The American Petroleum Institute's (API) 2021 Cybersecurity Conference was held November 9th and 10th at the Woodlands Waterway Marriott just north of Houston. For those serving or working in America’s natural gas and oil industry, this is the must-attend, industry-specific cybersecurity conference each year. This year's conference didn’t disappoint as an opportunity to come together and reconnect with peers helping to protect the energy industry's critical infrastructure.

Part of attending any conference is enjoying local cuisine with your fellow conference goers. This year I had the pleasure of eating at “Lupe Tortilla” at the recommendation of a client. Not to be confused with big-brand Tex-Mex chains, Lupe’s was founded in Houston and has grown from there. I wouldn’t hesitate to recommend it after having enjoyed their queso and fajitas. If you are a fan of Tex-Mex and make it down to Houston, be sure to plan a meal at Lupe’s.

Beyond reconnecting with peers and clients in the energy sector, the big draw of this event is the content. This was the 16th year for the event to be held, and it was headlined by Rob Lee of Dragos across two days of sessions. I first became aware of Rob’s work via the book “SCADA and Me: A Book for Children and Management”. Rob didn’t disappoint with an excellent talk about “OT/ICS Cyber Threats and Driving Buy in Across the Organization”. He had an interesting segment discussing issues with the current regulation regime as it has been enacted with pipelines. Unfortunately, common sense fell by the wayside as a knee-jerk reaction to Colonial and other breaches. It could be argued that Rob was simply playing to the audience, but I don’t believe that was the case. Many security professionals will comment that compliance doesn’t equal security, and I feel like the regulatory reaction to Colonial has been compliance focused.

Besides Rob’s keynote on Day One of the conference, I enjoyed sessions discussing the cybersecurity workforce shortage and cybersecurity insurance. Cybersecurity insurance is a topic that I continue to hear about from colleagues and clients. The panel at API gave more background about insurance from a maritime perspective, which was interesting as many large E&P companies are doing offshore drilling.

The cybersecurity workforce “shortage” continues, with many opinions on the cause and possible solutions. Under this topic, John Ellis and Julia Atkinson spoke about building an ICS cybersecurity apprenticeship program. Obviously many large companies have internships that are supposed to give recipients real-world experience, but an apprenticeship takes real-world experience to another level and involves a more concrete pathway to employment. It also requires a large commitment and investment on the part of the company. I am interested to see if this takes off or if it is simply one more tool to address a multifaceted problem.

All in all, the conference was well worth the time spent. Be sure to mark your calendar for November 2022 for the 17th edition of API Cybersecurity.