offshore – Waterfall Security Solutions https://waterfall-security.com Unbreachable OT security, unlimited OT connectivity Thu, 03 Apr 2025 13:58:20 +0000 en-US hourly 1 https://wordpress.org/?v=6.8.2 https://waterfall-security.com/wp-content/uploads/2023/09/cropped-favicon2-2-32x32.png offshore – Waterfall Security Solutions https://waterfall-security.com 32 32 How to Properly Cyber Secure an Upstream Oil & Gas Operation https://waterfall-security.com/ot-insights-center/oil-gas/how-to-properly-cyber-secure-an-upstream-oil-gas-operation/ Tue, 13 Feb 2024 10:27:02 +0000 https://waterfall-security.com/?p=19276 The Waterfall Unidirectional Security Gateway and how it has been applied at Oil & Gas production sites such as oil fields and offshore platforms.

The post How to Properly Cyber Secure an Upstream Oil & Gas Operation appeared first on Waterfall Security Solutions.

]]>
OT Insights CenterOil and GasHow to Properly Cyber Secure an Upstream Oil & Gas Operation

How to Properly Cyber Secure an Upstream Oil & Gas Operation

The Waterfall Unidirectional Security Gateway and how it has been applied at Oil & Gas production sites such as oil fields and offshore platforms.
Picture of Kevin J. Rittie

Kevin J. Rittie

How to Properly Cyber Secure an Upstream Oil & Gas Operation

Protecting an Upstream Oil & Gas operation from cyber threats can be significantly challenging. Unlike many other industrial processes, any disruption to Upstream production has a potentially broad ripple effect, possibly impacting Midstream, Downstream, and even the entire supply chain that uses those petroleum products to provide society with its goods, services, and of course, the fuel with which to deliver them. 

Emerging technologies are making the task even more complex, for example, the use of IIoT has grown significantly over the past half-decade, requiring many points of external cloud connectivity that completely bypass important boundaries put in place by the Purdue Model, a commonly followed OT security framework. As this outside connectivity is used to fine-tune and optimize operations, organizations become dependent on this data’s derivative value, making it a requirement and no longer a nice to have. While there are traditional methods to control the flow of data from this class of devices, a unidirectional configuration can provide you guaranteed secure exchange with low maintenance needs. The data that the IIoT device sends out may not be sensitive, but the machine from which it is collecting that information could be highly sensitive. Therefore, the main goal is protecting the sensitive machine, not the non-sensitive data.  

Get the Checklist: 9 Best Practices for Safeguarding Upstream

“The data that the IIoT device sends out may not be sensitive, but the machine from which it is collecting that information could be highly sensitive.”

TSA Directive for Midstream—Is an equivalent coming to Upstream?

When the Colonial Pipeline cyber incident occurred, there were no formal regulations or laws geared toward preventing such occurrences. Within less than a year, initial regulations were established with updates and refinements garnered from the industry and from acknowledged best practices in an effort to prevent a repeat. The Upstream sector is currently not cyber-regulated, as (knock on wood) there haven’t been any overtly public cyber incidents targeting an Upstream operation, that is, a bellwether event similar to Colonial Pipeline. 

However, if such an Upstream incident were to occur, it could rapidly change the regulatory landscape. Even sans a cyber event, regulators and critical infrastructure oversight agencies are keen to prevent the lurking menace of an attack that could happen due to a lack of assurances that regulations can provide. This is the reason it makes sense for Upstream operations to ensure that its cybersecurity processes demonstrably leverage industry best practices used across many diverse industries, not just oil and gas.  This proactive behavior could reduce the need for regulations as well as provide society and oversight agencies with assurance that the Upstream industry is doing all that it can do to ensure safe, secure, environmentally sound, and uninterrupted operations across the entire segment. 

No one likes the risk of new regulations, and there’s a concern that those imposing these regulations are not fully familiar with the systems they are tasked with protecting, nor do they fully understand the threats against that which they are protecting. Waterfall provides a very high level of security to protect operations. As a side benefit, most regulations and compliances are fully met by using Waterfall’s Unidirectional Gateways. There are even aspects of certain regulations that have network areas exempt from certain details of compliance if those network areas are behind a Waterfall Unidirectional Gateway. 

The Best of Best Practices

Because of the sensitive nature of all Oil & Gas operations, the best-of-the-best practices make the most sense for securing these operations. When it comes to the best practice of protecting an industrial network from external threats while still maintaining external connectivity, the best-of-the-best practice is to use a Waterfall Unidirectional Gateway. This provides a safe and secure way to connect the OT network(s) to the IT network, protecting the connectivity used for the flow of operational data that needs to be analyzed to ensure optimized operation, as well as for IIoT devices that need to connect with their vendors or to the cloud for advanced analytics. 

One Way - Do Not Enter

ONE WAY street signWaterfall’s Unidirectional Gateway (UDG) is like a one-way street or a one-way valve, but for data. The UDG flawlessly lets data flow out, but it doesn’t let even a “drop” flow back into the industrial network. The technical details are of course more complex than a valve or a one-way street sign, but the concept is fundamentally the same, thereby providing a physical barrier that prevents data from ever flowing back in, no matter how capable the threat actor.  
 
Unlike IT security where our concern is that information will leak out, the threat with industrial connectivity is that a malicious payload will get INTO the system and cause damage or disruptions. By physically ensuring that nothing can remotely enter the system, unidirectional gateways protect against all such threats and risks. 

Industrial Connectivity with a Chance of Cloud

Many of the leading analytical products used to optimize industrial operations are based “in the cloud” and require uninterrupted connectivity from the industrial asset to the cloud. Leading cloud providers such as AWS recommend deploying unidirectional gateways to secure such cloud connectivity. By restricting the directionality of the data flow, we can establish secure connections to external and untrusted networks, including those that provide cloud-based services. If that cloud-based service or the cloud infrastructure itself was to be cyber compromised, the industrial network that is protected by a unidirectional gateway would remain physically unreachable and unbreachable.  

Protecting Upstream Oil & Gas Operations

Safeguarding upstream Oil & Gas operations against cyber threats requires proactive measures and the adoption of robust security solutions. As the industry grapples with the challenges posed by emerging technologies like IIoT and external cloud connectivity, the Waterfall Unidirectional Gateway emerges as a best-of-the-best practice for securing industrial networks. By providing a physical barrier that allows data to flow out but preventing any return flow, this solution not only aligns with industry compliance requirements, but also safeguards the network ensuring continuous operations while protecting against potential disruptions. As the threat landscape evolves, proactive implementation of such measures not only enhances security and complies with potential future regulations, but also demonstrates a commitment to safety and the resilience we’ve grown to expect as a society from critical infrastructure. 

Get the Checklist: 9 Best Practices for Safeguarding Upstream
About the author
Picture of Kevin J. Rittie

Kevin J. Rittie

With over 30 years in the control system market, Kevin Rittie is a seasoned software and cybersecurity professional who has led diverse development groups with budgets up to $10M. He has a comprehensive background, starting as a project engineer and software developer, and has excelled in roles such as Product Management, Cybersecurity, Sales, and Marketing. Kevin's innovative contributions include leading the design of a patented control visualization architecture and driving the development of energy management solutions, culminating in the establishment of his own business, RevelationSCS, focused on change management, software practices, and securing critical infrastructure.
Share

Trending posts

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

Tags

The post How to Properly Cyber Secure an Upstream Oil & Gas Operation appeared first on Waterfall Security Solutions.

]]> Waterfall And W-Industries Secure Offshore Platforms https://waterfall-security.com/ot-insights-center/oil-gas/waterfall-and-w-industries-secure-offshore-platforms/ Tue, 23 May 2017 08:29:00 +0000 https://waterfall-security.com/?p=10249 Secure, safe, and continuous operation of offshore platforms, protected against remote cyber attacks, while enabling reliable real-time monitoring and reporting of production data and the statuses of essential platform systems.

The post Waterfall And W-Industries Secure Offshore Platforms appeared first on Waterfall Security Solutions.

]]>
OT Insights CenterOil and GasWaterfall And W-Industries Secure Offshore Platforms

Waterfall And W-Industries Secure Offshore Platforms

Partnering With Global Systems Integrator To Secure Critical Production Processes
Customer/ Partner:

Offshore Oil & Gas Producer.

Customer Requirement:

Secure safe and continuous operation of offshore platforms from remote cyber attacks, while enabling reliable real-time monitoring and reporting of production data and the status of essential platform systems.

Waterfall’s Unidirectional Solution:

Secures the platform control system network perimeter from external threats with Unidirectional Security Gateways, enabling real-time enterprise monitoring and third-party monitoring and diagnostics, while creating fully operational Wonderware PCS, OPCDA, power turbine monitoring and file server replicas.

Offshore Production Modernisation And Containing Remote Cyber Threats

The energy industry is the second most prone critical infrastructure to cyber attacks with nearly threequarters of U.S. oil & gas companies experiencing at least one industrial cyber incident annually. Remote cyber attacks targeting offshore oil platforms can result in severe consequences to human and environmental safety. Waterfall partnered with W-Industries, a leading global systems integrator for the offshore industry, to secure a fleet of offshore platforms and operational processes from cyber attacks.

The Challenge icon
The challenge

Waterfall Unidirectional Gateways were deployed, both on the platform and in onshore facilities. Each gateway is the only point of connection between IT and OT networks, replicating information from control networks to the enterprise network. A central OSIsoft PI enterprise server served as a repository for analyzing operations data, company-wide. An OPC-DA server in each control network pulls realtime data from industrial servers. The Waterfall Gateway replicates OPC-DA servers to platform and onshore IT networks. The enterprise PI server pulls data from the Waterfall OPC-DA replicas and makes it available enterprise-wide for reporting, analysis and optimization planning.

Waterfall solution - icon
Waterfall solution

W-Industries replaced the IT/OT firewall with a Unidirectional Security Gateway. The gateways replicate an OSIsoft PI historian from the OT network to the IT network. The IT PI replica provides enterprise users and applications with real-time access to all operations data authorized to be shared with the enterprise. The enterprise hydraulic analysis application draws real-time reservoir levels, pressures and pump indications from the replica historian. A secure web portal accesses equipment status information, billing information and other readings from the replica as well. This data IS available to utility management, end users and field personnel.

Results and benefits - icon
Results & benefits

Security: Absolute protection from online attacks originating on the IT network, and from Internet-based attacks which might breech the enterprise network.

Visibility: Online access to real-time operations data, with no change in end-user or business application integration procedures.

Cost: Reduced training, admin, audit, testing, and monitoring costs when compared to a conventional firewall-based solution.

vertical red line
Theory of Operation
Click to enlarge

“Using the Waterfall Gateways gave our customer the assurance of true unidirectional server replication from the control network to the business network.”

Greg Hanson, W-Industries

Waterfall Unidirectional Security Gateways replace firewalls in industrial network environments, providing absolute protection to control systems and industrial control networks from attacks emanating from external less-trusted networks. Waterfall Gateways contain both hardware and software components. The hardware is physically able to send information in only one direction. The software replicates servers and emulates devices. The gateway software produces an accurate, timely replica of a production OPC server. Enterprise applications and users interact normally with the replica server.

Unidirectional Gateways enable control system intrusion detection, vendor monitoring, industrial cloud services, and visibility into operations for modern enterprises and customers. The gateways replicates servers, emulate industrial devices, and translate industrial data to cloud formats. Unidirectional Gateway technology represents a plug-and-play replacement for firewalls, without the vulnerabilities and maintenance issues that accompany firewall deployments. Replacing at least one layer of firewalls in a defense-in-depth architecture breaks the attack path from the Internet to critical systems

vertical red line
Unidirectional Security Gateways Benefits:

arrow red rightSafe, continuous monitoring of critical systems

arrow red rightProtects product quality and the safety of personnel, equipment and the environment

arrow red rightSimplifies audits, change reviews, and system documentation

arrow red rightDisciplined, on-demand and scheduled updates of plant systems, without introducing firewall vulnerabilities

arrow red rightReplaces at least one layer of firewalls in a defense-in-depth architecture, breaking the chain of infection and preventing pivoting attacks

Share

Trending posts

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

Tags

The post Waterfall And W-Industries Secure Offshore Platforms appeared first on Waterfall Security Solutions.

]]>