Protecting America's Critical Energy Infrastructure

Suzanne Lemieux
Posted May 10, 2021

Over the weekend, Colonial Pipeline Company experienced a cybersecurity attack, which has since been identified as ransomware, forcing the shutdown of one piece of U.S. critical energy infrastructure. Colonial Pipeline is issuing updates about their operations and response activities as well as precautionary and other measures they’ve taken to protect the safety and security of their energy systems. Read their press statements here.

As Colonial Pipeline consults with law enforcement and other federal agencies, the broader U.S. natural gas and oil industry continues to focus on mitigating cybersecurity risks and adapting to this evolving threat landscape. In recent months, ransomware attacks have disrupted public services in major U.S. cities as well as businesses in healthcare and manufacturing, among other essential industries. We encourage government policies that allow companies to innovate and refine processes that protect against future incidents.

API member companies are committed to protecting America’s critical oil and natural gas infrastructure, safeguarding intellectual property and providing affordable, reliable energy for everyday use.

Below, answers to frequently asked questions about industry and cyber security. More information here.

What do natural gas and oil pipeline companies do to protect their systems from cyber threats?

Liquid and natural gas pipeline operators take the cybersecurity of their assets and operations very seriously. Cyber threats targeting all of America’s critical infrastructure continue to evolve and cannot be ignored. Energy companies utilize their own security experts, vendors and partnerships with the intelligence community to maintain awareness of these threats and get the information they need to protect and defend their systems. Many pipeline companies also participate in the Downstream Natural Gas Information Sharing and Analysis Center (ISAC) and Oil and Natural Gas ISAC as other vectors to receive and share cyber threats throughout the industry.

While there are an increasing number and severity of cyber threats to pipelines and other U.S. critical infrastructure, that does not equate to higher vulnerability. Pipeline companies are continuously investing in their cyber infrastructure to respond to threats and the evolving sophistication of their attackers.

How do pipeline operators work with government to defend against cyber threats?

Pipeline operators are aware of the growing cyber threats against U.S. critical energy infrastructure and engage consistently with relevant government partners and the intelligence community to ensure they have the latest and best information to defend their networks and secure their operations.

Government efforts related to pipeline security are covered by the Transportation Security Administration’s (TSA) Office of Security Policy and Industry Engagement’s Surface Division. With the assistance of industry and government members of the Pipeline Sector and Government Coordinating Councils, industry association representatives and other interested parties, TSA developed the Pipeline Security Guidelines. Utilizing a similar industry and government collaborative approach, these guidelines are regularly updated to reflect the advancement of security practices to meet the ever-changing threat environment in both the physical and cybersecurity realms.

Pipeline operators also regularly engage with the Cybersecurity and Infrastructure Security Agency (CISA) in the Department of Homeland Security (DHS), as well as the Department of Energy (DOE), to discuss cyber threats and campaigns, share threat information, participate in exercises and receive intelligence briefings.

What cyber security resources are commonly used by pipeline operators?

There are a number of both natural gas and oil and broader industry resources available to pipeline operators to manage cyber security threats. Examples include but are not limited to:

• API Standard 780: Facilitates effective Security Risk Assessments (SRA), used to identify and mitigate threats; Certified by the Department of Homeland Security (DHS) as a qualifying anti-terrorism technology.
  • API will quickly work with our standards and policy committees as well as other subject matter experts to evaluate the outputs from the ongoing investigation stemming from the Colonial incident. Based on the outcomes of the investigation, API will work closely with Colonial and our partners at DHS should any actions fall within the scope of protection offered by API’s SAFETY Act certification.
• National Institute of Standards and Technology (NIST) Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF): Pre-eminent Framework adopted by companies in all industry sectors; Natural gas and oil companies increasingly orient enterprise-wide programs around NIST CSF.
• International Electrotechnical Commission’s (IEC) 62443: Pre-eminent family of standards for industrial control systems (ICS) security; Widely adopted by natural gas and oil industry; applicable to any type of natural gas and oil ICS.
• International Organization for Standardization (ISO) 27000: Best-known standard in the family providing requirements for an information security management system (ISMS).
• API Standard 1164: Content unique to pipelines not covered by NIST CSF and IEC 62443; Currently being updated with expected completion in 2021.