

Empowering Cyber in the ENR space – KPMG



Author:  Jeff Thomas, Partner, Advisory Services
KPMG in Canada

Given the significant impacts of COVID-19 today, it is critical to understand your organization’s vulnerabilities to cyber attacks, and the impacts that can arise if systems are corrupted. The threat of cyber attacks looms over all Canadian industries, but the stakes are arguably higher in the energy and natural resources (ENR) sector. For the ENR sector, impacts of data breaches or cyber incursions threaten not only the bottom line but the ability to deliver critical public services.

Consider, for example, the safety implications of an ENR operation going “dark” for merely a day. While a retail operation may take a hit to its bottom line, the costs to an energy company in the same scenario can quickly rise to millions of dollars. Moreover, the inability of utilities or mining companies to perform their regular safeguards can spark serious public safety and environmental concerns.

ENR organizations have always had cyber security on their radar, but the need to safeguard operations from internal and external threats has grown exponentially as equipment and controls become more digital, automated, and “smarter.” As more organizations take their operations to the “cloud” for greater data management and analytical capabilities, the demand for third-party risk management is more pressing than ever.

Moreover, as companies look to streamline their operations, they can inadvertently expose themselves to greater risk. Where critical operations were once governed by a complex and broad range of industrial control vendors, today these controls are becoming more standardized. While this may make it easier to manage areas of cyber weakness, it also creates new vulnerabilities, as cyber criminals can easily use the same malware and other attack tools across numerous environments.

Addressing cyber security means understanding the threat landscape. Today’s threat actors run the gamut, from criminals seeking to hold critical systems “ransom,” to industry competitors attempting to steal proprietary information, to nation states aiming to inflict damage on critical infrastructure. Internal threats also exist in the form of employees who take negative action against the company or third-party associations that may be providing insecure backdoors to your data and systems.

With the sources of cyber risk in view, the next challenge for the industry is to gain the expertise and knowledge to protect their industrial control systems. That can be difficult given that many ENR systems have been designed to make access and availability a top priority. Yet, while systems have traditionally been designed to ensure everyone can get in, the focus must now shift to ensuring only the right people are permitted access.

These considerations must be taken into account by board members, including the Audit Committee. Audit Committees play a critical role in understanding the vulnerabilities of the organization to cyber attacks, the impacts that can arise if systems are corrupted, and where to best invest in cyber security controls. After all, ENR companies face constant cost pressures and adding cyber security expenses to the budget isn’t always an easy sell. Audit Committees need to ensure they’re helping to guide cyber security investments towards the most critical assets and operations.

What should audit committees be asking?

  • Are our cyber security efforts focused on the areas of highest risk?
  • How well do we understand our cyber vulnerabilities, both on the operational and data side?
  • What has our cyber risk mitigation process been to date?
  • Have we obtained outside help to validate our assessment of the potential impact of a cyber event across key areas?
  • How good are our controls in those prioritized areas? How do we evaluate those controls?
  • What is our response and recovery strategy for when a cyber event happens?

Board members would also do well to remember that there is a significant difference between merely complying with cyber security requirements and actually being secure in today’s threat environment. That is, while many organizations “tick the box” to meet the requirements set out by the North American Electric Reliability Corporation’s Critical Information Protection (NERC CIP) standards, this does not necessarily mean they are entirely secure. Here again, it’s essential to assess each operation’s critical digital assets, vulnerabilities, and other potential targets.

The ENR industry is a diverse space consisting of energy generators, mining operations, and green energy innovators. Cyber security strategies differ between each based on numerous factors (e.g., assets, location, threat exposure), but there is a common push among all Canadian ENR players to recognize that the industry is as vulnerable to today’s cyber risks as any other, and just as accountable (if not more so) for keeping its operations and customers secure.

For more information on cyber services, please contact:

Jeff Thomas, Partner
Advisory Services, KPMG in Canada

jwthomas@kpmg.ca
