Energy infrastructure is an attractive target for cyberattacks but the experts needed to protect critical electricity grids and pipelines are in short supply, according to the federal government.
Canada — and most of the world — is facing a shortage of cybersecurity professionals across all sectors, which could reach 85 million workers by 2030, according to a World Economic Forum white paper published earlier this year.
This shortage is “particularly acute” for the energy sector, according to a Natural Resources Canada briefing note Canada’s National Observer obtained through a federal access-to-information request.
As the brief CrowdStrike outage on July 19 demonstrated, electronically managed energy systems and utilities underpin much of our day-to-day lives and the operation of other important infrastructure, like healthcare, transportation and financial systems. A successful cyberattack can have serious consequences. The July outage was not a cyberattack but rather a security update gone wrong; by contrast, the 2021 ransomware attack on the U.S.’s Colonial Pipeline resulted in a hefty ransom payment and forced the company to shut down portions of the pipeline, causing panic and gas shortages.
Canada hasn’t yet experienced an attack at that scale, but the Canadian Centre for Cyber Security says the oil and gas sector (and other energy systems) will likely continue to be targeted and “the fact that there are not enough qualified people just makes it that much harder to keep them safe and secure,” said Ian L. Paterson, CEO of Plurilock, a Canadian cybersecurity company.
A 2019 Statistics Canada survey found about a quarter of all Canadian oil and gas organizations reported a cyber incident. This was the highest of any critical infrastructure sector.
Smaller incidents have occurred over the years. Last June, a cyberattack at Suncor Energy shut down credit and debit card payments at its Petro-Canada gas stations. Suncor confirmed the attackers accessed the contact information of Petro-Points members. Last November, Trans-Northern Pipelines, an Ontario-based gas company, experienced a cyber incident and a ransomware gang claimed to have stolen 183 GB of unspecified data. A company spokesperson told Canada’s National Observer the incident impacted “a limited number of internal computer systems” and was “quickly contained.” It did not answer a question about how much data or what type was accessed.
This increase is happening now, in part because more and more systems are connected to the internet, explains Sebastian Fischmeister, a professor of electrical and computer engineering and computer science at the University of Waterloo.
“Traditionally, control systems, like in critical infrastructure, [were] not connected to the general internet or company networks,” Fischmeister said. “Now that systems are connected to the internet, they're much more susceptible to cyber attacks.”
Data from S&P Global shows 2022 was a record year for cybersecurity incidents targeting the energy sector (including oil and gas, electricity and nuclear power), yet there’s a shortage of experts with the know-how to defend against and respond to attacks.
In the cybersecurity world, energy infrastructure — like electricity grids and fossil fuel pipelines — belongs to a category known as “safety critical systems,” which means an operational failure can hurt people or the environment, or cause significant economic or property damage, Fischmeister explained.
“If there is a defect in there, if something goes wrong, it can go really bad,” Fischmeister said.
Other examples of safety critical systems include medical devices, aircraft, robotics and automotive systems, added Fischmeister, who has studied this area for 25 years.
It’s hard for the government to find personnel with the right skillset because you need electrical and computer engineering expertise on top of computer science — the latter of which is the typical background for a cybersecurity professional, Fischmeister said.
For example, when you have a virus on your computer, and your computer security system finds the virus, the natural immediate response is to isolate the system and shut it down. This traditional, universal response trained in computer science and cybersecurity does not apply to safety critical systems, Fischmeister said.
“Safety critical systems are processes in operation; you cannot just immediately stop everything and halt everything … you need different training, you need a different mentality.”
Just like an airplane can’t simply stop functioning in midair for a reboot, a pipeline can’t be halted on a whim, so a cybersecurity worker needs to know everything about its controls and operations: understanding all the different segments and components, the timing of opening valves and operating pumps, and all the nitty-gritty details of the hardware, on top of cybersecurity and network knowledge.
Because workers need this expertise on the electrical and mechanical components and operation of critical infrastructure, it naturally reduces the number of people that want to take those steps to be fully qualified — particularly at government wages, Fischmeister said.
“It's a unique background that you need and government usually cannot compete on the salary with industry, by far.”
Fischmeister couldn’t share exact figures but confidently said the private sector pays “50 per cent or more” than the Canadian government and potentially in U.S. dollars.
These highly qualified professionals are in high demand and some of his graduate program students get hired by companies a year and a half before they’ve even completed their schooling, he added.
The global talent shortage of cybersecurity professionals could reach 85 million workers by 2030, according to a World Economic Forum white paper published earlier this year. This projection is not specific to critical infrastructure, rather cybersecurity as a whole.
In an emailed statement, Natural Resources Canada outlined some of the federal government’s efforts to attract existing cybersecurity experts and develop new ones.
Employment and Social Development Canada led a program between 2018 and 2021 that created more than 1,000 student work placements in cyber security, to help students develop job-ready skills and employers to identify talent to support their future hiring needs.
The federal government noted it supports private sector-led initiatives, including a national cyber security competition aimed at engaging university students in the field of cyber security.
The U.S. and Canada’s respective cyber security agencies discussed cyber workforce strategies last November, according to the briefing note.
Since 2016, the U.S. Department of Energy has run a program specifically focused on bolstering cybersecurity expertise in the energy sector. Its CyberForce program seeks to develop new talent with hands-on and virtual competitions, career fairs and other learning resources.
The Natural Resources Canada briefing note states that electricity grids and pipelines are the two big sectors in which Canada and the U.S. are collaborating, due to the “highly integrated” North American energy system. This includes 34 electricity transmission lines and 74 oil and gas pipelines which are critical to both countries’ economies, according to the briefing note.
Cyber threat actors likely view Canada as an intermediate target through which they can impact the U.S. electricity sector, according to the Canadian Centre for Cyber Security’s 2020 report on cyber threats to Canada’s electricity sector. The integrated nature of the energy systems means attacks on the U.S. grid could potentially impact the Canadian electricity sector.
In February, the U.S. Department of Energy announced US$45 million for more than a dozen projects to protect its power grid, electric utilities, pipelines, and renewable energy generation sources like wind or solar from cyberattacks.
Following the release of a 2023 report on cyber threats to the oil and gas sector, the Canadian Centre for Cyber Security and Natural Resources Canada held “targeted threat info briefings” for energy sector CEOs at a number of secure facilities across the country to share information that couldn’t be released publicly, the centre told Canada’s National Observer in an emailed statement.
Natasha Bulowski / Local Journalism Initiative / Canada’s National Observer
Comments
Being an IT guy of 35+ years, why is critical infrastructure connected to the Internet? Oh wait, because that is cheaper than using a secure private network, plus, they don't want to hire security experts and it's all about profit over security & everything else. Ah, OK, now I understand. Then these critical infrastructure orgs wonder why they get targeted and hacked.
So it is not that we lack security pros, but it's that critical infrastructure companies don't want to pay for proper security professionals, private networks and take too many shortcuts in the process.
Retired engineering and IT guy here. For years, the construction industry resisted fire safety codes, then the automobile industry resisted seatbelts and airbags, and now the software industry won't take responsibility for their shoddy products. A security vulnerability is nothing more than a mistake or combination of mistakes that some clever people leverage for fun and profit. As long as software companies are not held accountable with hefty fines and lawsuits, they will continue to publish rubbish. To borrow an analogy from pollution control, you can clean up the source or treat the mess at the end of the pipe. Hiring more security professionals is exactly that kind of end-of-pipe treatment.
The majors are coming around including, to be fair, Microsoft. Unfortunately, most software producers rush barely tested product into live updates and treat cyber threat response as a PR damage control exercise.
Well-written and informative piece.
Now I need to figure out why my comment went to the queue.
Well-written and informative piece. And, yes, there is a rewarding future in cybersecurity; hopefully it will be welcoming also to non-bro's.
For anyone wishing to get up to speed -- or thinking this whole cybersecurity thing is getting blown out of proportion, there are several books published in the last few years detailing the problem.
cont...
Of those, I can highly recommend Andy Greenberg's engaging and frightening, "Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers".
cont...
I can't recommend (but Amazon readers give it high marks, generally) Nicole Perlroth's "This Is How They Tell Me the World Ends: The Cyberweapons Arms Race". I found the author's choice to include personal grievances of their work in the industry took away from the story (goes to my point about the industry being (un)welcoming to non-bro's), and I didn't finish it.
Going beyond that and focusing on prevention, however, I would like to see reportage on how the high tech industry (computers, software, networks, mobile) has for decades largely escaped liability for their products. We simply accept that "There Will Be Bugs" (even those that shake a good chunk of the global economy). What if any large vehicle manufacturer got away with shrugging their shoulders and saying, "Meh... There Will Be Wheels/Axles Flying Off" or tall buildings spontaneously fell down (Too bad, So Sad.)? From where did tech receive its "get out of jail free" card?
Why do you think we now have multi-trillion dollar corporations? My money is on Monopoly, (honest) ignorance amongst elected officials, political corruption (particularly in the States) and no meaningful product liability.