Energy infrastructure is an attractive target for cyberattacks but the experts needed to protect critical electricity grids and pipelines are in short supply, according to the federal government.
Canada — and most of the world — is facing a shortage of cybersecurity professionals across all sectors which could reach 85 million workers by 2030, according to the World Economic Forum white paper published earlier this year.
This shortage is “particularly acute” for the energy sector, according to a Natural Resources Canada briefing note Canada’s National Observer obtained through a federal access-to-information request.
As the brief CrowdStrike outage on July 19 demonstrated, electronically managed energy systems and utilities underpin much of our day-to-day lives and the operation of other important infrastructure, like healthcare, transportation and financial systems. A successful cyberattack can have serious consequences. Though the July outage was not a cyberattack but rather a security update gone wrong, the 2021 ransomware attack on the U.S.’s Colonial Pipeline resulted in a hefty ransom payment and forced the company to shutdown portions of the pipeline, causing panic and gas shortages.
Canada hasn’t yet experienced an attack at that scale, but the Canadian Centre for Cyber Security says the oil and gas sector (and other energy systems) will likely continue to be targeted and “the fact that there are not enough qualified people just makes it that much harder to keep them safe and secure,” said Ian L. Paterson, CEO of Plurilock, a Canadian cybersecurity company.
A 2019 Statistics Canada survey found about a quarter of all Canadian oil and gas organizations reported a cyber incident. This was the highest of any critical infrastructure sector.
Smaller incidents have occurred over the years. Last June, a cyberattack at Suncor Energy shut down credit and debit card payments at its Petro-Canada gas stations. Suncor confirmed the attackers accessed the contact information of Petro-Points members. Last November, Trans-Northern Pipelines, an Ontario-based gas company, experienced a cyber incident and a ransomware gang claimed to have stolen 183 GB of unspecified data. A company spokesperson told Canada’s National Observer the incident impacted “a limited number of internal computer systems” and was “quickly contained.” It did not answer a question about how much data or what type was accessed.
This increase is happening now, in part because more and more systems are connected to the internet, explains Sebastian Fischmeister, a professor of electrical and computer engineering and computer science at the University of Waterloo.
“Traditionally, control systems, like in critical infrastructure, [were] not connected to the general internet or company networks,” Fischmeister said. “Now that systems are connected to the internet, they’re much more susceptible to cyber attacks.”
Data from S&P Global shows 2022 was a record year for cybersecurity incidents targeting the energy sector (including oil and gas, electricity and nuclear power), yet there’s a shortage of experts with the know-how to defend against and respond to attacks.
In the cybersecurity world, energy infrastructure — like electricity grids and fossil fuel pipelines — belongs to a category known as “safety critical systems” which means an operational failure can hurt people, the environment or cause significant economic or property damage, Fischmeister explained..
“If there is a defect in there, if something goes wrong, it can go really bad,” Fischmeister said.
Other examples of safety critical systems include medical devices, aircraft, robotics and automotive systems, added Fischmeister, who has studied this area for 25 years.
It’s hard for the government to find personnel with the right skillset because you need electrical and computer engineering expertise on top of computer science — the latter of which is the typical background for a cybersecurity professional, Fischmeister said.
For example, when you have a virus on your computer, and your computer security system finds the virus, the natural immediate response is to isolate the system and shut it down. This traditional, universal response trained in computer science and cybersecurity does not apply to safety critical systems, Fischmeister said.
“Safety critical systems are processes in operation; you cannot just immediately stop everything and halt everything … you need different training, you need a different mentality.”
Just like an airplane can’t simply stop functioning in midair for a reboot, for a pipeline a cybersecurity worker needs to know everything about its controls and operations: understanding all the different segments and components, how the timing works of opening valves and operating pumps and knowing all the nitty gritty details of the hardware, on top of cybersecurity and network knowledge.
Because workers need this expertise on the electrical and mechanical components and operation of critical infrastructure, it naturally reduces the number of people that want to take those steps to be fully qualified — particularly at government wages, Fischmeister said.
“It’s a unique background that you need and government usually cannot compete on the salary with industry, by far.”
Fischmeister couldn’t share exact figures but confidently said the private sector pays “50 per cent or more” than the Canadian government and potentially in U.S. dollars.
These highly qualified professionals are in high demand and some of his graduate program students get hired by companies a year and a half before they’ve even completed their schooling, he added.
The global talent shortage of cybersecurity professionals could reach 85 million workers by 2030, according to a World Economic Forum white paper published earlier this year. This projection is not specific to critical infrastructure, rather cybersecurity as a whole.
In an emailed statement, Natural Resources Canada outlined some of the federal government’s efforts to attract existing cybersecurity experts and develop new ones.
Employment and Social Development Canada led a program between 2018 and 2021 that created more than 1,000 student work placements in cyber security, to help students develop job-ready skills and employers to identify talent to support their future hiring needs.
The federal government noted it supports private sector-led initiatives, including a national cyber security competition aimed at engaging university students in the field of cyber security.
The U.S. and Canada’s respective cyber security agencies discussed cyber workforce strategies last November, according to the briefing note.
The U.S. Department of Energy has a program specifically focused on bolstering cybersecurity expertise in the energy sector in 2016. Its CyberForce program seeks to develop new talent with hands-on and virtual competitions, resources, career fairs and other learning resources.
The Natural Resources Canada briefing note states that electricity grids and pipelines are the two big sectors in which Canada and the U.S. are collaborating, due to the “highly integrated” North American energy system. This includes 34 electricity transmission lines and 74 oil and gas pipelines which are critical to both countries’ economies, according to the briefing note.
Cyber threat actors likely view Canada as an intermediate target through which they can impact the US electricity sector, according to the Canadian Centre for Cyber Security’s 2020 report on cyber threats to Canada’s electricity sector. The integrated nature of the energy systems means attacks on the U.S. grid could potentially impact the Canadian electricity sector.
In February, the U.S. Department of Energy announced US$45 million for more than a dozen projects to protect its power grid, electric utilities, pipelines, and renewable energy generation sources like wind or solar from cyberattacks.
Following the release of a 2023 report on cyber threats to the oil and gas sector, the Canadian Centre for Cyber Security and Natural Resources Canada held “targeted threat info briefings” for energy sector CEOs at a number of secure facilities across the country to share information that couldn’t be released publicly, the centre told Canada’s National Observer in an emailed statement.