Skip to main content

The BC Oil and Gas Commission (Commission) is drafting a proposed regulation related to physical and cyber security in the oil and gas sector.

The purpose of the regulation is to require permit holders to develop a security management program to minimize risks to critical physical and cyber infrastructure which could jeopardize the province’s safe, secure, and reliable energy supply.

Key elements of the regulatory initiative include:

  • Adopt the Canadian Standards Association (CSA) Standard Z246.1 entitled “Security management for petroleum and natural gas industry systems” into regulation. CSA Standard Z246.1 provides a risk-based framework for companies to evaluate and respond appropriately to security threats and protect energy infrastructure from malicious damage. CSA Standard Z246.1 was developed jointly by industry, multiple regulators and subject matter experts and has been adopted at the national level by the Canada Energy Regulator (formerly the National Energy Board) since 2011 for federally-regulated oil and gas activities.
  • By adopting CSA Standard Z246.1, permit holders will be required to establish a security management program. The purpose of a security management program is to identify physical and cyber security threats and risks to oil and gas infrastructure on a continuing basis and to manage them with appropriate mitigation and responses. Examples include:
    • Consideration of physical security measures related to facility design, construction and maintenance, such as perimeter protection, signage, gates, intrusion detection and alarms, and
    • Development of security incident management processes to respond to, communicate, document, recover from and de-escalate security-related threats and incidents.
  • Permit holders will need to report security incidents to the Commission. Reporting will be coordinated with existing reporting already required under the Emergency Management Regulation. Incident reporting will inform the Commission of potential security breaches and whether a permit holder’s security management program was disregarded or insufficient.
  • The regulation will require a permit holder to prepare and maintain records and reports related to a security incident as well as document required training activities related to their security management program. Record keeping and training help to verify that the permit holder is complying with regulatory requirements and that the programs and procedures are consistent with the CSA Standard Z246.1.

If you have feedback on the proposed regulation, we would appreciate receiving it by August 5, 2022. Please email your feedback or questions to

Website Feedback