This regulation is in force now. AER Regulation 84/2024 — Security Management for Critical Infrastructure — took effect May 31, 2025. If you operate a facility on the AER's critical infrastructure list, compliance is not optional.
What Is Regulation 84/2024?
Alta Reg 84/2024, formally titled the Security Management for Critical Infrastructure Regulation, was enacted under Alberta's Responsible Energy Development Act (REDA). It requires operators of designated critical energy facilities in Alberta to implement a security management program aligned with CSA Z246.1:21 (fourth edition, 2021) — the Canadian standard for security management for petroleum and natural gas industry systems.
The AER maintains a confidential list of designated critical facilities. If you operate pipelines, processing plants, or other energy infrastructure in Alberta, your facility may be on that list.
Who Does It Apply To?
The regulation applies to operators of facilities that the AER has designated as critical infrastructure. While the specific list is confidential, the scope of REDA means many petroleum and natural gas systems in Alberta may be designated. The specific designation is determined by the AER.
Critically, there is no small-business exemption. A junior producer with a single pipeline faces the same obligation as a major integrated operator. The regulation targets the criticality of the infrastructure, not the size of the company operating it.
What Does It Require?
At its core, the regulation requires a security management program that aligns with CSA Z246.1. That standard covers both physical and cybersecurity, but for network and OT environments, the key requirements include:
- Security risk assessment for the facility (CSA Z246.1:21 Clause 5.6)
- Network segmentation and access controls (Clauses 7.2.2, 7.2.3)
- Monitoring and detection of security events (Clause 7.2.5)
- Incident response procedures (Clause 10.2)
- Personnel security awareness training (Clauses 8, 8.3)
- Regular program review and updates (Clauses 11.3, 11.4)
- Documentation sufficient for audit (Clause 11.2)
What Can the AER Do?
The AER has enforcement tools that go well beyond fines:
- Audit your security management program
- Require you to demonstrate compliance
- Order operations to cease under REDA authority
Enforcement goes beyond fines. Under the Responsible Energy Development Act (REDA), the AER has broad enforcement authority including the power to order operations to cease. For a junior producer running on thin margins, non-compliance with Regulation 84/2024 is an existential risk.
The CSA Z246.1:21 Connection
CSA Z246.1:21 (fourth edition, 2021) is the standard that Alta Reg 84/2024 points to. It's also referenced by federal regulations (CER Onshore Pipeline Regulations, s.4(1)(e)), BC's Security Management Regulation, and Bill C-8 / CCSPA (passed the House of Commons March 26, 2026 — now in Senate). Compliance with Z246.1:21 covers significant ground across all four regulatory layers simultaneously.
For OT cybersecurity specifically, Z246.1:21 aligns closely with IEC 62443 concepts: zones and conduits, defence in depth, and risk-based security program management.
How ZoneSentry Helps
ZoneSentry directly addresses several Z246.1 requirements for OT network environments:
| Z246.1 Requirement | ZoneSentry Coverage |
|---|---|
| Network monitoring & detection | Continuous firewall syslog monitoring with AI-powered anomaly detection |
| Boundary-observed device inventory | Automatic inventory of all devices observed crossing zone boundaries |
| Network segmentation visibility (Clause 7.2.3 + IEC 62443 alignment) | Zone-aware architecture maps VLANs to IEC-62443 / Purdue levels |
| Incident detection & alerting | Confidence-scored alerts with plain-language narratives |
| Audit-ready documentation | Compliance PDF reports, device inventory, alert history |
| Program review evidence | Annual rollup reports: device changes, alert trends, baseline evolution (in development) |
ZoneSentry is not a complete Z246.1 compliance solution — no single product is. It covers the network monitoring and detection components. Your security management program will also need policy governance, personnel training, physical security measures, and incident response procedures. If you work with an integrator, these gaps are where their consulting services complement ZoneSentry's automated monitoring.
What Should You Do Now?
If you operate energy infrastructure in Alberta:
- Determine your status. Contact the AER if you're unsure whether your facility is designated.
- Get a copy of CSA Z246.1:21. This is the standard you'll be measured against. It's available as a free download for Canadian customers from CSA Group.
- Assess your current gaps. Do you have a documented security management program? Network monitoring? Incident response?
- Start with what you have. Your firewall is already generating the data. ZoneSentry turns it into monitoring, alerting, and compliance evidence.
The best time to start was May 2025. The second best time is today. A 30-day ZoneSentry pilot gives you device inventory, behavioural baselines, and your first compliance report — tangible evidence you can show an auditor while you build the rest of your program.