This month’s Pipeline Technology Podcast episode sponsored by Pipeline & Gas Journal features Alexa Burr discussing API 1164, why it is important within the industry, and the current state of cyberthreats.
In this month’s episode, you will learn about when 1164 was updated and why, how companies are focusing more intently on cybersecurity, and ways to use 1164 in order to benefit and protect yourself.
Safety Act Certification of API 1164 Show Notes, Links, and Insider Terms
- Alexa Burr is the Vice President of Standards and Segment Services at API. Connect with Alexa on LinkedIn.
- API (American Petroleum Institute) represents all segments of America’s natural gas and oil industry. API has developed more than 800 standards to enhance operational and environmental safety, efficiency, and sustainability.
- Pipeline & Gas Journal is the essential resource for technology, industry information, and analytical trends in the midstream oil and gas industry. For more information on how to become a subscriber, visit pgjonline.com/subscribe.
- API 1164 (Pipeline Control Systems Cybersecurity) 3rd Edition was released in August 2021. The new version of the Standard provides a comprehensive approach to cybersecurity for the pipeline supply chain and sets a precedent for critical infrastructure.
- To learn more about the Pipeline Safety Management System (SMS), visit www.PipelineSMS.org.
- You can find API Standards like API 1164 on www.APIWebstore.org.
- Cybersecurity is the state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.
- The Natural Gas Pipeline Safety Act of 1968 required the Department of Transportation (DOT) to develop and enforce minimum safety regulations for the transportation of gases by pipeline.
- NGO stands for non-governmental organization. While there is no universally agreed-upon definition of an NGO, typically it is a voluntary group or institution with a social mission, which operates independently from the government.
- NERC (North American Electric Reliability Corporation) is a not-for-profit international regulatory authority whose mission is to assure the effective and efficient reduction of risks to the reliability and security of the grid.
- CIP (Critical Infrastructure Protection) plan consists of 9 standards and 45 requirements covering the security of electronic perimeters and the protection of critical cyber assets as well as personnel and training, security management, and disaster recovery planning.
- NIST (National Institute of Standards and Technology) is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness.
- IEC 62443 was developed to secure industrial automation and control systems (IACS) throughout their lifecycle.
- DHS (Department of Homeland Security) is the U.S. federal executive department responsible for public security.
- TSA (Transportation Safety Administration) develops broad policies to protect the U.S. transportation system, including highways, railroads, buses, mass transit systems, ports, pipelines, and intermodal freight facilities.
- The Cybersecurity and Infrastructure Security Agency (CISA) is a United States federal agency, an operational component under Department of Homeland Security (DHS) oversight. Its activities are a continuation of the National Protection and Programs Directorate (NPPD).
- Listen to the other Pipeliners Podcast episode discussing API 1164 here.
Safety Act Certification of API 1164 Full Episode Transcript
Announcer: “The Pipeline Technology Podcast,” brought to you by Pipeline and Gas Journal, the decision-making resource for pipeline and midstream professionals. Now your host, Russel Treat.
Russel Treat: Welcome to the Pipeline Technology Podcast, Episode 37. On this episode, our guest is Alexa Burr, Vice President of Standards and Segment Services at API. We’re going to discuss the recent SAFETY Act certification of API 1164, the standard for pipeline control systems cybersecurity. Alexa, welcome to the Pipeline Technology Podcast.
Alexa Burr: Thank you. Thanks so much for having me. I’m excited to be here today.
Russel: We’re excited to have you and we’re going to get to talk about cybersecurity, which is always something that I’m interested in. I find it fascinating because all you have to do is wait a week and the whole world’s changed in that. It moves really quickly.
Anyways, before we get going, why don’t you do an introduction, tell us a little bit about who you are, what you do, and how you found yourself in your current role.
Alexa: Sure. Thanks so much. I have been at API for about five years. I am the vice president of our standards and segment services department. That encompasses our entire standards development team, our intellectual property and distribution team.
They’re responsible for selling and distributing our standards around the world. We also have our safety programs team, which runs a number of safety programs for the entire oil and gas industry that are based on API standards.
Then we have our statistics team as well that does a lot of safety data collection and analysis. Again, often based on API standards. All of those groups report to me. As I mentioned, I’ve been here about five years.
Prior to API, I was at the American Chemistry Council, or ACC, where I oversaw the Responsible Care program, their environment, health, and safety program, as well as led a lot of their global advocacy. Then my academic background is actually a bit in Homeland Security.
I’ve been studying cybersecurity and other Homeland Security issues for a long time now.
Russel: Awesome. You have a nice smile on your face, so you’ve done well. You’ve not become jaded by working in that discipline for all those years.
Alexa: I try. It’s encouraging to work at API and with a lot of our standards, volunteers, and experts who put in so much time and resources to help the industry improve in this area.
Russel: Yeah, absolutely. I’ve asked you to talk about the SAFETY Act certification of API 1164. Probably a good place to start the conversation is just to talk a little bit about what is API 1164, and maybe a little bit of its background when it was last updated and so forth. Could you give us a quick overview on that standard?
Alexa: Sure. API 1164 is on Pipeline Control System Cybersecurity. We’re currently working with our third edition of the standard, which was most recently published in 2021. As part of that publication process, there was actually a long development process that went into it that incorporated about 70 organizations that all participated in the development of that standard.
Everyone from the government, to obviously pipeline operators, NGOs, to Argonne National Laboratory, all these stakeholders had a say and input into developing that standard, which took about four years to do and was a big rewrite from the second edition.
We’ve been really proud of the third edition and getting that incorporated into industry. Obviously, it just shows how important the issue of cybersecurity is for the industry and has been. Since it has been the third edition, we’ve learned a lot over the years.
I think the first edition was published in 2004. There’ve been a lot of advancements since then. This third edition is really a compilation of all the learnings we’ve had.
Russel: I participated in that working group and so I’m knowledgeable. It was very interesting to me because it really was a major lift. A lot of time was taken to look at other industry standards like NERC CIP, NIST 800, and others, to rationalize and normalize all that for what makes sense for pipeliners.
There’d been a lot of work going on, and then after the Colonial incident, people mashed on the gas and there was a lot of intentionality to get that finished. There were probably about two dozen people that burned the midnight oil for about six months to get that across the finish line.
Alexa: Yes, I remember that time very well.
Russel: Yes, we do.
Alexa: The group was meeting about every week or so to go through all of the comments that were received through the balloting process. As I mentioned before, working with our volunteers on our standards development committees is such an honor. The work that they put into that, I hope everyone, including you, is proud of the way that it turned out.
Russel: I’ve participated in a number of different standards, so I’m always amazed at how that process works. There’s always a lot of passion that comes from the people that are participating and a huge amount of expertise. Just unbelievable the amount of expertise that’s in the room hashing through these things, and a lot of very careful wordsmithing.
Alexa: Yes, the shalls versus shoulds.
Russel: Trying to understand, when somebody who wasn’t in the room with us sits down and tries to read it, what are they going to think it says?
Alexa: Exactly. I think it does a great job of incorporating other frameworks, like the NIST Cybersecurity Framework, the various IEC standards. I think it references those in a nice way so that it’s inclusive and demonstrates that it’s a journey.
Pipeline cybersecurity is a journey for many companies. There’s always a goal of zero incidents, but being able to have a resiliency plan in place is also an important piece of this updated standard.
Russel: I did do another episode where we took a very deep dive into the content of 1164. I’ll link that up in the notes. What would you say is the current state of cyber threat?
Alexa: High. I think not just for critical infrastructure, but every organization I feel like is constantly under a phishing attack or trying to prevent outsiders from getting into there, issuing spam emails.
That’s even more so for important infrastructure companies whether it’s pipelines, nuclear, or the financial sector. There’s constantly bad actors, whether they’re state sponsored or non-state sponsored, constantly trying to have an impact on key ways of life that we rely upon today.
Russel: What I always say about the nature of the threat in cyber is it’s constantly evolving. It moves very quickly. If you work in this domain, particularly if you’re at the level of threat mitigation, you’re getting new data every day that you have to take action on.
You take a week off and it takes you two weeks to get caught back up as to what the nature of the threat is at that moment because it evolves that quickly, and the threat’s becoming more sophisticated and better resourced.
Alexa: Yes, exactly, and constantly evolving. I think we were chatting before: one week, something has changed, and so trying to get on a more proactive foot is important for our industry. I think 1164 helps the industry do that and set itself up for success.
Russel: Absolutely. What is SAFETY Act certification? I saw the press release that came out about that fact, and I’m like, “Oh, that’s neat. I have no idea what that means.” Maybe you could tell us, what does it mean that we have SAFETY Act certification for 1164, Alexa? Help me out.
Alexa: Sure. Let me back up a little bit. Rewind to 2002. You may recall shortly after the September 11th attacks, the Homeland Security Act of 2002 was passed by Congress.
This included the SAFETY Act designations that we have today, and that issues the ability for the now reformed Department of Homeland Security to give those SAFETY Act designations and certifications. The intent behind Congress including this in the establishment of DHS was to help encourage the innovation and deployment of technologies that would help prevent terrorist attacks.
Back then, there was a concern from many product manufacturers and companies worried about issuing new technologies and putting them on the market, for fear of…What if something happened or my technology failed or a terrorist attack got around it? Would I then be liable and be subject to litigation?
The SAFETY Act creates a risk and litigation management system that limits liability and the claims arising out of, relating to, or resulting from an act of terrorism. It really was almost a cover or basically a way to continue to encourage innovation and new technologies to be put on the market, all with the intent to help prevent terrorist attacks from happening.
That’s where it was established, with the Department of Homeland Security, and has been around for over 20 years now and, I think, has helped bring a lot of new, innovative technologies that we depend on today, whether it’s the metal detectors at airports or…
If you go to an NFL stadium, the technologies that they use there when you’re going through security, the dogs that they use, the event security, they all often have a SAFETY Act designation or certification, meaning that the processes and technology that they use have the seal of approval from the Department of Homeland Security as a qualified anti-terrorism technology.
That’s really what DHS means by the SAFETY Act certification. They have two. The SAFETY Act certification, and then there’s designation. Certification is the higher of the two levels that they issue.
Russel: I’m going to try and play this back because that was a lot of information.
In summary, by having the certification, what that means is anybody who is implementing 1164 and can prove they’re doing a diligent implementation would mitigate lawsuit risk if they had a terrorism incident.
Alexa: Correct. There are two different levels, as I mentioned. The designation, which really just shows that the technology…There’s a broad definition of technology by DHS. It could be processes, it could be physical safety, cybersecurity procedures, resiliency procedures.
All of those fall under that broad definition of technologies. That designation gives you certain protections against those liabilities and litigation protections.
The certification actually goes a step further and offers those that are implementing or using 1164 or other qualified anti-terrorism technologies the government contractor defense. That gives the company or organization implementing that technology the same level of liability protection that the government gets itself and government contractors.
Russel: That’s a big deal. It’s really a big deal. I want to try and talk about this. I always get a little nervous when I start talking about lawyer things because I’m not a lawyer. I guess the thing about the American system, particularly as it relates to civil law, is anybody can file a lawsuit about anything. It’s a pretty low bar for filing a lawsuit.
Then there’s all kinds of costs and risks to process a lawsuit. Takes time, takes money, takes attention, takes key leadership, all that kind of stuff, to do those things. Following these kinds of standards that are SAFETY Act certified can set a much higher bar and eliminate things that might otherwise be nuisance lawsuits.
Alexa: Exactly. It is a lot. I’m not a lawyer either. I’m trying to do my best job of explaining it. I think it really gives a level of protection to those trying to do the right thing and demonstrating the duty of care that DHS expects and approves.
Some of the benefits with certification are that if a lawsuit is brought, it must be done in federal court, which means there’s a higher threshold of what needs to be included to bring a suit in federal court.
There’s, as I mentioned, limited liability. There’s a reduction in how much, basically, fault there could be associated with an event. With that government contractor defense, that’s the same level of protection that a private company would be given if they’re proven to have implemented that technology or 1164.
Russel: That’s actually really interesting. One of my philosophies about running a small business is never sign an agreement that, if something goes wrong, it puts you out of business. That means you have to look really carefully at the indemnifications and the limits to liability and those types of things.
This is, in effect, a limit to liability and a limit to indemnification. It pre-specifies what those indemnifications are and what those limits to liability are. That’s what I hear you saying.
Alexa: Yes, exactly.
Russel: For these kinds of things. The other thing I hear you saying – I want to validate my understanding here – is that if I’m a contractor providing support to a pipeline and I am putting in place 1164 internally, then I get the same kind of protection.
Alexa: Correct.
Russel: That’s huge.
Alexa: API is technically the seller of the technology. We’re the ones with the certification. Ultimately, if there is a case, API would take on that liability. With that certification and with our application that we submitted to DHS, that went through a very long and very detailed approval process.
Russel: I can only imagine.
Alexa: If there was a lawsuit, there would be a cap on what API would have to pay but not the user of the technology.
Russel: Interesting. That kind of opportunity, that protection’s kind of unique in our industry. I’m not aware of anything like that in any other domains.
Alexa: No. I’m not aware of it either. It speaks to the creativity of those that helped craft the creation of DHS, and in doing so, realized the importance of how to continue to encourage new technologies in the space and that it’s, as we said, always evolving.
We need to make sure that organizations feel comfortable introducing these new technologies to the market and not be scared to do so for fear of litigation.
Russel: I know that for people that might be listening to this, that seems counterintuitive, but it just has to do with the way our legal system works. Sometimes you actually create more litigation risk if you’re doing your best than if you’re not.
Alexa: Exactly.
Russel: Counterintuitive, but the way our legal systems work, that can be the truth.
Alexa: Yes. Especially when you look at critical infrastructure, it’s critical for a reason. There can be significant impacts to communities and the public. Encouraging companies to take a proactive approach and implement these technologies, I think, is a great thing to do.
Russel: Yeah, it’s a big deal. No doubt. Beyond the kind of litigation risk management, are there other kinds of benefits associated with this SAFETY Act certification and applying 1164?
Alexa: 1164 is a great standard in itself. I think the way that it’s set up and taking a management system approach provides some more guidance to pipeline operators on how to establish a pipeline cybersecurity system. It certainly helps provide some more guidance when connecting across the pipeline supply chain.
Whether you’re connecting to a refinery or distribution hub, there are more requirements in 1164 and guidance there than we’ve had in previous editions. It also recognizes that the cybersecurity space is a journey and that there are operators at different maturity levels.
Having the recognition by DHS that this is the gold standard, if you will, for pipeline cybersecurity, while having that flexibility within the standard itself really is helpful to the industry, and hopefully will be a model for other standards, other industries.
Because this is a space that is not only important to the oil and gas industry, but hits everything from the financial sector, to automobiles now that we’re getting into a more digital space.
Russel: Yeah. What I would say for the vendors, and this is anybody who’s touching a pipeline or the information systems around the pipeline, they have the same kind of risk that the operators actually do.
One of the things that I think we’re going to see really start to, but I’m already seeing it in service agreements and software agreements that I’m looking at, is there’s whole multi-page addendums that are laying in cybersecurity requirements.
The software vendors, the technology vendors are going to see it first, but you’re going to see it in the service vendors as well.
Alexa: Oh, sure. We see it in contracts all the time now with our vendors and them asking us, how do we protect our data? What are our own cybersecurity practices? It’s going to be much more prevalent as we go forward.
Russel: Yeah. If you’re going to be a business of any size or scale, you’re going to have this capability. It’s just like having a safety program.
Alexa: Exactly. That’s actually one thing I’ll mention: for many of our companies, we hear this from CEOs constantly. Cybersecurity, they’re approaching it in the same way they approach safety. It’s a C-suite level issue. They are putting all the resources that they can behind it because it does have impacts on safety and environmental performance.
Russel: It’s another part of risk management.
Alexa: Exactly.
Russel: It’s another part of risk management. Exactly right. There’s something else that’s going on in the market at the moment, and that is this rulemaking and TSA related to pipeline cybersecurity. What, if any, relation does that have to the SAFETY Act certification of 1164?
Alexa: Sure. The SAFETY Act office is within the Science and Technology Directorate at DHS. It’s separate from TSA and CISA, which are overseeing the cybersecurity rulemaking, but they’re the same department, so they are consulted in reviewing the application.
TSA actually participated in the development of 1164, so they were consulted during the review process, and I’m sure had a say in whether we were approved or not. That being said, at this point in time, and with rulemaking going as it is, there’s no direct correlation between SAFETY Act certification and the rule. They are separate.
Our goal, and I think it’s a good thing to have a feather in our cap to be able to show we have this standard that is being used in the industry that has already received this certification from DHS.
I think that’s going to be a great tool for the industry to show how they’re proactively addressing it. Right now, there’s no regulatory relief or demonstration of compliance in the way that the proposed rules are shaping up right now.
Russel: I would think, and I would be interested in your opinion on this, but I would think that any operator that’s implementing 1164 is probably much better positioned for whatever comes out of DHS or TSA in this domain, number one.
Number two, if there’s something that comes into the rulemaking that’s radically different than what’s in 1164, I think the comments are going to be pretty strong about that. It lays out a little bit of framework, puts the rails down a bit as to where that rulemaking is probably headed. I think the fundamental thing is that the regulatory body wants the ability to audit implementation.
Alexa: I think you’re right there. It’s our hope that 1164, we’ve done some comparisons with what’s in 1164 to the current security directives that came out after the Colonial incident, and there’s certainly crosswalk there in terms of, what’s in 1164 and how does that help demonstrate compliance or conformance with the security directive?
There’s certainly correlation and we’re having ongoing discussions with TSA about input there. We think 1164 is a great example of having flexibility and having a performance-based approach, which we hope that the final regulations will do the same.
Russel: A lot of the comments going back about the security directives that have come out prior to this rulemaking have been, “These are overly prescriptive. We need the flexibility to do what makes sense for us.” The assertion is that in having a diversity of approaches, we have a higher level of security.
Alexa: Exactly. Not every operator is the same, and you don’t want them to be the same to give those bad actors the key.
Russel: You don’t want to give them blueprints for how the security is built.
Alexa: Exactly.
Russel: That’s not helpful. Not what we’re trying to do.
Alexa: There are different products that are transported, different technologies that are used, and I think that helps build our resiliency. There’s not one size that fits all. We need different approaches that also help encourage innovation, help push operators forward.
I think having set the performance base but letting companies decide what’s going to work best for them based on their size, geography, and whatnot.
Russel: Make sure their operations, the products they’re moving, all those things.
Alexa: Exactly, extremely different.
Russel: Sure. If you were going to try and summarize this, what would you think that you’d want operators to hear, if you’re going to try and get it down to a summary?
Alexa: I’d say 1164 is a baseline. It’s certainly a significant expansion from what has existed in the past, but sets a great framework for how to have a proactive cybersecurity framework in place.
With the DHS SAFETY Act certification, they recognize 1164 as being that duty of care, and again, the gold standard for the industry and what is best, and most likely to be helpful in preventing any acts of terrorism from happening.
One thing I will say is that, while we have the US Department of Homeland Security, the SAFETY Act covers anything that impacts a US person or a company.
It doesn’t necessarily only have to be in the territory of the United States, but if a US operator is operating a pipeline in another country and suffers an act of terrorism, then they would hypothetically be covered, if they’re implementing 1164, they’d be covered by the SAFETY Act certification as well.
Russel: I’ll tell you what my takeaway is, and it’s pretty simple. If you are working in the pipeline industry, if you’re a company working in the pipeline industry, operator, vendor, contractor, whatever, you need to be getting yourself educated on and implemented around 1164. That’s my key takeaway. If you’re not doing it yet, you need to do it.
Because one of the things that’s going on is there’s a lot of effort being expended to make sure that 1164 is the right standard for the industry and there is safety being created in that standard. Some of that safety is around litigation, but other of that safety is around cybersecurity.
Alexa: Exactly, and I think it’s a demonstration of corporate responsibility. This is the right thing to do, and that’s recognized by this de facto DHS seal of approval.
Russel: For those of us that are patriots, we have a fiduciary responsibility to keep the wheels of our country turning. We do that, in my business, by keeping the fluid flowing in the pipelines.
Alexa: Exactly.
Russel: There you go. I think that’s a great place to leave it. That was actually a quotable remark, correct?
Alexa: That was perfect.
Russel: Alexa, I think that’s a great place to stop. Thank you so much.
Alexa: Thank you so much for having me today. It’s been a great opportunity to chat with you. Hopefully, the legal terms and categorizations aren’t too confusing. I’ve done an OK job pretending to put on a legal hat here.
Russel: I should make the obligatory legal disclaimer that any decisions that you make regarding content we talked about on this podcast that might be of a legal nature, you should consult your attorney.
Alexa: Probably you should put that at the top.
Russel: Yeah, probably. That might’ve dropped half the listeners if we put it on the top, though.
Hey, listen, I appreciate it. This has been really helpful for me. I had no idea what SAFETY Act certification was. This has been really helpful for me to understand what that is. I thank you.
Alexa: That’s great. Thank you so much for having me today.
Russel: I hope you enjoyed this month’s episode of the “Pipeline Technology Podcast” and our conversation with Alexa. If you would like to support the podcast, please leave us a review on Apple Podcasts, Google Play, or wherever you happen to listen.
You can find instructions at pipelinepodcastnetwork.com. If there’s a Pipeline & Gas Journal article where you’d like to hear from the author, please let me know on the Contact Us page at PipelinePodcastNetwork.com, or reach out to me on LinkedIn. Thanks for listening. I’ll talk to you next month.
Transcription by CastingWords