Why Alberta's Utilities Should Lead Canada's Energy Cybersecurity Evolution
As someone who has spent years working at the intersection of energy infrastructure and cybersecurity regulation through CSA Z246.1, I've been watching an inevitable shift unfold across North America's energy landscape. While many utilities currently operate outside direct government cybersecurity mandates, the writing is on the wall—and it spells opportunity for forward-thinking leadership.
The Regulatory Momentum is Undeniable
We've seen the dominoes falling across critical infrastructure sectors. Alberta Regulation 84 (AR-84) now mandates cybersecurity requirements for oil and gas operations. The TSA's pipeline security directives have fundamentally changed how energy transportation companies approach cyber risk. Meanwhile, many power generation and distribution companies watch from the sidelines—for now.
But here's what I've learned from years of regulatory development work: the "for now" won't last much longer. As Alberta and federal governments pivot away from traditional oil-focused policies, electricity generation and distribution are moving squarely into the regulatory crosshairs. The question isn't whether cybersecurity regulations will come to Canada's utility sector—it's whether companies will be ready when they do.
The Leadership Opportunity
Canada's utilities sit at a unique inflection point. While their peers in other sectors scramble to meet emerging requirements, forward-thinking utilities could position themselves as cybersecurity leaders across the energy landscape. I've seen this hunger for leadership firsthand at BSides Calgary, critical infrastructure conferences, and through my work with industry stakeholders developing CSA Z246.1. The utilities sector is actively seeking companies willing to set the standard rather than merely meet it.
This leadership opportunity extends beyond power generation to encompass the entire energy ecosystem—from distribution companies to renewable energy providers to energy storage operators. The organizations that move first will shape the regulatory framework for everyone else.
A Strategic Approach: Three-Phase Cybersecurity Program Development
Having led comprehensive cybersecurity implementations across major energy companies, I believe utilities need a methodical, risk-based approach that balances current operations with future regulatory readiness. Here's how I would structure this transformation:
Phase 1: Understand the Baseline
Organizational Assessment
Map operational complexity and security maturity across all business units
Inventory existing security programs (cyber, physical, IT/OT) and identify overlaps, gaps, and redundancies
Analyze current organizational structure for IT, Cyber, OT, and physical security teams
This foundation work is critical—you can't build effective cybersecurity without understanding what you're protecting and how your teams currently operate.
Phase 2: Comprehensive Gap Assessment
Regulatory Landscape Mapping
The regulatory review should cast a wide net, then apply risk-based prioritization:
Current Mandatory Requirements: NERC-CIP (where applicable), Alberta Reliability Standards (ARS), federal requirements
Emerging Regulations: Provincial cybersecurity mandates, updated federal standards, industry-specific requirements
Industry Best Practices: NIST Cybersecurity Framework (with OT extensions), CIS Controls, CSA Z246.1 principles
I'd create a compliance matrix that distinguishes between "must do" and "should do" requirements, streamlining future audit processes while building a defensible risk framework.
Internal Program Alignment
Comprehensive document review against regulatory requirements
Elimination of duplicate processes and procedures
Focus investment on genuine gaps rather than redundant controls
Restructure cybersecurity program documentation following information security management best practices
Phase 3: Strategic Scope Management
Future-Focused Implementation Planning
Define long-term compliance goals and timelines based on regulatory trajectory
Develop multi-year action plan aligned with risk tolerance, audit cycles, and budget realities
Implement change management framework supporting both quick wins and strategic initiatives
The key is starting with low-hanging fruit—policy and process improvements that demonstrate immediate value—while building toward comprehensive technical implementations that require significant investment.
Why This Matters Now for All Utilities
Canadian utilities operate in a regulatory environment that's shifting faster than most organizations realize. The companies that proactively build comprehensive IT/OT cybersecurity programs won't just be prepared for future regulations—they'll help define what those regulations look like.
Having worked directly with regulators developing cybersecurity standards for critical infrastructure, I can say with confidence that industry leaders who engage early in this process don't just achieve compliance—they shape compliance to reflect operational realities.
Whether you're operating renewable energy facilities, managing distribution networks, or running traditional power plants, the fundamentals remain the same: understanding your risk landscape, building appropriate controls, and preparing for a regulatory environment that will increasingly focus on cybersecurity resilience.
The utilities that have the operational expertise, technical infrastructure, and market vision can become Canada's cybersecurity leaders in the energy transition. This includes not just the major players, but also the innovative smaller companies pioneering new technologies and approaches.
The question is whether the industry will seize this opportunity to lead collectively, or wait for regulation to force individual hands.
The Path Forward
The regulatory wave is coming to Canadian utilities. The smart companies—regardless of size or specialization—are already preparing to ride it. Those that move now will have the advantage of shaping the conversation, influencing regulatory development, and building competitive advantages through cybersecurity excellence.
The energy sector's future depends not just on clean generation and smart distribution, but on the cybersecurity foundation that makes it all possible. The time to build that foundation is now.
Lisa Zhao is Vice Chair of CSA Z246.1, Canada's federal cybersecurity standard for energy infrastructure, and holds a CISM certification. She has led cybersecurity risk assessments and compliance programs for major energy companies including TC Energy, Trans Mountain, and Pembina Pipeline.