As a prime target for cyberattacks, critical energy infrastructure — such as water systems, pipelines and power supplies — needs increased security measures to protect data, systems, supply chains and more.

There is a cyberattack every 39 seconds, and threats are growing in frequency and intensity. In 2020, the average ransomware payoff cost companies $1.2 million. A year later, the average cost is $4.2 million, with Colonial Pipeline paying as much as $5 million and at least one known attack resulting in a $70 million payout.

For oil and gas companies not properly protecting critical energy infrastructure, the cost can be astronomical. A threat can cost an owner/operator not only financially in ransomware payouts, but also in downtime and liability costs, as well as the loss of data, talent, revenue and reputation.

As cyberattacks escalate, regulations and standards are expanding and evolving rapidly to keep pace. In August 2021, the American Petroleum Institute (API) published its 3rd Edition of Standard 1164, Pipeline Control Systems Cybersecurity, underscoring the natural gas and oil industry’s commitment to protecting U.S. critical energy infrastructure from cyberattacks.

API 1164 provides a solid road map for electric and gas utilities as well as oil and gas pipeline owner/operators who need help guarding their systems against cyberattacks. This includes vulnerable connecting points along the supply chain, such as pipelines, ports and refineries.

The revised API standard is voluntary and works hand in hand with the U.S. Department of Homeland Security’s two cybersecurity requirements for critical infrastructure. Those two enforceable security directives call for new requirements for internal cybersecurity staffing and reporting. The directives also call for a criticality analysis to determine if a utility or pipeline has critical energy infrastructure assets. If so, suppliers are required to complete a cyber asset inventory, conduct a security vulnerability assessment and address cybersecurity weaknesses.

Bad actors can wreak havoc if they gain access to compressor stations, refineries, power plants, pipelines, SCADA systems, gas control units and electric transmission and distribution lines. API 1164 focuses on five key parts of an industrial automation control (IAC) security program to mitigate damage.

  1. Identify: The identify stage requires the establishment of formal IAC security program documentation in the form of policies, processes and operational and procedural controls. Understanding the resources that support critical functions and the related cybersecurity risks enables an organization to focus and prioritize its security efforts.
  2. Protect: The protect function supports the ability to reduce the impact of a potential cybersecurity event. A key component of this part of the plan is access control, which blocks unauthorized access and limits access from authenticated users to only the resources required to perform their authorized functions and duties.
  3. Detect: The detect function in an IAC plan addresses the actions related to the swift detection and identification of a cybersecurity incident. The detect portion of the plan is critical to a plan’s proper implementation since cyberattack response and recovery depend on prompt threat detection.
  4. Respond: The respond portion of an IAC plan should provide a guideline for implementing an organization’s cyber incident response capabilities. A proper response will efficiently minimize potential loss or disruption to essential functions. The plan should be developed to meet an organization’s mission, size, structure and functions. Predefined procedures help see that appropriate response sequencing takes place. An important part of response includes regular mock testing.
  5. Recover: Recovery may involve activities such as retrieving cyber assets from clean backups, rebuilding cyber assets, replacing compromised files or installing patches. In the recover stage, key learnings should be incorporated into the plan to strengthen protection against future attacks.

The challenge for most utilities and gas and liquid pipeline distributors is that cybersecurity regulations are often hard to interpret and apply. The new API 1164 standard gives owner/operators a solid framework for meeting the Department of Homeland Security’s cybersecurity regulations. The clock is ticking, with critical 90-day and 180-day windows for security directive compliance soon closing.

While many critical energy infrastructure owner/operators find developing an effective cyberattack plan costly, the price of not doing so could be even higher. That is why it’s critical to work with a consultant that has the technical understanding and competence to help navigate the federal cybersecurity compliance process.


Detailed analysis, coupled with in-depth regulatory knowledge and broad, real-world experience, is essential to determining optimal solutions that address costly cyber threats.

Michael D. Falk, a leader in pipeline and pipeline facility initiatives at Burns & McDonnell, consults with electric and gas utilities, specializing in operations management and regulatory compliance for interstate natural gas transmission and LNG and LP propane/air mix plants.