Oil and Gas

Control Path Protection for Upstream, Midstream, and Refinery

Oil and gas operations span remote wellheads, offshore platforms, pipelines, and refineries. Each environment runs safety-critical control systems that must remain isolated from corporate networks and external threats.


In oil and gas, a compromised control system is not a data breach. It is a potential safety incident with consequences measured in lives, environmental damage, and billions in liability.

100%: DCS and SIS isolation from corporate IT

Zero: persistent vendor paths to safety systems

5: operational zones with independent governance

Full: IEC 62443 and NIS2 compliance evidence

The Challenge

Oil and gas operators face converging cyber-physical risks.

Safety System Exposure

Safety instrumented systems increasingly share network infrastructure with DCS and business systems, creating paths to the last line of defence against catastrophic events.

Remote Operations

Offshore platforms and remote wellheads rely on satellite and radio communications for control, with limited visibility into who is accessing what.

Contractor Access

Dozens of specialist contractors require access to different control systems, each creating persistent pathways that outlive the maintenance window.

The Scenario

Scenario: Refinery DCS Compromise via Contractor VPN

Attackers compromise a control system integrator through a targeted phishing campaign. Using the integrator's VPN credentials, they access the refinery DCS network through a maintenance connection that was left active between scheduled visits. Over three weeks, they map the process control network and deploy modified logic on key programmable controllers. When activated, the modified logic causes a distillation column to operate outside safe parameters. The safety instrumented system should intervene, but its engineering workstation was reachable from the same network segment. With Firevault Control, the contractor VPN path is physically severed between maintenance windows. The SIS exists on a separate, disconnected network. The attack cannot reach safety systems because the path does not exist.

"We had 23 active contractor VPN tunnels into our DCS network. When we audited them, seven belonged to contractors whose projects had ended more than a year ago. The tunnels were still live."

Module deployment · oil and gas network

Where each Control module is deployed across SCADA, DCS and safety.

Oil and gas operators run a corporate estate, SCADA across pipelines and terminals, DCS at process plants and SIS at the safety layer. Control puts a real boundary between each layer.

Grounded in IEC 62443-3-2, API Standard 1164 and TSA Pipeline Security Directives.

Layer map, one entry per Purdue layer. Each entry gives the layer, its trust domain, the assets shown on the diagram, the Control modules placed there, and the diagram's note for that layer.

L5 Internet / Cloud (External): cloud services. Modules: Firebreak, Validate. External traffic stops at the perimeter.

L4 Enterprise (IT): ERP, email, SOC / SIEM. Modules: Isolate, Firebreak. Office estate has no path into SCADA on its own.

L3.5 Industrial DMZ (DMZ, trust boundary): jump server, patch & AV, data broker. Modules: Relay, Validate. Data crosses the DMZ on controlled routes only.

L3 Operations (OT): historian, engineering. Module: Isolate. Engineering and SCADA on separate fabrics.

L2 Supervisory (OT): pipeline SCADA, DCS HMI. Module: Execute. Control changes require approval before they move.

L1 Basic control (Field): DCS controllers, PLCs, RTUs. Modules: Isolate, Lock. Safety sits behind its own boundary.

SIS Safety systems (Field): safety PLC, ESD, F&G. Safety integrity; last line of defence. Module on the SIS links: Lock. Field kit ties to named engineers.

L0 Physical (Field): pumps, valves, sensors.

OSS (Off-network): crown jewels. See detail callout A.

Detail callout · A

Offline Secure Storage

DCS baselines, PLC programs, SIS logic, recipes and the recovery sets you need to rebuild from.

Offline by design · secure by default

Modules & symbols

Firebreak: physical sever
Validate: integrity check
Isolate: zone boundary
Relay: time-bound path
Execute: approved action
Lock: named access
DMZ boundary: trust transition
OSS callout: off-network detail

Where each module is deployed, and what it does there.

One row per module. Placement on the network, then plain-English purpose at that point.

  1. Isolate

    At every Purdue boundary

    Each layer sits on its own physical fabric. A compromise in one does not walk into the next.

  2. Firebreak

    On the L5 to L4 link and the L4 to L3.5 link

    Real hardware off switches on the public and office boundaries, cutting the live path into operations when needed.

  3. Validate

    On the L5 to L4 link and inside the L3.5 DMZ

    Before data feeds operations, Validate checks its origin and integrity. A spoofed reading does not become a process action.

  4. Relay

    Inside the L3.5 DMZ

    Telemetry and operational data land inside a defined route. Nothing streams unattended.

  5. Execute

    On the L2 to L1 link

    Pushing a change to a controller holds until the right approval is in place.

  6. Lock

    On the L1 to SIS link and the SIS to L0 link

    Safety and field access ties to named engineers with the right authority and the right device.
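As an added illustration of the zone-and-conduit model above and of the contractor VPN scenario (example code written for this page, not Firevault's or any vendor's), the following Python models each layer as a node and each conduit as a directed edge that can be active, severed (Firebreak) or time-bound (Relay), then asks the question the scenario turns on: can whoever holds the corporate IT zone still reach the SIS? Zone names follow the diagram; the conduit set, the dates and the contractor tunnel are constructed.

```python
"""Zone/conduit reachability check for a Purdue-style oil and gas estate.

Added example, not Firevault's code. Zones are graph nodes and conduits are
directed edges with a state: active, severed (Firebreak) or time-bound
(Relay) with an expiry. Zone names follow the page's layer diagram; the
conduit set, the dates and the contractor tunnel are constructed.
"""
from collections import deque
from datetime import datetime, timezone

# Evaluation times for the checks below (constructed).
NOW = datetime(2026, 2, 1, tzinfo=timezone.utc)
IN_WINDOW = datetime(2026, 1, 5, tzinfo=timezone.utc)
# End of the contractor's last scheduled maintenance window (constructed).
WINDOW_END = datetime(2026, 1, 10, tzinfo=timezone.utc)

SAFETY_ZONES = {"SIS", "L0_physical"}


def conduit(src, dst, state="active", expires=None):
    """A directed conduit. state is 'active' or 'severed'; expires, when set,
    is the UTC instant after which a time-bound path counts as closed."""
    return {"src": src, "dst": dst, "state": state, "expires": expires}


def is_open(c, now):
    """True only if the conduit is neither severed nor past its window."""
    if c["state"] == "severed":
        return False
    if c["expires"] is not None and now >= c["expires"]:
        return False
    return True


def reachable(conduits, start, now):
    """Breadth-first search over the conduits that are open at `now`."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for c in conduits:
            if c["src"] == zone and is_open(c, now) and c["dst"] not in seen:
                seen.add(c["dst"])
                queue.append(c["dst"])
    return seen


def flat_estate():
    """'Before' picture from the scenario: a contractor VPN from the
    enterprise zone into supervisory control that was never closed, and the
    SIS engineering workstation on the same segment as L1."""
    return [
        conduit("L5_internet", "L4_enterprise"),
        conduit("L4_enterprise", "L3.5_dmz"),
        conduit("L3.5_dmz", "L3_operations"),
        conduit("L3_operations", "L2_supervisory"),
        conduit("L2_supervisory", "L1_basic_control"),
        # contractor tunnel: no expiry recorded, so it never closes
        conduit("L4_enterprise", "L2_supervisory"),
        # flat segment: L1 and the SIS share a network
        conduit("L1_basic_control", "SIS"),
        conduit("SIS", "L0_physical"),
    ]


def controlled_estate():
    """'After' picture: same topology, but the DMZ-to-operations route and
    the contractor tunnel are time-bound (Relay) and close when the window
    ends, and the L1-to-SIS conduit is severed so the SIS has its own fabric."""
    return [
        conduit("L5_internet", "L4_enterprise"),
        conduit("L4_enterprise", "L3.5_dmz"),
        conduit("L3.5_dmz", "L3_operations", expires=WINDOW_END),
        conduit("L3_operations", "L2_supervisory"),
        conduit("L2_supervisory", "L1_basic_control"),
        conduit("L4_enterprise", "L2_supervisory", expires=WINDOW_END),
        conduit("L1_basic_control", "SIS", state="severed"),
        conduit("SIS", "L0_physical"),
    ]


def safety_exposed(conduits, now=NOW, start="L4_enterprise"):
    """Sorted list of safety-layer zones reachable from the corporate IT zone."""
    return sorted(z for z in reachable(conduits, start, now) if z in SAFETY_ZONES)


if __name__ == "__main__":
    print("flat estate, safety zones reachable from IT:", safety_exposed(flat_estate()))
    print("controlled estate, safety zones reachable from IT:", safety_exposed(controlled_estate()))
```

Running the block prints `['L0_physical', 'SIS']` for the flat estate and `[]` for the controlled one. The useful property of the controlled model is that it holds even inside a maintenance window: with `IN_WINDOW`, the enterprise zone can reach L1 through the open Relay routes, but the severed L1-to-SIS conduit keeps the SIS out of the reachable set regardless of timing. Expiry is evaluated on every query, so a tunnel that was legitimately opened and then forgotten drops out of the graph by itself.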

Featured In

TechRadar Pro, Security Buyer, Yahoo Finance, SecurityBrief, Channel Insider

Key Capabilities

Sovereign Process Data

All process control configurations and safety system logic remain within the agreed jurisdiction in NATO-approved Firevault Bunkers.

Multi-Party Access Control

Contractor and vendor access requires sign-off from both operations and HSE teams before any path is activated.

IEC 62443 Evidence

Automated compliance logging maps directly to IEC 62443 zone and conduit requirements and NIS2 Article 21 outcomes.

Satellite Failover

Out-of-band management ensures control plane access to offshore and remote facilities independent of primary communications.

Tamper-Proof Logging

Every contractor session, configuration change, and access authorisation is recorded in immutable logs on physically separate infrastructure.
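The two rules above (activation only after sign-off from both operations and HSE, and every request, approval and activation written to an append-only record) can be shown together. The Python below is an added example written for this page, not Firevault's code: it gates a time-bound contractor path behind two distinct approvers and writes each event into a SHA-256 hash chain, so that editing or dropping an earlier record fails verification. The chaining scheme, role names, user names and timings are constructed assumptions.

```python
"""Dual-control path activation with a tamper-evident audit log.

Added example, not Firevault's code. A contractor path opens only after
sign-off from both the operations and HSE roles, and every event is appended
to a hash chain. Role names, user names and timings are constructed.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

REQUIRED_ROLES = {"operations", "hse"}
GENESIS = "0" * 64


class AuditLog:
    """Append-only hash chain: each entry commits to the previous digest, so
    altering or dropping an earlier record breaks verification."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "body": body, "digest": digest})
        return digest

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            expected = hashlib.sha256((prev + e["body"]).encode()).hexdigest()
            if e["prev"] != prev or e["digest"] != expected:
                return False
            prev = e["digest"]
        return True


class PathRequest:
    """A request to open a time-bound contractor path into one zone."""

    def __init__(self, contractor, zone, window_hours, log):
        self.window = timedelta(hours=window_hours)
        self.approvals = {}        # role -> approver
        self.active_until = None
        self.log = log
        self.log.append({"event": "requested", "contractor": contractor,
                         "zone": zone, "window_hours": window_hours})

    def approve(self, approver, role):
        if role not in REQUIRED_ROLES:
            raise ValueError(f"unknown approval role: {role}")
        if approver in self.approvals.values():
            raise ValueError("one person cannot supply both approvals")
        self.approvals[role] = approver
        self.log.append({"event": "approved", "role": role, "by": approver})

    def activate(self, now):
        """Open the path only when every required role has signed off."""
        missing = sorted(REQUIRED_ROLES - self.approvals.keys())
        if missing:
            self.log.append({"event": "refused", "missing": missing})
            return False
        self.active_until = now + self.window
        self.log.append({"event": "activated", "until": self.active_until.isoformat()})
        return True

    def is_open(self, now):
        """The path closes by itself when the window ends."""
        return self.active_until is not None and now < self.active_until


def run_demo():
    """Walk one constructed request through the gate; return what was observed."""
    now = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
    log = AuditLog()
    req = PathRequest("integrator-a", "L2_supervisory", 8, log)
    refused_without_approvals = not req.activate(now)
    req.approve("ops.lead", "operations")
    try:                                   # same person trying to cover HSE
        req.approve("ops.lead", "hse")
        same_person_rejected = False
    except ValueError:
        same_person_rejected = True
    refused_with_one = not req.activate(now)
    req.approve("hse.lead", "hse")
    activated = req.activate(now)
    open_in_window = req.is_open(now + timedelta(hours=7))
    closed_after_window = not req.is_open(now + timedelta(hours=9))
    intact = log.verify()
    # Tamper with the recorded operations approver (entry 2) and re-verify.
    log.entries[2]["body"] = log.entries[2]["body"].replace("ops.lead", "mallory")
    tamper_detected = not log.verify()
    return {"refused_without_approvals": refused_without_approvals,
            "same_person_rejected": same_person_rejected,
            "refused_with_one": refused_with_one, "activated": activated,
            "open_in_window": open_in_window, "closed_after_window": closed_after_window,
            "log_intact_before_tamper": intact, "tamper_detected": tamper_detected}
```

Every entry in `run_demo()` comes back `True`: the path stays shut until both roles have signed, a single person cannot hold both signatures, the path expires on its own, and the edited approver record is caught because its digest, and therefore every later `prev` link, no longer verifies. Writing the chain to infrastructure the contractor cannot reach, as the page describes, is what makes that detection meaningful.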

Verified Safety Configuration Baselines

Verified baselines of SIS logic and safety configuration enable restoration of control-plane state during total compromise scenarios.

Demo to Live

Adoption Guide

Step 1

Process Network Assessment

Map all network paths between corporate IT, DCS, SIS, and contractor access points across upstream, midstream, and downstream operations.

Step 2

Zone and Conduit Design

Design physically separated zones aligned to IEC 62443 requirements with Control modules governing each conduit between zones.

Step 3

Single Facility Pilot

Deploy at one facility with full zone separation, contractor access governance, and compliance logging to validate operational procedures.

Step 4

Enterprise Rollout

Phased deployment across all facilities with verified configuration baselines, continuous compliance evidence, and out-of-band management.



Oil and Gas blueprint

Speak to the team to organise a PoC

Walk through your blueprint with the Firevault team and scope a proof of concept on your estate. 30 minutes, no sales pitch.


Physical path control for oil and gas SCADA, refineries, and pipelines. Contain ransomware and govern vendor access without disrupting operations.

© 2026 Firevault Limited. Disconnect to Protect®