In today’s hyper-connected world, traditional methods of securing critical infrastructure are being challenged. This is primarily driven by business owners who demand more efficient, cost-effective solutions that are designed to connect more devices and services to various consumption points.

In line with the proliferation of devices and services transiting networks, the need to deliver an elevated security posture is heightened. The continuously evolving threat landscape is one of the main issues presenting significant challenges to organisations. This creates a problem for those in operational roles: how to provide extremely agile and effective environments which provide access and transit for multiple use cases – in line with business requirements, while maintaining best practice from a security posture perspective.

Cisco has an extremely strong history of innovating to address business requirements. Partnerships with specialised organisations like Outcomex, who have deep technical and engineering experience integrating Cisco platforms, provide customers with holistic solutions that are robust, drive efficiency and map technical outcomes to business initiatives.

Client

The client is a key petroleum business that owns and operates a number of operations delivering fuel and consumer products via a network of service stations around Australia, as well as significant fuel management, wholesale transit and processing plant infrastructure – including two refinery plants – around the country. It has several commercial partnerships in Australia and also conducts operations in South East Asia and New Zealand.

Due to the critical nature of the processing and transit infrastructure required to supply different types of fuels to large consumers and plants around NSW, the petroleum business has significant contracts with multiple specialist engineering organisations around the state.

These contracts provide logistical and operational support of the pipeline, pump, and refinery assets, delivered on a just-in-time basis with aggressive service level agreements. The petroleum business has expended significant commercial and engineering effort to ensure that the IP-based networks that drive the communication systems for control of these assets (the Operational Technology or OT Network) are resilient, fit for purpose and at the forefront of capability.

Opportunity

As reliance on OT Networks increases due to automation requirements, efficiency potential, and other use cases, the traditional ‘closed’ nature of the network is being challenged. In the petroleum environment, enabling contractors, third parties, and internal staff to work within the OT environment safely and securely was a paramount concern.

Various workstreams within the OT environment require that specialist engineering skills be utilised by the petroleum business in day-to-day operational tasks, project initiatives, and incident management and troubleshooting. This means an array of engineering assets need to be identified, assigned permissions, allowed access, and have their movements through the network journaled and logged.

For our client to extend operational efficiency through their population of trusted staff and contractors, delivering an efficient NAC environment is absolutely key. Speed and accuracy are crucial, as downtime due to delay in delivering engineering access is directly attributable to reputational and financial loss. However, speed of access and onboarding cannot be delivered without strict adherence to security policy.

The reliance on critical infrastructure providers to push workloads into OT networks is not lost on malicious entities. Instances of cyber-attacks on utility providers are increasing and as a response, owners of OT networks expend significant effort protecting, maintaining, and securing these environments from attack and exposure.

The conundrum for this petroleum business was simply this: how to enable free and efficient access for trusted third parties, while maintaining the best possible security posture?

Solution

Cisco’s rich history of providing innovative and fit-for-purpose infrastructure within the petroleum industry, combined with the demonstrable capabilities of Outcomex within the NAC and security arena, meant these partnerships were brought to bear.

Traditionally, access to the OT network was controlled by a mixture of process (identity, change management, etc.), and toolsets. The toolsets deployed required renovation due to their age and new business requirements, which would then provide an opportunity to promote more efficient processes. Removing redundant steps and automating elements of identity management could deliver significant time savings and reduction of human error.

Outcomex and Cisco put forth a solution based on Cisco Identity Services Engine (ISE). This class-leading network access control platform met all fundamental functional requirements, as well as providing new features. ISE’s new features offered a better, more efficient contractor onboarding process and an overall strengthened security posture.

A number of physical ISE appliances were deployed in the petroleum business’ data centres and allocated administration, policy and monitoring roles. These appliances were sized appropriately to ensure minimum network latency, and configured in a highly redundant manner to provide maximum resiliency.

Business outcome-based workshops were conducted to settle a high-level design, then a low-level configuration design was delivered which also worked through key concepts for deployment of various policies. These policies were designed to encompass several different third-party roles, within segmented parts of the OT environment with permissions and resource allocation dynamically assigned per user, organisation, and role.

Automation based on policies was also leveraged where possible, providing administration-free remediation capabilities for failed profiling sessions – streamlining problem management and allowing elements of self-service for both internal and external users.

Key capabilities that were leveraged within the ISE platform include:

  • Tight integration with an advanced Microsoft Active Directory and domain structure.
  • Profiling of external and internal users.
  • Log generation and retention, with journaling of activity and access duration.
  • Integration with Cisco clientless VPN services.
  • Alerting and alarm management based on policies, with automation for remediation.

Technologies used

Cisco Identity Service Engine (ISE)

Clientless SSL VPN


Impact

As a result of the successful delivery of the new network access control environment for our client, the business requirements were met and some areas were exceeded.

Lead time to initiate safe access into the OT network segments has been significantly reduced. Contractors and third parties operate within the environment under strict policies and roles, which are standardised across the business. These standardised control policies have been rationalised, to streamline management and promote predictable delivery of access across internal and external stakeholders.

The petroleum business is enjoying significant value post-project delivery. Operationally, SLA achievement for incident management work is higher due to reduced lead times for engineering access into the OT environment. Utilisation of ancillary and complementary systems has increased because of integrations within the ISE environment, thereby increasing return on investment for previously implemented platforms and solutions. Internal IT and administration time investment has been reduced through automation and self-service. Above all, the security posture of their critical OT infrastructure environment has been increased.

Given the success of the initial deployment scope, our client has re-engaged with us to broaden the Network Access Control (NAC) environment with Cisco ISE, to extend into their consumer business (retail outlets and service stations) OT network environment. This project is now in its early stage of design and planning, with an estimated completion over the next few months.