13/10/2025

API 780 Security Risk Assessment Mastering API 780 For Oil And Gas Facilities

API 780, Oil And Gas Security, Security Risk Assessment
API 780 Security Risk Assessment at an oil and gas facility with layered security controls

Introduction

API 780 Security Risk Assessment is a structured methodology that helps oil and gas facilities identify threats, evaluate vulnerabilities, and prioritize countermeasures to reduce potential consequences across refineries, petrochemical plants, pipelines, LNG jetties, and offshore platforms. It is widely referenced in the energy sector and was reaffirmed in 2022, underscoring its ongoing relevance.

What API 780 Covers In Practice

API 780 provides an end-to-end approach for conducting SRAs across both fixed and mobile operations, guiding teams through defining assets, mapping credible threat scenarios, rating likelihood and consequence, and selecting proportionate countermeasures. The standard’s scope is industry-wide and intended for practitioners who conduct SRAs or manage facility security programs.

Why It Matters Now

  • Regulatory and policy alignment: U.S. transportation security guidance for pipelines explicitly references ANSI/API 780 as a foundational resource for assessing risk at remote and linear assets.
  • Recognition and liability protection: API 780 earned U.S. DHS SAFETY Act certification, which acknowledges the methodology as anti-terrorism technology and can provide liability protections when implemented.
  • Staying current: API lists API 780 as first edition (2013) and reaffirmed in 2022 in its latest catalogs, confirming it remains an accepted reference for today’s security programs.

Roles And Responsibilities

Successful adoption of API 780 spans multiple disciplines—security, operations, maintenance, process safety, and emergency response. Training providers and industry courses reflect this cross-functional need, preparing practitioners to facilitate workshops, quantify risk, and translate findings into executable plans. (petc.us)

A Simple Workflow To Get Started

  1. Define the scope and critical assets across units, utilities, and interfaces (e.g., jetty, tank farm, compressor station).
  2. Identify credible threats relevant to location and operation (intrusion, theft, sabotage, cyber-physical events).
  3. Assess vulnerabilities in physical protection, procedures, and OT/ICS exposure.
  4. Estimate consequence and likelihood using consistent criteria tailored to business and safety objectives.
  5. Prioritize countermeasures that reduce risk to tolerable levels and align with budget and schedule.
  6. Document and track actions and connect outputs to your Facility Security Plan (see API RP 781 as a companion for planning).

Integration With OT And Operations

Modern facilities benefit from treating cyber and physical risks together. Pipeline and facility cybersecurity guidance from federal agencies complements API 780’s risk lens and helps ensure that control system vulnerabilities translate into clear operational impacts and mitigations. (CISA)

Benefits You Can Expect

  • Sharper prioritization of investments using a common risk language accepted across the industry.
  • Audit-ready documentation that aligns to recognized standards and transportation security guidance.
  • Improved resilience with liability protections when using certified methodologies like API 780 under the DHS SAFETY Act.

Practical Tips For Your First SRA Cycle

  • Start with one high-risk asset cluster (e.g., crude tanks and manifolds) and expand.
  • Involve operations and maintenance early to validate practicality of countermeasures.
  • Connect SRA outputs to turnaround plans and management of change so improvements are executed, not shelved.
  • Refresh the SRA after major configuration changes, new threats, or incident learnings.
  • Track KPIs such as residual risk trends and closure rate of actions.

Frequently Asked Questions

Is API 780 mandatory worldwide?
No—regulatory regimes vary. However, major U.S. guidance and many corporate standards reference API 780 as good practice for petroleum and petrochemical security risk assessments.

How often should we refresh the assessment?
Update after material operational changes, new threat intelligence, or at planned intervals (e.g., annually or pre-turnaround) to keep assumptions current—consistent with the standard’s intent and industry practice.

Does API 780 cover cyber risks?
API 780 focuses on security risk assessment across facility operations and can be integrated with cybersecurity frameworks for pipelines and process control systems to capture cyber-physical scenarios. (CISA)

Tags :

api 780 security risk assessment, api standard 780, audit ready reporting, dhs safety act, facility security plan, ics dcs security, layered security, lng jetty security, offshore platform security, oil and gas security, ot cybersecurity, petroleum and petrochemical, pipeline security, refinery security, residual risk, risk mitigation, threat scenarios, tsa pipeline security guidelines, turnaround and startup, vulnerability assessment

Share :