CSA Z246.1:21

Preface:

This is the fourth edition of CSA Z246.1, Security management for petroleum and natural gas industry systems. It supersedes the previous editions published in 2017, 2013 and 2009.

The most significant change, relative to the previous edition, is the introduction of cybersecurity measures that has replaced the previous Clause 7 on information technology and industrial control system security.

This Standard uses the concept of a security management program, and in particular risk management, to address security issues. This Standard provides a performance-based approach for use by the operator to establish governance, conduct planning, implement and improve security operations (including detection and mitigation practices), and refine the security management program through change management and audit processes. This approach allows users to apply this Standard across the petroleum and natural gas industry.

This Standard is one of several security risk management tools. Operators should work with other industries, as well as governmental agencies, in order to effectively manage the security of their energy infrastructure. A security management program should complement existing programs and should consider the risks and criticality of the assets being protected. Therefore, this Standard should be read in conjunction with other security legislation, safety legislation, best practices, policies, standards, and applicable codes (e.g., CSA Z662, CAN/CSA-ISO 31000, and CSA Z1600). In particular, this Standard is aligned with CSA Z246.2, Emergency preparedness and response for the petroleum and natural gas industry systems, to both support a continual improvement process and to develop sound risk-based management processes.

This Standard has been developed in compliance with Standards Council of Canada requirements for National Standards of Canada. It has been published as a National Standard of Canada by CSA Group.

Scope:

1.1 General
This Standard specifies criteria for establishing a security management program for petroleum and natural gas industry systems to ensure security threats and associated risks are identified and managed. This Standard provides mitigation and response processes and procedures to prevent and minimize the impact of security incidents that could adversely affect people, the environment, assets, and economic stability.

1.2 Applicability
This Standard applies to all petroleum and natural gas industry systems (as illustrated in Figures 2 and 3), including
a) pipeline systems handling
     i) oil;
     ii) gas;
     iii) oil-field water;
     iv) liquid products;
     v) multi-phase fluids;
     vi) slurries; and
     vii) system supports, including
           1) meter stations;
           2) compressor stations;
           3) pump stations;
           4) tank farms;
           5) terminals; and
           6) all assets that support Items 1) to 5);
b) liquefied natural gas (LNG) production, storage, and handling facilities;
c) storage of hydrocarbons in underground formations;
d) petrochemical installations, including
     i) refineries;
     ii) gas processing plants;
     iii) liquefied petroleum gas plants;
     iv) synthetic natural gas plants; and
     v) coal gasification plants;
e) oil and gas exploration, development, production, treatment, processing, and storage operations not covered in Items a) to d);
f) oil sands facilities; and
g) petroleum and natural gas wells.

The requirements of this Standard are applicable to all operators, regardless of the size or number of their assets.

1.3 Exclusions
Offshore petroleum and natural gas activity, petroleum and LNG tankers, and customers piping systems are outside the scope of this Standard.
Note: See Figures 2 and 3.

1.4 Terminology
In this Standard, "shall" is used to express a requirement, i.e., a provision that the user is obliged to satisfy in order to comply with the Standard; "should" is used to express a recommendation or that which is advised but not required; and "may" is used to express an option or that which is permissible within the limits of the Standard. Notes accompanying clauses do not include requirements or alternative requirements; the purpose of a note accompanying a clause is to separate from the text explanatory or informative material. Notes to tables and figures are considered part of the table or figure and may be written as requirements. Annexes are designated normative (mandatory) or informative (non-mandatory) to define their application.