The American Petroleum Institute (API) has published an updated edition of its cybersecurity standard for pipelines, which it says provides a comprehensive approach to cyber defense for critical infrastructure.

The update, which has been in development since 2017, is said to be a result of expert input from more than 70 organizations, including state and federal regulators within FERC, TSA, PHMSA, CISA, DoE, NIST, as well as Argonne National Laboratory, the American Gas Association (AGA), Interstate National Gas Association of America (INGAA), the Association of Oil Pipe Lines (AOPL) and numerous pipeline operators.

It is based on the NIST (National Institute of Standards and Technology) Cybersecurity Framework and NERC-CIP (Critical Infrastructure Protection) standards and significantly expands the scope, compared to the previous edition of the standard, to cover all control system cybersecurity instead of solely supervisory control and data acquisition (SCADA) systems, the API noted. The expansion of the standard supports the Biden administration’s national security priorities as well as the United Nations Sustainable Development Goal (UNSDG) 9 for resilient infrastructure, the API stated.

“The new edition API Std 1164 builds on our industry’s long history of engaging and collaborating with the federal government to protect the nation’s vast network of pipelines and other critical energy infrastructure from cyberattacks,” API Senior Vice President of API Global Industry Services (GIS), Debra Phillips, said in an organization statement.

“This standard will help protect the nation’s critical pipeline infrastructure by enhancing safeguards for both digital and operational control systems, improving safety and preventing disruptions along the entire pipeline supply chain. What sets this framework apart is its adaptive risk assessment model that provides operators with an appropriate degree of flexibility to proactively mitigate against the rapidly evolving cyber threat matrix,” Phillips added in the statement.

Commenting on the update, American Gas Association Senior Vice President for Safety, Operations and Security, Christina Sames, said, “this premier standard helps the operator manage cyber risks associated with control system cybersecurity environments by providing requirements and guidance for proper isolation of control system environments from non-control system environments”.

In July, the White House published a national security memorandum on improving cybersecurity for critical infrastructure control systems. Within the memorandum, U.S. President Joe Biden outlined that the cybersecurity threats posed to the systems that control and operate critical infrastructure are among the most significant and growing issues confronting the nation. He also highlighted that the degradation, destruction, or malfunction of systems that control this infrastructure could cause significant harm to the national and economic security of the United States. Biden issued an executive order on improving the nation’s cybersecurity on May 12. The actions followed a cyberattack on the Colonial pipeline in early May.

