The American Petroleum Institute (API) published on August 18, 2021, the 3rd Edition of Standard (Std) 1164, Pipeline Control Systems Cybersecurity, underscoring the ongoing commitment of the natural gas and oil industry to protecting the nation’s critical infrastructure from malicious and potentially disruptive cyber-attacks.
A timely update
The new edition comes out following the damaging attack on Colonial Pipeline and President Biden’s Executive Order for securing the national critical infrastructure. The Colonial Pipeline, which is the largest in the US and carries 45% of the US East Coast’s fuel needs, was shut down by a major ransomware attack in May 2021 from Russian-linked hacker group DarkSide, which caused fuel shortages and price rises, with some refineries having to cut production. US president Joe Biden signed an executive order to ensure federal agencies work more closely with the private sector to strengthen US cybersecurity, including by sharing information and deploying technologies to increase reliance against cyberattacks. At the same time, World Economic Forum has released a report warning that the oil and gas sector needs to increase cyber security efforts to confront increased cyber-attacks.
Based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NERC-CIP (Critical Infrastructure Protection) standards, the updated API 1164 expands the scope of the previous edition by covering all control system cybersecurity, not just supervisory control and data acquisition (SCADA) systems. It includes requirements for pipeline cybersecurity for a range of threats, including ransomware, to provide enhanced protection along the supply chain, at pipelines, terminals, and refineries. It also includes improved risk assessment guidelines, an implementation model, and a framework for building a robust industrial automation control (IAC) security program that complies with the requirements of the US Transportation Security Administration (TSA).
API says that the updated standard supports the Biden administration’s national security priorities, and the United Nations Sustainable Development Goal (UN SDG) 9 for resilient infrastructure. “API Std 1164 reflects state-of-the-art cybersecurity protections tailored specifically to pipeline operations,” Association of Oil Pipe Lines President and CEO Andy Black said.
Why was the update necessary?
The updated edition was in development since 2017 and is the result of expert input from more than 70 organizations, including state and federal regulators within FERC, TSA, CISA, NIST, the US Department of Energy (DoE), the National Gas Association of America (INGAA), and numerous pipeline operators. The revision of the previous version became a necessity when the US Government Accountability Office (GAO) identified weaknesses in the TSA Pipeline Security Guidelines and recommended the revision of these cybersecurity guidelines.
The decision to update API 1164 originated from the fact that, “natural gas and oil companies’ assets are the target of a growing number of increasingly sophisticated cyberattacks perpetrated by a variety of attackers including nation-states and organized international criminals.” API and Oil and Natural Gas Subsector Coordinating Council (ONG SCC) had jointly stated that “cybersecurity is a top priority for the natural gas and oil industry,” because these attacks or severe cyber incidents may result in “energy disruptions that can impact national security and public safety.”
“The new edition API Std 1164 builds on our industry’s long history of engaging and collaborating with the federal government to protect the nation’s vast network of pipelines and other critical energy infrastructure from cyber-attacks,” API Senior Vice President of API Global Industry Services (GIS) Debra Phillips said in a press release. “This standard will help protect the nation’s critical pipeline infrastructure by enhancing safeguards for both digital and operational control systems, improving safety and preventing disruptions along the entire pipeline supply chain. What sets this framework apart is its adaptive risk assessment model that provides operators with an appropriate degree of flexibility to proactively mitigate against the rapidly evolving cyber threat matrix,” Philipps added.
With more than 2.7 million miles of pipeline transporting and distributing natural gas, oil, and other hazardous products throughout the United States, the interstate pipelines run through remote areas and highly populated urban areas. These critical infrastructures are vulnerable to accidents, operating errors, and malicious physical and cyber-based attacks or intrusion. Pipeline system disruptions could result in commodity price increases or widespread energy shortages.
Industry standards and best practices are paramount in ensuring critical infrastructures and their operations are secured against malicious threats and other vulnerabilities. With threat actors becoming more sophisticated, government agencies and private enterprises must future proof their control systems and cybersecurity frameworks to minimize the risk of cyber-attacks that could cause them millions of dollars and disruptions.
Talk to our experts to find out how Itegriti can help secure oil and gas companies.