In a recent webinar, Axio’s Global Co-founder and President, David White, sat down with American Gas Association’s Managing Director of Security and Operations, Kimberly Denbow, to discuss the latest release (v3) of API-1164, Pipeline Control Systems Cybersecurity, which is a NIST CSF-based community standard for cybersecurity regulation. We encourage you to check out the full webinar for all the enlightening details and discussion, which can be found on Axio’s website. Read on for some highlights…
API-1164 Overview and History
API-1164 is a standard released by the American Petroleum Institute (API) for pipeline and SCADA systems that was initially developed after the terrorist attacks on 9/11. From its inception, the primary objectives in creating this standard have been to help businesses:
- Analyze vulnerabilities that could be exploited as part of a cyber-attack,
- List the processes to identify those vulnerabilities,
- Provide best practice guidance around hardening the core architecture for pipeline control systems, and
- Provide examples of industry best practices to improve pipeline cybersecurity across the sector.
Version one (v1) was released in September of 2004 and was created to provide guidance for operators of oil and gas liquid pipeline systems. Version two (v2) was released in 2009 and was updated with other API standards to improve cybersecurity, including the NIST 800 series. The latest release, v3, debuted in August of last year. It was rewritten to increase its scope to cover all pipeline operation technology environments for both oil and natural gas.
API-1164 v3 Development
With significant support from the oil and natural gas business community, API-1164-v3 was developed using a consensus-based approach. Owners, operators, and federal partners were involved from beginning to end using fundamental security principles across critical infrastructure sectors – not just the pipeline sector. Collaboration was crucial throughout the development process, and included contributors from the Dept. of Energy, CISA, AGA, TSA, and many others. A three-year project, the latest version of the standard involved:
- Over 5000 hours of work from pipeline owners and operators
- Over 75 industry experts collaborating and contributing
- A total of 300 working sessions
- Over 50 companies in participation
- 25 full-day workshops
API-1164 v3 Objectives: Applicability and Flexibility
API-1164 v3 will have broad applicability to other sectors because it now includes a progression of controls that can be customized to businesses of any size across industries. With greater flexibility and applicability, the controls in v3 are designed to be driven by:
- Your organization’s business and its mission objectives
- Critical cyber threats your company faces
- The impact those threats may have if they occur
- Any other organization-specific constraints
The strategy behind this design means you or any organization can fine-tune the suggested protection requirements to best meet your business’ operating condition, position, and risk tolerance.
Want More Information?
For full details on API-1164 v3, download our webinar here, where David and Kimberly cover additional details of the new standard, including building blocks like the NIST CSF-800 series and ISA/IEC 62443 that were used to inform the latest version. They also discuss how business stakeholders across different industries can leverage it to their advantage. API-1164 v3 is the “best in breed” for pipeline security standards. Stay tuned for our ongoing, in-depth coverage of this latest release and how it can apply to your organization.