On May 31, 2025, the Alberta Security Management for Critical Infrastructure Regulation (the Regulation) will come into force and is expected to alter existing security requirements for critical resource infrastructure in Alberta. Notably, critical infrastructure facilities identified as such by the Alberta Energy Regulator will be obligated to comply with CSA Z246.1: Security Management for Petroleum and Natural Gas Industry Systems published by the Canadian Standards Association, as may be amended or replaced from time to time (the CSA Standard).
Previously, security criteria for critical resource infrastructure were established pursuant to the Alberta Counter Terrorism Crisis Management Plan under the Emergency Management Act. Under the Regulation, the CSA Standard will now provide such criteria, and critical facilities must comply with it.
Published by CSA Group, formerly known as the Canadian Standards Association, the CSA Standard establishes criteria for security management programs in the petroleum and natural gas industry. These standards are typically updated by CSA Group every four years, with the most recent edition being released in 2021. These criteria directly address several security areas, including:
The most recent edition of the CSA Standard adopts certain cybersecurity requirements. With respect to such requirements, the CSA Standard states that cybersecurity measures should reflect the "characterization and risk of the information technology and industrial control systems assets that require protection."
Put simply, the CSA Standard appears to prescribe that critical facilities must account for the nature of the "information technology and industrial control systems assets" in use at the critical facility and implement measures accordingly. The CSA Standard lists, among other things, the following as items to consider in conducting this assessment: (1) an inventory of authorized hardware and software; (2) how the information technology and industrial control systems are zoned and segregated from each other; (3) how information technology and industrial control systems hosts are configured according to a baseline that reduces attack surface; and (4) whether intrusion prevention and detection methods are installed and monitored.
The Regulation permits the Alberta Energy Regulator to: (1) audit the security management programs of critical facilities; and (2) shut down or shut in a critical facility for noncompliance.
The security requirements outlined above apply to any industrial facility or infrastructure that has been: (1) designated as a "critical facility" by the Alberta Energy Regulator; and (2) placed on its "critical infrastructure list." The Regulation expands the types of facilities that may be designated as critical facilities. Accordingly, facilities that may now be placed on the critical infrastructure list include:
Relevant considerations for designating critical facilities include the size, type and location of a facility, as well as its throughput and interdependency with other infrastructure.
Notably, the critical infrastructure list must remain confidential; however, facilities must be notified if they are placed on the list.
The coming into force of the Regulation represents an important change to the regulation of critical facilities in Alberta. Accordingly, these facilities must ensure they implement and maintain a security management program that, among other things, takes into account the degree to which information technology and industrial control systems are material to their operation.
If you would like to discuss how your organization is prepared to comply with the Regulation, we invite you to contact one of the authors.