Risk of cyber, bomb attacks grows for Canada’s energy sector, CSIS says

A dump truck works near the Syncrude oilsands extraction facility near the city of Fort McMurray, Alta., on June 1, 2014.
A dump truck works near the Syncrude oilsands extraction facility near the city of Fort McMurray, Alta., on June 1, 2014. Jason Franson, The Canadian Press

Canada’s main spy agency last year warned energy companies about an increasing risk of cyber espionage and attacks on pipelines, oil storage and shipment facilities and power transmission towers using homemade explosives, according to a classified document obtained by Reuters.

The Canadian Security Intelligence Service (CSIS) warning last May highlights an additional risk for the energy sector, where opposition to pipelines has ramped up in Canada, home to the world’s third-largest oil reserves, and the United States.

In the document, which features speaking notes prepared for a CSIS briefing with energy and utilities sector stakeholders, an unidentified official specifies a threat from foreign state-owned firms looking for confidential information about investments or takeovers.

READ MORE: Canada’s cybersecurity strategy is anemic: expert

“You should expect your networks to be hit if you are involved in any significant financial interactions with certain foreign states,” the official said in the document, obtained by Reuters under access-to-information laws.

Story continues below advertisement

The hackers would want information on anything from valuations to tax records and client names, the official said in the document. The official said the agency had collected evidence of such espionage in the past.

The document, parts of which were obscured for security reasons, did not show the foreign states whose companies may be linked to industrial espionage or their purported Canadian victims.

In 2012, CSIS told the government that takeovers by Chinese companies may threaten national security. At the time, China’s state-owned CNOOC Ltd had bid for Canadian producer Nexen Inc.

The document also warned the sector was “vulnerable to explosives” and identified potential targets. In the document, the CSIS official referred to “terrorist attacks” since 2014 in Canada and abroad, saying even large-scale attacks are “technically simple.”

Last year, five oil pipelines carrying Canadian crude in the United States were halted in coordinated attacks by environmental protesters, showing the ease with which people with no technical expertise can disrupt the industry.

Energy companies already use surveillance cameras, helicopters, remote sensors and drones to monitor some 119,000 km of pipelines across Canada, carrying 3.4 million barrels of crude a day, and have an agreement to collaborate during an emergency.

READ MORE: Trudeau vows to ensure security agencies obey letter of law amid surveillance fears

But security experts and energy industry officials have said it is impossible to lower the threat to zero.

Story continues below advertisement

Last week, vandals used on-site equipment to damage a pipeline under construction in Canada’s oil heartland of Alberta.

Asked about the document, CSIS spokeswoman Tahera Mufti did not address details about the industry meeting or the briefing official’s description of physical threats to Canada’s energy infrastructure.

She said only that the agency’s overall threat assessment for the energy sector has remained constant, and that the sector is a target globally for cyber attacks. Detecting such threats is a “key national security priority,” she said.

Major energy infrastructure companies in Canada, including TransCanada Corp and Enbridge Inc, declined to say whether they sent representatives to the meeting.

The Canadian Energy Pipeline Association, which includes major pipeline companies but did not attend the meeting, said its members have a “robust cyber security program” to prevent espionage.

The Natural Resources Canada federal agency said only that it works with the industry and regional governments to address physical security and referred questions on cyber-intrusion to Public Safety Canada, which did not immediately respond to requests for comment.