Oil and Gas Cybersecurity Risks and Standards

Organizations involved in energy extraction must protect a complex infrastructure in remote locations, both on land and offshore. These sites are valuable targets for hackers whose objective is operational disruption, environmental terrorism, or even injury and loss of life for employees and members of the surrounding community.  

To protect these sites, every aspect of security, from industrial control systems to physical security, must be integrated for centralized visibility and control. Electronics and surveillance infrastructure at a small drilling site should be as heavily protected as the corporate data center—and equally visible to the security operations team.

The Fortinet Security Fabric offers comprehensive, integrated cyber and physical security defending against cyber threats to oil and gas industry data centers. FortiGate Rugged Series next-generation firewalls (NGFWs) and FortiAP Outdoor Series wireless access points provide robust security protection while withstanding the rugged extremes of drilling and exploration sites on land and water. FortiCamera and FortiRecorder protect against physical intrusion, while Fortinet Secure SD-WAN and Fortinet SD-Branch provide secure networking to the remote site. Threat detection, management and analytics, and access control tools, usually delivered from the corporate infrastructure at headquarters, provide layers of security measures for these vulnerable remote sites.

The wholesale transport of petroleum expands an organization’s physical attack surface by hundreds or thousands of miles, and the connections between the different elements of this infrastructure involve both upstream and downstream processes. Pipelines are subject to both accidental leaks and physical sabotage, and the supervisory control and data acquisition (SCADA) systems and Internet-of-Things (IoT) devices that monitor and control them are often vulnerable. A successful attack can be catastrophic, with the potential for massive environmental damage and loss of life.

Midstream operators would do well to utilize the Purdue Enterprise Reference Architecture as a standard in designing their electronic infrastructure. The Purdue model calls for cyber and physical security to be protected holistically as a part of an end-to-end, integrated security architecture.

The Fortinet Security Fabric makes this possible with integrated cybersecurity, physical security, and secure networking. FortiGate Rugged Series next-generation firewalls (NGFWs) and FortiAP Outdoor Series wireless access points provide robust security protection while withstanding the remote outdoor environments that must be covered. Surveillance solutions protect against physical intrusion, while Fortinet Secure SD-WAN and Fortinet SD-Branch provide secure networking to pumping stations and other remote sites. A wide range of threat detection, management and analytics, and access control tools are delivered from headquarters to provide comprehensive oil and gas cybersecurity.

Refineries and other processing locations are also targets of both physical and cyberattackers, and either type of attack can cause significant physical danger to employees and the general public. Successful attacks can also impact the national economy with supply shortages. Threats can emanate from the outside, the inside, and from third parties. And while some insider attacks may be deliberate, others may be accidental.

To provide protection in such a volatile location, oil and gas cybersecurity teams need single-pane-of-glass visibility into the entire network, as well as the surveillance infrastructure.

The Fortinet Security Fabric protects cyber and physical oil and gas security systems at these facilities in an integrated and holistic way. FortiGate Rugged Series next-generation firewalls (NGFWs) and FortiAP Outdoor Series wireless access points provide robust security protection while withstanding a variety of environmental challenges. Video surveillance solutions protect against physical intrusion, while a wide range of threat detection, management and analytics, and access control tools—often delivered from headquarters—provide layers of security for the site.

Oil and gas companies’ corporate infrastructures contain a variety of business-critical data, from geological and exploration data to financials to the personal information of employees and consumers. Most companies have remote and traveling workers, third-party partners with access to corporate resources, and services in multiple clouds. In addition to protecting these resources from external attack, it is crucial to protect against well-intentioned and malicious insiders exposing confidential data.

While a disaggregated security architecture impedes both security and operational efficiency, single-pane-of-glass visibility and control enhances both. End-to-end integration of the security infrastructure unlocks automation of threat detection, response, and reporting, freeing up time for well-paid security personnel to focus on strategic tasks.

The Fortinet Security Fabric provides an integrated security architecture that makes this possible. Fortinet covers the entire attack surface, from the data center to multiple clouds to the network edge, with broad, integrated, and automated protection. Fortinet Adaptive Cloud Security solutions break down silos between multiple public and private clouds, enabling consistent policy management and furthering protecting oil and gas security systems. FortiManager, FortiAnalyzer, and FortiSIEM provide comprehensive management and analytics. FortiInsight and FortiDeceptor help protect against insider cyber threats to oil and gas industry architectures. And companies can protect devices and applications with FortiWeb, FortiMail, FortiClient, and FortiEDR. 

Oil and gas retailers usually sell other items as well, and they face similar challenges to other brick-and-mortar retailers. In addition, they have numerous Internet-of-Things (IoT) devices to track tank levels, refrigerator temperatures, and IP cameras. Fuel tanks on the property add extra safety and compliance requirements that other retailers do not have, and self-service, outdoor point-of-sale (POS) infrastructure presents another risk. As a result, the integration of cyber and physical security is critical, as is compliance with Payment Card Industry (PCI) standards and providing a pleasant in-store experience.

Such a complex set of business and security needs makes end-to-end integration of the security architecture especially important for gasoline retailers. Such an infrastructure eliminates the need for manual processes and workarounds that slow threat response and take staff members away from their mission of customer service.

Fortinet networking and security solutions help connect different locations in a chain, providing robust network security and automated compliance reporting. FortiGate next-generation firewalls (NGFWs) deliver robust protection for the entire attack surface, with many features built in that require an additional hardware purchase with other vendors. Fortinet Secure SD-WAN provides secure networking to all store locations without the need for expensive multiprotocol label switching (MPLS) bandwidth. And Fortinet SD-Branch oil and gas security systems extend Fortinet security and networking within each store.

This infrastructure also allows for shared security services to be delivered from headquarters, including access management, advanced endpoint security, behavioral threat detection, and deception technology. In addition, management and analytics tools enable single-pane-of-glass visibility and automated reporting for compliance with standards like the PCI Software Security Framework (SSF).