needs to know everything about its control and operation: all of the different segments and components, how and when valves open and pumps operate, and the granular details of the hardware, in addition to cybersecurity and networking knowledge.
Because the workers require expertise in electrical and mechanical components and operating critical infrastructure, fewer people will naturally be willing to take those steps to become fully qualified, especially at civil service wages, Fischmeister said.
“This requires a special background and government generally cannot compete with industry on salaries.”
Fischmeister declined to give an exact figure, but said he was confident the private sector was paying “50 per cent more” than the Canadian government, and that the amount could be in U.S. dollars.
These highly qualified professionals are in high demand, with some graduate students being hired by companies as much as a year and a half before they finish school, he added.
According to a World Economic Forum white paper published earlier this year, the global talent shortage of cybersecurity professionals could reach 85 million by 2030. This prediction isn’t specific to critical infrastructure, but applies to cybersecurity as a whole.
In an emailed statement, Natural Resources Canada outlined some of the federal government’s efforts to attract existing cybersecurity experts and develop new ones.
Employment and Social Development Canada led a program to create work experiences for more than 1,000 students in the cybersecurity field between 2018 and 2021, helping students gain employable skills and helping employers identify the talent they need to meet future hiring needs.
The statement noted that the federal government supports private sector-led initiatives such as a national cybersecurity competition aimed at engaging university students in the cybersecurity field.
According to the report, the U.S. and Canadian cybersecurity agencies discussed their cyber workforce strategies in November last year.
The U.S. Department of Energy implemented a program in 2016 specifically focused on strengthening cybersecurity expertise in the energy sector. The department’s CyberForce program aims to develop new talent with hands-on and virtual competitions, resources, job fairs and other learning resources.
The North American energy system is “highly integrated,” and the two biggest areas of cooperation between Canada and the U.S. are power grids and pipelines, according to a Natural Resources Canada report. This includes 34 power transmission lines and 74 oil and gas pipelines that are vital to each country’s economy, according to the report.
According to a 2020 report on cyber threats to the Canadian electricity sector published by the Canadian Cyber Security Centre, cyber threat actors likely view Canada as an intermediate target to impact the U.S. electricity sector. Given the integrated nature of the energy system, attacks on the U.S. power grid could impact the Canadian electricity sector.
In February, the U.S. Department of Energy announced $45 million for more than 10 projects to protect power grids, utilities, pipelines and renewable energy sources like wind and solar from cyberattacks.
Following the release of its 2023 report on cyber threats to the oil and gas industry, the Canadian Centre for Cybersecurity and Natural Resources Canada hosted “targeted threat intelligence briefings” for energy industry CEOs at several secure facilities across the country to share information that cannot be made public, the centre said in an emailed statement to Canada’s National Observer.
Natasha Browski / Local Journalism Initiative / Canada’s National Observer