February 2022, Vol. 249, No. 2
Features
New API Cyber-Standards Offer Comprehensive Approach for Pipelines
Special to P&GJ
The American Petroleum Institute (API) has published its third edition of Standard Pipeline Control Systems Cybersecurity, underscoring the natural gas and oil industry’s ongoing commitment to protecting the nation’s critical infrastructure from malicious and potentially disruptive cyberattacks.
In development since 2017, the standards are the result of contributions from more than 70 organizations, including state and federal regulators within the Federal Energy Regulatory Commission (FERC), Transportation Security Administration (TSA), Pipeline and Hazardous Materials Safety Administration (PHMSA), Argonne National Laboratory, American Gas Association (AGA), Interstate National Gas Association of America (INGAA), and Association of Oil Pipe Lines (AOPL).
It is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and North American Electric Reliability Corporation–Critical Infrastructure Protection (NERC-CIP) standards. It significantly expands the scope compared to the previous edition of the standard to cover all control system cybersecurity instead of solely SCADA systems.
“This standard will help protect the nation’s critical pipeline infrastructure by enhancing safeguards for both digital and operational control systems, improving safety and preventing disruptions along the entire pipeline supply chain,” said API Senior Vice President of API Global Industry Services (GIS) Debra Phillips. “What sets this framework apart is its adaptive risk assessment model that provides operators with an appropriate degree of flexibility to proactively mitigate against the rapidly evolving cyber-threat matrix.”
The expansion of the standard supports the Biden administration’s national security priorities as well as the United Nations Sustainable Development Goal (UNSDG) 9 for resilient infrastructure. The updated standard establishes requirements to harden pipeline cybersecurity assets against a range of threats, including those posed by ransomware.
“This premier standard helps the operator manage cyber-risks associated with control system cybersecurity environments by providing requirements and guidance for proper isolation of control system environments from non-control system environments,” said AGA Senior Vice President for Safety, Operations and Security Christina Sames.
The guidelines provide enhanced protections at critical connection points along the supply chain, specifically at pipelines, terminals and refineries. Additionally, it includes improved risk assessment guidelines, a comprehensive model for implementing pipeline cybersecurity and a framework for building out a robust industrial automation control (IAC) security program as part of the U.S. TSA-required corporate security program.
This new edition combines with other API standards to form a framework that is integral to industry’s ongoing work to counter cyber-threats, including:
- API 780 – Provides tools to conduct effective security risk assessments, which are used to identify threats to facilities as well as countermeasures to those threats. Last October, API 780 was certified as an anti-terrorism technology by the U.S. Department of Homeland Security (DHS) under the Support Anti-terrorism by Fostering Effective Technologies Act of 2002. This provides liability protection if API members and others using API 780 have a terrorist attack at one of their facilities.
- Recommended Practice 1173 – Pipeline safety management systems provide pipeline operators with safety management system requirements that, when applied, provide a framework to reveal and manage risk, promote a learning environment and continuously improve pipeline safety and integrity.
API represents all segments of America’s natural gas and oil industry, which supports more than 11 million U.S. jobs and is backed by a growing grassroots movement of millions of Americans.
Comments