API - STD 1164

Pipeline Control Systems Cybersecurity

active, Most Current
Organization: API
Publication Date: 1 August 2021
Status: active
Page Count: 142
scope:

Purpose

This standard provides requirements and guidance for managing cyber risk associated with industrial automation and control (IAC) environments to achieve security, integrity, and resiliency objectives. Within this standard, this is accomplished through proper isolation of IAC environments from non-IAC environments to help IAC operational continuity.

Even with proper isolation of IAC environments from IT environments, both play a part in overall business continuity. IAC operational continuity and IT system continuity are often developed and implemented jointly as part of the overall business continuity plan.

The scope of this standard is limited to only the IAC cybersecurity aspects that can influence overall business continuity.

This standard is tailored for the oil and natural gas (ONG) pipeline industry, which includes, but is not limited to, natural gas and hazardous liquid transmission pipeline systems, natural gas distribution pipeline systems, liquefied natural gas (LNG) facilities, propane air facilities, and others involved in these industries.

This standard was developed to provide an actionable approach to protect IAC essential functions by managing cybersecurity risk to IAC environments. IAC environments can include, but are not limited to, supervisory control and data acquisition (SCADA), local control, and industrial internet of things (IIoT) solutions. This standard should be used in the context of developing, implementing, maintaining, and improving an IAC cybersecurity program, which includes the policies, processes, and procedural and technical controls for IAC cyber environments.

This standard is a set of requirements that should be customized prior to implementation using the company's risk management processes. The outcome is a customized, company-specific set of requirements for an IAC cybersecurity program to help manage the cybersecurity posture and any resulting residual risk to its IAC environments in alignment with the company's mission, objectives, and risk strategy, and in accordance with its policies and procedures.

While identification of threats and impacts is critical to the development of the IAC cybersecurity program, a risk-based evaluation of each will ensure the program is appropriately implemented, executed, and sustained consistent with an organization's desired risk posture. This standard focuses on desired cybersecurity outcomes by defining requirements for specific business objective impact protection levels.

Although the principles defined in this standard could be applied to safety instrumented systems (SIS), they are out of scope of this document. The security requirements specified within this standard do not attempt to address potential impacts to SIS safety integrity level (SIL) selection or determination. Any use of this standard in SIS environments is at the implementer's discretion and risk.

For companies that already have an IAC cybersecurity program, including one or more approved program policies and a documented IAC cybersecurity plan or plans implemented or being implemented, this standard should be considered an augmentation to their existing cybersecurity program elements. In these situations, a process of mapping this standard to current IAC cybersecurity program elements will determine any API 1164 requirements not currently in the existing program. The implementation of any missing elements should be tailored and prioritized using the company's risk management processes. The tailoring process for API 1164 cybersecurity requirements is described in 5.5.

This standard is not intended to preclude the implementation or use of any current or emerging technologies as long as applicable requirements specified herein are properly implemented, risk appropriate, and consistent with the company's risk management strategy.

Document History

STD 1164
August 1, 2021
Pipeline Control Systems Cybersecurity
Purpose This standard provides requirements and guidance for managing cyber risk associated with industrial automation and control (IAC) environments to achieve security, integrity, and resiliency...
June 1, 2009
Pipeline SCADA Security
This document is structured so that the main body provides the high-level view of holistic security practices. The annexes provide further details and technical guidance. Reviewing the main body of...
September 1, 2004
Pipeline SCADA Security
PURPOSE AND OBJECTIVES The goal of an operator is to control the pipeline in such a way that there are no adverse effects on employees, the environment, the public, or the customers as a result of...
