OT Insights CenterOil and GasUpstream / Midstream / Downstream Cyber Attacks – Dependency Analysis

Upstream / Midstream / Downstream Cyber Attacks – Dependency Analysis

It turns out that there are really only three ways that ransomware can shut down OT networks and physical operations: "abundance of caution" shutdowns, OT dependencies on IT systems and services, and ransomware impacting OT networks and systems directly.

Andrew Ginter

• July 9, 2024

“…there is little benefit in having the world’s strongest OT security program if we must shut down our operation every time the IT network is compromised…”

The Waterfall / ICS Strive 2024 Threat Report lists a handful of serious cyber attacks impacting the performance of oil & gas infrastructure in the last several years, including the Colonial Pipeline shutdown and halted shipments at three ports / oil terminals. Most of these incidents were due to ransomware, and most of that ransomware impacted the IT network. It turns out that there are really only three ways that ransomware can shut down OT networks and physical operations: “abundance of caution” shutdowns, OT dependencies on IT systems and services, and ransomware impacting OT networks and systems directly.

In today’s article we look at dependencies. In short, there is little benefit in having the world’s strongest OT security program if we must shut down our operation every time the IT network is compromised with ransomware, because our operations depend on IT services. For example:

• Upstream production might depend on a functioning IT-based royalty reporting system,

   

• Midstream operations might depend on a functioning IT custody transfer system, and

   

• Downstream refining might depend on a functioning IT-based emissions reporting system.

   

These kinds of dependencies are called out explicitly in the US TSA Security Directive 2021-02D for pipeline operators. In particular, the directives establish requirements for the nation’s most important pipelines. For critical OT systems, owners and operators must:

• Implement segmentation designed to prevent operational disruption to OT systems if IT systems are compromised,

   

• In support of that goal, identify all OT dependencies on IT services,

   

• Design OT networks so that they can be isolated from IT networks during incident response procedures.

   

While not stated explicitly in the security directives, the ability to separate OT and IT networks in an emergency can enable OT systems to continue operating through an IT emergency, but only if OT dependencies on IT networks and OT trusts of crippled IT domains do not impair that very desirable ability to operate independently.

If we wish to operate our OT systems through an IT security incident, then while it can be very difficult to eliminate all OT dependencies on IT systems, we cannot simply ignore those dependencies that remain. Instead, we must recognize that IT systems that are essential to continued physical operations are in fact reliability-critical components. These reliability-critical systems may be hosted on what we think of as the IT network instead of the OT network but must be managed and secured as if they were OT systems. For example:

• If a pipeline depends on a custody transfer and billing system in IT, we could modify our customer contracts so that if we must declare force majeure, custody transfer billing enters an “approximation” mode. The OT system continues operating the pipeline, caching all billing-relevant data in a historian or other repository until the billing system recovers and can reconcile accounts.

   

• If an upstream producer depends on a royalty reporting system in IT, we could (hopefully, beforehand) negotiate with the royalty administrator so that, again, if we must declare force majeure, royalty payments could enter an approximation mode, with manual payments authorized every day or two based on approximate data. The OT systems again cache all royalty-relevant data in a historian until the payment system recovers.

   

• For refining emissions data we do the same, but there are no payments or monies to track, simply emissions data to track in a force majeure condition.

   

In all three cases, what we are seeing here is not only two kinds of network criticality, a safety-critical OT network and a business-critical IT network, but three networks. The third is a reliability-critical network that is often mixed up with other IT assets. In the examples above, we might be able to redesign our systems so that custody transfer, royalty payments and emissions reporting can, in an emergency, be seen as non-critical. More generally, such redesign may not be possible. In this case, what we need to do is recognize that we are dealing with three network criticalities and start applying some of the TSA approach to managing the OT-critical components in the IT network.

For example – consider the upstream royalty payment system. To be effective in managing the royalty system as reliability-critical, we need to put the royalty system in its own network/DMZ and apply the TSA approach to that network as well – be wary of allowing the royalty network to rely on IT resources that may be compromised, be wary of sharing trusts between the reliability-critical DMZ and the IT network, and so on. It does no good to restore the reliability-critical systems to an uncompromised state if they, in turn, still depend on Active Directory or other IT services that are still crippled by the ransomware attack.

The word “resilience” is often used when looking at these dependencies between safety-critical and reliability-critical networks. In the royalty example, we might deploy unidirectional gateways at the IT/OT interfaces in the offshore platforms or oil fields to prevent any online attack from migrating from a compromised IT network into the safety-critical OT networks. If the IT network is compromised though, we must still shut down the production of hydrocarbons when the royalty system fails. But – if we can bring the royalty reporting system back within hours of failure, and we can bring the field back into full production an hour or two after that, then the result might be regarded as an acceptable worst-case outage of only a few hours.

This kind of network engineering is an example of enabling resilience – production “springs back” into operation after a brief outage, even while the bulk of the IT network is still compromised. Be aware though – while this kind of reliability-critical dependency analysis can result in improved resilience, it is not always a “silver bullet.” A petrochemical refinery for example, can take days or longer to go from an emergency stop condition back to 100% of capacity. Any IT dependency that triggers even a five-minute complete shutdown of such a facility incurs this start-up cost of losing days or more of production. Applying network engineering principles to reliability-critical IT sub-networks can save us a lot of downtime in some cases, but we must still consider the realities of the physical process. 

Further reading:

This example is a small part of Chapter 5 of the author’s new book Engineering-Grade OT Security – A manager’s guide. If you found value in this article, you can request your own free copy of the book here, courtesy of Waterfall Security Solutions.

Get your complimentary copy now

About the author

Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 35,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.

Share

Trending posts

8 (and a Half) Questions for Your OT “Secure” Remote Access Vendors

April 1, 2026

Webinar: 13 Ways To Break “Secure” OT Remote Access Systems

March 29, 2026

Webinar: 2026 OT Cyber Threat Report

March 25, 2026

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

Tags

• industrial cyber attacks
• NERC CIP
• IEC 62443
• NIST
• OT security Standards

The post Upstream / Midstream / Downstream Cyber Attacks – Dependency Analysis appeared first on Waterfall Security Solutions.

OT Insights CenterOil and GasCyber-Informed Engineering Transforms IT/OT Convergence in Oil & Gas Operations

Cyber-Informed Engineering Transforms IT/OT Convergence in Oil & Gas Operations

Join our webinar for an in-depth look at how CIE (Cyber-Informed Engineering) can help in converging IT and OT security for Oil & Gas operations.

Join us on February 28th or 29th 2024.
There will be 2 live streams of the webinar, please pick the date and time that works best for you.

On this webinar, we'll take you through:

IT/OT integration introduces threats to reliable operations. Connected networks move both data, malware, and remote-control cyber attacks along their wires and cables. In the Oil & Gas industry, E&P, pipelines, and refineries have found that securing IT/OT connections involves more than just having Enterprise Security telling Engineering what to do and Engineering saying “no” to IT over and over. 

However, understanding what “more” means has been the challenge.

Cyber-Informed Engineering (CIE) is a new approach to securing IT/OT convergence – an approach and a perspective that highlights important opportunities. For example, in CIE, worst-case consequences define security requirements for industrial networks, and consequence boundaries define unique spheres of expertise and approaches, including safety engineering, process engineering, the NIST Cybersecurity Framework and leveraging industrial data in the cloud.

Join Kevin Rittie, Andrew Ginter, and Alan Acquatella in this webinar as they introduce a new approach to solving long standing challenges by:

Identifying the challenges facing OT engineering as it strives to build secure bridges between operations, corporate, and the cloud in order to satisfy the ever growing need for operational data that drives strategic business growth.  

Introducing CIE in a way that it is clear how this approach to secure-by-design engineering can improve the security and operational integrity of both brownfield and greenfield installations.

Looking at some practical examples that make tangible how cyber-informed engineering and unidirectional network engineering combine to build safe and secure production environments.

Listing some tangible next steps on your continuous cybersecurity journey.

Kevin Rittie, a Critical Infrastructure Technology Consultant

With over 30 years in the control system market, Kevin Rittie is a seasoned software and cybersecurity professional who has led diverse development groups with budgets up to $10M. He has a comprehensive background, starting as a project engineer and software developer, and has excelled in roles such as Product Management, Cybersecurity, Sales, and Marketing.

Andrew Ginter, Waterfall VP Industrial Security

Andrew Ginter is the most widely-read author in the industrial security space, with over 20,000 copies of his first two books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.

Alan Acquatella, Industry Expert at Schneider Electric

Alan Acquatella heads the Pipeline & New Energies Infrastructure Segment for Schneider Electric. He brings domain expertise about industry and customer requirements and provides thought leadership and knowledge on valuable technologies and services customers can use to improve their operations and sustainability efforts.

Share

Register Now

The post Cyber-Informed Engineering Transforms IT/OT Convergence in Oil & Gas Operations appeared first on Waterfall Security Solutions.

TOGC stands for Transportation Oil &Gas Congress. The congress meets annually and brings together representatives from all aspects of the pipeline industry and focuses on strategic and technical issues impacting transportation of oil and gas via pipeline.

Some of the questions Naoufal answers in the video:

• What solutions does Waterfall Security provide to the Oil & Gas pipelines industry?
• What solutions is Waterfall Security presenting during the Congress?
• What else is there to say about Waterfall’s presentations at TOGC?

This quote from the video really drives home some of the main takeaways:

“It is very important to take into consideration cybersecurity because it’s an important enabler for digital transformation.”

– Naoufal Kerboute, Regional Sales Director – Middle East, Turkey & North Africa

Really something to think about! Without the safety net provided by cybersecurity, the digital transformation of the oil & gas industry would never happen. Too much risk!

A big thanks to everyone that participated in this year’s Congress, looking forward to seeing everyone and meeting new people next year at TOGC 2024 in Italy!

The post Waterfall Security at TOGC 2023 in Istanbul appeared first on Waterfall Security Solutions.

For decades, cybersecurity for infrastructure such as oil & gas pipelines was treated as a “done deal” until the May 7th Colonial Pipeline Ransomware Cyberattack. Regulators and business leaders were both caught off guard, having dismissed the robust security required for pipeline infrastructure as beyond sufficient.

While the OT environment of the Colonial Pipeline was never directly compromised, it did have to be shutdown till it could be confirmed that no breach had occurred. This precautionary measure presents a huge risk to all pipeline operations and led the TSA to rollout more robust directives for securing pipeline infrastructure. And there’s a good chance they’ll be rolling out some more in the near future.

SPEAKERS:

Andrew Ginter – VP Industrial Security at Waterfall Security Solutions and author of Secure Operations Technology (SEC-OT)

The post Evolving TSA Pipeline Security Directives | Recorded Webinar appeared first on Waterfall Security Solutions.

The Directive

A month after the incident, the TSA issued Security Directive Pipeline-2021-02: Pipeline Cybersecurity Mitigation Actions, Contingency Planning and Testing. The directive was confidential, but a redacted version was subsequently released to the Washington Post in response to a Freedom of Information request. The redacted directive ordered large pipeline operators to address many topics, but the mostpertinent directive was II.2(b):

Implement network segmentation sufficient to ensure that the Operational Technology system can operate at necessary capacity, even if the Information Technology system is compromised, …

The directive continues, requiring a number of measures, including II.2(b).vii:

Developing workarounds or manual controls to ensure industrial control system networks can be physically isolated when the Information Technology system creates risk to the safe and reliable Operational Technology system processes.

These directives directly addressed the concern regarding pipeline outages due to compromised IT networks.

Unidirectional Gateways

The TSA directive includes many far reaching requirements, and Waterfall’s Unidirectional Security Gateway products and technologies are powerful tools for compliance with the directive, and for strengthening pipeline OT cybersecurity programs.

When deployed as recommended, Unidirectional Gateways directly address network segmentation and other provisions in the directive. Waterfall recommends that Unidirectional Security Gateway products be deployed as the sole connection between operations-critical OT networks and all external networks, such as IT networks, the Internet and/or connections to external vendors and/or service providers. Waterfall further recommends that the gateways be oriented to send data exclusively from OT networks to IT networks.

Such configuration is of tremendous benefit to security programs, because Waterfall’s Unidirectional Security Gateways are physically able to send information in only one direction – from the protected OT network out to external networks such as IT networks. No online attacks can traverse the Unidirectional Gateway hardware back into protected OT networks.

When deployed as recommended, the gateways assure pipeline operators that no stolen remote access credentials, malware, ransomware, hacktivist attacks, nation-state attacks or any other online attacks can pass through the gateway hardware into a protected OT network.

HOW GATEWAYS WORK

Waterfall’s Unidirectional Security Gateways are a combination of hardware and software. The hardware consists of separate Transmit (TX) and Receive (RX) hardware modules – the TX module contains a fiber-optic transmitter (a laser), the RX module contains a fiber-optic receiver (a photocell,) and a short segment of fiber-optic cable connects the two modules. Since there is no fiberoptic laser in the RX hardware module, there is physically no way to send any optical signal from the receiving hardware back to the sending hardware.

Unidirectional Gateway software makes copies of servers and emulates devices. For example – consider an OT network where an OPC server or process historian server contains all the industrial data that is permitted to be shared with external users via the IT network. In this case, the Waterfall software connects to the source server, logs in, and asks for a snapshot of all recent data. The software receives that data, converts it to Waterfall’s proprietary unidirectional formats and protocols, and sends the data through the unidirectional hardware to the Waterfall software on the receiving network.

That software receives the snapshot and logs into an identical server on the IT network. That is, if the source was OPC, then the destination is OPC. If the source was a historian server, then the destination is an identical historian server.

The software logs into the destination server and inserts the latest data snapshot. All IT users and applications that need access to real-time industrial data interact normally with the destination or “replica” server. No queries or other communications can be sent through the gateway to the source server, and since all data allowed to be shared with IT is already in the destination/replica server, no queries or other communications need to be sent through the gateway back into the protected OT network.

Waterfall’s unidirectional replication software already supports a very wide range of industrial servers, software, protocols, systems, and requirements. For that matter, Waterfall’s Unidirectional Security Gateways already serve many petrochemical pipeline operators, so pipeline operators can be confident that the systems and protocols they need to replicate to external networks have already been proven in the field.

Benefits

Using Waterfall’s Unidirectional Gateways has many benefits

• Per directive II.2(b), there is physically no way for online attacks to propagate from compromised IT or other external networks into OT targets through Unidirectional Gateways, ensuring that OT networks continue operating uninterrupted when IT networks are compromised,
• Per II.2(b).vii, with Unidirectional Gateways there is no need for emergency workarounds to ensure physical isolation of OT networks in cyber emergencies, because OT networks are permanently, physically isolated and protected from cyber attacks, and
• The deployment of Unidirectional Gateways makes obvious any OT dependencies on IT services, such as corporate Active Director controllers or other servers, so that those dependencies can be addressed in security designs, rather than being discovered in dismay during emergencies and triggering “abundance of caution” shutdowns.

The gateways also simplify other requirements in the TSA directive, such as requirements for controlling OT connectivity with the Internet, blocking connections to OT networks from post-exploitation tools, isolating IT from OT systems in the event of cyber emergencies, and many others.

Future-Proof Protection

Better yet, the benefits of deploying Unidirectional Gateways endure for many years to come, even as cyber attacks continue to evolve and become more sophisticated over time. All cyber-sabotage attacks able to affect OT networks are, by definition, information – the only way for an OT network to change from an uncompromised state to a compromised state is for attack information to somehow enter that OT network. Unidirectional Gateway hardware is, and will always remain, physical protection against the online movement of such attack information, no matter how sophisticated that attack information becomes as years pass.

The world’s most secure petrochemical pipelines already use Waterfall’s Unidirectional Security Gateways, as do a much greater number of power plants, refineries, water treatment plants, rail systems and other critical infrastructures. Unidirectional Security Gateways are recommended or required by IEC 62443, ANSSI Critical Infrastructure Cybersecurity standards, and other national standards, such as Israeli and South Korean standards. In North America, the gateways are recognized by CISA and the NERC CIP standards as providing stronger protection than do firewalls.

Please consider Unidirectional Security Gateways when seeking strong assurances of the continuity of physical operations in the face of rapidly evolving ransomware and other threats to IT networks.

To learn more about how Waterfall’s Unidirectional Security Gateways can contribute to your cybersecurity program, please contact Waterfall here https://waterfall-security.com/contact/

customized cybersecurity solutions

Get started today

Contact Us

DOWNLOAD A PDF OF THIS BLOG

RELATED NEWS:

The post Simplifying Network Segmentation for the TSA Pipeline Security Directive appeared first on Waterfall Security Solutions.

The Colonial Pipeline has resumed operations, again delivering millions of barrels of gasoline from refineries in Texas to markets in the Eastern United States. Bloomberg reports that Colonial paid $5 million to the attackers, who have been confirmed as the criminal group Darkside. This is after 6 days downtime and widespread gasoline shortages.

The CISA alert AA21-131A reports that the ransomware was deployed on Colonial’s IT network, and that at the time of the alert, there was no indication that OT or industrial networks were affected. Why is it then, that the pipeline had to be shut down?

Read Waterfall’s special coverage of the Colonial Pipeline cyber attack

https://youtu.be/rntwzIRRb_A

Well, CISA reports that the attack was targeted ransomware. A targeted attack is where the attackers gain a foothold on a target network, usually the IT network, with a RAT – a Remote Access Trojan. The RAT connects to an Internet-based Command and Control center, and the attackers operate the RAT manually and remotely through that center. They send instructions to the RAT to spread through firewalls to find more valuable targets, and eventually to encrypt everything the RAT can touch.

Targeted ransomware can affect physical operations in one of three ways:

• Modern RATS are powerful tools – once in the IT network there is a real chance of the RAT “leaking” into operations accidentally. Even without evidence that the attack has migrated into operations, an organization might shut everything down in an abundance of caution.  CISA reports that this was the case with Colonial Pipelines.
• Attackers can deliberately push the RAT into industrial and OT networks, specifically targeting physical operations. This is what the TRITON attackers did in 2017.
• And the ransomware attack might shut down IT systems that operations needs. In hindsight, these IT systems should probably have been protected as part of the OT network, not left on the Internet-exposed IT network. This was the case with many of the manufacturing sites that targeted ransomware took down in 2020.

The root of the problem is connectivity. Targeted ransomware breaks through firewalls routinely. The attackers send commands right through firewalls to operate the RAT.

The solution that many pipeline companies deploy is a Unidirectional Security Gateway at the IT/OT network interface. The gateways are physically able to send information in only one direction – from the OT network out to the IT network. Unidirectional Gateways give a business access to industrial data to increase efficiencies, without providing any access to industrial systems. Unidirectional Gateway Hardware is physically not able to send RATs or RAT commands, key strokes, mouse movements or ransomware into the operations network.

Waterfall Security Solutions invented Unidirectional Security Gateways over a decade ago, specifically to defeat targeted attacks. Back then, nation-state actors were behind the worst targeted attacks. Today these attacks are organized crime using the tools and techniques of nation-states. These groups punch through layers of firewalls and extort money from all kinds of businesses. The time has come to put Unidirectional Gateway protections in place for all important OT networks.

Pipelines and other critical infrastructures all over the world are turning to Waterfall for security. For a free consultation with a Waterfall expert to see how Unidirectional Gateways can help your organization, please visit the Contact Us page on the Waterfall website.

The post Three Ways Ransomware Can Shut Down A Pipeline | Colonial Pipeline Attack Update appeared first on Waterfall Security Solutions.

 Read Waterfall’s special coverage of the Colonial Pipeline cyber attack

READ THE FULL INTERVIEW HERE

The post Help Net Security Interview: What Does The Pipeline Attack Mean? appeared first on Waterfall Security Solutions.