In June 2023, Suncor Energy, which operates the Petro-Canada brand nationwide, disclosed that its systems had been targeted by a cyberattack that disrupted payment processing at gas stations across Canada. The incident impacted customer fuel purchases and revealed vulnerabilities in critical energy sector infrastructure. The attack prompted increased scrutiny of cybersecurity practices across Canada's energy industry and coordination between government and energy sector organizations.
About the Attack
On June 5, 2023, Suncor Energy's IT systems experienced disruptions affecting payment processing at Petro-Canada retail locations. Investigation revealed that threat actors had compromised systems controlling payment processing, point-of-sale infrastructure, and customer-facing applications. Suncor did not publicly attribute the attack to specific threat actors, but analysis suggested that its sophistication and its targeting of critical infrastructure pointed to organized threat activity.
The attack appeared to focus on disruption of payment systems rather than traditional ransomware deployment, suggesting the attackers may have been testing defenses, conducting espionage, or attempting to extort the company through threatened continued service disruption.
Impact on Petro-Canada Operations
The disruption to payment systems at Petro-Canada stations had immediate and widespread effects:
- Payment systems offline at hundreds of Petro-Canada locations across Canada
- Customers forced to use alternative payment methods or unable to complete fuel purchases
- Significant decline in fuel sales during the outage period
- Revenue impact estimated in millions of dollars per day
- Operational disruption lasting several hours to over a day at various locations
- Widespread customer frustration and negative publicity
Suncor's Response
Suncor Energy's response to the attack included:
- Immediate containment and isolation of affected systems
- Restoration of payment processing systems from backup infrastructure
- Engagement of external cybersecurity firms for incident investigation
- Coordination with law enforcement agencies
- Implementation of emergency monitoring and detection systems
- Enhancement of access controls and authentication mechanisms
- Communication with customers regarding data security
Suncor confirmed that customer payment information processed through PCI-compliant payment processors remained secure, as the company does not directly store sensitive payment card data.
Broader Energy Sector Implications
The Suncor attack raised significant concerns about cybersecurity across Canada's energy sector. Energy infrastructure, including refineries, pipelines, and distribution systems, represents critical infrastructure that supports the entire Canadian economy. A successful attack against operational technology systems could disrupt fuel supply chains and cause cascading economic effects.
The incident prompted the Canadian government and energy companies to increase cybersecurity investments, improve information sharing about threats, and strengthen resilience planning for critical infrastructure.
Defensive Measures Implemented
Following the incident, Suncor and other energy companies accelerated implementation of several security measures:
- Enhanced monitoring of payment systems and point-of-sale infrastructure
- Improved segmentation between operational technology and information technology systems
- Implementation of zero-trust access control principles
- Increased security awareness training for employees
- Development of more robust incident response capabilities
- Coordination with law enforcement on threat intelligence
Lessons for Critical Infrastructure
The Suncor incident demonstrated that even large, well-resourced critical infrastructure operators can experience successful attacks. The energy sector's reliance on networked systems for operational efficiency creates security challenges that require ongoing attention and investment. Organizations managing critical infrastructure must balance operational efficiency with security requirements, implement defense-in-depth strategies, and maintain rapid incident response capabilities.