Critical infrastructure

Critical infrastructure work is where a security failure becomes a safety failure. Oil and gas yards, electric utility substations, water and wastewater plants, and Health Canada licensed cannabis facilities operate under regulatory frameworks that treat the security system as part of the operational safety envelope, not as a separate convenience layer. The pathway changes (hazardous-area listings, EMI-hardened equipment), the network changes (SCADA segregation, operations-centre integration), and the audit changes (regulatory retention, mandatory reporting). Walk into a critical infrastructure project with the institutional-office playbook and the install fails the regulatory audit; walk in with the discipline this chapter describes and the install supports the operator’s compliance.

The risk profile

How critical infrastructure differs

Commercial and institutional office work has a relatively standard threat model: theft, vandalism, unauthorised access, occasional targeted attack. Critical infrastructure adds nation-state actors, organised attempts at operational sabotage, regulatory inspectors who treat the audit findings as enforcement actions, and the consequence that a successful attack causes physical harm or service disruption to large populations. The integrator’s risk tolerance has to match the operator’s.

The four common verticals

Oil and gas (upstream, midstream, downstream): Wellheads, pipelines, compressor stations, refineries, terminals. CSA Z246 governs the security framework, with the operator’s risk assessment driving design. Hazardous-area classifications limit equipment selection; classified Zone 1 and Zone 2 areas require certified equipment.
Electric utility: Generation stations, substations, transmission yards. CER (Canada Energy Regulator) requirements for federally-regulated assets, provincial regulator requirements for distribution. EMI-hardened equipment for substation environments. Physical security at the substation perimeter is the typical institutional project scope.
Water and wastewater: Treatment plants, pumping stations, reservoirs. Operator (municipal or regional authority) defines the security framework. Indoor environments are corrosive (chlorine, hydrogen sulfide); outdoor environments are weather-exposed. Equipment selection accounts for both.
Health Canada licensed cannabis: Cultivation, processing, storage, and retail facilities licensed under the Cannabis Act and Cannabis Regulations. Prescriptive video, access, and audit requirements with specific retention periods. Health Canada inspects the security install as part of the licence renewal process.

Oil and gas (CSA Z246)

When the rule applies

Every oil and gas facility in Canada under the CSA Z246 framework. The standard sets the framework; the operator’s site-specific risk assessment defines the design.

The spec

// OIL AND GAS SECURITY

Security framework per CSA Z246; the operator’s risk assessment defines the specific design
The operator performs the risk assessment (typically with a security consultant); the integrator implements the design that results
Hazardous-area equipment per CEC Section 18 in classified areas::
- Class I Division 1 / Zone 0: continuously hazardous atmosphere; intrinsically-safe equipment only
- Class I Division 2 / Zone 2: hazardous atmosphere under abnormal conditions; non-incendive equipment
- Equipment certification: CSA marking for the specific Zone and Class
Perimeter detection at facility boundaries: photoelectric beams, perimeter LiDAR, or vibration sensors per the operator’s risk assessment
Access control at every facility entry, with two-factor authentication for restricted areas
Video coverage at perimeter, entries, control rooms, and high-value assets (compressor stations, control valves, transformer pads)
SCADA network segregated from the physical security network; no bridging between the two without operator’s explicit authorisation and a documented architecture
Operations-centre integration: events from the security system report to the operator’s control room or to a delegated regional operations centre

Field note

Electric utility substations

When the rule applies

Substation security perimeter, control buildings, and equipment yards on transmission and distribution utility assets. CER and provincial regulators define the framework; the utility’s standard implements it.

The spec

// ELECTRIC UTILITY SUBSTATION

EMI-hardened equipment for substation environments: cameras, intercoms, access readers rated for the electromagnetic field strength near switchgear and transformers
Equipment certifications: IEC 61850-3 for substation electronic equipment, IEEE 1613 for North American substation hardening
Redundant grounding per chapter 04 with substation-specific equipotential bonding
Perimeter detection at the substation fence line: photoelectric beam, perimeter LiDAR, or vibration sensors per the utility’s standard
Camera coverage at the perimeter, control building entries, high-value asset pads, and transmission line termination structures
Access control at the perimeter gates and the control building doors, with two-factor authentication and supervised credentials per the utility’s policy
Operations-centre integration: every event reports to the utility’s control centre, with the utility’s preferred protocol (often DNP3, IEC 61850, or MODBUS over an isolated path)
Physical security separation from SCADA: zero bridging between the security network and the operational technology network unless the utility has explicitly authorised and architected the bridge

Field note

Water and wastewater

When the rule applies

Treatment plants, pumping stations, reservoirs, and water distribution control buildings. The operator (municipal or regional authority) defines the security framework. Federally-regulated water systems (some First Nations, some federal assets) have additional requirements.

The spec

// WATER AND WASTEWATER SECURITY

Equipment selection for corrosive indoor atmospheres: chlorine in water treatment, hydrogen sulfide in wastewater. Epoxy-coated enclosures, stainless hardware, gasketted device housings.
Equipment selection for outdoor weather exposure: NEMA 4 or NEMA 4X enclosures, IP66 or IP67 device housings, integrated heaters in cold-climate environments
Wash-down compatibility at treatment plant interior areas where pressure washing is part of routine cleaning
Perimeter detection at the facility boundary per the operator’s risk assessment
Access control at every facility entry, with extended retention on the audit log per institutional policy
Video coverage at the perimeter, entries, treatment process areas, and the SCADA control room
SCADA network segregation per chapter 11 and per the operator’s IT standard
Chlorine and chemical storage room security: dual-authentication at the door, video coverage with extended retention, audit log of every entry
Operations-centre integration: security events report to the operator’s control centre or to a regional centre

Field note

Health Canada licensed cannabis facilities

When the rule applies

Every facility licensed under the Cannabis Act and Cannabis Regulations: cultivation, processing, storage, packaging, testing, and retail. The Cannabis Regulations Part 4 (Physical Security Measures) define the prescriptive security requirements; Health Canada inspects the install as part of the licence application and renewal.

The spec

// HEALTH CANADA CANNABIS REQUIREMENTS

Visual monitoring of every entrance to and exit from an operations area (cultivation, processing, packaging, storage)
Visual monitoring of every storage area where cannabis is stored
Visual monitoring of every location in the facility where cannabis is present
Recording quality sufficient to identify a person
Recording retention: 1 year minimum per Cannabis Regulations
Intrusion detection system covering every entrance to and exit from operations areas and storage areas
Intrusion detection system monitored by a licensed monitoring service (ULC-S301 or S302)
Access control: documented list of authorised persons, with access records retained for inspection
Physical barriers and locks on every operations area and storage area
Compliance officer at the facility responsible for the security framework
Security records retained for at least 2 years per Health Canada requirements

Cannabis facility design pattern

Field note

SCADA and operational technology segregation

When the rule applies

Every critical infrastructure project. The Supervisory Control and Data Acquisition (SCADA) network and the broader operational technology (OT) network are the operator’s safety-critical control infrastructure. The physical security network is a separate domain that, in general, does not bridge to the SCADA network.

The spec

// SCADA SEGREGATION

Physical security network on dedicated infrastructure: separate VLANs at minimum, separate switches and separate physical cabling where the operator’s policy requires
SCADA network on its own dedicated infrastructure per the operator’s IT/OT standard
No bridging between the two networks without operator’s explicit authorisation and a documented architecture review
Where integration is required (security event triggers SCADA acknowledgment, for example), the bridge uses a data diode, application gateway, or unidirectional gateway with documented inspection
Network management: the security network has its own NMS, separate from the SCADA NMS
Cybersecurity baseline: the security network follows the operator’s IT cybersecurity standard; the SCADA network follows the operator’s OT cybersecurity standard (typically IEC 62443 or NERC CIP for North American utility)
Audit: the security network’s audit log is reviewed by the institutional security team; the SCADA audit log is reviewed by the operations team

Operations centre integration

When the rule applies

Every critical infrastructure facility. The operator (or a delegated regional operations centre) is the response party for security events; integration is the technical path that gets the event from the facility to the responder.

The spec

// OPERATIONS CENTRE INTEGRATION

Communication path: encrypted WAN connection from the facility to the operations centre, primary and secondary paths
Protocol: the operator’s preferred event protocol (Genetec federation, Milestone interconnect, SIA-DC09, MODBUS, DNP3, or IEC 61850 depending on the operator)
Event types reported: alarm, fault, tamper, access denied, after-hours access, supervisory test, return-to-normal
Video stream: cameras viewable from the operations centre on demand; alarm-triggered cameras prioritised
Recording: local at the facility (primary) and replicated to a regional or central archive (secondary) per the operator’s retention policy
Response plan: documented for each event type, with the operator’s standard response procedure
Annual integration test: every event type tested, every camera viewable, every response procedure verified

Field note

// THE PRACTITIONER POSITION

Critical infrastructure work needs heavier-duty equipment than commercial and a different risk tolerance. CSA Z246 governs oil and gas; the operator’s risk assessment drives the design. Hazardous-area certification is non-negotiable. Electric utility yards need EMI-hardened equipment, redundant grounding, operations-centre integration on the utility’s protocol. Water and wastewater have corrosive indoors and weather outdoors; specify for both. Health Canada cannabis facilities have prescriptive video, access, and retention rules; pull the current regulation at every project. SCADA and physical security networks stay segregated; do not bridge without explicit operator authorisation. Operations-centre integration is the technical path that closes the loop. Get this discipline right and the install supports the operator’s compliance; get it wrong and the regulatory audit finds the gaps.