Suncor trades laptops after a cybersecurity incident as the energy industry assesses risks

Suncor is replacing employee computers after a cybersecurity incident last week shut down debit and credit processing at Petro-Canada gas stations across the country, in addition to a slew of other security measures at the Calgary-based company.

A July 3 internal communication, seen by CBC News, says the company will be replacing desktop and laptop computers in waves to ensure the devices are safe to use, starting with “a small number of employees and contractors tuned to business critical”.

It’s not clear from the memo what the scope of the computer recall is or which departments were affected, but one expert said if the recall is extensive, it would indicate a serious situation.

“You wouldn’t normally expect hardware to be so completely compromised that you have to replace everything,” said cybersecurity expert Chester Wisniewski, field chief technology officer at global cybersecurity firm Sophos.

CBC News asked Suncor if it planned to replace all computers company-wide, or just certain departments, but received no response.

Suncor employees were also told in recent days not to use social media on company devices or let people piggyback behind them in an elevator.

The company has remained silent on the cause of last week’s attack, which affected debit and credit transactions at gas stations across the country and customers’ access to the Petro Points loyalty program.

While the public nature of the Suncor incident has made cybersecurity a hot topic, cyber threats have been a growing concern across the country for years, especially within the oil and gas sector.

According to Statistics Canada survey data, in 2019 about a quarter of Canadian organizations classified as oil and gas had reported a cyber incident — the highest of any infrastructure sector, according to a Canadian Center for Cyber ​​Security report released just days before the Suncor incident.

Affected for business reputation, operations

As of Wednesday, customers were still complaining to Petro-Canada Twitter about the Petro-Points app not working, an issue the company has said it is “working hard to fix”.

The outage is expected to cost the company its head.millions of dollarsbefore it is fully resolved, according to an early estimate by the Canadian Internet Registration Authority.

The blow to the company includes the direct loss of gas station sales during the peak of the outage, although there will also be effects that are not so immediately apparent, said Geoffrey Cann, a former Deloitte partner and consultant in the energy sector.

The brand’s reputation will have been dented by dedicated Petro-Can customers losing access to their loyalty program, he said.

There may also be the operational headache of dealing with the logistics of storing or selling oil that was still being refined as sales at Petro-Can sites fell, he said.

The incident could also affect productivity if IT issues persist, he said.

“Unless they somehow had a standby, ready-to-go, completely different computer system – which they could turn on while removing the old systems – there should be a break in the day-to-day activities of the staff, Kan said.

Within the broader oil slick, the incident is prompting companies to rethink their own IT systems.

“I know this is something board members will ask questions about because it’s all about risk management and business integrity,” said Deb Yedlin, CEO of the Calgary Chamber of Commerce.

She predicts that cybersecurity could become another focus that oil and gas companies discuss in quarterly talks, similar to the rise of environmental, social and governance (ESG) reporting.

“This is something that will be very high on the agenda, if it isn’t already,” she said.

Tim McMillan, former president of the Canadian Association of Petroleum Producers, says the incident is another “wake-up call” for companies, though he stressed that cyber threats are nothing new in the industry.

“No one can stop the attack, we know businesses will be under constant attack,” said McMillan, who is now a partner at the consulting firm Garrison Strategy.

“Are [about] how do you ensure the right security levels and different stages of security so that when you are inevitably attacked, if a vulnerability is found, it doesn’t become devastating to your business or to the power system here in Canada?”

‘This is coming at us’

High-profile cybersecurity incidents are becoming more common in the public and private sectors. In the past year, attacks have been carried out against various targets Indigo Unpleasant Empire foods to the Nova Scotia government have disrupted transactions and disclosed personal information of Canadians.

In April, a pro-Russian hacking group claimed responsibility for a cyber attack against Hydro Quebec. That same day, the Communications Security Establishment (CSE) warned a cyber threat actor “had the potential to cause physical damage” to a piece of critical infrastructure and while no damage was done, “the threat is real”.

Within the oil and gas sector, ransomware is the biggest threat to the reliable supply of oil and gas in the country, it said the report from the Canadian Center for Cyber ​​Security, although the sector is also likely to be targeted by state-sponsored cyber espionage “for commercial or economic reasons”.

Cann expects the threat to only increase in the coming years.

Amid the conflict between Russia and Ukraine, he said both sides are developing tools to attack each other’s critical infrastructure that could eventually circulate on the dark web and even be used against non-hostile players like Canada.

“We as an industry [have] I just need to know that this is coming our way and we have to be prepared,” said Cann.