October 2023, Vol. 250, No. 10
Features
Significance of API 1164 in Safeguarding Pipelines
By Alexa Burr, Vice President, Standards & Segment in the GIS Division, American Petroleum Institute (API).
(P&GJ) — Digital connectivity comes at a steep cost: security. Hardly a news cycle goes by without word of a cyberattack compromising sensitive data. Yet, the proverbial genie is already out of the bottle.
While legacy paper-and-pen record-keeping isn’t vulnerable to hackers thousands of miles away, in today’s global economy, let’s face it: Interconnectivity is an essential part of doing business. Which means that we must prioritize protecting our digital assets. It’s an ongoing battle that’s growing increasingly challenging.
Hackers today are often well-funded and part of organized groups intent on economic, political and social disruption. Nearly a quarter century ago (ancient in technology years), the world got a taste of what’s at stake.
In May 2000, people around the world began receiving provocative email attachments named “ILOVEYOU.” (This was when “phishing” was considered a mere misspelling.) The result was damaging and widespread, with millions of computers impacted around the world.
The digital worm inflicted billions in damages, a lesson that when we connect digitally, we expose our systems to compromise. For industries that are vital to our national security and infrastructure, such as the oil and natural gas sector, this revealed a pressing need: a robust framework to defend and respond to such cyber-threats. The American Petroleum Institute (API) responded by publishing (API Std. 1164, now in its third edition.
Cybersecurity
API, the leading trade association representing all segments of America’s natural gas and oil industry, has been at the forefront of driving advancements and promoting industry best practices for over a century. API was formed in 1919 as a standards-setting organization and has since developed over 800 standards that enhance operational integrity, safety, and sustainability.
With a deep commitment to health, safety, and environmental protection, API seeks to continuously improve industry practices, a commitment that led to the creation of API Std. 1164, Pipeline Control Systems Cybersecurity, first introduced in the early 2000s.
API Std. 1164 was an important first step at strengthening the security of pipeline Supervisory Control and Data Acquisition (SCADA) systems, which monitor and control the flow of oil and natural gas through large networks. While the standard didn’t mandate specific practices, it offered guidelines that received broad stakeholder agreement as to how best to protect pipelines against a cyberattack.
Over the years, as cyber-threats grew more sophisticated, API Std. 1164 has evolved, too, part of API’s ongoing effort to prevent a cyberattack from disrupting the energy infrastructure. Its current third edition has expanded beyond its initial SCADA scope.
It now includes a comprehensive approach to pipeline cybersecurity that incorporates additional specificity and requirements to harden pipeline cyber-assets from threats, including those from ransomware attacks. Additionally, it introduces a comprehensive management-system approach, addressing the entire pipeline supply chain, and a new risk rating system that provides operators actionable strategies to manage cybersecurity.
To understand its current state, it’s important to understand some basics about pipeline operations.
Current Landscape
The digital revolution has transformed the pipeline industry, bringing innovations that enhance efficiency, safety and cost-effectiveness.
While historically, pipelines were standalone mechanical systems, today they form sprawling, interconnected networks that incorporate Internet of Things (IoT) devices, cloud-based systems, and real-time data analytics. And it is this interconnectivity that has brought about considerable challenges, as pipelines have become an increasing target for cyber-threats that aim to destabilize energy infrastructures.
This is not hypothetical fear mongering, either. The May 2021 ransomware attack on Colonial Pipeline, an important pipeline for the U.S. East Coast, halted operations and disrupted a portion of our nation’s fuel supply. While an isolated event, the incident highlighted the importance of our pipeline infrastructure systems and the risk of a cyber-breach.
And it’s not just pipelines that are at risk when they suffer a cyberattack. Today’s pipelines often tap other critical infrastructures, such as power grids, water systems and transportation networks. A cyberattack on one sector can impact others, increasing the potential damage and disruption.
As a result of these threats, API’s focus has shifted from defending perimeter security to adopting a multi-layered cybersecurity strategy. Recognizing that defeating all cyberattacks is impossible, API’s approach has moved beyond just prevention and now includes detection, response, recovery and resiliency. And while API standards and recommended practices have been adopted to great success by operators around the world, government support offers enhanced visibility that leads to even more widespread adoption.
Such has been the fortune of API Std. 1164, which has recently earned the certification by the Department of Homeland Security as Qualified Anti-Terrorism Technology (QATT).
SAFETY Act Implications
Shortly after the September 11th attacks, the Homeland Security Act of 2002 was passed by Congress. This included the SAFETY Act legislation (Support Anti-Terrorism by Fostering Effective Technologies), which provides incentives for the development and deployment of anti-terrorism technologies that help prevent terrorist attacks.
As an incentive for companies to innovate and pursue such technologies, the SAFETY Act establishes liability limitations for claims resulting from an act of terrorism where QATTs have been deployed. To date, more than 1,000 anti-terrorism technologies have received endorsement pursuant to the SAFETY Act, including those used in airports, sports stadiums, parks and more.
The Act’s mission is twofold: first, to promote anti-terrorism technologies; and second, to promote the development of innovative security solutions, shielding their creators for the deployment of QATTs.
There are two principal categories of SAFETY Act protection, each with its distinct level of liability protection:
- SAFETY Act Designation is given to “Qualified Anti-Terrorism Technologies” and provides a basic level of protection, limiting liability to the amount of insurance that the Department of Homeland Security requires the seller to maintain.
- SAFETY Act Certification, for which SAFETY Act Designation is a pre-requisite, certifies a QATT as an “Approved Product for Homeland Security” and provides additional benefits. In addition to limiting liability to the amount of insurance that DHS requires the seller to maintain, it also allows the seller to assert the “Government Contractor Defense” for any claims arising from acts of terrorism.
Deep Dive
Published in 2021, API Std. 1164, 3rd edition, underscores the natural gas and oil industry’s ongoing commitment to protecting the nation’s critical infrastructure from malicious and potentially disruptive cyberattacks.
In development since 2017, the edition incorporates input from more than 70 organizations, including state and federal regulators within FERC, TSA, PHMSA, CISA, DoE, NIST (National Institute of Standards and Technology), as well as Argonne National Laboratory, the American Gas Association (AGA), Interstate National Gas Association of America (INGAA), the Liquid Energy Pipeline Association (LEPA) and numerous pipeline operators.
It is based on the NIST Cybersecurity Framework and NERC-CIP (Critical Infrastructure Protection) standards and significantly expands the scope compared to the previous edition of the standard to cover all control system cybersecurity instead of solely supervisory control and data acquisition (SCADA) systems.
The focus of API Std. 1164 is to help protect the nation’s critical pipeline infrastructure by enhancing safeguards for both digital and operational control systems, improving safety and preventing disruptions along the entire pipeline supply chain.
What distinguishes this framework is its adaptive risk assessment model that provides operators with an appropriate degree of flexibility to proactively mitigate against the rapidly evolving cyber-threat matrix. This expansion supports the Biden administration’s national security priorities as well as the United Nations Sustainable Development Goal (UNSDG) 9 for resilient infrastructure.
The updated standard establishes requirements to harden pipeline cybersecurity assets against a range of threats, including those posed by ransomware. It provides enhanced protection at critical connection points along the supply chain, specifically at pipelines, terminals, and refineries.
Additionally, it includes improved risk assessment guidelines, a comprehensive model for implementing pipeline cybersecurity, and a framework for building out a robust industrial automation control (IAC) security program as part of the U.S. Transportation Security Administration required corporate security program.
The endorsement gives API members and others that use the management system approach of API Std 1164, 3rd edition, liability protections if a cyber- terrorist attack impacts their pipeline operations.
Future Directions
While developing a successful strategy for combatting terrorist threats requires significant action from both the private and public sectors, associations like API play a pivotal role in their execution, fostering collaboration among stakeholders and collective knowledge-sharing.
This is an especially important approach, for as cyber-threats grow more sophisticated, siloed, go-it-alone approaches fall short in their effectiveness.
Through its transparent, collaborative approach to standards development – the precise process that has led to API Std. 1164 – API is helping facilitate comprehensive evaluations of cyber-infrastructure while calling out unified defense strategies. This approach not only upholds the integrity of individual industry stakeholders but serves to protect the industry as a whole against cyber-threats.
Looking Ahead
For the natural gas and oil industry, cybersecurity today is a boardroom imperative. As pipelines and critical infrastructure become increasingly integrated into complex systems, the risk of potential breaches is growing. Whether state-sponsored or not, bad actors are continually trying to impact the ways of life that we rely on today.
With robust frameworks like API Std. 1164, the industry is not standing still. It's actively evolving, anticipating, and adapting to new threats. And keep in mind, this is not a one-and-done proposition. Cybersecurity is an ongoing game of cat-and-mouse, and protection is measured as a snapshot in time.
While API Std. 1164 cannot prevent a cyberattack, it establishes a robust and proactive cybersecurity framework to enhance protection and resiliency. One that demonstrates a gold standard for duty of care and provides its adopters with liability protection.
Author: Alexa Burr is vice president of Segment Standards & Programs in API’s Global Industry Services division, which is responsible for standards setting, certification, training, events, publications and safety programs for industry operations. Prior to API, she worked at the American Chemistry Council in various roles where she oversaw the strategic direction of Responsible Care program and led international advocacy efforts on a range of issues. She holds an undergraduate degree in Biology of Global Health and a master’s in Biological Threat Agents and Emerging Infectious Diseases, both from Georgetown University.
Comments