CSA Z246.1:21 — Security Management for Petroleum and Natural Gas Industry Systems

A contributor to Canada's national security management standard for the petroleum and natural gas industry. As Vice-Chair of the technical committee and a member of the working group, contributed to Update No. 1 (2025), which revised Clauses 6 and 7 covering information security and cybersecurity.

A contributor to Canada's national security management standard for the petroleum and natural gas industry. As Vice-Chair of the technical committee and a member of the working group, contributed to Update No. 1 (2025), which revised Clauses 6 and 7 covering information security and cybersecurity.

CSA Z246.1 is the National Standard of Canada for security management in petroleum and natural gas industry systems. First published in 2009 and now in its fourth edition (CSA Z246.1:21, February 2021), the standard sets out a performance-based, risk-driven approach to establishing a Security Management Program (SMP)—governance, planning, detection and mitigation, and continual improvement through change management and audit. It is adopted federally by the Canadian Energy Regulator and enforced provincially, including by the Alberta Energy Regulator under Alberta Regulation 84/2024 (effective May 31, 2025) and by the BC Energy Regulator.

As Vice-Chair of the CSA Z246.1 technical committee, I served on the working group responsible for Update No. 1 (2025), which revised Clauses 6 and 7 on information security and cybersecurity. The revision was the product of extensive collaboration with professionals from Enbridge, CSIS, the Canadian Energy Regulator (CER), the Alberta Energy Regulator (AER), the BC Energy Regulator (BCER), and many others across Canada—more than three in-person meetings, roughly ten online sessions, and over forty industry comments carefully considered and integrated. The work reflects the standard's core philosophy: rather than a prescriptive checklist, it asks operators to build cybersecurity and information-security measures that reflect the characterization and risk of the IT and industrial control system assets they need to protect.

CSA Z246.1:21 is now published under the designation CSA Z246.1:21 (R2026), incorporating Update No. 1 (2025) and Errata (2026).