Oil and Gas Cybersecurity Risks and Standards
Protecting Critical Infrastructure and Assets Against Cyber Threats with End-to-end Integration
Oil and natural gas companies own and manage major pieces of critical infrastructure that are vital not only to company operations but also to the nation’s economic and military well-being. Upstream, midstream, and downstream operations are valuable targets for cyber threats from adversaries with a variety of motives—from personal profit to industrial espionage to economic disruption. Due to the critical nature of this sector, cybersecurity for oil rigs and gas companies also faces stringent regulations.
Clearly, the cyber threats to oil and gas industry sectors are significant. An attack on the supervisory control and data acquisition (SCADA) system that operates an offshore rig, oil well, pipeline, or refinery—or Internet-of-Things (IoT) devices that provide monitoring data to such systems—can have devastating consequences. These could include expensive damage to facilities, lengthy supply disruptions, and even injury and loss of life for employees, bystanders, and nearby residents. And attacks on corporate infrastructure could compromise intellectual property such as exploration data surveys, as well as pose data security risks for business and personnel information.
For more than a decade, Fortinet has provided comprehensive security solutions for the oil and gas sector and its infrastructure—from land-based and offshore drilling sites, to refineries and pipelines, to the corner gas station. The Fortinet Security Fabric enables end-to-end security integration across the entire infrastructure.
Organizations involved in energy extraction must protect a complex infrastructure in remote locations, both on land and offshore. These sites are valuable targets for hackers whose objective is operational disruption, environmental terrorism, or even injury and loss of life for employees and members of the surrounding community.
To protect these sites, every aspect of security, from industrial control systems to physical security, must be integrated for centralized visibility and control. Electronics and surveillance infrastructure at a small drilling site should be as heavily protected as the corporate data center—and equally visible to the security operations team.
The Fortinet Security Fabric offers comprehensive, integrated cyber and physical security defending against cyber threats to oil and gas industry data centers. FortiGate Rugged Series next-generation firewalls (NGFWs) and FortiAP Outdoor Series wireless access points provide robust security protection while withstanding the rugged extremes of drilling and exploration sites on land and water. FortiCamera and FortiRecorder protect against physical intrusion, while Fortinet Secure SD-WAN and Fortinet SD-Branch provide secure networking to the remote site. Threat detection, management and analytics, and access control tools, usually delivered from the corporate infrastructure at headquarters, provide layers of security measures for these vulnerable remote sites.
The wholesale transport of petroleum expands an organization’s physical attack surface by hundreds or thousands of miles, and the connections between the different elements of this infrastructure involve both upstream and downstream processes. Pipelines are subject to both accidental leaks and physical sabotage, and the supervisory control and data acquisition (SCADA) systems and Internet-of-Things (IoT) devices that monitor and control them are often vulnerable. A successful attack can be catastrophic, with the potential for massive environmental damage and loss of life.
Midstream operators would do well to utilize the Purdue Enterprise Reference Architecture as a standard in designing their electronic infrastructure. The Purdue model calls for cyber and physical security to be protected holistically as a part of an end-to-end, integrated security architecture.
The Fortinet Security Fabric makes this possible with integrated cybersecurity, physical security, and secure networking. FortiGate Rugged Series next-generation firewalls (NGFWs) and FortiAP Outdoor Series wireless access points provide robust security protection while withstanding the remote outdoor environments that must be covered. Surveillance solutions protect against physical intrusion, while Fortinet Secure SD-WAN and Fortinet SD-Branch provide secure networking to pumping stations and other remote sites. A wide range of threat detection, management and analytics, and access control tools are delivered from headquarters to provide comprehensive oil and gas cybersecurity.
Refineries and other processing locations are also targets of both physical attackers and cyberattackers, and either type of attack can cause significant physical danger to employees and the general public. Successful attacks can also impact the national economy with supply shortages. Threats can emanate from the outside, the inside, and from third parties. And while some insider attacks may be deliberate, others may be accidental.
To provide protection in such a volatile location, oil and gas cybersecurity teams need single-pane-of-glass visibility into the entire network, as well as the surveillance infrastructure.
The Fortinet Security Fabric protects cyber and physical oil and gas security systems at these facilities in an integrated and holistic way. FortiGate Rugged Series next-generation firewalls (NGFWs) and FortiAP Outdoor Series wireless access points provide robust security protection while withstanding a variety of environmental challenges. Video surveillance solutions protect against physical intrusion, while a wide range of threat detection, management and analytics, and access control tools—often delivered from headquarters—provide layers of security for the site.
Oil and gas companies’ corporate infrastructures contain a variety of business-critical data, from geological and exploration data to financials to the personal information of employees and consumers. Most companies have remote and traveling workers, third-party partners with access to corporate resources, and services in multiple clouds. In addition to protecting these resources from external attack, it is crucial to protect against well-intentioned and malicious insiders exposing confidential data.
While a disaggregated security architecture impedes both security and operational efficiency, single-pane-of-glass visibility and control enhances both. End-to-end integration of the security infrastructure unlocks automation of threat detection, response, and reporting, freeing up time for well-paid security personnel to focus on strategic tasks.
The Fortinet Security Fabric provides an integrated security architecture that makes this possible. Fortinet covers the entire attack surface, from the data center to multiple clouds to the network edge, with broad, integrated, and automated protection. Fortinet Adaptive Cloud Security solutions break down silos between multiple public and private clouds, enabling consistent policy management and further protecting oil and gas security systems. FortiManager, FortiAnalyzer, and FortiSIEM provide comprehensive management and analytics. FortiInsight and FortiDeceptor help protect against insider cyber threats to oil and gas industry architectures. And companies can protect devices and applications with FortiWeb, FortiMail, FortiClient, and FortiEDR.
Oil and gas retailers usually sell other items as well, and they face similar challenges to other brick-and-mortar retailers. In addition, they have numerous Internet-of-Things (IoT) devices to track tank levels, refrigerator temperatures, and IP cameras. Fuel tanks on the property add extra safety and compliance requirements that other retailers do not have, and self-service, outdoor point-of-sale (POS) infrastructure presents another risk. As a result, the integration of cyber and physical security is critical, as is compliance with Payment Card Industry (PCI) standards and providing a pleasant in-store experience.
Such a complex set of business and security needs makes end-to-end integration of the security architecture especially important for gasoline retailers. Such an infrastructure eliminates the need for manual processes and workarounds that slow threat response and take staff members away from their mission of customer service.
Fortinet networking and security solutions help connect different locations in a chain, providing robust network security and automated compliance reporting. FortiGate next-generation firewalls (NGFWs) deliver robust protection for the entire attack surface, with many features built in that require an additional hardware purchase with other vendors. Fortinet Secure SD-WAN provides secure networking to all store locations without the need for expensive multiprotocol label switching (MPLS) bandwidth. And Fortinet SD-Branch oil and gas security systems extend Fortinet security and networking within each store.
This infrastructure also allows for shared security services to be delivered from headquarters, including access management, advanced endpoint security, behavioral threat detection, and deception technology. In addition, management and analytics tools enable single-pane-of-glass visibility and automated reporting for compliance with standards like the PCI Software Security Framework (SSF).
Cost efficiency is a top priority in the international oil and gas industry, as the market is subject to wild fluctuations in price. This volatility means that a company can easily go from significant profitability to an operating loss in a matter of days.
In this environment, replacing expensive, older equipment due to security vulnerabilities is sometimes out of the question, necessitating security workarounds that must be designed in such a way as to not impede operations. Many companies have multiple pieces of infrastructure with these kinds of vulnerabilities, stretching finite oil and gas cybersecurity resources.
The global cybersecurity skills shortage means that hiring additional team members to address these issues is costly, and it may be impossible to find some specific skills in the labor market at any price. Regardless, adding more staff does not address the core problem that manual oil and gas security systems are inadequate to deal with threats that move at machine speed.
The proliferation of Industrial Internet-of-Things (IIoT) devices that feed different kinds of data into supervisory control and data acquisition (SCADA) systems eliminates, in many cases, the air gap that has historically kept them relatively safe from cyberattacks. This expands a company’s attack surface, and the problem is exacerbated by the fact that many IoT devices are headless and thus cannot be updated with security patches. Trends such as the near-universal adoption of multi-cloud networks and growing use of mobile devices compound the problem.
To plug these security holes, organizations often deploy a multitude of point security products that are not integrated. The resulting security silos create complexity and obscure visibility, delaying threat detection, prevention, and response. This increases the risk that a fast-moving threat will get through before it is detected through manual processes.
This architectural fragmentation also increases operational inefficiencies for the oil and gas cybersecurity teams. Without end-to-end integration of all security elements, automation of security processes is impossible, and many security workflows must be managed manually. Highly paid security engineers end up devoting significant time to correlating logs from different security tools and manually preparing reports.
Architectural silos also create redundancies in management of applications and even in software and hardware licensing, decreasing the efficiency of the teams in legal, procurement, and finance that manage those licenses. Organizations may also find that their technology spend is higher because of the use of multiple vendors and overlapping features in different products that a company might own.
Fuel retailers engage with their customer base through a variety of electronic means, including point-of-sale (POS) infrastructure, mobile apps, and loyalty cards. Protecting those interactions against cyber threats is paramount for both compliance and maintenance of brand value. And that brand value primarily reflects on upstream, midstream, and downstream providers, given that these retailers typically carry the logos of major producers.
Energy businesses are subject to a wide array of government regulations and standards, from environmental requirements for drilling and refining to cybersecurity regulations. They must be able to demonstrate compliance with multiple regulations and oil and gas cybersecurity standards without redeploying staff from strategic initiatives to preparing audit reports. Unfortunately, a disaggregated security architecture makes this impossible. Failure to demonstrate compliance can damage brand reputation and result in substantial fines and penalties.
The Fortinet Security Fabric provides a single-vendor, end-to-end, integrated security architecture across IT and operational technology (OT), for every phase of the production process, from protection to detection to response—for greater visibility and control.
Fortinet delivers the ability to consolidate networking, cybersecurity, and surveillance functions into a single pane of glass—whether at headquarters, a remote drilling site, or the corner gas station.
Fortinet offers a broad selection of ruggedized appliances to fit all environmental needs, to provide cybersecurity protection for all phases of the production and delivery process.
Fortinet next-generation firewalls (NGFWs) have capabilities for working in complex, remote environments and deliver top performance even with secure sockets layer (SSL)/transport layer security (TLS) inspection activated. Fortinet is recognized as a Leader in the Gartner Magic Quadrant for Network Firewalls and achieved the best score in the NGFW Security Value Map from NSS Labs.
In addition to identifying IT-specific threats, FortiGuard Labs provides robust intelligence on threats specific to OT systems as a result of 15 years of work in the field. To detect zero-day threats, Fortinet has been analyzing files that present cyber threats to oil and gas industry practices using artificial intelligence (AI) and machine learning (ML) technologies for eight years, with unparalleled accuracy.
Fortinet delivers a wide variety of security and networking functions in a single box, whereas competitive solutions often require multiple devices—and multiple license expenditures—for the same capabilities.