Public Safety Committee on Feb. 8th, 2024

Yes, certainly, I can clarify my remarks.

The energy sector is a target; there's no question. In answering the question, generally, there is no reporting requirement on cybersecurity incidents currently to the Canada Energy Regulator. What we do is work closely with regulated companies and the cyber centre, and we encourage voluntary reporting between our company and the cyber centre, and they create non-disclosure agreements.

They collect information, and they will share that information out to industries in a form that is not disclosing details of what those incidents were. That's, I guess, what this bill would do. It would strengthen that mandatory reporting and allow us to get access to that information more freely than now.

I think the way the situation is now, in terms of reporting to the CER, there is no mandatory cybersecurity reporting, unless it meets a definition in the onshore pipeline regulations for another type of incident, such as operation beyond design, or something more significant.

That information is reported voluntarily to the cyber centre, and again, they produce reports. It may be a question for the cyber centre. They do produce threat risk reports and they distribute them within our industry and more broadly, so that certainly companies do have information or access to it to take measures to put the right mitigation in place.

I certainly think that, through the bill, it could be more structured and more formalized. Then those mechanisms would be in place to share that information officially. As you can appreciate, some of this information comes with some cautions in terms of how widely it can be shared due to confidentiality.

Again, we do have relationships, informally, with the cyber centre and with other federal departments and agencies to get that information. Through our compliance verification activities, we do look at companies' programs and systems to make sure that they are doing everything they can, that they are connected with the cyber centre and getting the latest threat and risk briefings, and that they are taking the measures they can take.

That's a pipeline that was in the United States, so non-officially but certainly through various working relationships that we have with our staff in different departments, we've learned about that incident. However, I'm not prepared to comment on the details of that.

As I mentioned in the opening remarks, the proposed legislation is very well aligned with what we already have in place. At the CER, we already have a robust regulatory framework that involves inspection officers, inspection officer orders, the issuing of non-compliances, the use of administrative monetary penalties, and the conduct of inspections. Companies are already well familiar with the need to have cybersecurity programs in place in order to detect and prevent the threats.

In terms of the overall impact on the CER-regulated industry in terms of cost, I think that some of that detail needs to be determined through the development of regulations, which have not yet been developed or proposed. With regard to the other part of it, I would point to the fact that what the bill is proposing is, in large part, a formalization of the powers and the oversight framework that we have in place, but extending it further so that it formalizes, as Mr. Finley noted earlier, the reporting relationships, the information gathering and the sharing of that on the government side.

Thanks again for the follow-up.

To clarify, what we see already with respect to our relationships with industry is a patchwork of voluntary interrelationships with respect to reporting, usage and gathering of information.

When I use the word “formalize”, I'm saying that this is a beneficial aspect of this bill. I think industry is well prepared to implement the aspects of the bill associated with that. It will strengthen our ability as a government to prevent cyber-threats and assist our regulated industry to detect and mitigate any potential cyber-threats in the future.

With respect to the comments of Electricity Canada and the chilling effect, our experience with respect to the pipeline industry and threats to the environment, safety and other areas has been that clarity around reporting—which I expect would be something that will be developed in the regulations—not so much sets a floor, but helps with the expectations around that.

I think that any time you can bring consistency and clarity to a sector, it's a benefit and it's a benefit for everyone.

At the CER, we have a long history of implementing our regulatory framework with respect to the onshore pipeline regulations and other regulations. The usage of things to help with the clarity around reporting requirements, such as event reporting guidelines and other directives and guidance materials, is welcomed by industry and helps them understand the expectations of the regulator. I think that, overall, it strengthens the protections in an industry. I do see that as an aspect of the particular requirements in this bill.

The regulations, as I noted earlier, are still to be developed. Should the bill pass, I'm looking forward to working with the lead departments and agencies on this bill to provide advice.

Not being the lead on the development of this, I would prefer to say that regulations are an area that provides some flexibility in terms of development going forward and any amendments that might be required in the future, rather than having to amend legislation.

I don't know if I can speak to the specific situation that you're describing, but what I would suggest is that the coordination and co-operation that we have with our counterparts in the United States, such as the Pipeline and Hazardous Materials Safety Administration, which regulates pipelines, have been very good.

Consistency of definitions is definitely something that is welcomed by industry. Consistency and a coherent regulatory framework are, I would say, a welcome development when a network can be put in place.

I'll say a few words, and then I'll turn it over to my colleague, Mr. Finley, to colour that in a little bit.

It ranges. It goes from the person in the basement to a nation-state actor.

I think earlier, when we were discussing incidents and reporting, one of the distinctions that the CER drew was the difference between an attack on an information technology network—that is the network that provides your email and stores your documents and passwords—and then the operational technology network, which is the systems that are used to operate pipeline valves and other systems. To date, there has been no successful attack that we're aware of in Canada in the CER's regulated industry on an operational network. Within your information technology networks—the ones with passwords, etc.—yes, those have happened quite frequently.

Mr. Finley, did you want to colour that in a little bit?

Yes, as my colleague mentioned, the majority of attacks are on IT networks; they're ransomware, typically by cybercriminals and nation-states. We don't have all of that information at our fingertips, but that is the kind of information that we work closely on with the Canadian Centre for Cyber Security, which does collect that information.