API Releases Cybersecurity Report For Oil And Gas Industry

By American Petroleum Institute

API, in coordination with the Natural Gas Council (NGC) and the wider membership the Oil and Natural Gas Subsector Coordinating Council (ONG SCC) released a report on Wednesday titled, ​“Defense-in-Depth: Cybersecurity in the Natural Gas and Oil Industry”.

The report describes the industry’s resilience and preparedness to defend itself and energy consumers against malicious cyber threats and provides insight for policymakers into the comprehensive cybersecurity programs of the natural gas and oil industry. In conjunction with the report, API launched a video highlighting the American natural gas and oil industry’s investment in people and cybersecurity technology to keep America’s energy infrastructure safe and operating reliably. 

This is a reminder to the Administration and policymakers on Capitol Hill that the oil and natural industry – an industry that provides cleaner, more reliable energy – is committed to investing its own capital to maintain and safeguard its infrastructure. In addition, API Midstream is working to finalize a shorter targeted pipeline-specific advocacy document on cybersecurity as a follow-on the release of this report. Key points in the Defense in Depth report include: 

• Companies acknowledge that cyberattacks can present ​“enterprise risks” – risks that could compromise the viability of a company – and have developed comprehensive approaches to cybersecurity.
• Companies orient their information technology (IT) and industrial control systems (ICS) cybersecurity programs to leading frameworks and best-in-class standards, especially the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the ISA/IEC 62443 Series of Standards on Industrial Automation and Control Systems (IACS) Security.
• Cyber threats are not new or unique to pipelines; they are present across the energy system, including at coal and nuclear plants. Pipeline companies have layers of security in place to protect against cascading failure, which also include mechanical controls that are not capable of being overridden through any cyber compromise of ICS.
• The natural gas and oil system is highly resilient because the production, gathering, processing, transmission, distribution and storage of natural gas and oil is geographically diverse, highly flexible and elastic, characterized by multiple fail-safes, redundancies and backups.
• Reliance upon voluntary mechanisms including proven frameworks and public-private collaboration, rather than prescriptive standards or regulations, is the best way to bolster the cybersecurity of natural gas and oil companies and the energy infrastructure they operate, and to afford the necessary flexibility and agility to respond to a constantly-changing cyber threat landscape.

AOPL endorsed the report as a member of the ONG SCC. 

For more information about the paper or video, please visit the API website.