Publication
Published May 21, 2025
On May 31, 2025, the Government of Alberta's Security Management for Critical Infrastructure Regulation (the Regulation), under the Responsible Energy Development Act (the Act), will come into force.[1] The Regulation targets "critical" facilities in the province, such as pipelines and processing plants. A key goal of the Regulation is the prevention and management of cybersecurity attacks on critical infrastructure. These attacks are on the rise and can have devastating consequences for businesses, such as the temporary shutdown of critical services, which can cost millions of dollars. Below, we outline what you need to know about the upcoming Regulation.
The Regulation will apply to "critical" facilities as categorized by the Alberta Energy Regulator (AER). The AER will be responsible for determining whether a facility qualifies as a "critical facility", and in doing so, it will consider numerous factors, including the size of the facility, its proximity to people, and how it interacts with other infrastructure.[2] The AER will be required to maintain a list of critical facilities – the "critical infrastructure list" – and will be required to inform those whose facilities are on the list.[3] The critical infrastructure list will be confidential.[4]
The Regulation will require all critical facilities to have both security and cybersecurity measures in place that accord with CSA Z246.1 (the CSA Standard) – a Canadian standard related to security management for petroleum and natural gas industry systems.[5] The CSA Standard sets out general requirements for organizations (e.g. creating security incident management programs), but provides organizations with some discretion in certain areas to consider which software and cybersecurity practices make the most sense for their business. Generally speaking, the CSA Standard uses "security" and "cybersecurity" interchangeably, but organizations should note that there may be both physical and non-physical elements to their cybersecurity. For example, organizations may be required to have certain technology and infrastructure in place (physical elements), while also maintaining specific data protection software on their electronic devices (non-physical elements). These components all work in tandem to bolster an organization's cybersecurity.
The CSA Standard requires organizations to:
The AER will have the power to require a licensee to file with the AER all or specified information in relation to the security management of a critical facility, and to audit security management programs.[9] If the AER finds that a critical facility has not established a proper security management program, it may order that one be established, or, in some cases, it may order the shutdown of a critical facility.[10]
If you expect to be added to the AER's critical infrastructure list, some suggestions on how to prepare are:
For assistance on navigating the Regulation, the CSA Standard or cybersecurity generally, feel free to contact any of the authors.
[1] Security Management for Critical Infrastructure Regulation, Alta Reg 84/2024 at s 6 [Regulation].
[2] Responsible Energy Development Act, SA 2012, c R-17.3 [Act].
[3] Regulation at ss 2(1) and 2(3).
[4] Regulation at s 2(4).
[5] Regulation at s 3(1).
[6] CSA Group, "Security management for petroleum and natural gas industry standards" (February 2021) online (pdf): <CSA Z246.1:21 | Product | CSA Group> at s 10.2.
[7] CSA Group, "Security management for petroleum and natural gas industry standards" (February 2021) online (pdf): <CSA Z246.1:21 | Product | CSA Group> at s 4.2.
[8] CSA Group, "Security management for petroleum and natural gas industry standards" (February 2021) online (pdf): <CSA Z246.1:21 | Product | CSA Group> at s 7.2.1 & 7.2.2.
[9] Regulation at ss 3(3) and 3(5).
[10] Regulation at s 3(2).