With Alberta leading the way on industrial cybersecurity, experts call for a national strategy to defend Canada's critical infrastructure from rising OT threats
Alberta has raised the bar. As of May 31, its new Security Management for Critical Infrastructure Regulation mandates operational technology (OT)-focused protections aligned with CSA Z246.1 (the federal standard that specifies criteria for establishing a security management program for petroleum and natural gas industry systems). Operators must inventory and segment control systems, minimize attack surfaces and implement intrusion detection. Most critically, Alberta regulators have enforcement power.
“Alberta’s bold move sets a new standard for protecting what powers our nation. This isn’t just regulation; it’s a wake-up call to embed cybersecurity into the DNA of critical infrastructure,” says Denrich Sananda, managing partner at Arista Cyber in Richmond Hill, Ont.
At the federal level, Bill C-26’s Critical Cyber Systems Protection Act (CCSPA) promises long-overdue OT security requirements for sectors like telecom, banking and energy. It mandates risk management programs, incident reporting and compliance with government directives. But gaps remain: oversight is weak, its scope is narrow and it omits ransomware and safe harbour provisions.
“Canada must lead in OT cyber security policy to protect our national interests, as our critical infrastructure supports the essential services Canadians rely on every day,” urges Ashif Samnani, national cybersecurity practice leader at Dartmouth, N.S.-based Mobia Technology Innovations.
“This protection requires a national mandate, prioritizing and resurrecting bills such as Bill C-26 tied to a larger scope over provincial approaches such as Alberta Legislation 84/2024, to ensure a unified and resilient defense against evolving cyber threats.”
There are four priorities federal authorities should initiate:
Globally, allies are acting decisively. The U.S. now mandates cyber incident reporting and sector-specific controls. Europe’s NIS2 directive imposes strict OT requirements and executive accountability. Australia, too, is prioritizing OT risk management.
Meanwhile, ransomware attacks on industrial systems have surged 87 per cent. New malware like Pipedream targets control systems directly. CISA and CCCS warn that Canada’s OT environment, including water, transportation and power systems, remains dangerously exposed.
“To stay ahead of escalating threats, Canada must treat Alberta’s move not as the finish line, but as a starting point for national leadership in OT risk governance,” echoes Tristan Kim, head of security sales at Kore Solutions, Toronto.
The Canadian Cybersecurity Network (CCN) will publish a national OT cybersecurity report and host a leadership summit in Calgary this September. Policymakers should treat this moment as a turning point. Bill C-26 offers a framework, but leadership, transparency and funding must follow.
Canada cannot afford to remain reactive. OT is the new front line. The time to lead is now. To find out more about the National OT Report and Event, go here.