Suncor Energy Inc. falling victim to a cyberattack may be the most significant cybersecurity breach of an oil and gas company thus far in Canadian history, experts say.
The Calgary-based oil company has provided no details about the attack or which parts of its operations were affected, saying simply in a news release issued late Sunday that it had “experienced a cybersecurity incident.”
The confirmation followed days of public speculation, after social media users complained on Twitter over the weekend about an inability to use credit or debit cards at the company’s chain of Petro-Canada gas stations in multiple major Canadian cities, as well as difficulties accessing car wash services.
On Saturday, Petro-Canada’s official Twitter account also issued a tweet saying that the company’s Petro-Points app and website were temporarily unavailable.
As of mid-day Monday, some of Suncor’s Petro-Canada sites remained cash-only, and its app and Petro-Points login were unavailable. Car washes were also unavailable at some locations, the company said via social media.
Ian L. Paterson, CEO of Vancouver-based cybersecurity company Plurilock Security Inc., said these public-facing issues could be “just the tip of the iceberg.” He added that as early as Friday, he was also hearing about Suncor employees being unable to log in to their own internal accounts.
“All of these things put together seem to suggest that there could be a sizable cyber incident that’s taking place,” Paterson said, cautioning that much is still unknown about the current situation.
“I think that this actually could be the Canadian Colonial Pipeline, just in the sense that Suncor is such a large part of the economy.”
In 2021, a ransomware attack successfully targeted the Colonial Pipeline, the largest pipeline system for refined oil products in the U.S.
It was the largest cyberattack on oil infrastructure in the history of the United States, and forced the company to temporarily halt pipeline operations.
Although the pipeline was only shut down for a few days, the disruption in the U.S. fuel supply caused the rerouting of flights, panic buying and short-term price spikes.
In Canada, there hasn’t been a publicized, large-scale, successful cyberattack on a domestic oil and gas company, though in April an apparent release of Pentagon documents onto social media sites contained a claim by Russian-backed hackers that they had successfully accessed Canada’s natural gas infrastructure.
The leaked documents did not name a specific company, and the legitimacy of that claim remains unclear.
However, cybersecurity experts have been warning for years that this country’s energy industry is an attractive target for cybercriminals.
Earlier this year, the Canadian Centre for Cyber Security (CCCS) — part of the federal Communications Security Establishment, which provides the government of Canada with information technology security and foreign signals intelligence — warned that the oil and gas sector attracts “more than its share” of attention from cybercriminals.
The CCCS said that is because of the high value of the industry’s assets and “the degree of customer dependence on the industry’s products,” adding that cybercriminals motivated by financial gain are the top cyber threats facing the Canadian oil and gas sector.
“We assess that ransomware is almost certainly the main threat to the supply of oil and gas to customers,” the agency wrote in a report.
“Since oil and gas organizations are part of Canadian critical infrastructure, they are attractive targets for extortion because of the importance of these products and services to Canadians.”
The CCCS also warned that while politically motivated attacks are less likely, state-sponsored or state-aligned cybercriminals — including those with ties to Russia, China and Iran — have targeted the global energy sector in the past for both espionage purposes as well as with an intent to create mayhem.
“The cybersecurity industry as a whole, and certainly governments both at the federal level and others, have been sounding the alarm for many years that critical infrastructure in particular is vulnerable,” Paterson said.
“This has the potential to be very, very serious for Suncor, and it’s not really a surprise.”
There is no indication that any of Suncor’s critical infrastructure, such as oilsands facilities or refineries, have been affected by the incident.
The company said there is also no evidence that any customer, supplier or employee data has been compromised or misused.
Paterson said in the best-case scenario, Suncor will have caught the breach quickly. But he said it’s also possible that it could take the company a very long time to resolve the issue.
“The problem here is that it’s such a large operation with multiple subsidiaries with such an expansive set of services,” he said.
“If the threat actor has been present and persistent for a long time, it could take a very long time to root them out.”