Oil and gas companies own and manage major pieces of critical infrastructure that are vital not only to company operations but also to the nation’s economic and military well-being. Upstream, midstream, and downstream operations are valuable targets for cyber threats from adversaries with a variety of motives—from personal profit to industrial espionage to economic disruption. Due to the critical nature of these facilities, oil and gas companies also face stringent cybersecurity regulations.
Clearly, the cyber risks facing the oil and gas industry are significant. An attack on the supervisory control and data acquisition (SCADA) system that operates an offshore rig, oil well, pipeline, or refinery—or Internet-of-Things (IoT) devices that provide monitoring data to such systems—can have devastating consequences. These could include expensive damage to facilities, lengthy supply disruptions, and even injury and loss of life for employees, bystanders, and nearby residents. And attacks on corporate infrastructure could compromise intellectual property such as exploration data surveys, as well as pose data security risks for business and personnel information.
For more than a decade, Fortinet has provided comprehensive security solutions for the oil and gas industry and its infrastructure—from land-based and offshore drilling sites, to refineries and pipelines, to the corner gas station. The Fortinet Security Fabric enables end-to-end security integration across the entire infrastructure.
Key Oil and Gas Cybersecurity Challenges
Cost efficiency is a top priority in the oil and gas industry, as the market is subject to wild fluctuations in price. This volatility means that a company can easily go from significant profitability to an operating loss in a matter of days.
In this environment, replacing expensive, older equipment due to security vulnerabilities is sometimes out of the question, necessitating security workarounds that must be designed in such a way as to not impede operations. Many companies have multiple pieces of infrastructure with these kinds of vulnerabilities, stretching finite cybersecurity resources.
The cybersecurity skills shortage means that hiring additional team members to address these issues is costly, and it may be impossible to find some specific skills in the labor market at any price. Regardless, adding more staff does not address the core problem that manual security processes are inadequate to deal with threats that move at machine speed.
Visibility Across IT and OT Systems
The proliferation of Industrial Internet-of-Things (IIoT) devices that feed different kinds of data into supervisory control and data acquisition (SCADA) systems eliminates, in many cases, the air gap that has historically kept them relatively safe from cyberattacks. This expands a company’s attack surface, and the problem is exacerbated by the fact that many IoT devices are headless and thus cannot be updated with security patches. Trends such as the near-universal adoption of multi-cloud networks and growing use of mobile devices compound the problem.
To plug these security holes, organizations often deploy a multitude of point security products that are not integrated. The resulting security silos create complexity and obfuscate visibility, delaying threat detection, prevention, and response. This increases the risk that a fast-moving threat will get through before it is detected through manual processes.
This architectural fragmentation also increases operational inefficiencies for the cybersecurity team. Without end-to-end integration of all security elements, automation of security processes is impossible, and many security workflows must be managed manually. Highly paid security engineers end up devoting significant time to correlating logs from different security tools and manually preparing reports.
Architectural silos also create redundancies in management of applications and even in software and hardware licensing, decreasing the efficiency of the teams in legal, procurement, and finance that manage those licenses. Organizations may also find that their technology spend is higher because of the use of multiple vendors and overlapping features in different products that a company might own.
Fuel retailers engage with their customer base through a variety of electronic means, including point-of-sale (POS) infrastructure, mobile apps, and loyalty cards. Protecting those interactions against cyber threats is paramount for both compliance and maintenance of brand value. And that brand value primarily reflects on upstream, midstream, and downstream providers, given that these retailers typically carry the logos of major producers.
Energy companies are subject to a wide array of regulations and standards, from environmental requirements for drilling and refining to cybersecurity regulations. They must be able to demonstrate compliance with multiple regulations and standards without redeploying staff from strategic initiatives to preparing audit reports. Unfortunately, a disaggregated security architecture makes this impossible. Failure to demonstrate compliance can damage brand reputation and result in substantial fines and penalties.
While many OT systems are now connected, a significant minority remain air gapped. However, this does not eliminate cybersecurity risk, as software updates can be compromised.
Fortinet solutions help organizations involved in energy extraction to protect a complex infrastructure in remote locations, both on land and offshore.
Wholesale transport expands the physical attack surface by hundreds of miles, and the Fortinet Security Fabric covers it with end-to-end integration.
Refineries are targets for both physical and cyber attackers. The Fortinet Security Fabric protects cyber and physical security in a holistic way.
Fortinet Differentiators for Oil and Gas Cybersecurity
The Fortinet Security Fabric provides a single-vendor, end-to-end, integrated security architecture across IT and operational technology (OT), for every phase of the production process, from protection to detection to response—for greater visibility and control.
Networking, Cybersecurity, and Physical Security
Fortinet delivers the ability to consolidate networking, cybersecurity, and surveillance functions into a single pane of glass—whether at headquarters, a remote drilling site, or the corner gas station.
Ruggedized Security Appliances
Fortinet offers a broad selection of ruggedized appliances to fit all environmental needs, to provide cybersecurity protection for all phases of the production and delivery process.
Fortinet next-generation firewalls (NGFWs) have capabilities for working in complex, remote environments and deliver top performance even with secure sockets layer (SSL)/transport layer security (TLS) inspection activated. Fortinet is recognized as a Leader in the Gartner Magic Quadrant for Network Firewalls and achieved the best score in the NGFW Security Value Map from NSS Labs.
Robust Threat Intelligence
In addition to identifying IT-specific threats, FortiGuard Labs provides robust intelligence on threats specific to OT systems as a result of 15 years of work in the field. To detect zero-day threats, Fortinet has been analyzing files using artificial intelligence (AI) and machine learning (ML) for eight years, with unparalleled accuracy.
Broad Security with Minimal Devices
Fortinet delivers a wide variety of security and networking functions in a single box, whereas competitive solutions often require multiple devices, and multiple license expenditures, for the same capabilities.
Securing Upstream Infrastructure
Organizations involved in energy extraction must protect a complex infrastructure in remote locations, both on land and offshore. These sites are valuable targets for hackers whose objective is operational disruption, environmental terrorism, or even injury and loss of life for employees and members of the surrounding community.
To protect these sites, every aspect of security, from industrial control systems to physical security, must be integrated for centralized visibility and control. Electronics and surveillance infrastructure at a small drilling site should be as heavily protected as the corporate data center—and equally visible to the security operations team.
The Fortinet Security Fabric offers comprehensive, integrated cyber and physical security for the oil and gas industry. FortiGate Rugged Series next-generation firewalls (NGFWs) and FortiAP Outdoor Series wireless access points provide robust security protection while withstanding the rugged extremes of drilling and exploration sites on land and water. FortiCamera and FortiRecorder protect against physical intrusion, while Fortinet Secure SD-WAN and Fortinet SD-Branch provide secure networking to the remote site. Threat detection, management and analytics, and access control tools, usually delivered from the corporate infrastructure at headquarters, provide layers of security for these vulnerable remote sites.
Securing Midstream Infrastructure
The wholesale transport of petroleum expands an organization’s physical attack surface by hundreds or thousands of miles, and the connections between the different elements of this infrastructure involve both upstream and downstream processes. Pipelines are subject to both accidental leaks and physical sabotage, and the supervisory control and data acquisition (SCADA) systems and Internet-of-Things (IoT) devices that monitor and control them are often vulnerable. A successful attack can be catastrophic, with the potential for massive environmental damage and loss of life.
Midstream operators would do well to utilize the Purdue Enterprise Reference Architecture as a standard in designing their electronic infrastructure. The Purdue model calls for cyber and physical security to be protected holistically as a part of an end-to-end, integrated security architecture.
The Fortinet Security Fabric makes this possible with integrated cybersecurity, physical security, and secure networking. FortiGate Rugged Series next-generation firewalls (NGFWs) and FortiAP Outdoor Series wireless access points provide robust security protection while withstanding the remote outdoor environments that must be covered. Surveillance solutions protect against physical intrusion, while Fortinet Secure SD-WAN and Fortinet SD-Branch provide secure networking to pumping stations and other remote sites. A wide range of threat detection, management and analytics, and access control tools are delivered from headquarters to provide comprehensive security.
Securing Downstream Infrastructure
Refineries and other processing locations are also targets of both physical attackers and cyberattackers, and either type of attack can cause significant physical danger to employees and the general public. Successful attacks can also impact the national economy with supply shortages. Threats can emanate from the outside, the inside, and from third parties. And while some insider attacks may be deliberate, others may be accidental.
To provide protection in such a volatile location, security teams need single-pane-of-glass visibility into the entire network, as well as the surveillance infrastructure.
The Fortinet Security Fabric protects cyber and physical security at these facilities in an integrated and holistic way. FortiGate Rugged Series next-generation firewalls (NGFWs) and FortiAP Outdoor Series wireless access points provide robust security protection while withstanding a variety of environmental challenges. Video surveillance solutions protect against physical intrusion, while a wide range of threat detection, management and analytics, and access control tools—often delivered from headquarters—provide layers of security for the site.
Securing Corporate Infrastructure
Oil and gas companies’ corporate infrastructures contain a variety of business-critical data, from geological and exploration data to financials to the personal information of employees and consumers. Most companies have remote and traveling workers, third-party partners with access to corporate resources, and services in multiple clouds. In addition to protecting these resources from external attack, it is crucial to protect against well-intentioned and malicious insiders exposing confidential data.
While a disaggregated security architecture impedes both security and operational efficiency, single-pane-of-glass visibility and control enhances both. End-to-end integration of the security infrastructure unlocks automation of threat detection, response, and reporting, freeing up time for well-paid security personnel to focus on strategic tasks.
The Fortinet Security Fabric provides an integrated security architecture that makes this possible. Fortinet covers the entire attack surface, from the data center to multiple clouds to the network edge, with broad, integrated, and automated protection. Fortinet Dynamic Cloud Security solutions break down silos between multiple public and private clouds, enabling consistent policy management. FortiManager, FortiAnalyzer, and FortiSIEM provide comprehensive management and analytics. FortiInsight and FortiDeceptor help protect against insider threats. And companies can protect devices and applications with FortiWeb, FortiMail, FortiClient, and FortiEDR.
Securing Oil and Gas Retail Locations
Oil and gas retailers usually sell other items as well, and they face similar challenges to other brick-and-mortar retailers. In addition, they have numerous Internet-of-Things (IoT) devices, including IP cameras and devices that track tank levels and refrigerator temperatures. Fuel tanks on the property add extra safety and compliance requirements that other retailers do not have, and self-service, outdoor point-of-sale (POS) infrastructure presents another risk. As a result, the integration of cyber and physical security is critical, as is compliance with Payment Card Industry (PCI) standards and providing a pleasant in-store experience.
Such a complex set of business and security needs makes end-to-end integration of the security architecture especially important for gasoline retailers. Such an infrastructure eliminates the need for manual processes and workarounds that slow threat response and take staff members away from their mission of customer service.
Fortinet networking and security solutions help connect different locations in a chain, providing robust network security and automated compliance reporting. FortiGate next-generation firewalls (NGFWs) deliver robust protection for the entire attack surface, with many features built in that require an additional hardware purchase with other vendors. Fortinet Secure SD-WAN provides secure networking to all store locations without the need for expensive multiprotocol label switching (MPLS) bandwidth. And Fortinet SD-Branch solutions extend Fortinet security and networking within each store.
This infrastructure also allows for shared security services to be delivered from headquarters, including access management, advanced endpoint security, behavioral threat detection, and deception technology. In addition, management and analytics tools enable single-pane-of-glass visibility and automated reporting for compliance with standards like the PCI Software Security Framework (SSF).