Downstream – Waterfall Security Solutions
https://waterfall-security.com
Unbreachable OT security, unlimited OT connectivity
Mon, 24 Nov 2025 16:36:49 +0000

Upstream / Midstream / Downstream Cyber Attacks – Dependency Analysis
https://waterfall-security.com/ot-insights-center/oil-gas/upstream-midstream-downstream-cyber-attacks-dependency-analysis/
Tue, 09 Jul 2024 06:31:40 +0000

It turns out that there are really only three ways that ransomware can shut down OT networks and physical operations: "abundance of caution" shutdowns, OT dependencies on IT systems and services, and ransomware impacting OT networks and systems directly.

Andrew Ginter

Oil and Gas protection against ransomware

“…there is little benefit in having the world’s strongest OT security program if we must shut down our operation every time the IT network is compromised…”

The Waterfall / ICS Strive 2024 Threat Report lists a handful of serious cyber attacks impacting the performance of oil & gas infrastructure in the last several years, including the Colonial Pipeline shutdown and halted shipments at three ports / oil terminals. Most of these incidents were due to ransomware, and most of that ransomware impacted the IT network. It turns out that there are really only three ways that ransomware can shut down OT networks and physical operations: “abundance of caution” shutdowns, OT dependencies on IT systems and services, and ransomware impacting OT networks and systems directly.

In today’s article we look at dependencies. In short, there is little benefit in having the world’s strongest OT security program if we must shut down our operation every time the IT network is compromised with ransomware, because our operations depend on IT services. For example:

  • Upstream production might depend on a functioning IT-based royalty reporting system,
  • Midstream operations might depend on a functioning IT custody transfer system, and
  • Downstream refining might depend on a functioning IT-based emissions reporting system.

These kinds of dependencies are called out explicitly in the US TSA Security Directive 2021-02D for pipeline operators. In particular, the directives establish requirements for the nation’s most important pipelines. For critical OT systems, owners and operators must:

  • Implement segmentation designed to prevent operational disruption to OT systems if IT systems are compromised,
  • In support of that goal, identify all OT dependencies on IT services, and
  • Design OT networks so that they can be isolated from IT networks during incident response procedures.

While not stated explicitly in the security directives, the ability to separate OT and IT networks in an emergency can enable OT systems to continue operating through an IT emergency, but only if OT dependencies on IT networks and OT trusts of crippled IT domains do not impair that very desirable ability to operate independently.
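As an added illustration of the directive's requirement to identify all OT dependencies on IT services (example code written for this page, not from the article, the TSA directive, or Waterfall), here is a small dependency-inventory walk in Python. The inventory, the system names and the one declared fallback are constructed and hypothetical. The point it makes beyond the prose is that a transitive walk surfaces indirect dependencies, such as the Active Directory domain that an IT service itself relies on, and that only dependencies with an approved fallback drop out of the list of IT services that must be treated as reliability-critical.

```python
"""Which OT systems stop if the IT network is isolated during an incident?

Added example, not from the original article. The inventory is a
constructed, hypothetical model of upstream / midstream / downstream
dependencies; every system name below is illustrative.
"""
from collections import deque

OT, IT = "OT", "IT"   # the network each system lives on

# Constructed inventory: system -> (network, systems it needs to keep running).
INVENTORY = {
    "wellhead_controllers": (OT, {"royalty_reporting"}),
    "pipeline_scada":       (OT, {"custody_transfer", "ot_historian"}),
    "refinery_dcs":         (OT, {"emissions_reporting"}),
    "ot_historian":         (OT, set()),
    "royalty_reporting":    (IT, {"corporate_ad", "erp"}),
    "custody_transfer":     (IT, {"corporate_ad", "billing_db"}),
    "emissions_reporting":  (IT, {"corporate_ad"}),
    "billing_db":           (IT, {"corporate_ad"}),
    "erp":                  (IT, {"corporate_ad"}),
    "corporate_ad":         (IT, set()),
    "email":                (IT, {"corporate_ad"}),
}

# (dependent, dependency) pairs with an approved "approximation mode"
# fallback: the OT side keeps running and caches data locally until the
# IT service recovers. Constructed; mirrors the custody-transfer example.
FALLBACKS = {
    ("pipeline_scada", "custody_transfer"),
}


def it_dependencies(system, inventory=INVENTORY, fallbacks=FALLBACKS):
    """IT systems that `system` transitively depends on, following only
    dependencies that have no declared fallback (breadth-first walk)."""
    seen, queue, found = {system}, deque([system]), set()
    while queue:
        cur = queue.popleft()
        for dep in inventory[cur][1]:
            if (cur, dep) in fallbacks or dep in seen:
                continue
            seen.add(dep)
            if inventory[dep][0] == IT:
                found.add(dep)
            queue.append(dep)   # keep walking: IT services depend on IT services
    return found


def ot_at_risk(inventory=INVENTORY, fallbacks=FALLBACKS):
    """OT systems that cannot operate with IT isolated, mapped to the IT
    services they hard-depend on."""
    result = {}
    for name, (net, _deps) in inventory.items():
        if net != OT:
            continue
        deps = it_dependencies(name, inventory, fallbacks)
        if deps:
            result[name] = deps
    return result


def reliability_critical(inventory=INVENTORY, fallbacks=FALLBACKS):
    """IT services some OT system still hard-depends on, including the
    services those services need (this is where Active Directory shows up)."""
    result = set()
    for deps in ot_at_risk(inventory, fallbacks).values():
        result |= deps
    return result


if __name__ == "__main__":
    for ot_name, deps in sorted(ot_at_risk().items()):
        print(f"{ot_name}: blocked by an IT outage of {sorted(deps)}")
    print("Manage as reliability-critical:", sorted(reliability_critical()))
```

With the constructed inventory, the pipeline drops out of the at-risk list because its custody-transfer dependency has a fallback, while `corporate_ad` appears in the reliability-critical set even though no OT system references it directly; `email` never appears because nothing in OT depends on it.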

If we wish to operate our OT systems through an IT security incident, then while it can be very difficult to eliminate all OT dependencies on IT systems, we cannot simply ignore those dependencies that remain. Instead, we must recognize that IT systems that are essential to continued physical operations are in fact reliability-critical components. These reliability-critical systems may be hosted on what we think of as the IT network instead of the OT network but must be managed and secured as if they were OT systems. For example:

  • If a pipeline depends on a custody transfer and billing system in IT, we could modify our customer contracts so that if we must declare force majeure, custody transfer billing enters an “approximation” mode. The OT system continues operating the pipeline, caching all billing-relevant data in a historian or other repository until the billing system recovers and can reconcile accounts.
  • If an upstream producer depends on a royalty reporting system in IT, we could (hopefully, beforehand) negotiate with the royalty administrator so that, again, if we must declare force majeure, royalty payments could enter an approximation mode, with manual payments authorized every day or two based on approximate data. The OT systems again cache all royalty-relevant data in a historian until the payment system recovers.
  • For refining emissions data we do the same, but there are no payments or monies to track, simply emissions data to track in a force majeure condition.
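One way to implement the “approximation” mode described in the list above, as an added example that is not the article's own design and not any vendor's product: an OT-side custody-transfer path that always writes to a local historian, forwards records to billing on a best-effort basis, and replays the cache once billing recovers. `BillingClient`, `CustodyTransferPath` and the readings are constructed stand-ins; the design property worth noticing is that the OT side never blocks on the IT service, and the sequence number lets billing reconcile replayed records without double-counting.

```python
"""Approximation mode for custody transfer while the IT billing system is down.

Added example, not from the original article. BillingClient is a constructed
stand-in for the IT billing system; the readings are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Reading:
    seq: int            # monotonic; lets billing de-duplicate on replay
    timestamp: str
    volume_bbl: float


class BillingClient:
    """Stand-in for the IT custody-transfer/billing system. `available`
    simulates the system being unreachable during an IT incident."""

    def __init__(self):
        self.available = True
        self.received = {}

    def post(self, reading):
        if not self.available:
            raise ConnectionError("billing system unreachable")
        self.received[reading.seq] = reading   # idempotent on seq
        return True


@dataclass
class CustodyTransferPath:
    """OT-side path: every reading lands in the historian; billing is best-effort."""
    billing: BillingClient
    historian: list = field(default_factory=list)   # local OT repository
    pending: list = field(default_factory=list)     # not yet acknowledged by billing
    approximation_mode: bool = False
    seq: int = 0

    def record(self, timestamp, volume_bbl):
        self.seq += 1
        r = Reading(self.seq, timestamp, volume_bbl)
        self.historian.append(r)                    # never depends on IT
        if not self.approximation_mode:
            try:
                self.billing.post(r)
                return r
            except ConnectionError:
                self.approximation_mode = True      # enter force-majeure billing
        self.pending.append(r)
        return r

    def reconcile(self):
        """Replay cached readings in order; returns how many were accepted.
        Stays in approximation mode if billing is still unreachable."""
        replayed = 0
        while self.pending:
            try:
                self.billing.post(self.pending[0])
            except ConnectionError:
                return replayed
            self.pending.pop(0)
            replayed += 1
        self.approximation_mode = False
        return replayed

    def approximate_total(self):
        """Volume not yet billed, for estimated/manual billing while IT is down."""
        return sum(r.volume_bbl for r in self.pending)


def simulate():
    """Constructed scenario: billing fails mid-shift, product keeps moving."""
    billing = BillingClient()
    path = CustodyTransferPath(billing)
    path.record("2024-07-09T06:00Z", 1000.0)
    billing.available = False            # IT incident begins
    path.record("2024-07-09T07:00Z", 1010.0)
    path.record("2024-07-09T08:00Z", 990.0)
    approx = path.approximate_total()
    first_try = path.reconcile()         # still down: nothing replayed
    billing.available = True             # billing restored
    replayed = path.reconcile()
    return {
        "historian": len(path.historian),
        "approx_bbl_while_down": approx,
        "replayed_while_down": first_try,
        "replayed_after_recovery": replayed,
        "billing_has_all": sorted(billing.received) == [1, 2, 3],
        "approximation_mode": path.approximation_mode,
    }


if __name__ == "__main__":
    print(simulate())
```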

In all three cases, what we are seeing here is not only two kinds of network criticality, a safety-critical OT network and a business-critical IT network, but three networks. The third is a reliability-critical network that is often mixed up with other IT assets. In the examples above, we might be able to redesign our systems so that custody transfer, royalty payments and emissions reporting can, in an emergency, be seen as non-critical. More generally, such redesign may not be possible. In this case, what we need to do is recognize that we are dealing with three network criticalities and start applying some of the TSA approach to managing the OT-critical components in the IT network.

For example – consider the upstream royalty payment system. To be effective in managing the royalty system as reliability-critical, we need to put the royalty system in its own network/DMZ and apply the TSA approach to that network as well – be wary of allowing the royalty network to rely on IT resources that may be compromised, be wary of sharing trusts between the reliability-critical DMZ and the IT network, and so on. It does no good to restore the reliability-critical systems to an uncompromised state if they, in turn, still depend on Active Directory or other IT services that are still crippled by the ransomware attack.

The word “resilience” is often used when looking at these dependencies between safety-critical and reliability-critical networks. In the royalty example, we might deploy unidirectional gateways at the IT/OT interfaces in the offshore platforms or oil fields to prevent any online attack from migrating from a compromised IT network into the safety-critical OT networks. If the IT network is compromised though, we must still shut down the production of hydrocarbons when the royalty system fails. But – if we can bring the royalty reporting system back within hours of failure, and we can bring the field back into full production an hour or two after that, then the result might be regarded as an acceptable worst-case outage of only a few hours.

This kind of network engineering is an example of enabling resilience – production “springs back” into operation after a brief outage, even while the bulk of the IT network is still compromised. Be aware though – while this kind of reliability-critical dependency analysis can result in improved resilience, it is not always a “silver bullet.” A petrochemical refinery, for example, can take days or longer to go from an emergency stop condition back to 100% of capacity. Any IT dependency that triggers even a five-minute complete shutdown of such a facility incurs this start-up cost of losing days or more of production. Applying network engineering principles to reliability-critical IT sub-networks can save us a lot of downtime in some cases, but we must still consider the realities of the physical process.

Further reading:

This example is a small part of Chapter 5 of the author’s new book Engineering-Grade OT Security – A manager’s guide. If you found value in this article, you can request your own free copy of the book here, courtesy of Waterfall Security Solutions.

About the author

Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.
Cyber-Informed Engineering Transforms IT/OT Convergence in Oil & Gas Operations
https://waterfall-security.com/ot-insights-center/oil-gas/cyber-informed-engineering-transforms-it-ot-convergence-in-oil-gas-operations/
Thu, 01 Feb 2024 08:17:43 +0000

Join our webinar for an in-depth look at how CIE (Cyber-Informed Engineering) can help in converging IT and OT security for Oil & Gas operations.

Join us on February 28th or 29th 2024.
There will be 2 live streams of the webinar, please pick the date and time that works best for you.

Oil & Gas Webinar

On this webinar, we'll take you through:

IT/OT integration introduces threats to reliable operations. Connected networks move not only data but also malware and remote-control cyber attacks along their wires and cables. In the Oil & Gas industry, E&P, pipelines, and refineries have found that securing IT/OT connections involves more than just having Enterprise Security telling Engineering what to do and Engineering saying “no” to IT over and over.

However, understanding what “more” means has been the challenge.

Cyber-Informed Engineering (CIE) is a new approach to securing IT/OT convergence – an approach and a perspective that highlights important opportunities. For example, in CIE, worst-case consequences define security requirements for industrial networks, and consequence boundaries define unique spheres of expertise and approaches, including safety engineering, process engineering, the NIST Cybersecurity Framework and leveraging industrial data in the cloud.

Join Kevin Rittie, Andrew Ginter, and Alan Acquatella in this webinar as they introduce a new approach to solving long-standing challenges by:

  • Identifying the challenges facing OT engineering as it strives to build secure bridges between operations, corporate, and the cloud in order to satisfy the ever-growing need for operational data that drives strategic business growth.
  • Introducing CIE in a way that makes clear how this approach to secure-by-design engineering can improve the security and operational integrity of both brownfield and greenfield installations.
  • Looking at some practical examples that make tangible how cyber-informed engineering and unidirectional network engineering combine to build safe and secure production environments.
  • Listing some tangible next steps on your continuous cybersecurity journey.


Kevin Rittie, a Critical Infrastructure Technology Consultant

With over 30 years in the control system market, Kevin Rittie is a seasoned software and cybersecurity professional who has led diverse development groups with budgets up to $10M. He has a comprehensive background, starting as a project engineer and software developer, and has excelled in roles such as Product Management, Cybersecurity, Sales, and Marketing.


Andrew Ginter, Waterfall VP Industrial Security

Andrew Ginter is the most widely-read author in the industrial security space, with over 20,000 copies of his first two books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.


Alan Acquatella, Industry Expert at Schneider Electric

Alan Acquatella heads the Pipeline & New Energies Infrastructure Segment for Schneider Electric. He brings domain expertise about industry and customer requirements and provides thought leadership and knowledge on valuable technologies and services customers can use to improve their operations and sustainability efforts.

Oil and Gas Cyber Security – A Safety Priority for Refining
https://waterfall-security.com/ot-insights-center/oil-gas/oil-and-gas-cyber-security-a-safety-priority-for-refining/
Sat, 26 Nov 2022 00:00:00 +0000
Refineries are some of the safest production facilities in the world. Oil and gas industries practice some of the strictest workplace safety and security of any industry. A serious malfunction at a refinery not only threatens human lives and the environment, but unplanned shutdowns at this type of critical infrastructure are extremely expensive and can have impacts on public safety. In this very strict, consequential environment, industrial oil and gas cyber security is increasingly a problem.


Figure: Cyber attacks with physical consequences in process & manufacturing industries (bar graph of increasing incidents of consequential ICS attacks, 2010 to 2022)

Industrial cyber security is a factor because efficient refining operations demand automation – both process automation and IT-style business automation. To enable that automation and digitalization, IT systems and operations technology (OT) systems are increasingly connected, both within their own networks and across the so-called IT/OT interface. This is a problem, because all cyber sabotage attacks are information, and every communications channel that lets information move across networks also lets in cyber attacks. Ever-increasing connectivity deployed in support of steadily-increasing automation results in an ever-increasing number of attack vectors that put digitized refineries at risk.

Attacks on oil and gas cyber security show no signs of slowing down

Cyber attacks that cause production outages or other physical consequences were a largely theoretical problem a decade ago. Over the past 5 years, however, such attacks have been growing exponentially in sophistication, malintent and ubiquity. The 2017 TRITON attack, which compromised Safety Instrumented Systems (SIS) in a Middle Eastern petrochemical facility and twice shut down the facility, shows that this cyber threat is very relevant to the refining industry. The increase in industrial exploits is evidence that connecting enterprise networks to ICS networks can open attack vectors for bad actors to spread malware and even to issue malicious commands deep into control system devices.

Worst-case consequences drive cyber security requirements

The modern approach to dealing with cyber threats due to connectivity starts with identifying both networks at differing levels of criticality and “criticality boundaries” – connections between networks whose worst-case consequences of compromise differ sharply. Determining this consequence delta is the sweet spot for properly defending operational technology.

At most refineries, the most important criticality boundary is between the enterprise network and the plant-wide Process Control Network (PCN). Worst-case consequences of compromise on the enterprise network include the potential for lawsuits, reputational damage and other negative repercussions of breaches of personally-identifiable information (PII), as well as clean-up costs: identifying, isolating, erasing, and restoring compromised equipment from backups. Worst-case consequences of cyber compromise on PCN networks include costly production downtime or possibility of fires, explosions, worker casualties and even threats to public safety. These are sharply and qualitatively different kinds of consequences – we cannot restore lost production, the environment or human lives “from backups.”

Engineering Cyber Security Approach – Unidirectional Security Gateways

In response to both the deteriorating threat environment and the need to keep safety as a top priority, many refineries are investing in unbreachable unidirectional protection at this critical IT/OT boundary. What does this look like? Unidirectional Gateways eliminate targeted ransomware and other modern threats because the gateways physically send information in only one direction: from the PCN network out to business automation. A fiber-optic transmitter in the PCN side of the gateway sends information to a receiver on the enterprise side. The receiving circuit board contains no transmitter or laser. This makes the receiving hardware physically unable to send any information back to the transmitter. If all information is prevented from flowing back through the hardware to the protected PCN network, then no attacks can flow back either – the unidirectional hardware is physical protection from cyber attacks.


Figure: Unidirectionally connected Process Control Network (PCN)

Whereas enterprise-grade defenses are probabilistic – meaning they may or may not defeat attacks depending on several external variables – Waterfall Unidirectional Security Gateways are deterministic protection. The gateways prevent all remote attacks from entering the protected network, no matter how sophisticated that ransomware, malware or other cyber attacks might be today or might become in the future. Deterministic solutions are engineered for a safety-minded environment – they provide the same degree of reliable protection, consistently.

Security Is Essential to Safety

Maintaining the highest level of engineering-grade industrial cyber security at refineries is essential to maintaining safety standards. Beyond safety, refining is critical infrastructure, and costly downtime and unplanned shutdowns carry enormous financial and societal costs. Preventing cyber attacks on operational networks at petrochemical facilities is key to maintaining safe and reliable operations for all stakeholders.

When we control the flow of information at criticality boundaries with physical, unidirectional hardware, we control the flow of attacks. Unidirectional Gateways are engineering-grade solutions to connectivity risks at criticality boundaries.

Reading Further on Oil and Gas Cyber Security

To dive deeper into use cases, strategies, and solutions for cyber security for refining, please download Waterfall’s guide: Cybersecurity for Refining. The guide explains how refineries can achieve deterministic, unbreachable protection for safe and reliable operations, while continuing to enjoy the efficiency, optimization and real-time OT visibility benefits that come from modern business automation.

Enabling The Digital Refinery
https://waterfall-security.com/ot-insights-center/oil-gas/enabling-the-digital-refinery/
Thu, 08 Sep 2022 10:59:00 +0000

Protecting The Refining & Petrochemical Industry From Evolving Cyber Threats
Customer/ Partner:

North American Petrochemical Refinery.

Customer Requirement:

To protect critical equipment and on-going productivity of a highly sensitive production environment involving the processing of petrochemicals, while at the same time improve the performance of plant production with real-time, actionable and predictive analytics.

Waterfall’s Unidirectional Solution:

Secure the production environment perimeter from external threats and provide real-time enterprise visibility – Unidirectional Security Gateways protect all industrial control systems (DCS, individual controllers and logic controllers) with an impassable physical barrier to external network threats, while enabling enterprise access to real-time production data.

Refining & Petrochemicals Processing Modernization And Containing Remote Cyber Threats

The energy industry has become the second most prone to cyber attacks with nearly three-quarters of U.S. oil & gas companies experiencing at least one cyber incident. Remote cyber attacks on oil and gas refining & production can result in severe consequences to human and environmental safety in the form of ruptures, explosions, fires, releases, and spills. In addition, disruption of service and deliverability can be devastating for key infrastructure end users such as power plants, airports or national defense.

The challenge

To secure the safe, reliable and continuous operation of oil & gas processing control and safety networks from threats emanating from less trusted external networks. At the same time provide real-time access to operations data to the enterprise users and applications, as well as provide periodic and on-demand inbound access for anti-virus and other updates to turbine vendors and other third parties.

Waterfall solution

A Waterfall Unidirectional Gateway was installed between the process control network (PCN) and the enterprise network. Unidirectional Gateway software connectors replicate OSISoft PI, GE OSM and ICCP servers from the PCN to the enterprise network where enterprise clients can interact normally and bi-directionally with the replicas. A file server replication connector was also deployed, to eliminate the routine use of USB drives and other removable media. A Waterfall FLIP, a hardware-enforced Unidirectional Security Gateway whose orientation is reversible, was also installed between the PCN and IT networks. By schedule, or by exception, an independent control mechanism inside the protected OT network triggers the FLIP hardware to change orientation, allowing information to flow back into the protected OT network as needed.

Results & benefits
  • 100% Security: With the gateways, the PCN is now physically protected from threats emanating from external, less-trusted networks. The FLIP permits disciplined, on-demand and scheduled updates of plant systems, without introducing firewall vulnerabilities.
  • 100% Visibility: The enterprise network continues to operate as if nothing has changed. Instead of accessing servers on the critical operational network, users on the external network now access real-time data from replicated servers for all informational and analytical requirements.
  • 100% Compliance: Unidirectional Gateways are recognized by manufacturing cyber security standards as well as by global industrial control system cyber security standards and regulations.
Theory of Operation

Waterfall Unidirectional Security Gateways replace firewalls in industrial network environments, providing absolute protection to control systems and operations networks from attacks originating on external networks. The Gateways enable vendor monitoring, industrial cloud services, and visibility into operations for modern enterprises and customers. Unidirectional Gateways replicate servers, emulate industrial devices and translate industrial data to cloud formats. As a result, Unidirectional Gateway technology represents a plug-and-play replacement for firewalls, without the vulnerabilities and maintenance issues that always accompany firewall deployments. Unidirectional Gateways contain both hardware and software components. The hardware components include a TX Module, containing a fiber-optic transmitter/laser, and an RX Module, containing an optical receiver but no laser. The gateway hardware can transmit information from an industrial network to an external network, but is physically incapable of propagating any virus, DOS attack, human error or any cyber attack at all back into the protected network.

Unidirectional Security Gateways Benefits

  • Safe, continuous monitoring of critical systems
  • Protects product quality, safety of personnel, property and the environment
  • Protects safety and preventative maintenance systems of physical assets from remote Internet-based threats
  • Simplifies audits, change reviews, and security system documentation
  • Disciplined, on-demand and scheduled updates of plant systems, without introducing firewall vulnerabilities
  • Replaces at least one layer of firewalls in a defense-in-depth architecture, thereby breaking the chain of infection and pivoting attacks

Global Cybersecurity Standards Recommend Unidirectional Security Gateways

Waterfall Security is the market leader in Unidirectional Gateway technology with installations at critical infrastructure sites across the globe. The enhanced level of protection provided by Waterfall’s Unidirectional Security Gateway technology is recognized as best practice by many leading industry standards bodies such as NIST, ANSSI, NERC, the IEC, the US DHS, ENISA and many more.
