
Cybersecurity in the Energy Sector: Interview with Martin Laberge, CISO of Énergir


What are the specific cybersecurity challenges in the energy sector?
In recent years, the energy sector, as critical infrastructure, has become a prime target for threat actors—whether criminal organizations or state-sponsored groups.
The geopolitical context has shifted. When a nation, territory, or population is targeted, energy becomes an obvious focus. Previously, attackers were primarily motivated by financial gain, aiming to lock IT systems and demand ransom. Today, we are increasingly seeing attacks designed to destroy or disable infrastructure, with direct consequences for the population.
Since the beginning of the war in Ukraine, such attacks have surged. It’s a reality: if one wants to harm a population, depriving it of energy for several days is highly effective. We simply cannot afford extended service interruptions.
There have been real-world cases. In Florida, for example, a region was left without fuel—not due to a shortage, but because the pipeline supplying it was taken offline for three days. That triggered panic. We now have concrete examples where cyberattacks are directly impacting people and the economy. These are major issues.
Can you share an example of an incident that was detected and effectively managed?
I cannot disclose specific cases for confidentiality reasons. However, I can say that we conduct many simulations and tests at Énergir, including large-scale exercises. We always work under the assumption that an attack will happen eventually.
Being able to respond goes far beyond IT. A cyber incident impacts the entire company’s operations. The whole organization must be prepared to ask the right questions.
We gather teams in person, at our offices, and simulate major crises. Each year, we change the scenario. Participants range from operational staff to the board of directors. Everyone is placed in separate rooms to observe how each group reacts.
The goal is to see if the organization functions properly, to identify missing procedures or resources. When a real incident occurs—and it has—we must be able to respond, maintain operations, and contain the attack to minimize impact.
We must also communicate effectively with stakeholders: the public, customers, and employees. At Énergir, this is how we’ve structured our response. It’s a system we test annually. We’ve successfully managed incidents thanks to this approach.
What is the nature of your collaboration with government agencies and other partners?
We work closely with the Canadian Centre for Cyber Security, which is heavily involved in critical infrastructure matters. They support us with monitoring tools and surveillance capabilities.
We also collaborate with law enforcement agencies. If an incident occurs, we can involve them. Today, they want to be engaged because it helps them better protect other entities as well.
On the regulatory side, if something happens, we must notify the Régie de l’énergie du Québec. And if there is any impact on energy distribution, we may also need to alert civil security authorities.
Fortunately, we have never had to go that far, but our processes are designed for such extreme cases. If necessary, we have communication protocols that extend all the way to the Premier’s Office or Civil Security.
This collaboration has grown stronger over time. Authorities have recognized that the energy sector is increasingly targeted by cyber threats. They are now more engaged, more collaborative, and significantly more proactive.
There is also cooperation among energy operators across Canada. We’ve established formal information-sharing networks. In the Canadian gas sector, we participate in security working groups where we exchange indicators of compromise so that all parties can prepare and act proactively.
There are even joint projects—for example, pooling certain monitoring tools to better analyze activity on the Canadian electricity grid.
With my fellow CISOs in other sectors, particularly in Québec, we now have formal exchange networks—something that didn’t exist five or six years ago.
Previously, we learned about cyberattacks on other companies through the media. Today, people understand that information must be shared. If one company is attacked, others could be affected as well. We are all interconnected, especially via gas pipelines. An attack in Ontario can impact our supply in Québec. We must stay informed.
And what about the supply chain?
This is an issue we take very seriously. The more stakeholders involved, the more entry points there are. We are working with an increasing number of suppliers and partner companies who may connect to our environments. Managing this properly is essential.
We’ve implemented a comprehensive supplier review policy, especially for those who interact with our environments. We classify them based on their criticality and apply tailored security requirements for each level.
But beyond that, we also assess the resilience of these suppliers. A supplier may appear to be low-risk from a cybersecurity standpoint, but if they’re attacked and can no longer deliver a critical component, operations can grind to a halt.
Take, for example, a supplier of protective gloves for our technicians: if they can’t deliver, we can’t send crews into the field. So even if that supplier isn’t cybersecurity-critical, they are operationally essential. We need a backup plan.
This is something we began integrating into our practices about a year ago: evaluating whether we can continue operations if a supplier fails. That’s the direction we’re moving in, and I believe the industry is starting to recognize the importance of this approach.
What technological innovations or strategies do you see emerging to strengthen cybersecurity?
Artificial intelligence will obviously play a major role. This is no longer theoretical—we are already seeing AI being used in cyberattacks, through deepfakes, fake videos, and so on. It’s now highly accessible. Very convincing videos of executives can be fabricated.
We will have to use AI to counter AI. This is an immediate concern. There are real opportunities to leverage this technology to enhance our defensive capabilities.
Another key issue is IT/OT convergence. Historically, information technology and operational technology were separated. That’s no longer feasible—for geographic or logistical reasons, environments need to be interconnected.
This convergence creates new vulnerabilities that we must learn to manage. At Énergir, we integrated OT security several years ago. But at a recent summit I attended, I saw that some are still grappling with the basics. There are significant disparities in maturity levels across the sector.