Enabling The Digital Refinery
Protecting The Refining & Petrochemical Industry From Evolving Cyber Threats
Customer/ Partner:
North American Petrochemical Refinery.
Customer Requirement:
To protect critical equipment and on-going productivity of a highly sensitive production environment involving the processing of petrochemicals, while at the same time improve the performance of plant production with real-time, actionable and predictive analytics.
Waterfall’s Unidirectional Solution:
Secure the production environment perimeter from external threats and provide real-time enterprise visibility – Unidirectional Security Gateways protect all industrial control systems (DCS, individual controllers and logic controllers) with an impassable physical barrier to external network threats, while enabling enterprise access to real-time production data.
Refining & Petrochemicals Processing Modernization And Containing Remote Cyber Threats
The energy industry has become the second most prone to cyber attacks with nearly three-quarters of U.S. oil & gas companies experiencing at least one cyber incident. Remote cyber attacks on oil and gas refining & production can result in severe consequences to human and environmental safety in the form of ruptures, explosions, fires, releases, and spills. In addition, disruption of service and deliverability can be devastating for key infrastructure end users such as power plants, airports or national defense.
The challenge
To secure the safe, reliable and continuous operation of oil & gas processing control and safety networks from threats emanating from less trusted external networks. At the same time provide real-time access to operations data to the enterprise users and applications, as well as provide periodic and on-demand inbound access for anti-virus and other updates to turbine vendors and other third parties.
Waterfall solution
A Waterfall Unidirectional Gateway was installed between the process control network (PCN) and the enterprise network. Unidirectional Gateway software connectors replicate OSISoft PI, GE OSM and ICCP servers from the PCN to the enterprise network where enterprise clients can interact normally and bi-directionally with the replicas. A file server replication connector was also deployed, to eliminate the routine use of USB drives and other removable media. A Waterfall FLIP, a hardware-enforced Unidirectional Security Gateway whose orientation is reversible, was also installed between the PCN and IT networks. By schedule, or by exception, an independent control mechanism inside the protected OT network triggers the FLIP hardware to change orientation, allowing information to flow back into the protected OT network as needed.
Results & benefits
100% Security: With the gateways, the PCN is now physically protected from threats emanating from external, less-trusted networks. The FLIP permits disciplined, on-demand and scheduled updates of plant systems, without introducing firewall vulnerabilities.
100% Visibility: The enterprise network continues to operate as if nothing has changed. Instead of accessing servers on the critical operational network, users on the external network now access real-time data from replicated servers for all informational and analytical requirements.
100% Compliance: Unidirectional Gateways are recognized manufacturing cyber security standards as well as by global industrial control system cyber security standards and regulations.
Theory of Operation
Waterfall Unidirectional Security Gateways replace firewalls in industrial network environments, providing absolute protection to control systems and operations networks from attacks originating on external networks. The Gateways enable vendor monitoring, industrial cloud services, and visibility into operations for modern enterprises and customers. Unidirectional Gateways replicate servers, emulate industrial devices and translate industrial data to cloud formats. As a result, Unidirectional Gateway technology represents a plug-andplay replacement for firewalls, without the vulnerabilities and maintenance issues that always accompany firewall deployments. Unidirectional Gateways contain both hardware and software components. The hardware components include a TX Module, containing a fiber-optic transmitter/ laser, and an RX Module, containing an optical receiver, but no laser. The gateway hardware can transmit information from an industrial network to an external network, but is physically incapable of propagating any virus, DOS attack, human error or any cyber attack at all back into the protected network.
Unidirectional Security Gateways Benefits
Safe, continuous monitoring of critical systems
Protects product quality, safety of personnel, property and the environment
Protects safety and preventative maintenance systems of physical assets from remote Internet-based threats
Simplifies audits, change reviews, and security system documentation
Disciplined, on-demand and scheduled updates of plant systems, without introducing firewall vulnerabilities
Replaces at least one layer of firewalls in a defense-in-depth architecture thereby breaking the chain of infection and pivoting attacks
Global Cybersecurity Standards Recommend Unidirectional Security Gateways
Waterfall Security is the market leader in Unidirectional Gateway technology with installations at critical infrastructure sites across the globe. The enhanced level of protection provided by Waterfall’s Unidirectional Security Gateway technology is recognized as best practice by many leading industry standards bodies such as NIST, ANSSI, NERC, the IEC, the US DHS, ENISA and may more.
Share
Trending posts
Where does IT Security END and OT Security BEGIN?
Insights into Nation State Threats – Podcast Episode 134
Infographic: Top 10 OT Cyberattacks of 2024
Stay up to date
Subscribe to our blog and receive insights straight to your inbox