The energy sector's unique OT/IT convergence, ICS/SCADA environments, and increasing regulatory pressure from Bill C-8 (CCSPA) and the Canada Energy Regulator require security training and assessments that understand your operational environment - not generic IT security templates.
The oil and gas sector faces a threat landscape that general IT security training and assessments aren't designed for.
Modern oil and gas operations connect Operational Technology (OT) - PLCs, SCADA systems, DCS, field devices - to IT networks and the internet. An attack that starts on a workstation can reach a compressor station control system. Most IT security tools don't understand OT environments.
Industrial Control Systems and SCADA environments often run legacy software with decade-old patch states. Many ICS components were designed for air-gapped environments and have no authentication, encryption, or modern security controls. Connecting them to networks introduces risk they were never designed to handle.
Drilling contractors, measurement service companies, equipment vendors, and remote monitoring providers all need access to operational data. Each third-party connection is a potential attack vector - and Bill C-8 now requires formal supply chain risk management for federally regulated operators.
Energy infrastructure is a priority target for nation-state threat actors. Groups attributed to Russia (Sandworm/Industroyer), Iran (APT33), and China (APT41) have demonstrated capabilities and intent against energy sector OT systems. The threat is real and active.
Oil and gas operators face an increasingly complex regulatory landscape: Bill C-8 (CCSPA) for federally regulated pipelines, Alberta Energy Regulator expectations, NERC CIP for connected electrical systems, PIPEDA for employee/customer data, and cyber insurance requirements.
A cybersecurity incident in oil and gas isn't just a data breach - it's potential pipeline shutdown, spill event liability, environmental consequence, and public safety risk. The operational stakes of a cyber incident are orders of magnitude higher than a corporate IT breach.
The Canada Energy Regulator (formerly National Energy Board) regulates interprovincial and international pipelines and has issued cybersecurity expectations for regulated pipeline operators. These expectations align with NIST CSF and require demonstrated controls across identification, protection, detection, response, and recovery.
The AER regulates Alberta upstream oil and gas operations - wells, facilities, and pipelines within Alberta. While AER does not yet have CCSPA-equivalent mandatory cybersecurity rules, it expects operators to manage technology and cybersecurity risk as part of their overall risk management obligations. AER's regulatory expectations continue to evolve.
Oil and gas companies with co-generation facilities or operations connected to the North American bulk electric system may face NERC CIP obligations. If your facility feeds power to the grid or has BES interconnections, NERC CIP compliance may be required.
ThreeShield delivers training designed for energy sector realities - not generic corporate security awareness.
Tailored for field staff: remote access security, USB/removable media risks, social engineering at operational sites, connected device risks in field environments, and what to do when something looks wrong on a control panel or SCADA display.
For instrument technicians, control systems engineers, and IT/OT support staff. Covers network segmentation principles, PLC/HMI security, remote access to OT systems, vendor access management, and incident recognition.
For executives, compliance officers, and senior management at federally regulated pipeline operators. Covers CCSPA obligations, designation criteria, cybersecurity program requirements, incident reporting obligations, and board accountability.
Facilitated tabletop exercise simulating a cyberattack on energy infrastructure. Scenarios include ransomware hitting the corporate network, ICS/SCADA-targeted attack, remote access compromise at a remote facility, and supply chain-sourced malware.
For procurement, vendor management, and operations teams who manage third-party access. Covers C-8 supply chain risk requirements, vendor security assessment processes, and secure third-party access configuration.
A 60-90 minute executive briefing on the oil and gas threat landscape, regulatory obligations (C-8, CER, AER), and what board-level oversight of cybersecurity requires. Ideal before regulatory examinations or annual strategy sessions.
For energy companies with internal security teams that need continuous monitoring and compliance tooling
For energy companies beginning their CCSPA journey or wanting an independent CISSP/CISA perspective on their security posture
For operators who need a complete, regulator-ready cybersecurity program with ongoing management
Lavawall® provides IT-layer security monitoring for corporate and administrative networks - endpoints, M365, cloud, and patch compliance. For OT/ICS-specific monitoring (SCADA networks, PLCs, field device communications), ThreeShield partners with OT-specialist vendors and can integrate OT assessment findings into a unified security program. Many oil and gas operators need both IT and OT coverage; ThreeShield coordinates the full picture.
It depends on your regulatory designation. Bill C-8 CCSPA applies to designated operators of critical cyber systems - primarily large, federally regulated pipeline operators. Smaller Alberta operators under AER jurisdiction face less prescriptive mandatory requirements today, though this is evolving. However, cyber insurance requirements, customer security questionnaires, and the real operational risk of a cyber incident apply regardless of size. ThreeShield scales its engagements to organization size.
ThreeShield delivers training in multiple formats: in-person at facility locations (Calgary and Alberta-based delivery), virtual instructor-led for distributed teams, and asynchronous e-learning modules that field staff can complete on their schedule. Training is adapted for the audience - we don't present a corporate IT security slide deck to a crew on a well site.
Yes. ThreeShield provides incident response support for active compromises. For energy sector incidents that may involve OT environments, we coordinate with OT specialist partners and escalate to the appropriate regulatory contacts (CER, CCCS) as required by notification obligations. Contact (403) 538-5053 immediately if you have an active incident.
ThreeShield is headquartered in Calgary - Canada's energy capital. We understand the oil and gas operational environment, the regulatory landscape, and the specific threats facing Canadian energy companies. Book an assessment or training conversation today.