Public-Private Collaboration is Best Cyber Defense for Pipelines
John D. Siciliano
Posted May 20, 2021
Even before the Colonial Pipeline reopened after a criminal cyber attack, some were demanding action, including Federal Energy Regulatory Commission (FERC) Chairman Richard Glick’s call for mandatory cybersecurity standards.
The attack on Colonial caused major disruptions – underscoring the importance of getting the response right. Unfortunately, some in Washington can’t help but react to an issue before the facts are clear and before calm, rational analysis can guide the best response.
The fact is that the natural gas and oil industry has a long history of engaging and collaborating with the federal government to protect the nation’s vast network of pipelines and other critical energy infrastructure from cyber attacks.
The key is an active, robust information-sharing relationship with federal partners on specific threats – as well as regularly updated industry standards for cyber assessment and protection – not prescriptive, bureaucratic rules that actually could hinder the industry’s ability to identify and adapt to threats. API President and CEO Mike Sommers told CNN the industry is actively working to protect itself in collaboration with government officials, and that an economywide approach to protecting against cyber attacks is critically important:
“All of our member CEOs are focused on making sure that they have their cyber defenses in place, and we want to work with the federal government on making sure that there aren’t vulnerabilities to our energy supply. … This is an economywide issue. This isn't just something that exists within the oil and gas industry. Every American company has suffered these kinds of cyber attacks, and we need to make sure that we have a robust system in place that can fight back against these rogue actors.”
Our industry has in place more than 700 standards, including a number that are focused on the kind of cyber-risk assessment that is more likely to be effective against threats than a static, one-size-fits-all approach that struggles to keep up with the rapidly changing cyber-threat landscape. Three API standards are integral to industry’s ongoing work to counter cyber threats:
- API Recommended Practice 1164 – Pipeline supervisory control and data acquisition (SCADA) focuses on holistic security practices, recognizing cyber security is continuous, not a one-time event. Pipeline security is improved by identifying and analyzing potential vulnerabilities, developing a list of comprehensive practices to harden core architecture and providing examples of industry best practices. RP 1164 is being revised and updated currently, with a new edition expected in the next few months.
- API 780 – Provides tools to conduct effective Security Risk Assessments, which are used to identify threats to facilities as well as countermeasures to those threats. Last October, API 780 was certified as an anti-terrorism technology by the U.S. Department of Homeland Security (DHS) under the Support Anti-terrorism by Fostering Effective Technologies Act of 2002. This provides liability protection if API members and others using API 780 have a terrorist attack at one of their facilities.
- API 1173 – Pipeline Safety Management Systems provides pipeline operators with safety management system requirements that when applied provide a framework to reveal and manage risk, promote a learning environment, and continuously improve pipeline safety and integrity.
Working together on industry standards and operating procedures is the best way to drive progress across the breadth of industry. Working through industry associations, such as API, can mobilize assessments to further drive improvements. These approaches can allow industry members to adapt and respond to threats, which, as we said above, are constantly evolving.
At the same time, our industry is continuing to deepen collaboration with DHS, the U.S. Department of Transportation, the U.S. Commerce Department and others across the government on cyber security. Some, including FERC Commissioner Neil Chatterjee, the panel’s former chairman, recognize the need for flexibility in countering cyber threats. Chatterjee to CNN:
“I think that our adversaries are sophisticated. I think they will continually adapt. This is why I have been short of calling for mandatory standards, [because] I think standards are the floor. We have to go much above standards. We have to be as sophisticated as our adversaries, as coordinated as our adversaries across the federal government, state government, [and] industry to stay ahead of these evolving threats.”
U.S. Homeland Security Secretary Alejandro Mayorkas said raising the “cyber hygiene” of the nation has been primarily a voluntary effort, emphasizing collaboration and public-private partnerships:
“We share information between the public and private sectors. We share best practices. We have cybersecurity directors to actually be onsite at a company’s facilities to assess it, to make recommendations, and to … voluntarily direct it to raise its cyber hygiene …”
Continuing and enhancing this kind of public-private collaboration is the best course for protecting America’s critical energy infrastructure. Sommers:
“We want to work with the federal government on building those robust defenses and also doing things to make sure that those people in other countries that are targeting energy infrastructure and other infrastructure are held accountable.”
About The Author
John Siciliano is a writer for API Global Industry Services’ Marketing and Communications Department. He joined API after 14 years as an energy and environment reporter and editor. Most recently, he was senior energy and environment writer for the Washington Examiner and the Daily on Energy newsletter. He began full-time reporting in Washington in 2001 as a foreign affairs correspondent, also covering national security and defense. His coverage of the Mideast and Saudi Arabia led him to become a full-time energy reporter. He earned a bachelor’s degree in psychology from Ohio Northern University, and he also holds a Master of Science degree in education from the Franciscan University of Steubenville.