The American Petroleum Institute (API), the Natural Gas Council (NGC) and the wider membership the Oil and Natural Gas Subsector Coordinating Council (ONG SCC) – the official body representing the operators of natural gas and oil infrastructure to federal agencies involved in industry-related security – released a report today titled, “Defense-in-Depth: Cybersecurity in the Natural Gas and Oil Industry.” The report describes the industry’s resilience and preparedness to defend itself and energy consumers against malicious cyber threats and provides insight for policymakers into the comprehensive cybersecurity programs of the natural gas and oil industry.
“Cybersecurity is a top priority for the natural gas and oil industry,” said API President and CEO Mike Sommers. “As the owners and operators of critical energy infrastructure, our companies are providing the leadership, proactive solutions and ongoing coordination with federal agencies to help prevent future cyberattacks. Natural gas and oil pipeline systems are purpose-built to be highly resilient and our members are leaders in cybersecurity, sharing cyber threat indicators and intelligence with each other and with the U.S. government through the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC).”
In conjunction with the report, API launched a video highlighting the American natural gas and oil industry’s investment in people and cybersecurity technology to keep America’s energy infrastructure safe and operating reliably. This is a reminder to the Administration and policymakers on Capitol Hill that the natural gas and oil industry – an industry that provides cleaner, more reliable energy – is committed to investing its own capital to maintain and safeguard its infrastructure.
Key points in the report include:
- Companies acknowledge that cyberattacks can present “enterprise risks” – risks that could compromise the viability of a company – and have developed comprehensive approaches to cybersecurity.
- Companies orient their information technology (IT) and industrial control systems (ICS) cybersecurity programs to leading frameworks and best-in-class standards, especially the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the ISA/IEC 62443 Series of Standards on Industrial Automation and Control Systems (IACS) Security.
- Cyber threats are not new or unique to pipelines; they are present across the energy system, including at coal and nuclear plants. Pipeline companies have layers of security in place to protect against cascading failure, which also include mechanical controls that are not capable of being overridden through any cyber compromise of ICS.
- The natural gas system is highly resilient because the production, gathering, processing, transmission, distribution and storage of natural gas is geographically diverse, highly flexible and elastic, characterized by multiple fail-safes, redundancies and backups.
- Reliance upon voluntary mechanisms including proven frameworks and public-private collaboration, rather than prescriptive standards or regulations, is the best way to bolster the cybersecurity of natural gas and oil companies and the energy infrastructure they operate, and to afford the necessary flexibility and agility to respond to a constantly-changing cyber threat landscape.
For more than 15 years, API has convened its member companies to address cybersecurity defense and to pioneer solutions in systems technology, network security and critical infrastructure protection. This information sharing within the industry and also between industry and government is a critical component of a robust and effective cyber defense strategy.
For more information about the paper or video, visit the API website.