December 2, 2023

Suncor is replacing employee computers after a cybersecurity incident last week shut down debit and credit processing at Petro-Canada gas stations across the country, among a series of other security measures at the Calgary-based company.

An internal communication dated July 3, viewed by CBC News, says the company will replace desktop and laptop computers in waves to ensure the devices are safe to use, starting with “a small number of employees and contractors aligned with business criticality.”

It’s not clear from the memo what the scope of the computer recall is or what departments were affected, but one expert said that if the recall is extensive, it would be an indication of a serious situation.

“Normally you wouldn’t expect hardware to be compromised so fully that you need to replace everything,” said cybersecurity expert Chester Wisniewski, who is field chief technology officer at the international cybersecurity firm Sophos.

CBC News asked Suncor if it planned to replace all computers across the company, or just in certain departments, but did not receive a response. 

Among other things, Suncor employees have also been told in recent days not to use social media on company devices or let people tailgate behind them into an elevator. 

The company has stayed mum about the cause of last week’s attack, which affected debit and credit transactions at gas stations across the country and restricted customers’ access to the Petro-Points loyalty program. 

While the public-facing nature of the Suncor incident has made cybersecurity a hot topic, cyber threats have been a growing concern for years across the country, especially within the oil and gas sector. 

According to Statistics Canada survey data, in 2019 about a quarter of Canadian organizations classified as oil and gas had reported a cyber incident — the highest of any infrastructure sector, according to a report from the Canadian Centre for Cyber Security released just days before the Suncor incident. 

Hit to business reputation, operations

A Petro-Canada gas station is pictured in Nepean, Ont.
A Petro-Canada gas station is pictured in Ottawa, Ont. (Francis Ferland/CBC)

As of Wednesday, customers were still complaining to Petro-Canada on Twitter about the Petro-Points app not working, an issue the company has said it’s “working hard to resolve.” 

The outage is expected to cost the company “millions of dollars” before it’s fully resolved, according to an early estimate from the Canadian Internet Registration Authority. 

The hit to the business includes the direct loss of gas station sales during the peak of the outage, though there will also be impacts that aren’t as immediately apparent, said Geoffrey Cann, a former Deloitte partner and energy industry consultant.

The brand’s reputation will have taken a hit from having dedicated Petro-Can customers locked out of their loyalty program, he said.

There may also be the operational headache of dealing with the logistics of storing or selling oil that was still being refined while sales at Petro-Can locations were down, he said.

The incident may also be affecting productivity if any IT problems are ongoing, he said.

“Unless they had somehow some standby, ready-to-go, completely different computer system — that they could switch on while they remove the old systems — there would have to be some interruption in the day-to-day activities of the workforce,” said Cann.

Within the broader oilpatch, the incident is prompting companies to take another look at their own IT systems. 

“I know that this is something that board members will be asking questions about because this is all about risk management and business integrity,” said Calgary Chamber of Commerce CEO Deb Yedlin.

She predicts cybersecurity could become another point of emphasis that oil and gas companies discuss at quarterly earnings calls, similar to the emergence of environmental, social and governance (ESG) reporting. 

“This is something that will be very high on the agenda if it isn’t already,” she said. 

A man in a suit gestures with his hands as he speaks.
Tim McMillan is a consultant with Garrison Strategy and the former president and CEO of the Canadian Association of Petroleum Producers. (Justin Tang/The Canadian Press)

Tim McMillan, former president of the Canadian Association of Petroleum Producers, says the incident is a further “wake-up call” for companies, though he emphasized cyberthreats are nothing new in the sector.

“No one can stop the attack from happening, we know that companies are going to be continuously attacked,” said McMillan, who is now a partner at the consulting firm Garrison Strategy. 

“It’s [about] how do you put in the right levels of security, and different stages of security, so that when, inevitably, you are attacked, if a vulnerability is found that it doesn’t get devastating to your company or to the energy system here in Canada?”

‘This is coming at us’

High-profile cybersecurity incidents are becoming increasingly common across the public and private sector. In the last year, attacks on disparate targets from Indigo to Empire Foods to the Nova Scotia government have disrupted transactions and exposed Canadians’ personal information. 

In April, a pro-Russian hacking group claimed responsibility for a cyberattack against Hydro-Quebec. That same day, the Communications Security Establishment (CSE) warned a cyber threat actor “had the potential to cause physical damage” to a piece of critical infrastructure and that while no damage was done, “the threat is real.”

Within the oil and gas sector, ransomware is the primary threat to the country’s reliable supply of oil and gas, according to the report from the Canadian Centre for Cyber Security, though the sector is also likely to be targeted by state-sponsored cyber espionage “for commercial or economic reasons.”

Cann expects that the threat will only grow in the years ahead.

Amid the conflict between Russia and Ukraine, he said both sides are developing tools to target one another’s critical infrastructure that could ultimately end up circulating on the dark web, and used against even non-hostile players like Canada. 

“We as an industry [have] got to just know this is coming at us and we need to be prepared,” said Cann.