Industrial operations built on a systematic series of chemical, physical, electrical, and mechanical processes are usually protected by traditional, legacy systems that were never designed to counter modern cybersecurity threats.
In the energy production and refining industries, these processes transform raw materials into energy on a large scale. The various pieces of OT equipment used in oil refineries need to communicate with each other for engineering processes to work.
And here is where the critical vulnerability arises.
Control systems such as PLCs, DCS, and SCADA generally assume that anything communicating with them is trusted. Thus, they can lack authentication, encryption, or the ability to validate commands.
If the OT systems are placed on the same network as IT systems (remote access tools, contractor connections, or maintenance laptops), any compromise in those less secure areas can directly reach the control environment. Consequently, a security incident that begins in IT can move laterally into OT with little resistance.
DoS/DDoS traffic, misconfigured software, or users with malicious intent can then reach control systems directly, potentially altering process values, stopping production, damaging equipment, or creating unsafe operating conditions.
OT environments prioritize availability and stability. These aren't systems which can be patched quickly, which means vulnerabilities remain exploitable for long periods. In a flat or poorly segmented network, a single incident can therefore escalate rapidly and affect multiple assets or sites.
Our customer, one of the world’s largest publicly traded energy and chemical companies, recognized its risk exposure and set out to address legacy-based vulnerabilities through segmentation.
With proper segmentation in place, networks are separated based on risk and function. This way, critical OT assets are only reachable through tightly controlled pathways, while communication is explicitly defined and restricted, rather than assumed to be safe by default.
Since traditional IT firewalls proved ineffective in handling their unique communication protocols, the organization turned to OPSWAT’s MetaDefender Industrial Firewall to create secure segmentation between critical OT assets and less secure zones.
When Cybersecurity Becomes National Security
As a major European oil and gas operator, the customer’s processes relied on infrastructure spread across multiple refineries, offshore drilling platforms, and pipeline control centers.
This infrastructure depended heavily on legacy industrial systems such as PLCs, SCADA platforms, and HMIs.
These systems were originally designed for reliability and availability, not cybersecurity. They lacked built-in authentication, encryption, and detailed logging.
The traditional IT firewalls in use were ineffective at handling the unique communication protocols used in OT and CPS environments, leaving systems exposed to:
- Unnecessary network traffic and lateral movement risks
- Potential entry points for ransomware and targeted cyberattacks
- Difficulties in enforcing granular control over industrial protocols
These aren’t risks that an organization operating in the energy production and refining industries can simply take in stride: attacks on energy systems can threaten public safety, disrupt essential services, and weaken national security.
Rather than waiting for the worst to happen, the customer set out to resolve the precarious situation the organization faced, by deploying OPSWAT’s MetaDefender Industrial Firewall.
Ensuring Industrial Cyber Resilience While Meeting IEC 62443 and NIS2 Requirements
The company deployed OPSWAT MetaDefender Industrial Firewall to create secure segmentation between critical OT assets and less secure zones.
MetaDefender Industrial Firewall
Our Industrial Firewall for Operations is a high-performance, ruggedized firewall, built as the last line of defense against accidental misconfigurations, malicious misuse, zero-day threats, DoS and DDoS attacks, and potentially harmful anomalies.
With its deep packet inspection for industrial protocols and policy-based access control, the firewall allowed the customer to:
- Isolate OT/ICS assets against cyberattacks targeting PLCs, SCADA, and DCS systems.
- Filter and control industrial protocols to block unauthorized commands while allowing safe operations.
- Protect historians and engineering workstations from unauthorized access attempts.
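The command-level filtering described above can be sketched as follows. This is an added example, not OPSWAT's code or configuration: it assumes Modbus/TCP as the industrial protocol (the page names none), and the function-code policy and IP addresses are constructed for illustration.

```python
import struct

# Assumed policy for illustration; protocol, codes and addresses are not from the page.
READ_CODES = {0x01, 0x02, 0x03, 0x04}       # read coils / inputs / registers
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}      # write coils / registers
ENGINEERING_WORKSTATIONS = {"10.20.0.15"}   # constructed address allowed to write
MAX_ADU = 260                               # 7-byte MBAP header + 253-byte PDU

def build_frame(function_code, data, tid=1, unit=1, length=None):
    """Build a Modbus/TCP request frame (constructed sample input)."""
    pdu = bytes([function_code]) + data
    if length is None:
        length = len(pdu) + 1               # length field counts unit id + PDU
    return struct.pack(">HHHB", tid, 0, length, unit) + pdu

def inspect(src_ip, frame):
    """Return (verdict, reason) for one request; default is deny."""
    if len(frame) < 8 or len(frame) > MAX_ADU:
        return "drop", "malformed: bad frame size"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return "drop", "malformed: protocol id is not Modbus"
    if length != len(frame) - 6:
        return "drop", "malformed: length field mismatch"
    function_code = frame[7]
    if function_code in READ_CODES:
        return "allow", "read"
    if function_code in WRITE_CODES:
        if src_ip in ENGINEERING_WORKSTATIONS:
            return "allow", "write from engineering workstation"
        return "drop", "write from unauthorized source"
    return "drop", "function code not on allowlist"

if __name__ == "__main__":
    read_regs = build_frame(0x03, bytes.fromhex("0000000a"))
    write_reg = build_frame(0x06, bytes.fromhex("00010064"))
    samples = [
        ("10.30.0.7", read_regs),                         # historian polling values
        ("10.30.0.7", write_reg),                         # write from the wrong zone
        ("10.20.0.15", write_reg),                        # write from engineering
        ("10.20.0.15", build_frame(0x08, b"\x00\x00")),   # diagnostics, not listed
        ("10.30.0.7", build_frame(0x03, b"\x00", length=40)),  # bad length field
    ]
    for src, frame in samples:
        print(src, frame.hex(), *inspect(src, frame))
```

A conventional IT firewall sees all five sample frames as the same permitted TCP flow; the verdicts differ only because the function code and header fields are inspected.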
Compliance Support for IEC 62443 and NIS2
With the Industrial Firewall for Operations, the client was also supported in its efforts to stay compliant with IEC 62443 and NIS2 Directive requirements for European operators of essential services.
| The NIS2 Directive | IEC 62443 |
| --- | --- |
| Risk Management Enforcement: Enforces network segmentation between IT and OT to reduce systemic cyber risk to essential services. | Zone & Conduit Architecture: |
| Attack Surface Reduction: | Command-Level Validation: |
| Operational Resilience: | Industrial Protocol Command Filtering: |
| Audit-Ready Controls: | Use Control & Communication Integrity (SR 3.x): |
| Board-Level Accountability: | Access Control Enforcement for OT Assets: Restricts access to PLCs, SCADA, engineering workstations |
Architectural Control or Segmentation, Operational Stability and Improved Governance
MetaDefender Industrial Firewall also acts as a compensating control for legacy or unpatchable assets, which are quite common in refineries and pipeline systems.
With the Firewall, the customer can now:
- Prevent accidental or unauthorized commands to controllers through industrial protocol inspection.
- Contain disruptions at the site level, preventing multi-location propagation across interconnected facilities.
- Rate-limit abnormal traffic and malformed packets to preserve controller availability.
- Segment safety systems from standard control networks to reduce operational risk.
- Provide auditable enforcement of access governance for vendors and contractors.
Future Opportunities
Our customer understands that secure segmentation is only the first step towards implementing a strong defense-in-depth strategy.
It is nonetheless an important step: it positions the organization for future growth and allows it to continue its processes in a safe environment.
The customer can now add further layers to their cybersecurity strategy by:
- Integrating MetaDefender Industrial Firewall with MetaDefender OT Security for asset visibility and vulnerability detection across refinery and pipeline networks.
- Leveraging MetaDefender OT Access to enable secure, remote access into OT environments.
- Building a layered defense strategy across offshore platforms and refinery plants to mitigate insider and supply chain risks.

If your organization aims to modernize and protect its network at scale, the MetaDefender Industrial Firewall can help you enable faster troubleshooting and improve operations.
