Securing Canada’s Critical Energy Infrastructure: Navigating New Cybersecurity Regulations with Zero-Trust Architecture


The Canadian energy and utilities sector is undergoing a profound digital transformation. As legacy industrial control systems and supervisory control and data acquisition networks become increasingly connected to corporate information technology environments, the attack surface for threat actors has expanded exponentially. In response to high-profile ransomware attacks on critical infrastructure across the globe, Canadian regulators are stepping in with unprecedented rigour.

For operators of pipelines, electrical grids, and natural gas facilities, cybersecurity is no longer merely a best practice; it is a strict regulatory mandate. Navigating this complex web of provincial and federal requirements can feel overwhelming, particularly when dealing with fragile, legacy operational technology that was never designed to be connected to the internet. However, compliance does not have to mean a complete network redesign. By adopting an identity-first, zero-trust architecture, operators can exceed regulatory expectations while streamlining their operational workflows.

The New Standard of Care: A Shifting Regulatory Landscape

Across the country, energy and utility operators are facing a synchronised push from regulators demanding stronger digital access controls, meticulous audit trails, and robust network segmentation.

At the national level, the Canadian Standards Association Z246.1:21 standard (Security management for petroleum and natural gas industry systems) has fundamentally raised the bar. Specifically, Clause 7.2.2 dictates that operators must implement strict digital access controls, including the principle of least-privilege access and the enforcement of multi-factor authentication. Furthermore, Clause 7.2.3 requires clear network segmentation to ensure industrial control systems are appropriately zoned and isolated from the public internet and corporate information technology networks.

Provincial regulators are equally aggressive in their mandates. Alberta Regulation 84/2024 reflects a growing legislative focus on the resilience of the province’s critical utility infrastructure, mandating that operators prioritise cybersecurity risk management alongside physical safety and environmental protection.

Similarly, the British Columbia Utilities Commission has drawn a firm line in the sand. Through their dedicated cybersecurity initiatives (outlined at https://www.bcuc.com/WhatWeDo/Cybersecurity), the commission requires regulated entities to actively demonstrate their preparedness, mitigation strategies, and incident response capabilities against cyber threats.

The unified message from these regulatory bodies is clear: perimeter-based defence is dead. Relying on a simple firewall to separate the corporate network from the plant floor is no longer legally or operationally defensible.

The Problem with the Status Quo

Historically, when third-party vendors or off-site engineers required remote access to perform maintenance on a programmable logic controller or a human-machine interface, operators relied on virtual private networks.

Unfortunately, traditional virtual private networks are entirely at odds with the new regulatory mandates. Virtual private networks inherently grant network-level access. Once a user authenticates, they are placed on the inside of the network, creating a massive risk of lateral movement. If a vendor’s laptop is compromised by malware, that virtual private network connection acts as a direct bridge into the heart of the operational technology environment. This directly violates the “least privilege” requirements outlined in the Canadian Standards Association standard.

Furthermore, operators face a significant technical hurdle: legacy operational technology. Many critical industrial control systems running our energy infrastructure are decades old. These systems cannot natively support modern security protocols like multi-factor authentication, and installing third-party security software agents on them often voids warranties or risks knocking a critical system offline.

Faced with these challenges, many organisations mistakenly believe that achieving compliance requires a massive, multi-million dollar physical network redesign or the wholesale replacement of functional legacy equipment.

The Agilicus Solution: Zero-Trust Architecture

As a thought leader in industrial cybersecurity, Agilicus recognised that the energy sector needed a paradigm shift. We built Agilicus AnyX to bridge the gap between strict regulatory compliance and the operational realities of legacy industrial control systems.

Agilicus AnyX replaces vulnerable virtual private networks with an identity-first, zero-trust network access broker. We provide a frictionless path to compliance by addressing the specific technical demands of Canada’s energy regulators:

1. Application-Level Micro-Segmentation (Solving Clause 7.2.3)

Agilicus does not put users on your network. Instead, we provide granular, application-level access. When a vendor logs in, they see only the specific pump, valve, or human-machine interface they are authorised to maintain. The rest of the network remains entirely invisible to them. Furthermore, Agilicus operates on an outbound-only connection model. This means your operational technology network has zero open inbound firewall ports, effectively creating a digital air gap that completely isolates your critical infrastructure from the public internet.

2. Multi-Factor Authentication for Legacy Systems (Solving Clause 7.2.2)

Agilicus seamlessly overlays modern multi-factor authentication onto any legacy application, even those that were built decades before multi-factor authentication was invented. We act as a secure proxy in front of the resource. The user authenticates against your existing corporate identity provider (such as Microsoft Entra ID or Google Workspace), completes their multi-factor authentication challenge, and only then is the connection brokered to the legacy system. You achieve total compliance without installing a single piece of software on your fragile supervisory control and data acquisition machines.

3. Centralised Identity and Instant Off-Boarding

When an employee leaves the company or a vendor contract expires, disabling their account in your central corporate directory instantly revokes their remote access to all physical sites and industrial control systems simultaneously. There are no shared passwords left behind and no forgotten backdoor accounts, ensuring continuous compliance with access management regulations.

4. Immutable Audit Trails for Incident Management

To satisfy the rigorous reporting requirements of the British Columbia Utilities Commission and the Canadian Standards Association, Agilicus AnyX captures every single access request in a tamper-proof audit log. Instead of forcing security teams to decipher cryptic internet protocol addresses in a firewall log, Agilicus provides a clear, human-readable ledger. You can prove to any auditor exactly which human identity accessed what system, exactly when they did it, and from what device.
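To make the brokering model described in items 1 to 4 concrete, here is an added illustration (written for this article, not Agilicus code and not how AnyX is implemented) of a deny-by-default access broker: it consults the central directory, the multi-factor authentication result and the per-resource grant before deciding, and records every decision in a hash-chained ledger whose integrity can be verified. The identities, resources and directory entries are constructed sample data.

```python
import hashlib
from datetime import datetime, timezone

DIRECTORY = {  # constructed sample data (hypothetical, not Agilicus data)
    "vendor.alice": {"enabled": True},
    "eng.bob": {"enabled": True},
    "contractor.carol": {"enabled": False},  # contract expired: disabled centrally
}
GRANTS = {
    "vendor.alice": {"hmi-pump-station-7"},
    "eng.bob": {"hmi-pump-station-7", "plc-compressor-2"},
}

def digest(record: dict) -> str:
    # SHA-256 over the record minus its own hash field, with keys in a fixed order
    body = sorted((k, v) for k, v in record.items() if k != "hash")
    return hashlib.sha256(repr(body).encode()).hexdigest()

class AuditLog:
    """Append-only ledger: each record stores the hash of the one before it, so
    verify() returns False if any record is edited, removed or reordered later."""
    def __init__(self):
        self.entries, self.last_hash = [], "0" * 64
    def append(self, record: dict) -> None:
        record = dict(record, prev_hash=self.last_hash)
        record["hash"] = digest(record)
        self.entries.append(record)
        self.last_hash = record["hash"]
    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev_hash"] != prev or digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def broker(identity, resource, mfa_completed, device, log, now=None) -> str:
    """Decide one request as an identity-aware proxy would; deny is the default."""
    account = DIRECTORY.get(identity)
    if account is None or not account["enabled"]:
        decision = "deny:identity-disabled"  # off-boarding revokes every site at once
    elif not mfa_completed:
        decision = "deny:mfa-required"       # MFA enforced before the legacy system is reached
    elif resource not in GRANTS.get(identity, set()):
        decision = "deny:no-grant"           # other resources stay invisible to this identity
    else:
        decision = "allow"
    log.append({"time": now or datetime.now(timezone.utc).isoformat(), "identity": identity,
                "resource": resource, "device": device, "mfa": mfa_completed, "decision": decision})
    return decision
```

Each ledger entry answers the auditor's three questions (which identity, which system, when and from what device), and a single change to any past entry breaks the chain.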

Compliance as a Byproduct of Excellent Security

For the Canadian energy and utilities sector, the regulatory tsunami is already here. However, treating regulations like the Canadian Standards Association Z246.1:21 or Alberta Regulation 84/2024 as mere check-box exercises is a missed opportunity.

By adopting a zero-trust architecture with Agilicus AnyX, operators can move beyond bare-minimum compliance. You can empower your workforce, enable secure and efficient third-party vendor access, and breathe new life into legacy industrial control systems—all while securing the critical infrastructure that powers our nation.

It is time to stop fighting with complex virtual private networks and unmanageable firewalls. Embrace the future of secure industrial connectivity. Reach out to the team at Agilicus today to learn how we can help your organisation achieve compliance and secure your operational technology environment.