How to Properly Cyber Secure an Upstream Oil & Gas Operation

The Waterfall Unidirectional Security Gateway and how it has been applied at Oil & Gas production sites such as oil fields and offshore platforms.
Picture of Kevin J. Rittie

Kevin J. Rittie

How to Properly Cyber Secure an Upstream Oil & Gas Operation

Protecting an Upstream Oil & Gas operation from cyber threats can be significantly challenging. Unlike many other industrial processes, any disruption to Upstream production has a potentially broad ripple effect, possibly impacting Midstream, Downstream, and even the entire supply chain that uses those petroleum products to provide society with its goods, services, and of course, the fuel with which to deliver them. 

Emerging technologies are making the task even more complex, for example, the use of IIoT has grown significantly over the past half-decade, requiring many points of external cloud connectivity that completely bypass important boundaries put in place by the Purdue Model, a commonly followed OT security framework. As this outside connectivity is used to fine-tune and optimize operations, organizations become dependent on this data’s derivative value, making it a requirement and no longer a nice to have. While there are traditional methods to control the flow of data from this class of devices, a unidirectional configuration can provide you guaranteed secure exchange with low maintenance needs. The data that the IIoT device sends out may not be sensitive, but the machine from which it is collecting that information could be highly sensitive. Therefore, the main goal is protecting the sensitive machine, not the non-sensitive data.  

“The data that the IIoT device sends out may not be sensitive, but the machine from which it is collecting that information could be highly sensitive.”

TSA Directive for Midstream—Is an equivalent coming to Upstream?

When the Colonial Pipeline cyber incident occurred, there were no formal regulations or laws geared toward preventing such occurrences. Within less than a year, initial regulations were established with updates and refinements garnered from the industry and from acknowledged best practices in an effort to prevent a repeat. The Upstream sector is currently not cyber-regulated, as (knock on wood) there haven’t been any overtly public cyber incidents targeting an Upstream operation, that is, a bellwether event similar to Colonial Pipeline. 

However, if such an Upstream incident were to occur, it could rapidly change the regulatory landscape. Even sans a cyber event, regulators and critical infrastructure oversight agencies are keen to prevent the lurking menace of an attack that could happen due to a lack of assurances that regulations can provide. This is the reason it makes sense for Upstream operations to ensure that its cybersecurity processes demonstrably leverage industry best practices used across many diverse industries, not just oil and gas.  This proactive behavior could reduce the need for regulations as well as provide society and oversight agencies with assurance that the Upstream industry is doing all that it can do to ensure safe, secure, environmentally sound, and uninterrupted operations across the entire segment. 

No one likes the risk of new regulations, and there’s a concern that those imposing these regulations are not fully familiar with the systems they are tasked with protecting, nor do they fully understand the threats against that which they are protecting. Waterfall provides a very high level of security to protect operations. As a side benefit, most regulations and compliances are fully met by using Waterfall’s Unidirectional Gateways. There are even aspects of certain regulations that have network areas exempt from certain details of compliance if those network areas are behind a Waterfall Unidirectional Gateway. 

The Best of Best Practices

Because of the sensitive nature of all Oil & Gas operations, the best-of-the-best practices make the most sense for securing these operations. When it comes to the best practice of protecting an industrial network from external threats while still maintaining external connectivity, the best-of-the-best practice is to use a Waterfall Unidirectional Gateway. This provides a safe and secure way to connect the OT network(s) to the IT network, protecting the connectivity used for the flow of operational data that needs to be analyzed to ensure optimized operation, as well as for IIoT devices that need to connect with their vendors or to the cloud for advanced analytics. 

One Way - Do Not Enter

ONE WAY street signWaterfall’s Unidirectional Gateway (UDG) is like a one-way street or a one-way valve, but for data. The UDG flawlessly lets data flow out, but it doesn’t let even a “drop” flow back into the industrial network. The technical details are of course more complex than a valve or a one-way street sign, but the concept is fundamentally the same, thereby providing a physical barrier that prevents data from ever flowing back in, no matter how capable the threat actor.  
 
Unlike IT security where our concern is that information will leak out, the threat with industrial connectivity is that a malicious payload will get INTO the system and cause damage or disruptions. By physically ensuring that nothing can remotely enter the system, unidirectional gateways protect against all such threats and risks. 

Industrial Connectivity with a Chance of Cloud

Many of the leading analytical products used to optimize industrial operations are based “in the cloud” and require uninterrupted connectivity from the industrial asset to the cloud. Leading cloud providers such as AWS recommend deploying unidirectional gateways to secure such cloud connectivity. By restricting the directionality of the data flow, we can establish secure connections to external and untrusted networks, including those that provide cloud-based services. If that cloud-based service or the cloud infrastructure itself was to be cyber compromised, the industrial network that is protected by a unidirectional gateway would remain physically unreachable and unbreachable.  

Protecting Upstream Oil & Gas Operations

Safeguarding upstream Oil & Gas operations against cyber threats requires proactive measures and the adoption of robust security solutions. As the industry grapples with the challenges posed by emerging technologies like IIoT and external cloud connectivity, the Waterfall Unidirectional Gateway emerges as a best-of-the-best practice for securing industrial networks. By providing a physical barrier that allows data to flow out but preventing any return flow, this solution not only aligns with industry compliance requirements, but also safeguards the network ensuring continuous operations while protecting against potential disruptions. As the threat landscape evolves, proactive implementation of such measures not only enhances security and complies with potential future regulations, but also demonstrates a commitment to safety and the resilience we’ve grown to expect as a society from critical infrastructure. 

About the author
Picture of Kevin J. Rittie

Kevin J. Rittie

With over 30 years in the control system market, Kevin Rittie is a seasoned software and cybersecurity professional who has led diverse development groups with budgets up to $10M. He has a comprehensive background, starting as a project engineer and software developer, and has excelled in roles such as Product Management, Cybersecurity, Sales, and Marketing. Kevin's innovative contributions include leading the design of a patented control visualization architecture and driving the development of energy management solutions, culminating in the establishment of his own business, RevelationSCS, focused on change management, software practices, and securing critical infrastructure.
Share

Stay up to date

Subscribe to our blog and receive insights straight to your inbox