AER Regulation 84/2024: What Alberta Operators Need to Know

Last updated March 2026 · Educational resource

This regulation is in force now. AER Regulation 84/2024 — Security Management for Critical Infrastructure — took effect May 31, 2025. If you operate a facility on the AER's critical infrastructure list, compliance is not optional.

What Is Regulation 84/2024?

Regulation 84/2024, formally titled the Security Management for Critical Infrastructure Regulation, was enacted under Alberta's Responsible Energy Development Act (REDA). It requires operators of designated critical energy facilities in Alberta to implement a security management program aligned with CSA Z246.1 — the Canadian standard for security management for petroleum and natural gas industry systems.

The AER maintains a confidential list of designated critical facilities. If you operate pipelines, processing plants, or other energy infrastructure in Alberta, your facility may be on that list.

Who Does It Apply To?

The regulation applies to operators of facilities that the AER has designated as critical infrastructure. While the specific list is confidential, the scope of REDA means that most petroleum and natural gas systems in Alberta arguably qualify.

Critically, there is no small-business exemption. A junior producer with a single pipeline faces the same obligation as a major integrated operator. The regulation targets the criticality of the infrastructure, not the size of the company operating it.

What Does It Require?

At its core, the regulation requires a security management program that aligns with CSA Z246.1. That standard covers both physical and cybersecurity, but for network and OT environments, the key requirements include:

What Can the AER Do?

The AER has enforcement tools that go well beyond fines:

The shutdown authority is the teeth. Unlike regulations that only carry financial penalties, Regulation 84/2024 gives the AER the power to shut down a facility that cannot demonstrate an adequate security program. For a junior producer running on thin margins, that's an existential risk.

The CSA Z246.1 Connection

CSA Z246.1 is the standard that Regulation 84/2024 points to. It's also referenced by federal regulations (CER Onshore Pipeline Regulations) and the incoming Bill C-8 / CCSPA. Compliance with Z246.1 covers significant ground across all three regulatory layers simultaneously.

For OT cybersecurity specifically, Z246.1 aligns closely with IEC 62443 concepts: zones and conduits, defence in depth, and risk-based security program management.

How ZoneSentry Helps

ZoneSentry directly addresses several Z246.1 requirements for OT network environments:

| Z246.1 Requirement | ZoneSentry Coverage |
|---|---|
| Network monitoring & detection | Continuous firewall syslog monitoring with AI-powered anomaly detection |
| Asset inventory | Automatic inventory of all devices observed crossing zone boundaries |
| Network segmentation verification | Zone-aware architecture maps VLANs to IEC 62443 / Purdue levels |
| Incident detection & alerting | Confidence-scored alerts with plain-language narratives |
| Audit-ready documentation | Compliance PDF reports, device inventory, alert history |
| Program review evidence | Annual rollup reports: device changes, alert trends, baseline evolution |

ZoneSentry is not a complete Z246.1 compliance solution — no single product is. It covers the network monitoring and detection components. Your security management program will also need policy governance, personnel training, physical security measures, and incident response procedures. If you work with an integrator, these gaps are where their consulting services complement ZoneSentry's automated monitoring.

What Should You Do Now?

If you operate energy infrastructure in Alberta:

  1. Determine your status. Contact the AER if you're unsure whether your facility is designated.
  2. Get a copy of CSA Z246.1. This is the standard you'll be measured against.
  3. Assess your current gaps. Do you have a documented security management program? Network monitoring? Incident response?
  4. Start with what you have. Your firewall is already generating the data. ZoneSentry turns it into monitoring, alerting, and compliance evidence.

The best time to start was May 2025. The second best time is today. A 30-day ZoneSentry pilot gives you device inventory, behavioural baselines, and your first compliance report — tangible evidence you can show an auditor while you build the rest of your program.

Start building your compliance evidence

30-day pilot. One firewall config change. Real compliance data from day one.
