Suncor is proactively addressing a recent cybersecurity incident at Petro Canada gas stations. The company will replace employee computers and implement additional security measures as part of its response.
An internal communication obtained by CBC News states that the replacement process will occur in stages. Starting with a small number of critical employees and contractors.
While the memo does not provide specific details about the extent of the computer recall or which departments were affected, cybersecurity expert Chester Wisniewski emphasizes that a comprehensive recall indicates a severe situation.
He explains that it is unusual for hardware to be compromised to such an extent that replacement becomes necessary. Suncor has yet to disclose whether all computers throughout the company will be replaced or if only specific departments will be affected.
In addition to computer replacements, Suncor has instructed employees not to use social media on company devices and to avoid getting too close to people in elevators.
The company has refrained from revealing the cause of the attack that disrupted debit and credit transactions at gas stations nationwide and impacted customer access to the Petro Points loyalty program.
The recent incident involving Suncor highlights the ongoing concern surrounding cyber threats in Canada, particularly within the oil and gas sector. According to data from Statistics Canada's 2019 survey, approximately 25% of oil and gas organizations reported experiencing a cyber incident—the highest percentage among infrastructure sectors.
These findings align with a report from the Canadian Centre for Cyber Security released shortly before Suncors' incident.
Despite efforts to resolve issues promptly, customers continue to voice complaints on Twitter regarding functionality problems with the Petro Points app. Petro Canada has assured customers that they are working diligently towards resolving these issues as quickly as possible.
Early estimates suggest that this outage could incur costs amounting to millions of dollars for Suncor until it is fully rectified, according to information provided by the Canadian Internet Registration Authority (CIRA).
According to Geoffrey Cann, a former Deloitte partner and energy industry consultant, this incident will have multiple repercussions apart from direct sales loss during Petro-Can outage.
These consequences may not be immediate but are expected to influence various aspects differently. The brand reputation of Petro-Can has been affected due to loyal customers' inability to access their loyalty program.
According to his observations, there might be operational complexities involved in handling or selling oil that was still undergoing refining while sales at Petro-Can locations were decreasing.
Additionally, he mentioned that ongoing IT issues could pose productivity challenges. Cann stated that unless they had an alternative computer system readily available while replacing old systems, day-to-day employee activities would inevitably be disrupted.
Consequently, this situation has led energy industry companies to reassess their IT systems' capabilities.
Deb Yedlin, CEO of the Calgary Chamber of Commerce, predicts that board members will question this incident's impact on risk management and business integrity.
She anticipates cybersecurity becoming a prominent topic discussed during quarterly earnings calls among oil and gas companies—similar to how environmental, social, and governance reporting has gained significance.
"This is an area we cannot overlook," she emphasized.
Attacks cannot be stopped; however, implementing the proper security measures at multiple levels or stages can significantly minimize their detrimental impact on the affected company or the whole energy system.
Over the past year, there have been numerous cyberattacks on various organizations in Canada, such as Indigo, Empire Foods, and the Nova Scotia government. These attacks have caused disruptions and exposed the personal information of Canadians in April. A hacking group with pro-Russian ties claimed responsibility for a cyberattack on Hydro Quebec.
On that same day, the Communications Security Establishment (CSE) issued a warning stating that a cyber threat actor could cause physical damage to critical infrastructure. Although no damage occurred, according to a report from the Canadian Centre for Cyber Security, the CSE emphasized that this threat is real. Ransomware poses the greatest threat to Canada's oil and gas sector and its reliable supply of these resources.
State-sponsored cyber espionage will likely target this sector for commercial or economic reasons. Cann anticipates that this threat will continue to grow in the coming years. Given the ongoing conflict between Russia and Ukraine, both sides are developing tools to target each other's critical infrastructure. It is possible that these tools could end up on the dark web and be used against countries like Canada. Even if they are not directly involved in the conflict, as an industry, we must acknowledge that these threats are imminent and take steps to ensure our preparedness.