Enabling The Digital Refinery

Protecting The Refining & Petrochemical Industry From Evolving Cyber Threats
Enabling The Digital Refinery
Customer/ Partner:

North American Petrochemical Refinery.

Customer Requirement:

To protect critical equipment and on-going productivity of a highly sensitive production environment involving the processing of petrochemicals, while at the same time improve the performance of plant production with real-time, actionable and predictive analytics.

Waterfall’s Unidirectional Solution:

Secure the production environment perimeter from external threats and provide real-time enterprise visibility – Unidirectional Security Gateways protect all industrial control systems (DCS, individual controllers and logic controllers) with an impassable physical barrier to external network threats, while enabling enterprise access to real-time production data.

Refining & Petrochemicals Processing Modernization And Containing Remote Cyber Threats

The energy industry has become the second most prone to cyber attacks with nearly three-quarters of U.S. oil & gas companies experiencing at least one cyber incident. Remote cyber attacks on oil and gas refining & production can result in severe consequences to human and environmental safety in the form of ruptures, explosions, fires, releases, and spills. In addition, disruption of service and deliverability can be devastating for key infrastructure end users such as power plants, airports or national defense.

The Challenge icon
The challenge

To secure the safe, reliable and continuous operation of oil & gas processing control and safety networks from threats emanating from less trusted external networks. At the same time provide real-time access to operations data to the enterprise users and applications, as well as provide periodic and on-demand inbound access for anti-virus and other updates to turbine vendors and other third parties.

Waterfall solution - icon
Waterfall solution

A Waterfall Unidirectional Gateway was installed between the process control network (PCN) and the enterprise network. Unidirectional Gateway software connectors replicate OSISoft PI, GE OSM and ICCP servers from the PCN to the enterprise network where enterprise clients can interact normally and bi-directionally with the replicas. A file server replication connector was also deployed, to eliminate the routine use of USB drives and other removable media. A Waterfall FLIP, a hardware-enforced Unidirectional Security Gateway whose orientation is reversible, was also installed between the PCN and IT networks. By schedule, or by exception, an independent control mechanism inside the protected OT network triggers the FLIP hardware to change orientation, allowing information to flow back into the protected OT network as needed.

Results and benefits - icon
Results & benefits
  • 100% Security: With the gateways, the PCN is now physically protected from threats emanating from external, less-trusted networks. The FLIP permits disciplined, on-demand and scheduled updates of plant systems, without introducing firewall vulnerabilities.

    100% Visibility: The enterprise network continues to operate as if nothing has changed. Instead of accessing servers on the critical operational network, users on the external network now access real-time data from replicated servers for all informational and analytical requirements.

    100% Compliance: Unidirectional Gateways are recognized manufacturing cyber security standards as well as by global industrial control system cyber security standards and regulations.

vertical red line
Theory of Operation
Click to enlarge

Waterfall Unidirectional Security Gateways replace firewalls in industrial network environments, providing absolute protection to control systems and operations networks from attacks originating on external networks. The Gateways enable vendor monitoring, industrial cloud services, and visibility into operations for modern enterprises and customers. Unidirectional Gateways replicate servers, emulate industrial devices and translate industrial data to cloud formats. As a result, Unidirectional Gateway technology represents a plug-andplay replacement for firewalls, without the vulnerabilities and maintenance issues that always accompany firewall deployments. Unidirectional Gateways contain both hardware and software components. The hardware components include a TX Module, containing a fiber-optic transmitter/ laser, and an RX Module, containing an optical receiver, but no laser. The gateway hardware can transmit information from an industrial network to an external network, but is physically incapable of propagating any virus, DOS attack, human error or any cyber attack at all back into the protected network.

vertical red line
Unidirectional Security Gateways Benefits

arrow red right Safe, continuous monitoring of critical systems

arrow red right Protects product quality, safety of personnel, property and the

arrow red right Protects safety and preventative maintenance systems of
physical assets from remote Internet-based threats

arrow red right Simplifies audits, change reviews, and security system

arrow red right Disciplined, on-demand and scheduled updates of plant
systems, without introducing firewall vulnerabilities

arrow red right Replaces at least one layer of firewalls in a defense-in-depth
architecture thereby breaking the chain of infection and
pivoting attacks

vertical red line
Global Cybersecurity Standards Recommend Unidirectional Security Gateways

Waterfall Security is the market leader in Unidirectional Gateway technology with installations at critical infrastructure sites across the globe. The enhanced level of protection provided by Waterfall’s Unidirectional Security Gateway technology is recognized as best practice by many leading industry standards bodies such as NIST, ANSSI, NERC, the IEC, the US DHS, ENISA and may more.


Stay up to date

Subscribe to our blog and receive insights straight to your inbox