The American Petroleum Institute has published the third edition of its Pipeline Control Systems Cybersecurity standard, API 1164.
The updated standard expands the scope of the previous edition by covering all control system cybersecurity, not just supervisory control and data acquisition (SCADA) systems. It includes requirements for pipeline cybersecurity for a range of threats, including ransomware, to provide enhanced protection along the supply chain, at pipelines, terminals and refineries. It also includes improved risk assessment guidelines, an implementation model, and a framework for building a robust industrial automation control (IAC) security programme meeting US Transportation Security Administration requirements.
The Colonial Pipeline, which is the largest in the US and carries 45% of the US East Coast’s fuel needs, was shut down in May 2021 by a major ransomware attack from Russian-linked hacker group DarkSide. The shutdown caused fuel shortages and price rises, with some refineries having to cut output. US president Joe Biden signed an executive order to ensure federal agencies work more closely with the private sector to strengthen US cybersecurity, including by sharing information and deploying technologies to increase resilience against cyberattacks.
API says that the updated standard supports the Biden administration’s national security priorities, and the United Nations Sustainable Development Goal (UN SDG) 9 for resilient infrastructure.
API 1164 has been in development since 2017. In developing the updated edition, API consulted with more than 70 organisations, including US state and federal regulators in the Federal Energy Regulatory Commission (FERC), the Transportation Security Administration (TSA), and the Pipeline and Hazardous Materials Safety Administration (PHMSA), as well as Argonne National Laboratory, the American Gas Association (AGA), Interstate Natural Gas Association of America (INGAA), the Association of Oil Pipe Lines (AOPL) and numerous pipeline operators. The standard is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the NERC-CIP (Critical Infrastructure Protection) standards.
‘The new edition API Std 1164 builds on our industry’s long history of engaging and collaborating with the federal government to protect the nation’s vast network of pipelines and other critical energy infrastructure from cyber-attacks,’ says senior vice-president of API Global Industry Services (GIS) Debra Phillips. ‘This standard will help protect the nation’s critical pipeline infrastructure by enhancing safeguards for both digital and operational control systems, improving safety and preventing disruptions along the entire pipeline supply chain. What sets this framework apart is its adaptive risk assessment model that provides operators with an appropriate degree of flexibility to proactively mitigate against the rapidly evolving cyber threat matrix.’