API Publ 1157-1998: Securing Pipeline SCADA Systems – A Foundational Publication

Examining the Scope, Technical Guidance, and Compliance Implications of the 1998 Report on Supervisory Control and Data Acquisition Security in the Pipeline Industry

1. Scope and Purpose of API Publ 1157-1998

API Publication 1157 (Pipeline SCADA System Security, 1998) was developed by the American Petroleum Institute to address the emerging cybersecurity risks facing Supervisory Control and Data Acquisition (SCADA) systems used in petroleum pipeline operations. Unlike a full standard, this document was published as a technical report to identify vulnerabilities, document security best practices, and establish a baseline for safeguarding pipeline control networks.

The scope covers all critical components of a pipeline SCADA system, including:

  • Remote terminal units (RTUs) and programmable logic controllers (PLCs)
  • Central control room servers and human-machine interfaces (HMIs)
  • Communication links (leased lines, radio, satellite, etc.)
  • Data historians and interface gateways

The publication highlights that SCADA systems were originally designed for reliability and availability, with security being a secondary concern. As pipeline operations became increasingly reliant on interconnected digital networks, the threat landscape evolved—making the findings of API Publ 1157 especially forward-looking for its time.

| Document Element | Description |
|---|---|
| Identifier | API Publication 1157 (1998) |
| Title | Pipeline SCADA System Security |
| Category | Technical Report / Publication |
| Primary Audience | Pipeline operators, control system engineers, security managers |
| Key Focus Areas | Access control, network segregation, communications integrity, incident response |

Note: API Publ 1157-1998 has been superseded by API Standard 1164 (Pipeline SCADA Security, latest edition), but the 1998 publication remains a useful historical reference for understanding the evolution of pipeline cybersecurity frameworks.

2. Technical Vulnerabilities and Security Requirements Identified

API Publ 1157 categorises the security weaknesses found in typical pipeline SCADA deployments. These are grouped into four domains:

2.1 Physical Security

RTU cabinets, remote sites, and control room access were often unprotected or used only basic locks. The publication recommends tamper detection, environmental alarms, and multi-factor authentication for entry to sensitive areas.

2.2 Network Architecture

Flat network topologies were common, allowing any compromise to spread laterally. Segregation between the SCADA network and corporate IT networks is emphasised. The report suggests using firewalls, DMZ architectures, and dedicated communication paths for field devices.
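
As an added illustration of the segregation principle in this subsection (not taken from API Publ 1157), the following sketch audits observed network flows against a zone policy. The address ranges, allowed conduits, and flow records are constructed assumptions.

```python
import ipaddress

# Constructed zone plan and conduit allowlist (assumptions for illustration).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "scada": ipaddress.ip_network("10.30.0.0/16"),
}
ALLOWED = {
    ("corporate", "dmz", 443),  # business users read the historian replica
    ("scada", "dmz", 5432),     # control network pushes data out to the DMZ
}

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "unknown")

def audit(flow_lines):
    """Return (src, dst, port, reason) for each flow that breaks the zone policy."""
    findings = []
    for line in flow_lines:
        src, dst, port = line.split()
        sz, dz, port = zone_of(src), zone_of(dst), int(port)
        same_known_zone = sz == dz and sz != "unknown"
        if same_known_zone or (sz, dz, port) in ALLOWED:
            continue
        if "unknown" in (sz, dz):
            reason = "endpoint not in asset inventory"
        elif {sz, dz} == {"corporate", "scada"}:
            reason = "direct corporate/SCADA path bypasses the DMZ"
        else:
            reason = "conduit not on the allowlist"
        findings.append((src, dst, port, reason))
    return findings

# Constructed flow records: "source destination destination-port".
FLOWS = [
    "10.10.4.21 10.20.0.5 443",
    "10.30.1.10 10.20.0.5 5432",
    "10.10.4.21 10.30.1.10 502",
    "10.30.1.10 10.30.1.77 502",
    "192.168.50.9 10.30.1.77 20000",
    "10.20.0.5 10.30.1.10 502",
]

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
```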

2.3 Communications Security

Many SCADA protocols (e.g., Modbus, DNP3) lacked encryption and authentication. API Publ 1157 advocates for message integrity checks, encryption where feasible, and strong authentication for remote access and field device configuration.
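
The difference between an error-detecting checksum and a message integrity check can be shown with a short added example (not from API Publ 1157). The Modbus RTU CRC-16 validates any well-formed frame, while a keyed HMAC tag rejects a frame that was altered or replayed. The wrapper layout, sequence counter, key, and register values are constructed assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated HMAC-SHA256 tag, to suit low-bandwidth links

def crc16_modbus(data: bytes) -> int:
    """Standard Modbus RTU CRC-16 (reflected polynomial 0xA001)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def rtu_frame(unit: int, function: int, payload: bytes) -> bytes:
    body = bytes([unit, function]) + payload
    return body + struct.pack("<H", crc16_modbus(body))  # CRC is sent low byte first

def crc_ok(frame: bytes) -> bool:
    return len(frame) >= 4 and struct.unpack("<H", frame[-2:])[0] == crc16_modbus(frame[:-2])

def seal(key: bytes, seq: int, frame: bytes) -> bytes:
    header = struct.pack(">I", seq)  # layout: seq || frame || HMAC(key, seq || frame)
    tag = hmac.new(key, header + frame, hashlib.sha256).digest()[:TAG_LEN]
    return header + frame + tag

def open_sealed(key: bytes, last_seq: int, blob: bytes):
    """Return (seq, frame) only if the tag verifies and seq is newer than last_seq."""
    if len(blob) < 4 + 4 + TAG_LEN:
        return None
    header, frame, tag = blob[:4], blob[4:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, header + frame, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None  # altered in transit, or sealed under a different key
    seq = struct.unpack(">I", header)[0]
    if seq <= last_seq or not crc_ok(frame):
        return None  # replayed, or not a well-formed RTU frame
    return seq, frame

# Constructed sample: write single register (function 0x06), register 0x0010.
KEY = b"constructed-demo-key-not-for-use"
SENT = rtu_frame(1, 0x06, struct.pack(">HH", 0x0010, 1200))
ALTERED = rtu_frame(1, 0x06, struct.pack(">HH", 0x0010, 9999))  # other value, valid CRC
SEALED = seal(KEY, 1, SENT)
SWAPPED = SEALED[:4] + ALTERED + SEALED[-TAG_LEN:]  # altered frame under the original tag

if __name__ == "__main__":
    print(crc_ok(ALTERED), open_sealed(KEY, 0, SWAPPED), open_sealed(KEY, 1, SEALED))
```

The CRC passes for both frames because anyone can compute it; only the keyed tag ties the frame contents and sequence number to a holder of the shared key.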

2.4 Administrative Controls

Weak password policies, shared accounts, insufficient audit logging, and lack of formal incident response plans were widespread. The publication calls for role-based access control, centralised authentication, and regular security audits.

| Technical Domain | Typical Vulnerability (c. 1998) | Recommended Security Measure |
|---|---|---|
| Physical | Unsecured RTU enclosures | Tamper switches, CCTV, access logs |
| Network | No segmentation | Firewalls, VLANs, DMZ |
| Communications | Clear-text protocols | Encryption (e.g., VPN), message authentication |
| Administrative | Shared passwords | Role-based access, individual credentials |

Warning: Many of the vulnerabilities catalogued in API Publ 1157 persist in legacy installations today. Operators should not assume that outdated OT equipment is inherently air-gapped; thorough asset discovery is necessary.

3. Implementation Highlights and Security Recommendations

Although API Publ 1157 is not a standard, it provides actionable guidance that has influenced later mandatory frameworks. The following implementation highlights are distilled from the publication’s core recommendations:

  • Establish a security policy specifically for SCADA systems, distinct from corporate IT policy.
  • Conduct risk assessments tailored to pipeline operations, including threat modelling for worst-case spills or service disruptions.
  • Deploy intrusion detection capabilities on SCADA networks, using both network-based and host-based sensors.
  • Develop and test incident response procedures that consider physical and cyber events together.
  • Implement secure remote access with two-factor authentication, session logging, and automatic disconnection after inactivity.

3.1 Lifelong Maintenance

The publication stresses that security is never a one-time project. It recommends periodic vulnerability scanning, patch management (with careful testing on OT systems), and continuous monitoring of security events.

3.2 Personnel Training

Human factors are addressed by advocating for security awareness programs for all operators, engineers, and third-party contractors, with special focus on social engineering risks and proper handling of incidents.

Success Factor: Organizations that adopted the baseline recommendations of API Publ 1157 were better positioned to meet subsequent regulations such as 49 CFR 195 (Pipeline Safety) and the TSA Pipeline Security Guidelines.

4. Compliance and Legacy Considerations

Because API Publ 1157 is a publication rather than a consensus standard, “compliance” is not formally defined. However, the document has been cited by regulators and auditors as industry-recognized good practice. Pipeline operators are encouraged to use it as a benchmark for evaluating their SCADA security posture.

The publication was eventually superseded by API 1164 (first edition 2004, latest 2020), which provides auditable requirements. Nevertheless, API Publ 1157 remains relevant for:

  • Historical baseline – understanding the rationale behind today’s requirements.
  • Legacy system references – many older RTUs and communication links are still in service and the specific vulnerabilities described still apply.
  • Risk awareness – the threat scenarios and attack pathways remain valid, even if the technology has evolved.

| Document | Status | Application |
|---|---|---|
| API Publ 1157 (1998) | Historic / Superseded | Foundational reference; gap analysis |
| API Std 1164 (current) | Active Standard | Mandatory requirements for new builds and best practice upgrades |
| TSA Pipeline Security Guidelines | Regulatory Mandate (US) | Legal compliance for critical pipeline operators |

Important: Relying solely on the 1998 publication for modern SCADA security is insufficient. Operators should align with current API 1164 editions, international standards such as IEC 62443, and jurisdictional regulatory requirements.

5. Frequently Asked Questions

Q: Is API Publ 1157-1998 still applicable today?
A: While superseded by API Standard 1164, the 1998 publication still serves as a useful historical reference for understanding legacy vulnerabilities and the evolution of pipeline SCADA security. For compliance, always refer to the latest edition of API 1164 and applicable regulatory frameworks.
Q: Does API Publ 1157 include specific technical requirements or is it more general guidance?
A: It is a technical report providing guidance and recommended practices rather than auditable requirements. It describes vulnerabilities and suggests countermeasures without prescribing specific configurations. This makes it a valuable educational tool, but not a compliance checklist.
Q: Which organizations should consider API Publ 1157?
A: Any pipeline operator handling crude oil, refined products, natural gas liquids, or hazardous materials can benefit. The publication is equally relevant for SCADA system vendors, integrators, and security consultants working in the oil and gas sector.
Q: How does API Publ 1157 relate to the NIST Cybersecurity Framework?
A: The publication predates the NIST CSF, but its focus on asset identification, access control, and incident response aligns well with the CSF’s core functions (Identify, Protect, Detect, Respond, Recover). Operators can use API Publ 1157 as an industry-specific supplement to broader cybersecurity frameworks.


Article last reviewed: 2026. This technical review of API Publ 1157-1998 is provided for educational and reference purposes. Always consult the latest official API publications and regulatory requirements for compliance.
