Cybersecurity threats are more prevalent today than ever before. Proactive measures to protect our nation’s critical infrastructure, including pipelines, are of the utmost importance when faced with malicious actors utilizing evolving tactics.
The American Petroleum Institute (API) approaches cybersecurity the same way it approaches safety – it is a top priority that requires a systematic, multi-dimensional approach and allows for adaptation in a quickly shifting landscape.
The recently updated API Standard (Std) 1164, Pipeline Control Systems Cybersecurity, establishes key requirements to harden security against a range of threats, for both physical and digital assets. The 3rd edition of API Std 1164 also includes a comprehensive model for cybersecurity implementation.
A Collaborative Approach to Updating API Standard 1164
API and its members remain steadfast in their commitment to protecting critical infrastructure from cyber threats. API Standard 1164 gives the industry a foundation and framework to be agile in identifying and addressing these threats, ultimately allowing the industry to be more responsive and effective.
In development since 2017, the 3rd edition of API Std 1164 is a result of input from more than 70 organizations, including state and federal regulators within FERC, TSA, PHMSA, CISA, DoE, NIST as well Argonne National Laboratory, the American Gas Association (AGA), Interstate National Gas Association of America (INGAA), the Association of Oil Pipe Lines (AOPL) and numerous pipeline operators.
“The new edition of API Std 1164 builds on our industry’s long history of engaging and collaborating with industry as well as the federal government to protect the nation’s vast network of pipelines and other critical energy infrastructure,” API Vice President of Standards and Segment Services, Alexa Burr said.
The standard takes a comprehensive management system approach to pipeline cybersecurity, from developing a customized cybersecurity program, to implementation and testing utilizing a Plan-Do-Check-Act approach for continuous improvements in this constantly changing environment.
The 3rd edition is updated with contemporary cybersecurity methods that expand on NIST’s Cybersecurity Framework and the North American Electric Reliability Corporation in their Critical Infrastructure Protection (NERC CIP) standards. The framework utilizes an adaptive risk assessment model that provides operators with the flexibility to proactively mitigate against the evolving cyber threat matrix.
What is Included in the 3rd Edition?
API Std 1164 was initially developed in response to the terrorist attacks of September 11, 2001. First published in 2004, it was created to help the industry understand and protect against risks posed by attackers targeting a pipeline facility’s Supervisory Control and Data Acquisition (SCADA) controls.
Today, the standard has been expanded to cover all control systems instead of solely SCADA systems. The 3rd edition incorporates the many lessons learned and technological developments the industry has implemented over the last 17 years.
Furthermore, the updated edition provides organizations with expanded coverage of industrial automation and control environments (IAC). This framework adheres to the U.S Transportation and Security Administration (TSA) required Corporate Security Program.
Other notable elements include:
- Specific requirements to strengthen pipeline cyber assets from threats, including ransomware attacks
- Critical connection points with infrastructure and operations that interact with pipelines, including terminals and refineries, to strengthen cybersecurity along the supply chain
- Comprehensive model for the implementation of pipeline control system cybersecurity
- New risk rating system with actionable approaches to managing cybersecurity risk
- Preventative measures to protect critical infrastructure from cybersecurity damage
- Tools to conduct effective Security Risk Assessments (SRA) to identify threats and establish mitigating measures
- Assimilated findings and intelligence from real-world events
API’s Commitment to Intelligence and Collaboration
API Std 1164 is not the only document in API’s catalog of more than 700 standards that addresses cybersecurity and risk assessment. API’s security risk assessment standard, API Standard780, is recognized by the Department of Homeland Security (DHS) as an anti-terrorism tool. Additionally, API Recommended Practice (RP) 1173, Pipeline Safety Management System, outlines comprehensive strategies for developing and implementing pipeline safety management systems. Pairing these documents with API Std 1164 can help operators develop a robust pipeline cyber strategy.
In addition to standards, API recognizes that public-private partnerships, collaboration, and information sharing are essential to managing cybersecurity threats. API and its members participate in the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC) and the Downstream Natural Gas Information Sharing and Analysis Center (DNG-ISAC) to share information with the intelligence community and federal agencies and to facilitate the incorporation of threat mitigation into cybersecurity programs for the industry.
Through these public-private partnerships, as well as well as governmental participation in API’s standards development process, API will continue to work closely with federal regulators, including TSA and CISA, to find and implement the most effective and efficient paths to protecting critical energy infrastructure while not impeding business operations.
API and its members recognize the critical role the oil and natural gas industry play in ensuring that Americans can continue to have access to the affordable and reliable energy that they use every day.
About API Standards
With 100 years of experience as a standards-setting organization, API is accredited by the American National Standards Institute (ANSI) and has developed more than 700 standards to enhance safety, security, environmental protection, reliability, and sustainability through sound engineering practices.
API standards are developed in collaboration with natural gas and oil companies, manufacturers, service suppliers, contractors and consultants, government representatives, NGOs and academic institutions.
To learn more about API Std 1164 and the other work API is doing to advance safety through standards development, visit www.API.org.