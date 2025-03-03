On May 31, 2025, the Alberta Security Management for Critical Infrastructure Regulation (the Regulation) will come into force and is expected to alter existing security requirements for critical resource infrastructure in Alberta. Notably, critical infrastructure facilities identified as such by the Alberta Energy Regulator will be obligated to comply with CSA Z246.1: Security Management for Petroleum and Natural Gas Industry Systems published by the Canadian Standards Association, as may be amended or replaced from time to time (the CSA Standard).

Compliance with the CSA Standard

Previously, security criteria for critical resource infrastructure were established pursuant to the Alberta Counter Terrorism Crisis Management Plan under the Emergency Management Act. Under the Regulation, the CSA Standard will now provide such criteria; and critical facilities must comply with same.

Published by CSA Group, formerly known as the Canadian Standards Association, the CSA Standard establishes criteria for security management programs in the petroleum and natural gas industry. These standards are typically updated by CSA Group every four years, with the most recent edition being released in 2021. These criteria directly address several security areas, including:

cybersecurity; information security management; physical security measures; personnel security; security risk management; and security incident management.

The most recent edition of the CSA Standard adopts certain cybersecurity requirements. With respect to such requirements, the CSA Standard states that cybersecurity measures should reflect the "characterization and risk of the information technology and industrial control systems assets that require protection."

Put simply, the CSA Standard appears to prescribe that critical facilities must account for the nature of the "information technology and industrial control systems assets" in use at the critical facility and implement measures accordingly. The CSA Standard lists, among other things, the following as items to consider in conducting this assessment: (1) an inventory of authorized hardware and software; (2) how the information technology and industrial control systems are zoned and segregated from each other; (3) how information technology and industrial control systems hosts are configured according to a baseline that reduces attack surface; and (4) whether intrusion prevention and detection methods are installed and monitored.

The Regulation permits the Alberta Energy Regulator to: (1) audit the security management programs of critical facilities; and (2) shut down or shut in a critical facility for noncompliance.

Development of the Critical Infrastructure List

The security requirements outlined above apply to any industrial facility or infrastructure that has been: (1) designated as a "critical facility" by the Alberta Energy Regulator; and (2) placed on its "critical infrastructure list." The Regulation expands the types of facilities that may be designated as critical facilities. Accordingly, facilities that may now be placed on the critical infrastructure list include:

coal or other processing plants;

in situ operations;

mines and mining operations;

pipelines;

wells; and

any related facilities.

Relevant considerations for designating critical facilities include the size, type and location of a facility, as well as its throughput and interdependency with other infrastructure.

Notably, the critical infrastructure list must remain confidential; however, facilities must be notified if they are placed on the list.

Conclusion

The coming into force of the Regulation represents an important change to the regulation of critical facilities in Alberta. Accordingly, these facilities must ensure they implement and maintain a security management program that, among other things, takes into account the degree to which information technology and industrial control systems are material to its operation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.