Under new Alberta regulations, oil and gas companies operating critical infrastructure must implement security management programs in anticipation of a cybersecurity incident. These requirements respond directly to threat actors targeting organizations whose increasing reliance on digital technology leaves their operations vulnerable to disruption.
On May 31, 2025, the Security Management for Critical Infrastructure Regulation, Alta Reg 84/2024 (the “Regulation”) came into force under Alberta’s Responsible Energy Development Act, SA 2012, c R-17.3, making it essential for any critical facilities in the oil and gas industry to implement security management programs in compliance with the Regulation. The Regulation aims to strengthen security measures for critical facilities in the event of terrorist activity.
Who is affected?
The Alberta Energy Regulator (“AER”) is responsible for creating a list of critical facilities, which includes:
- coal processing plants;
- mines;
- mining operations;
- pipelines;
- processing plants;
- wells; and
- in situ operations.[1]
In identifying these critical facilities, the AER may consider the size and type of the facility, its proximity to people and property, its throughput and interdependency with other infrastructure, and environmental factors.[2] The AER must also notify the licensees or approval holders of these critical facilities that they are on the critical infrastructure list, and the list is kept confidential and inaccessible unless the AER permits access.[3]
What must critical facilities do to comply with the Regulation?
Once notified by the AER, licensees or approval holders of critical facilities must then establish and implement a security management program in accordance with CSA Z246.1, the Security Management for Petroleum and Natural Gas Industry Systems standards published by the Canadian Standards Association (the “Standards”). The Standards provide critical facility operators with further details on creating or refining their security management programs.
The Standards published in 2021 included cybersecurity measures that replaced their previous clause on information technology and industrial control system security. The cybersecurity considerations in the Standards recognize that information technology and industrial control systems are susceptible to digital attacks and vulnerable to threats, and they call for measures including: maintaining an inventory of authorized hardware and software; limiting administrative and user rights to the minimum required; boundary protection to monitor for unauthorized communications; and regular testing of system backup, restoration, and recovery.[4]
Audits and failure to comply
The Regulation allows the AER to audit the security management program of any critical facility to ensure compliance with the Standards.[5] If the AER finds that a critical facility has failed to comply, it may order a security management program to be implemented or, more severely, order the critical facility to shut down until the specific terms of the order are met.[6]
Key Takeaways
- Most, if not all, petroleum and natural gas industry systems are “critical facilities” affected by the Regulation and must have security management programs that comply with the Standards.
- Failure to comply may result in an order to implement a security management program or facility shut down.
- To protect against cybersecurity threats, all oil and gas companies should have a cybersecurity program in place to protect critical infrastructure. This includes developing acceptable use policies and software procedures to protect information from the time of creation to final disposition.
- All personnel with access to information should be provided security training and awareness on a regular basis to improve threat recognition and response, surveillance, and security practices. The Standards suggest that such sessions should be conducted within every 24-month period.[7]
[1] The Regulation, s 1(c).
[2] The Regulation, s 2(2).
[3] The Regulation, s 2(3)-(4).
[4] The Standards, s 7.2.2.
[5] The Regulation, s 3(5).
[6] The Regulation, s 3(2).
[7] The Standards, s 8.3.2.
For more information on this topic, please contact Kelly Osaka or other members of the Dentons Privacy and Cybersecurity group. The author would like to thank Emily Zheng, Student-at-Law in Dentons’ Calgary office.