New edition of cybersecurity standard for pipelines published
In development since 2017, the third edition is based on the National Institute of Standards and Technology Cybersecurity Framework and NERC Critical Infrastructure Protection standards. It significantly expands the scope compared to the previous edition of the standard to cover all control system cybersecurity, instead of solely supervisory control and data acquisition systems.
“The new edition of API Standard 1164 builds on our industry’s long history of engaging and collaborating with the federal government to protect the nation’s vast network of pipelines and other critical energy infrastructure from cyber-attacks,” said Debra Phillips, senior vice-president of API Global Industry Services.
“This standard will help protect the nation’s critical pipeline infrastructure by enhancing safeguards for both digital and operational control systems, improving safety and preventing disruptions along the entire pipeline supply chain.
“What sets this framework apart is its adaptive risk assessment model that provides operators with an appropriate degree of flexibility to proactively mitigate against the rapidly evolving cyber threat matrix.”
Christina Sames, senior vice-president for safety, operations and security at the American Gas Association, commented: “This premier standard helps the operator manage cyber risks associated with control system cybersecurity environments by providing requirements and guidance for proper isolation of control system environments from non-control system environments.”
The third edition is a result of expert input from more than 70 organisations, including state and federal regulators within FERC, TSA, PHMSA, CISA, DoE and NIST, as well as Argonne National Laboratory, the American Gas Association, Interstate Natural Gas Association of America, the Association of Oil Pipe Lines, and numerous pipeline operators.
This expansion of the standard supports the Biden Administration’s national security priorities as well as the UN Sustainable Development Goal 9 for resilient infrastructure. The updated standard establishes requirements to harden pipeline cybersecurity assets against a range of threats, including those posed by ransomware.
It provides enhanced protection at critical connection points along the supply chain, specifically at pipelines, terminals, and refineries. Additionally, it includes improved risk assessment guidelines, a comprehensive model for implementing pipeline cybersecurity, and a framework for building out a robust industrial automation control security programme, as part of the corporate security programme required by the US Transportation Security Administration.