API STD 1164:2009 (R2016)

This document is structured so that the main body provides the high-level view of holistic security practices. The annexes provide further details and technical guidance. Reviewing the main body of this document and following the guidance set forth in the annexes assists in creating inherently secure operations. Implementation of this standard, to advance supervisory control and data acquisition (SCADA) cyber security, is not a simple process or one time event, but a continuous process. The overall process could take years to implement correctly depending on the complexity of the SCADA system. Additionally, the process would optimally be started as part of a SCADA upgrade project and use this standard to 'design in' security as a element of the new system Purpose and Objectives The goal of an operator is to control the pipeline in such a way that there are no adverse effects on employees, the environment, the public, or the customers as a result of actions by the operator, or by other parties. This SCADA security program provides a means to improve the security of the pipeline SCADA operation by: - analyzing vulnerabilities of the SCADA system that can be exploited by unauthorized entities, - listing the processes used to identify and analyze the SCADA system vulnerabilities to unauthorized attacks, - providing a comprehensive list of practices to harden the core architecture, - providing examples of industry best practices.