The American Petroleum Institute (API) published the third edition of its pipeline cybersecurity standard this month. The standard focuses on mitigating cyber threats to industrial automation and control environments.
The third edition of Standard 1164, Pipeline Control Systems Cybersecurity, has been in development since 2017, with input from more than 70 companies. The standard is based on the NIST Cybersecurity Framework and the North American Electric Reliability Corporation's Critical Infrastructure Protection (NERC CIP) guidelines.
According to the API, the largest trade organisation for the oil and natural gas sector, this edition covers all control systems, whereas the previous edition covered only SCADA systems.
The new standard addresses the protection of pipeline assets from ransomware and other cyberattacks. It provides instructions on risk assessment, a model for implementing pipeline security, and a framework for an industrial automation and control security programme, as well as recommendations for protections at crucial supply chain connection points (such as ports, pipelines, and refineries).
The new edition, which costs $200, can be used in conjunction with other API standards such as Standard 780, which focuses on security risk assessments, and with recommended practices for pipeline safety management systems, according to the API.
“This standard will help protect the nation’s critical pipeline infrastructure by improving safeguards for both digital and operational control systems, improving safety and preventing disruptions throughout the pipeline supply chain,” said Debra Phillips, senior vice president of API Global Industry Services. “What distinguishes this methodology is its adaptive risk assessment paradigm, which gives operators the flexibility they need to proactively defend against the continually expanding cyber threat matrix.”
The revised edition of the pipeline cybersecurity standard was released following the intrusion at Colonial Pipeline. The May ransomware attack caused widespread disruption, prompting the reintroduction of the Pipeline Security Act, a TSA directive requiring pipelines to strengthen their defences, a DHS directive requiring pipeline operators to strengthen their cybersecurity, and other critical infrastructure security initiatives.
In a blog post about the new API standard, cybersecurity firm Trend Micro noted, “Industry standards and best practices are crucial in ensuring critical infrastructures and their operations are secured against malicious threats and other vulnerabilities.” “As threat actors become more sophisticated, government agencies and commercial businesses must future-proof their control systems and cybersecurity frameworks to reduce the danger of cyberattacks that might cost them millions of dollars and cause significant disruption.”