On May 31, 2025, Regulation 84/2024 “Security Management for Critical Infrastructure” will take effect in Alberta. Introduced as part of the Responsible Energy Development Act, the new regulation underscores a growing focus on securing the province’s critical infrastructure and achieving alignment with other regulators across Canada. But what does this mean for players in Alberta’s energy sector and what are the practical steps to achieving compliance? Most importantly, what are the consequences of non-compliance?
Understanding the context around 84/2024 as well as the implications and scope of the new regulation is a critical step on the path to compliance. In this post, we’ll explore these topics and give you useful recommendations to help you meet the new requirements.
Getting to know 84/2024: Who does it affect?
At a high level, the new regulation will apply to the Alberta Energy sector, including:
· in situ operations
· wells
· processing plants
· pipelines
· mines and mining operations
· coal and processing property
The Alberta Energy Regulator will maintain a list of critical infrastructure and enforce the new regulation for organizations that meet a set of minimum threshold requirements based on several factors, including:
· the size and type of the facility,
· the proximity of the facility to people, property, and environmental factors,
· facility throughput,
· the interdependency between the facility and other infrastructure, and
· other relevant factors.
Understanding the context: Creating a comprehensive security framework
At its core, 84/2024 mandates that any facility named in the critical infrastructure list must establish a security management program in accordance with CSA Z246.1. Together with ISO 27001, IEC 62443, and NIST SP 800-82, CSA Z246.1 creates a comprehensive security management program to safeguard both IT and OT in petroleum and natural gas systems.
Each of these standards plays an important role, promoting effective governance, technical controls, and risk management. ISO 27001 supports governance and audits, IEC 62443 introduces protections specific to industrial control systems (ICS), and NIST SP 800-82 offers tailored ICS safeguards. All three complement CSA Z246.1’s focus on critical infrastructure resilience, and organizations that have taken an integrated approach to aligning these security management frameworks should be well on their way to compliance with 84/2024.
The CSA Z246.1 standard has already been adopted by the British Columbia Energy Regulator (BCER) and Canadian Energy Regulator (CER) for interprovincial pipelines. We anticipate more energy sector regulators across Canada will adopt it in the future.
Ten recommendations for compliance, in order of priority
For Alberta companies preparing for 84/2024, planning for compliance is essential, especially since failure to comply could result in consequences like suspension of an organization’s license to operate an asset or facility.
To help you get started, we’ve compiled and prioritized a list of ten recommendations:
1. Implement a scalable Security Management Program (SMP) with proper policies, standards, guidelines, accountability, and performance management targets.
2. Adopt an engineering-focused risk management process aligned to your overall enterprise risk management process.
3. Implement an OT-specific threat and vulnerability management program capable of identifying OT-specific assets, threats, and vulnerabilities.
4. Strengthen cybersecurity measures by implementing proper network segregation, secure remote access, effective asset discovery, identity and access management, etc.
5. Establish OT-specific incident response protocols and business continuity plans.
6. Prioritize security training around cyber threats and the new CSA guidelines for engineering and IT groups.
7. Enhance physical security controls to protect technology assets.
8. Secure sensitive information by implementing proper information management and data loss controls.
9. Automate compliance tasks, like log management and OT-specific monitoring.
10. Conduct regular audits and updates.
How we can help
Meeting the requirements set out by the new regulation won’t be an easy task, but our team is here to support you with deep expertise in IT and OT security for the energy sector. Here are some of the areas where we can help:
Security Management Program (SMP) development
Our security experts can design and implement a risk-based SMP that’s aligned with CSA Z246.1, integrating governance frameworks, asset criticality, and key performance indicators for continuous improvement.
ICS/OT cybersecurity controls aligned with IEC 62443 or NIST 800-82
We can apply IEC 62443’s network segmentation and NIST 800-82’s audit checklists to secure OT systems against ransomware and supply chain threats, ensuring CSA Z246.1 compliance.
Incident response & recovery planning
We develop and test OT-specific incident protocols, including SCADA malware simulations, to enable rapid recovery and minimize downtime during cyber-physical breaches.
Security awareness training
To reduce human-error incidents, we deliver role-specific security training, such as hands-on simulations, aligned with the mandates set out in clause 8 of CSA Z246.1.
Emergency management (CSA Z246.2) integration
Using automated alerts and cross-functional drills to coordinate security and crisis response teams, we align SMPs with CSA Z246.2 emergency plans.
Continuous monitoring & threat detection
We deploy SIEM tools with threat detection capabilities to proactively hunt threats, validate controls, and support CSA Z246.1’s audit cycles in IT/OT environments.
Stay current on IT and OT security trends
The convergence of IT and OT is driving new conversations and trends in security. In fact, OT security is one of the 9 cybersecurity trends our team is keeping a close eye on in 2025.
We’ll continue to explore these standards and best practices for compliance and security, leading the conversation at key cybersecurity events throughout the coming year, starting with the NKST Cybersecurity Leadership Forum on February 27, 2025.
For information about future events we’re attending, please contact your MOBIA representative and follow us on LinkedIn.
By
Ashif Samnani
Ashif Samnani is a distinguished cybersecurity leader with over 20 years of experience, specializing in Cybersecurity Operations, Governance Risk and Compliance (GRC), and Operational Technology (OT) Cybersecurity. His expertise lies in aligning business goals with effective risk reduction strategies, helping organizations build successful cybersecurity programs tailored to their specific needs. Ashif's comprehensive approach integrates security across operations, governance, and technology, ensuring a holistic cyber resilience strategy. As a thought leader in the industry, he regularly shares insights on emerging trends, mentors cybersecurity professionals, and drives the adoption of cutting-edge technologies. Ashif's unique ability to balance robust security measures with business enablement has made him instrumental in shaping the cybersecurity landscape, guiding organizations through the complex digital terrain while supporting their overall objectives.