Updated Cybersecurity Standard Helps Protect Infrastructure

Mark Green
Posted August 26, 2021

Calls for new government cybersecurity mandates to protect the nation’s energy infrastructure after the ransomware attack on the Colonial Pipeline earlier this year failed to acknowledge some key things about addressing cyber threats, including:

• Cybersecurity not only threatens the pipeline industry, but also all critical infrastructure, industries and even government entities.
• The speed with which such threats are evolving, making it unlikely legislation and regulatory processes could keep up.
• The degree to which our industry already is engaged with government agencies to identify emerging cyber threats.
• Our industry’s strong commitment to take the initiative in protecting its infrastructure and other assets.

That last bullet provides context for the release of API’s updated Standard 1164, covering pipeline control systems cybersecurity.

The update – the third edition of Std. 1164 – reflects the natural gas and oil industry’s commitment to protect critical infrastructure, and API’s member companies are highly motivated to do so.

Std. 1164 establishes requirements to harden pipeline security against a range of threats, including ransomware, and provides enhanced protections at pipelines, terminals and refineries. It includes improved risk assessment guidelines, a comprehensive model for implementing pipeline cybersecurity, and a framework for building out a strong industrial automation control (IAC) security program – as part of TSA’s required corporate security program. (More on Std. 1164 here.)

Debra Phillips, API senior vice president of Global Industry Services, said the updated standard builds on industry’s long history of working with the federal government to protect pipelines and other critical energy infrastructure:

“What sets this framework apart is its adaptive risk assessment model that provides operators with an appropriate degree of flexibility to proactively mitigate against the rapidly evolving cyber threat matrix.”

This ability to be agile in identifying and addressing evolving cyber threats is so important. Operator flexibility means companies can see specific threats to their facilities and operations and adapt defenses against them based on their own operating systems. We believe this is more responsive and effective to rapidly evolving threats than government-mandated measures.

Two important points to underscore. First, our companies have made major investments in facilities and infrastructure and want to protect them against cyber criminals. The old narrative – that government must require industry to be proactive – is just that, old. Suzanne Lemieux, API manager for operations security and emergency-response policy, told the Wall Street Journal recently:

“There’s a misconception that operators won’t take steps to protect against cyber threats unless they are mandated to by regulators. That overlooks the fact that companies across all industries have a business incentive to protect their data and operations from malicious actors.”

The other point is that instead of government mandates, our industry and others in the private sector need increased information-sharing from government agencies that develop key intelligence on cyberattacks. Lemieux:

“There’s a lot of intelligence coming through right now that just doesn’t make its way to private-sector operators who need it to make better defenses for their systems. … It takes months to declassify things. We need to really improve how they’re postured to share with the private sector.”

Useful, timely information from agencies and the development of industry initiatives such as updated API Std. 1164 offer the best way to uncover and deal with cyber threats that can do great harm to industry and American consumers.