News from the ITA network

5 December 2025

Canada

CANADA’S ENERGY SECTOR FACES MAJOR NEW CYBER SECURITY COMPLIANCE REQUIREMENTS UN

Canada’s energy sector should take immediate notice: the federal government has enacted sweeping cyber security legislation through Bill C26 that directly targets operators of critical energy infrastructure. The Critical Cyber Systems Protection Act establishes mandatory requirements for “designated operators” of critical cyber systems – with energy facilities, including interprovincial pipelines, nuclear power plants, and other energy infrastructure specifically within federal jurisdiction and likely to face designation.

Who is Affected

Bill C26 applies to federally regulated sectors, with Canada’s energy industry standing out as a primary focus. This includes operators of interprovincial and international pipelines (oil, gas, and petroleum products), nuclear energy facilities, uranium mines and mills, offshore oil and gas operations in federal waters, and energy projects involving interprovincial power lines. The legislation also covers telecommunications, banking, transportation, and other critical infrastructure sectors.

Critically for the energy sector, the legislation explicitly addresses supply chain risks. Tertiary suppliers and manufacturers providing products, services, or components to energy infrastructure operators will face heightened scrutiny and potential compliance requirements. Equipment manufacturers, control system vendors, and service providers to the energy industry should expect significant impact.

Core Requirements

Energy operators designated under C26 must establish comprehensive cyber security programs within 90 days of designation. These programs must identify and manage organizational cyber security risks, with particular emphasis on supply chains and third-party products and services – areas of heightened concern for energy infrastructure given the specialized nature of industrial control systems and SCADA networks.

The programs must protect systems from compromise, detect cyber security incidents, and minimize impacts when breaches occur. Operators must maintain detailed records of all cyber security measures, conduct regular program reviews, and notify regulators of material changes in ownership, supply chains, or third-party relationships. Any cyber security incident must be reported to the Communications Security Establishment within 72 hours.

Supply Chain Implications for Energy Sector

A critical provision in C26 requires operators to immediately mitigate any cyber security risks identified in their supply chains or third-party products and services. For energy operators relying on specialized equipment from international suppliers or legacy industrial control systems, this presents significant challenges. Suppliers and manufacturers may face sudden demands to modify products, provide security documentation, or even be replaced if deemed a security risk.

Government Powers

Under C26, the Governor in Council can issue binding “cyber security directions” requiring operators to comply with specific security measures. These directions are confidential – operators cannot disclose their existence or contents except when necessary for compliance.

The Canadian Energy Regulator, Canadian Nuclear Safety Commission, and other federal regulators have authority to enter facilities, examine records and systems, order internal audits, and issue compliance orders requiring operators to stop non-compliant activities or implement corrective measures.

Penalties

Bill C26 establishes substantial fines: up to $1 million for individuals and $15 million for organizations per violation. Directors and officers who authorize violations can be held personally liable. Violations continuing over multiple days constitute separate offenses for each day.

Action Items for Energy Sector

Energy operators should immediately inventory their cyber systems, assess supply chain vulnerabilities, and begin developing compliance programs. Equipment suppliers and service providers to the energy industry should prepare for due diligence requests and document their security practices. Legal review of existing supply contracts is essential to address new regulatory obligations under C26. (ICE TORONTO)


News source: https://www.cpecn.com/