Calgary is the corporate headquarters for Canada's oil and gas industry. Suncor Energy, Canadian Natural Resources, Cenovus Energy, TC Energy, Enbridge, and hundreds of mid-size operators make Calgary the decision-making centre for upstream exploration and production, pipeline operations, and energy infrastructure across Alberta and beyond.
The operational technology supporting these organisations, from SCADA systems monitoring oil sands extraction to pipeline control centres managing thousands of kilometres of transmission infrastructure, represents some of the most complex and consequential OT environments in North America. The Canadian Centre for Cyber Security (CCCS) has identified the energy sector as one of Canada's highest-priority critical infrastructure protection areas, and CCCS advisories increasingly reference OT-specific threats from nation-state actors and criminal ransomware groups targeting industrial operations.
We provide OT cybersecurity assessments, IEC 62443 alignment, and OT risk management services for energy and industrial operators in Calgary and across Alberta, delivered remotely and on-site as required.
The OT Cybersecurity Risk Landscape for Calgary-Based Energy Operators
Corporate Risk and Distributed Operational Technology
Calgary-headquartered energy companies face a distinctive OT security challenge: corporate decision-making, IT infrastructure, and security teams are concentrated in Calgary, while operational technology is distributed across remote field sites in northern Alberta, British Columbia, Saskatchewan, and offshore. Remote site connectivity, required for real-time monitoring and control of oil sands extraction, SAGD operations, gas processing, and pipeline systems, creates the attack pathways that OT-focused threat actors exploit.
Oil Sands and SAGD Operations
Steam-assisted gravity drainage operations in the Athabasca oil sands are among the most process-intensive OT environments in Canada. DCS systems managing steam injection pressures, wellbore temperatures, and bitumen extraction rates operate continuously, cannot tolerate unplanned interruptions, and run on patching cycles measured in years rather than months. The combination of process criticality and patching constraints makes these systems high-priority targets that require compensating security controls at the network and access control level.
Pipeline Operations and SCADA Networks
TC Energy and Enbridge together operate the largest pipeline networks in North America, both headquartered in Calgary. Smaller pipeline operators controlling intra-Alberta gathering and transmission systems face the same OT security obligations with proportionally smaller security teams. Pipeline SCADA networks span thousands of monitoring and control points across remote terrain, many of which connect to the corporate network through cellular or satellite communications links that require specific remote access hardening.
Regulatory and Compliance Framework for Alberta Energy Operators
| Standard / Regulation | Applies To | Key OT Requirement |
|---|---|---|
| CCCS Industrial Control Systems Security Guidelines | All Canadian critical infrastructure operators | Asset inventory, network segmentation, incident detection and reporting |
| Alberta Energy Regulator (AER) Directive 067 and security requirements | Alberta oil and gas operators | Operational data protection, control system integrity |
| IEC 62443 (ISA/IEC) | Industrial automation and control system operators | Zone and conduit architecture, Security Levels, and patch management |
| NIST SP 800-82 Rev. 3 (referenced by CCCS) | Critical infrastructure operators | OT-specific security controls, asset visibility, and monitoring |
| Canadian Petroleum Safety Council (CPSC) standards | Pipeline and oil and gas operators | Safety and operational integrity requirements with cybersecurity implications |
Industries We Serve in Houston and the Texas Energy Corridor
OT Cybersecurity Services for Calgary and Alberta Energy Operators
OT Risk Assessment and Gap Analysis
A structured OT risk assessment maps current security controls across your industrial network against IEC 62443, CCCS guidelines, and sector-specific requirements. For Calgary-based operators with distributed field operations, we assess both the corporate-to-field connectivity architecture and the OT security posture of individual field sites. The deliverable is a risk-prioritised remediation roadmap that accounts for operational constraints at each site type.
IEC 62443 Zone and Conduit Architecture
IEC 62443 provides the most technically specific framework for securing industrial control systems in oil and gas and pipeline environments. Zone and conduit design, Security Level assignment, and systematic control implementation give OT security teams a structured approach that scales from a single gas processing facility to a multi-site pipeline network spanning multiple provinces. We conduct Security Level assessments and design architecture changes aligned to IEC 62443 Part 3 requirements.
Remote Site and Field OT Security
Remote oil and gas sites in Alberta often rely on cellular, microwave, or satellite communications for SCADA connectivity, with limited on-site IT support and vendor remote access provided through general-purpose VPN connections. We assess remote site connectivity architecture, identify access control gaps, and design hardening measures that maintain operational reliability while eliminating unnecessary remote access pathways.
OT Vulnerability Assessment
Passive OT vulnerability assessment provides a risk-prioritised inventory of vulnerabilities across your control system asset base without active scanning that could disrupt operations. For oil sands and pipeline operators running legacy Honeywell, Emerson, ABB, or Rockwell Automation platforms, we cross-reference installed firmware versions against CCCS advisories and vendor security bulletins to identify which vulnerabilities are exploitable in your specific network context.
Incident Response Planning
An OT-specific incident response plan for an Alberta energy operator needs to account for coordination between Calgary-based security and IT teams, remote site operations personnel, regulatory notification obligations to the AER and Transport Canada, and vendor support requirements for control system recovery. We develop and test OT incident response plans through tabletop exercises that simulate realistic attack scenarios based on current CCCS threat intelligence for the energy sector.
Frequently Asked Questions
We provide both. Remote assessment and advisory work covers most planning, documentation review, architecture analysis, and gap assessment activities. On-site work at specific facilities in Alberta is available by arrangement for hands-on vulnerability assessment, network architecture review, and tabletop exercise facilitation. Most engagements begin with a remote scoping call to understand the environment before any on-site activities are planned.
Yes. Multi-site engagements are common for Alberta-based energy operators with distributed operations. We typically conduct a corporate architecture review and representative site assessments, then extrapolate findings across similar site types. For operators with highly variable site profiles, such as a mix of large facilities and remote unmanned sites, we design the assessment scope to cover each distinct site category.
IEC 62443 applies directly. Oil sands SAGD operations use distributed control systems and safety instrumented systems that fall within the industrial automation and control system (IACS) scope of IEC 62443. The zone and conduit model applies to segmenting the process control network from historian systems, from the corporate network, and from vendor remote access pathways. Security Level assignments are determined by the process criticality of each zone, with safety-critical zones such as emergency shutdown systems typically targeting SL 2 to SL 3.
The CCCS publishes cybersecurity guidance and advisories specifically for Canadian critical infrastructure operators, including the energy sector. CCCS advisories identify active threat actors targeting Canadian industrial networks and publish technical mitigation guidance. While CCCS guidance is not legally mandated for private sector operators in the same way that TSA directives apply in the US, Canadian energy regulators increasingly reference CCCS guidelines in their expectations. Aligning with CCCS guidance is considered due diligence for Canadian energy operators.
.png){kind=logo}
.png){kind=logo}
.png){kind=logo}
.png){kind=logo}
.png){kind=logo}
.png){kind=logo}
.png){kind=logo}
.png){kind=logo}
.png){kind=logo}
.png){kind=logo}
.png){kind=logo}
.png){kind=logo}