October 2021, Vol. 248, No. 10
Cybersecurity
API’s Cybersecurity Standard Provides Approach to Protection
By Suzanne Lemieux, American Petroleum Institute (API)
Cybersecurity threats have become commonplace in our world and securing our nation’s energy infrastructure is more imperative than ever. As we’ve seen over the course of the year, cybersecurity not only threatens the pipeline industry, but also all critical infrastructure, industries and even government entities.
However, as critical infrastructure is needed to deliver affordable, reliable and cleaner energy, pipelines require essential protection against malicious and potentially disruptive cyberattacks.
The natural gas and oil industry approaches cybersecurity similar to the way we approach safety – as a top priory and by taking a systematic, multi-dimensional approach that allows us to adapt to the evolving cybersecurity landscape. Working together with industry and government, the American Petroleum Institute (API) has taken a major step to enhance protection of critical pipeline infrastructure by publishing the 3rd edition of Standard (Std) 1164, Pipeline Control Systems Cybersecurity.
Formed more than 100 years ago as a standards-setting organization, API is accredited by the American National Standards Institute (ANSI) and has developed more than 700 industry standards, to promote safety, security, environmental protection, reliability, and sustainability through proven engineering practices.
These standards and documents are developed in collaboration with natural gas and oil companies, manufacturers and suppliers, contractors and consultants, and government representatives, non-governmental organizations (NGO’s) and academic institutions. The ANSI accreditation ensures that API standards are recognized not only for their technical rigor but also their third-party accreditation. This process includes multiple opportunities for public consultation and input from interested stakeholders.
As technology evolves, so too do the guidelines and practices within API standards. Although security is not a novel concept, the ever-changing nature of technology and the connectivity of our modern lives provides more vulnerabilities in natural gas and oil operations. To counteract these ongoing threats, API standards include many that focus on physical and cybersecurity, cyber-risk assessments, and specifically, pipeline cyber security.
As an example, API Standard 780, Security Risk Assessment Methodology, provides tools to conduct effective security risk assessments, which are used to identify threats to facilities as well as countermeasures to those threats.
Providing a Framework
Last October, API 780 was certified as an anti-terrorism technology by the U.S. Department of Homeland Security (DHS) under the Support Anti-terrorism by Fostering Effective Technologies (SAFETY) Act of 2002. The DHS designation means that API members and others who use API 780 would have important protections in the event of a terrorist attack on their facilities.
API Recommended Practice (RP) 1173, Pipeline Safety Management Systems, provides pipeline operators with safety management system requirements that when applied provide a framework to reveal and manage risk, promote a learning environment, and continuously improve pipeline safety and integrity.
The newest addition to API’s cyber strategy is the 3rd edition of API Standard 1164, Pipeline Control Systems Cybersecurity, which helps protect the nation’s critical pipeline infrastructure by enhancing safeguards for both digital and operational control systems, improving safety and preventing disruptions along the entire pipeline supply chain.
The standard was initially developed in response to the terrorist attacks of Sept. 11, 2001. First published in 2004, it was originally created to help the industry understand and protect against the risks posed by any would-be attacker targeting a pipeline facility’s Supervisory Control and Data Acquisition (SCADA) controls.
The revision is based on the NIST (National Institute of Standards and Technology) Cybersecurity Framework and NERC-CIP (Critical Infrastructure Protection) standards and significantly expands the scope compared to the previous edition of the standard to cover all control system cybersecurity instead of solely SCADA systems.
Since initial publication, the cybersecurity landscape has evolved at a rapid pace and the industry has operationalized many innovative technologies to address new threats. The 3rd edition incorporates the many lessons learned and technological developments the industry has implemented over the last 17 years.
In particular, the 3rd edition establishes:
Additional specificity and requirements to harden pipeline cyber-assets from threats, including those from ransomware attacks.
Critical connection points with infrastructure and operations that interact with pipelines, including terminals and refineries. By addressing these interfaces, the 3rd edition strengthens cybersecurity along pipeline supply chains.
Comprehensive model for the implementation of pipeline cybersecurity, from laying out effective governance to building a secure supply chain, to building out plans for recovery from incidents.
A new risk rating system to provide operators actionable approaches to managing cybersecurity risk, with a focus on preventing cybersecurity threats from harming critical infrastructure.
A framework to develop a robust industrial automation control (IAC) security program as part of the U.S. Transportation Security Administration required Corporate Security Program.
In development since 2017, API Std 1164 is a result of expert input from more than 70 organizations, including state and federal regulators within FERC, TSA, PHMSA, CISA, DoE, NIST, as well as Argonne National Laboratory, the American Gas Association (AGA), Interstate National Gas Association of America (INGAA), the Association of Oil Pipe Lines (AOPL) and numerous pipeline operators.
“The new edition API Std 1164 builds on our industry’s long history of engaging and collaborating with the federal government to protect the nation’s vast network of pipelines and other critical energy infrastructure from cyber-attacks,” API Vice President, Standards & Segment Services, Alexa Burr said.
API Std 1164 takes a comprehensive management system approach to pipeline cybersecurity, from developing a customized cybersecurity program, to implementation and testing utilizing a Plan-Do-Check-Act approach for continuous improvement in this rapidly changing threat environment.
API Std 1164 was updated with contemporary cybersecurity methods, expanded, and based on work undertaken by NIST in their Cybersecurity Framework and the North American Electric Reliability Corporation in their Critical Infrastructure Protection (NERC CIP) standards.
The framework utilizes an adaptive risk assessment model that provides operators with an appropriate degree of flexibility to proactively mitigate against the rapidly evolving cyber threat matrix.
In addition to standards, public-private partnership, collaboration, and information sharing are essential to managing cybersecurity threats and tackling the continually changing threat landscape.
As such, API and its members value our participation in the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC) and the Downstream Natural Gas Information Sharing and Analysis Center (DNG-ISAC) to share information with the Intelligence Community, federal agencies, and facilitate the incorporation of threat mitigations into cybersecurity programs of companies in the natural gas and oil sector.
Through these public-private partnerships as well as through governmental participation in API’s standards development process, API will continue to work closely federal regulators, including the Transportation Security Administration (TSA) and the Cyber Security and Infrastructure Security Agency (CISA), to find and implement the most effective and efficient paths to protecting critical energy infrastructure while not impeding business operations.
API and our members remain steadfast in our commitment to protect our critical infrastructure from cyber threats. As such, API Standard 1164 gives the industry a framework and foundation to be agile in identifying and addressing these threats, ultimately allowing the industry to be more responsive and effective.
As an industry, API and its members recognize the critical role we play in ensuring that Americans can continue to have access to the affordable and reliable energy that they use every day, and API Standard 1164 will help the industry continue to do so.
Comments