This article is sponsored by the American Petroleum Institute.
Against a backdrop of increased cyberattacks against critical infrastructure, the American Petroleum Institute (APO) has released an updated standard for pipeline control systems cybersecurity, better known as API Standard 1164. This third edition includes improved risk assessment guidelines, a comprehensive model for implementing pipeline cybersecurity and a framework for building out a strong industrial automation control (IAC) security program, as part of the Transportation Security Administration’s required corporate security program.
SmartBrief asked Suzanne Lemieux, director for Operations Security and Emergency Response Policy at API, what was involved in updating the standards and how API members can protect their pipelines from cyberattacks.
How does the updated Standard 1164 better protect American pipelines from cyberattacks?
API Standard 1164 specifies requirements to strengthen protection of pipeline assets from cyber threats, including ransomware attacks. It focuses on critical connection points with infrastructure and operations that interact with pipelines, including terminals and refineries, strengthening cybersecurity along the entire pipeline supply chain.
The third edition incorporates the many lessons learned and technological advancements the industry has experienced over the 17 years since the standard’s first publication. The first two editions focused primarily on a pipeline operator’s Supervisory Control and Data Acquisition (SCADA) controls. With this new edition, we’ve expanded coverage of industrial automation and control environments (IAC) and introduced more advanced cybersecurity methods.
The new edition also provides a comprehensive model for implementing pipeline cybersecurity, a new risk rating system with actionable approaches to managing cybersecurity risk, and tools to conduct effective Security Risk Assessments (SRA) to help identify threats and establish mitigating measures.
How does the third edition align with TSA’s Guidelines for Pipeline Security?
After the Colonial Pipeline incident, the U.S. Transportation and Security Administration (TSA) issued two security directives focused on pipeline cybersecurity. The directives mandated examinations of operator cybersecurity procedures for the largest pipeline operators in the country. Standard 1164, which was in development since 2017, published just months after the incident and shortly after TSA issued the security directives. The standard incorporates a risk assessment process, which incorporates aspects of the 2018 TSA Guidelines for Pipeline Security.
Additionally, this edition’s expanded coverage of IACs may assist companies as they plan for TSA’s Corporate Security Program.
In what ways can the government best support industry efforts to protect critical infrastructure such as pipelines?
The development of the third edition of Standard 1164 is a great example of the success that public-private partnerships can achieve in providing guidance for protecting pipelines and other infrastructure. Working across 70 organizations, including state and federal regulators within FERC, TSA, PHMSA, CISA, DoE and NIST, as well as Argonne National Laboratory, the American Gas Association (AGA), the Interstate National Gas Association of America (INGAA), the Association of Oil Pipe Lines (AOPL) and numerous pipeline operators, this document represents the collective expertise of many to achieve an outcome that will allow industry to be more responsive, effective and safe.
As we move forward, API will continue to work collaboratively with these organizations to implement the most effective strategies for protecting critical energy infrastructure. API, operators and regulators will continue to assess what regulations and practices are necessary to protect pipeline cyber assets.
What lessons did the natural gas and oil industry learn from the ransomware attack in May on Colonial Pipeline?
The ransomware attack was a strong reminder that the industry’s efforts to continuously improve practices and standards is of the utmost importance to help protect the nation’s energy infrastructure.
We know that cybersecurity threats endanger not just pipelines but infrastructure across other industries and government entities. The Colonial Pipeline incident revealed the speed at which these threats can evolve, highlighting the importance of standards, in addition to legislation and regulation, to manage cybersecurity threats.
It has also deepened our industry’s discussions with government agencies to drive progress to quickly assimilate findings from the Colonial Pipeline incident to advance our standards and harden our assets to cyberattacks.
API hosted the 16th Annual API Cybersecurity Conference and Expo last month. What opportunities were provided at this event and others for API members to collaborate on cybersecurity?
API’s Cybersecurity Conference provides a great opportunity for our industry — from industry subject matter experts and academia to cybersecurity vendors and suppliers — to come together to advance safety and security in this area of ever growing importance. This last conference felt especially important as it was our first time coming today in-person since before the pandemic.
The conference provides a forum to discuss methods for preventing bad actors from gaining access to critical systems and infrastructure, what the scene looks like over the horizon, and how the latest technologies can help counter cyber espionage, address cyber warfare and make industrial automated control systems more secure.
This year, the conference provided an opportunity for attendees to earn CPEs (Continuing Professional Education), maintaining their certifications and required hours. It also provided the opportunity — as it does every year — for networking and idea exchange, with our dedicated sponsors and exhibitors sharing their latest products and services.
How can a cybersecurity strategy respond quickly to developing threats, while also enforcing strict protocols across a diverse organization?
API and our members remain steadfast in our commitment to protect critical infrastructure from cyber threats. API Standard 1164 gives the industry a framework and foundation to be agile in identifying and addressing these threats, ultimately enabling the industry to be more responsive and effective.
API members recognize the critical role that their organization plays in ensuring that Americans can continue to access affordable and reliable energy. API Standard 1164 will help the industry continue to combat cyber threats.
About Suzanne Lemieux
Suzanne Lemieux is API’s director for Operations Security & Emergency Response Policy. She is primarily responsible for cyber and physical security policy, emergency preparedness and response, UAS policy, oil spill preparedness and response, and public and private stakeholder engagement. Previously, she served as manager of API’s Midstream and Industry Affairs group. Before joining API, Lemieux worked for BCS Inc. at the US Energy Department’s Office of Electricity Delivery and Energy Reliability and for MCI Worldcom. She is a graduate of the National Preparedness Leadership Initiative Executive Education Program at the Harvard Kennedy School’s Center for Public Leadership and the Harvard T.H. Chan School of Public Health. She has a master’s degree in Public and International Affairs from the Virginia Polytechnic Institute and State University and a bachelor’s of Business Administration in Marketing Management from Radford University.