American Petroleum Institute releases new report featuring cybersecurity in the oil & gas industry

GAIN recognizes that in addition to growing our nation’s infrastructure, it is critical that we also prioritize protecting what is already in the ground. The American Petroleum Institute (API), in conjunction with the Oil and Natural Gas Subsector Coordinating Council and the Natural Gas Council, recently released a new report emphasizing the importance of cybersecurity in the oil & gas industry. The report highlights the industry’s “resilience and preparedness to defend itself and energy consumers against malicious cyber threats,” as well as “providing insight for policymakers into the comprehensive cybersecurity programs of the natural gas and oil industry.” The report goes into great detail, describing cybersecurity efforts from the time natural gas is extracted till it reaches the consumer:

Cybersecurity in the natural gas and oil industry applies throughout the value chain, extending from wellheads to pipelines and through to the supply of natural gas to an electric power generation facility or gas utility, or the supply of oil to a refinery and through to the manufacturing of fuels and sales at a gasoline station.

However, a misconception has recently developed that implies natural gas pipelines are more vulnerable to attacks than other energy infrastructure. Although it is true that cyberattacks targeting US energy infrastructure are on the rise, our pipelines have a number of security mechanisms in place to ensure safe, efficient operation. As the report notes, there are a series of industry guidelines that are closely adhered to, as energy companies are continuously evaluating potential risks and adding increased levels of enhanced security. Expanding on this point, the report contends:

Furthermore, the natural gas system is highly resilient because the production, gathering, processing, transmission, distribution and storage are highly flexible and elastic – characterized by multiple fail-safes, redundancies and backups. Pipeline companies have in place layers that protect against cascading failure, which also include mechanical controls that are not capable of being overridden through any cyber compromise of [industrial control systems].

A layered defense approach provides optimal protection in the rapidly evolving cyber threat landscape, as no one layer of defense or technology will ever be completely effective. This approach creates a landscape that is much more challenging for an attacker to fully penetrate – providing necessary time to implement defensive response measures.

Industry works closely with the government agencies responsible for cybersecurity throughout each of these segments – from Coast Guard regulatory oversight in maritime and maritime-facing facilities to TSA regulatory oversight of pipelines, as well as bi-directional sharing with the U.S. intelligence community via DHS/NCCIC, DOE, FBI and others – ensuring collaboration and communication at every point.

Through strong public-private partnerships and ongoing technological advancements, energy companies will be able to continue to protect and maintain pipelines around the country. GAIN appreciates the extensive efforts of the American Petroleum Institute in compiling this comprehensive report on the continued need to protect our nation’s critical energy infrastructure.

Read the full report here.