In May 2021, a ransomware attack crippled Colonial Pipeline, one of North America’s largest fuel distribution systems across its 5,500-mile network. The incident disrupted supply across the U.S. East Coast for days, triggering widespread shortages, panic buying at gas stations. The attack exposed a troubling reality: critical infrastructure in North America is more vulnerable than previously suspected. While Canada avoided the full effects of the attack, given that the pipeline does not supply the Canadian market, the implications are clear. An incident targeting a cross-border pipeline or power transmission system could trigger a cascading effect through the integrated network, causing disruption in both Canada and the United States simultaneously, with far greater economic and security consequences.
Securing these assets is complicated by Canada’s divided jurisdiction. The federal government oversees international and interprovincial infrastructure, telecommunications, banking, and nuclear energy; however, provinces retain primary authority over electricity generation, transmission and distribution within their borders. This division prevents Ottawa from unilaterally imposing uniform baselines, meaning any move toward national standards requires negotiation across these distinct jurisdictional boundaries.
This fragmented oversight produces three critical vulnerabilities. First, baseline cybersecurity standards remain voluntary and unaudited across operators. Second, there is a shortage of actionable technical advisories that translate threat intelligence into operator-specific protective measures. Third, there is no consistent federal-provincial interface at the operational level that produces synchronized incident response at speed. Modern cyber attacks propagate through technical networks faster than federal and provincial authorities can coordinate responses. Threat actors, whether state-sponsored or criminal, exploit these jurisdictional seams, targeting vulnerabilities that exist precisely because no single authority can mandate comprehensive protection across interconnected systems.
Canada’s Critical Energy Infrastructure: Governance and Threat Environment
Canada’s energy sector, which forms the backbone of the nation’s economy and way of life, is characterized by its geographic expanse, diverse resource base, and intricate interdependencies. This Critical Energy Infrastructure (CEI) spanning from the oil sands of Alberta and offshore Atlantic platforms to the vast hydroelectric dams and nuclear facilities of Ontario and Quebec, faces an evolving threat landscape that includes cyber-attacks, physical sabotage, and climate disruption.
Securing this infrastructure is best evaluated through the lens of NATO’s energy security framework that provides three relevant analytic categories: i.e. enhancing strategic awareness of the security implications of energy, protecting critical energy infrastructure; and improving military energy efficiency. While these categories originated within a collective security context, they offer a rigorous framework for assessing domestic resilience. This article identifies the governance gaps in Canada’s CEI approach, demonstrates why voluntary frameworks are inadequate for the modern threat environment, and establishes the urgent case for reform.
NATO’s 2022 Strategic Concept acknowledges that authoritarian actors conduct cyber-attacks and manipulate energy supplies, requiring Allies to identify and mitigate strategic vulnerabilities in critical infrastructure. The comprehensive domestic strategy required for Canada’s CEI must strengthen cyber-physical resilience and reduce vulnerability through diversification of energy generation and distributed infrastructure.
Canada’s Current CEI Governance Framework: Origins and Evolution
To understand the gaps, we must first examine Canada’s existing approach. Public Safety Canada (PSC) coordinates the national strategy for critical infrastructure resilience by working through a collaborative federal-provincial-territorial model with significant private sector participation. This framework is organized around ten critical infrastructure sectors, including Energy and Utilities, Transportation, among others.
The cornerstone of this approach is the National Strategy for Critical Infrastructure (2009), which emphasizes voluntary collaboration, information sharing, and risk management partnerships rather than imposing top-down regulatory mandates. This voluntary model reflected the policy consensus of the early 2000s: private sector flexibility and government-industry partnership could deliver security outcomes more efficiently than prescriptive regulations.
For more than a decade and a half, this collaborative approach fostered relationships between government agencies and industry operators, enabled information sharing through established networks, and created a foundation for coordinated risk management. However, the strategic threat landscape has evolved from primarily regional concerns toward sophisticated, state-sponsored hybrid warfare targeting critical systems. The voluntary governance model, well-intentioned and initially effective, now represents a critical vulnerability in Canada’s defence posture.
The Response Latency Gap: Why Voluntary Governance Falls Short
The central challenge of Canada’s voluntary governance is the response latency between the detection of emerging threats and the implementation of coordinated defensive measures. Within the National Institute of Standards and Technology (NIST) Cybersecurity Framework, this represents a failure in the critical transition from the “Detect” to “Respond” function. Jurisdictional fragmentation systematically widens the gap. Adversaries exploit this lag using what the Canadian Centre for Cyber Security (CCCS) defines as Cyber Tools: the programs and capabilities used by threat actors to conduct malicious activity. The increasing commercialization of these tools, particularly ransomware-as-a-service, enables threat actors to operate with a velocity that outpaces Canada’s current voluntary reporting and coordination cycles.
In its effort to safeguard critical systems, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) releases detailed, actionable alerts; for example, it warns energy operators about advanced persistent threat (APT) actors targeting ICS/SCADA devices such as programmable logic controllers. The agency also provides technical indicators of compromise, mitigation steps, and assessments of the potential consequences of successful attacks.
In contrast, Canada faces an operator-facing specificity gap. While the CCCS provides sector-wide technical guidance, and PSC acts as a coordinating body, the decentralized nature of Canadian critical infrastructure hinders centralized collection of incident intelligence. This fragmentation causes threat intelligence to be scattered across diverse actors, often forcing federal agencies to issue generic sector-wide alerts instead of the device-specific guidance required for immediate defensive action. Consequently, by the time operators receive these generalized warnings, adversaries may have already exploited specific vulnerabilities.
This governance model creates a collective-action problem with uneven incentives for investment. While some operators invest heavily in resilience for internal risk management, the current voluntary system allows others to operate with minimal defenses at a lower price point, as there is no uniform penalty for insecurity unless a major incident occurs. This disparity risks a “race to the bottom” where rational economic actors may minimize security spending to remain competitive. This uneven investment landscape leaves critical systems vulnerable to adversaries who strategically target the weakest points in the shared network.
Despite existing legal frameworks for national security information sharing, the federal government faces persistent challenges in operationalizing rapid, actionable data flows. To address this, the government introduced Bill C-26 in 2022; however, the legislation died on the Order Paper following the prorogation of Parliament in January 2025. Its successor, Bill C-8, was introduced in June 2025 and contains substantially similar provisions. Under this proposal, the government would establish mandatory reporting obligations, which would require designated operators to notify the Communications Security Establishment (CSE) within 72 hours of detecting a cyber-incident. Such a transition from voluntary sharing to a mandated framework would reflect an official recognition that existing mechanisms for threat intelligence exchange are insufficient for current operational demands.
Regulatory Asymmetry and Strategic Vulnerability
Canada and the United States maintain deeply integrated energy infrastructure, sharing over 35 cross-border electricity transmission connections and extensive pipeline systems. The Bulk Electric System (BES), which includes large generation facilities and major transmission lines, operates under mandatory North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) standards. Within Canada, these standards are implemented through provincial regulators and reliability authorities to maintain cross-border alignment. However, a security gap persists at the distribution level; unlike the BES, security standards at the distribution level vary significantly across provinces. These non-BES systems are managed by provincial and municipal utilities under voluntary frameworks, such as NIST. While valuable for risk management, these voluntary standards lack the enforcement powers and rigorous audit mechanisms associated with NERC-CIP.
This disparity creates a strategic vulnerability: adversaries seeking successful disruption increasingly target less-regulated segments where defensive measures are weakest. While some Canadian infrastructure operates under mandatory standards like those governing Bulk Electric Systems (BES), large portions of critical distribution and control systems remain subject to voluntary NIST standards with no obligatory audits and minimal regulatory baselines, ultimately undermining the resilience of NATO’s collective defence architecture.
Conclusion
Canada’s voluntary CEI governance framework, built during a different threat environment, now faces challenges that exceed its design parameters. Response latency gaps, regulatory asymmetry with integrated U.S. systems at the distribution level, and insufficient operator-facing technical guidance have created gaps that sophisticated adversaries can exploit. Cyber enabled disruption, coercive state behaviour, and climate cascades can exploit uneven baselines and slow pathways for converting threat information into operator action.
Bill C-8’s proposed Critical Cyber Systems Protection Act represents a fundamental shift from voluntary to mandatory cybersecurity obligations for designated operators in federally regulated sectors. A credible reform agenda requires four concrete elements; each reflected in the proposed framework. First, establish mandatory cybersecurity baselines for designated operators in high-consequence segments, with clear accountability and enforcement mechanisms that move beyond voluntary self-attestation. Second, implement routine audit and assurance processes with meaningful consequences for non-compliance, including administrative penalties scaled to the severity of violations. Third, develop operator-facing technical advisories that translate threat intelligence into actionable, device-specific guidance for front-line operators. Fourth, institutionalize joint exercises and incident coordination protocols across federal, provincial, and private actors so that response roles are established before crisis forces improvisation. The legislation’s effectiveness will ultimately depend on how designation criteria, reporting timelines, and enforcement authorities are defined and resourced through the regulatory development process.
The governance challenges identified above extend beyond administrative coordination. Canada’s energy infrastructure is integrated with U.S. systems through cross-border transmission lines and pipeline networks, creating interdependencies where vulnerabilities in one jurisdiction can affect the resilience of shared systems. Strengthening Canada’s governance framework through the mechanisms proposed in Bill C-8 would address the domestic vulnerabilities identified in this analysis, particularly the response latency and enforcement gaps that affect federally regulated critical systems. How effectively Canada closes this governance gaps is likely to shape both domestic resilience and efforts to strengthen the coherence of cross-border critical infrastructure protection.
