Canada’s top technical authority on cybersecurity is working closely with Suncor Energy Inc. SU-T in the aftermath of a high-profile systems breach at the oil and gas giant.
The Canadian Centre for Cyber Security – which leads Canada’s federal response to cybersecurity incidents – said Wednesday it can’t disclose details of the cybersecurity incident that caused payment systems at many of Suncor’s Petro-Canada locations across the country to go down last week.
Sami Khoury, head of the centre, said Suncor is still working to mitigate the damage, and sharing information too soon may compromise those efforts.
“We have reached out to Suncor and we are working with them, and we are sharing information with the rest of the [oil and gas] sector to better protect themselves,” Mr. Khoury told reporters in a media briefing.
“But at this point the mitigation is still ongoing, and I am unable to provide additional details about the nature of the incident.”
Suncor, one of Canada’s largest oil and gas firms, issued a news release a week and a half ago to say that it had “experienced a cybersecurity incident.”
The confirmation followed days of public speculation and complaints on social media from customers unable to use credit or debit cards at the company’s chain of Petro-Canada gas stations in multiple major Canadian cities, or access car wash services.
Suncor has not provided details about the type of cyberattack that occurred or whether any of its other operations were affected. As of late last week, the company’s Petro-Canada payment systems had largely been restored.
The Canadian Centre for Cyber Security is part of the federal Communications Security Establishment, which provides the government of Canada with information technology security and foreign signals intelligence.
It has been warning for years that Canada’s energy sector is an attractive target for cybercriminals. In fact, just days before the Suncor security breach was made public, the centre published a report on the cyber threat facing the country’s oil and gas industry.
Mr. Khoury said the report’s release had been planned for months, and its timing with relation to the Suncor cyberattack was purely coincidental. He said its message – that the oil and gas sector attracts “more than its share” of attention from cybercriminals – is important for the industry as a whole to hear.
He added that in addition to the report, the Centre for Cyber Security also recently hosted a briefing for high-level senior executives within the energy industry.
“By and large, companies are mindful of the cybersecurity threat and are putting investments in place to mitigate it, but it’s important to recognize that the threat is constantly evolving, and those investments need to keep up,” Mr. Khoury said.
“It’s not a one-time solution.”
The Centre for Cyber Security says Canada’s oil and gas sector is an attractive target because of the high value of the industry’s assets and “the degree of customer dependence on the industry’s products.”
Ransomware attacks, conducted by cybercriminals motivated purely by financial gain, are by far the likeliest type of cyber threat oil and gas companies face, Mr. Khoury said. In recent years, ransomware attacks have grown significantly in both volume and sophistication.
In 2021, a ransomware attack successfully targeted the Colonial Pipeline, the largest pipeline system for refined oil products in the U.S. It was the largest cyberattack on oil infrastructure in the history of the United States, and forced the company to temporarily halt pipeline operations.
State-sponsored or state-aligned cybercriminals – including those with ties to Russia, China, North Korea and Iran – also pose a risk to the sector, Mr. Khoury said. An cyberattack of this type would likely be for the purpose of industrial sabotage or espionage.
Mr. Khoury said a state-sponsored cyberattack aimed at disrupting the flow of oil and gas in this country is highly unlikely, except in the case of outright hostilities between Canada and another nation.
“But the threat is real, and critical infrastructure providers must prepare for it,” he said.
Statistics Canada survey data shows about 25 per cent of Canadian oil and gas companies reported a cyber “incident” in 2019, the highest proportion of any critical infrastructure sector.
Some experts have said the Suncor systems breach will likely cost the company millions of dollars before it is resolved.
According to a report by IBM, the global average cost to companies of a data breach hit an all-time high in 2022 of US$4.35 million, a 13 per cent increase from 2020.
In the United States, the average cost to companies of a data breach in 2022 was US$9.44 million.