• Cybersecurity

    Cybersecurity has received a lot of attention in 2014. We have had a Cybersecurity Subcommittee under the Plant Automation and Decision Support Committee since 2005. This subcommittee has provided technical feedback on legislation and regulatory efforts. However, many of the cybersecurity issues we presently face (e.g. Executive Order on Improving Critical Infrastructure Cybersecurity) need not only technical feedback but also feedback from higher levels in our companies. While there are members of the AFPM Government Regulations Committee who also receive our emails on cybersecurity issues, they are very much engaged with other industry issues.

    AFPM Position

    Cybersecurity is an issue that is increasing in importance for the refining and petrochemical industries. Cybersecurity demands proactive thinking by IT, industry control systems, physical security and executive level staff. To that end, we suggest a standing ad hoc group of Chief Information Officers and those at that level from our membership, both regular and associate members, to review draft legislation and proposed regulatory requirements, and to help us engage more fully in these efforts. We believe that by having this ad hoc group, along with the existing Cybersecurity Subcommittee, we will be able to fully cover both technical and advocacy issues in cybersecurity.

    AFPM also supports legislation that will allow member companies to freely share information with the government and other private companies—in a timely manner and secure environment—while also being provided with adequate liability and antitrust protections. Importantly, cybersecurity legislation should not impose mandatory standards on the private sector nor duplicate existing requirements already being implemented.

    NIST Cybersecurity Framework

    Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. It directed NIST to work with stakeholders to develop a voluntary framework, based on existing standards, guidelines, and practices, for reducing cyber risks to critical infrastructure.

    NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014. The Framework, created through collaboration between industry and government, consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.

    NIST Framework