Recent Breaches
Breaches
2026PowerSchool62.4M records stolen2026DISA Global Solutions3.3M records stolen2026Globe Life850K records stolen2026NHS ScotlandUndisclosed records stolen2026HertzUndisclosed records stolen2025Marks & Spencer9.4M records stolen2025PayPal35K records stolen2025Jaguar Land RoverUndisclosed records stolen2025Co-operative GroupUndisclosed records stolen2024National Public Data2.9B records stolen2024Ticketmaster560M records stolen2024Change Healthcare100M+ records stolen2024AT&T73M records stolen2024Dell Technologies49M records stolen2023Progress Software (MOVEit)77M+ records stolen202323andMe6.9M records stolen2023Royal MailOperations halted records stolen2023British LibraryUndisclosed records stolen2023MGM ResortsUndisclosed records stolen2022Uber57M records stolen2022LastPass33M records stolen2022Optus9.8M records stolen2022Medibank9.7M records stolen2022Twitter5.4M records stolen2026NHS ScotlandUndisclosed records stolen2026HertzUndisclosed records stolen2025Marks & Spencer9.4M records stolen2025PayPal35K records stolen2025Jaguar Land RoverUndisclosed records stolen2025Co-operative GroupUndisclosed records stolen2024National Public Data2.9B records stolen2024Ticketmaster560M records stolen2024Change Healthcare100M+ records stolen2024AT&T73M records stolen2024Dell Technologies49M records stolen2023Progress Software (MOVEit)77M+ records stolen202323andMe6.9M records stolen2023Royal MailOperations halted records stolen2023British LibraryUndisclosed records stolen2023MGM ResortsUndisclosed records stolen2022Uber57M records stolen2022LastPass33M records stolen2022Optus9.8M records stolen2022Medibank9.7M records stolen2022Twitter5.4M records stolen2026PowerSchool62.4M records stolen2026DISA Global Solutions3.3M records stolen2026Globe Life850K records stolen
View All →
Oil and Gas

Control Path Protection for Upstream, Midstream, and Refinery

Oil and gas operations span remote wellheads, offshore platforms, pipelines, and refineries. Each environment runs safety-critical control systems that must remain isolated from corporate networks and external threats.

Back to Control
Control

Oil and Gas

In oil and gas, a compromised control system is not a data breach. It is a potential safety incident with consequences measured in lives, environmental damage, and billions in liability.

100%

DCS and SIS isolation from corporate IT

Zero

Persistent vendor paths to safety systems

5

Operational zones with independent governance

Full

IEC 62443 and NIS2 compliance evidence

The Challenge

Oil and gas face converging cyber-physical risks.

Safety System Exposure

Safety instrumented systems increasingly share network infrastructure with DCS and business systems, creating paths to the last line of defence against catastrophic events.

Remote Operations

Offshore platforms and remote wellheads rely on satellite and radio communications for control, with limited visibility into who is accessing what.

Contractor Access

Dozens of specialist contractors require access to different control systems, each creating persistent pathways that outlive the maintenance window.

The Scenario

Scenario: Refinery DCS Compromise via Contractor VPN

Attackers compromise a control system integrator through a targeted phishing campaign. Using the integrator's VPN credentials, they access the refinery DCS network through a maintenance connection that was left active between scheduled visits. Over three weeks, they map the process control network and deploy modified logic on key programmable controllers. When activated, the modified logic causes a distillation column to operate outside safe parameters. The safety instrumented system should intervene, but its engineering workstation was reachable from the same network segment. With Firevault Control, the contractor VPN path is physically severed between maintenance windows. The SIS exists on a separate, disconnected network. The attack cannot reach safety systems because the path does not exist.

"We had 23 active contractor VPN tunnels into our DCS network. When we audited them, seven belonged to contractors whose projects had ended more than a year ago. The tunnels were still live."

Solution Blueprint

Physical governance for process control environments.

Oil and gas operators gain physical control over every network path into DCS, SIS, and remote operations infrastructure. Contractor access exists only during authorised windows. Safety systems remain physically disconnected from all other networks. Recovery from sophisticated attacks is guaranteed through air-gapped archives.

  • Physical separation between DCS, SIS, and corporate networks
  • Contractor paths that do not exist outside maintenance windows
  • Multi-party authorisation involving operations and HSE teams
  • Out-of-band management for offshore and remote facilities
  • Continuous IEC 62443 and NIS2 compliance evidence
  • Air-gapped recovery for safety system configurations
Fracture

Fracture — Emergency Process Isolation

Module 1 of 4

Physically severs network connections between process zones during active threats. When a compromise is detected in one area, Fracture prevents lateral movement into adjacent process units or safety systems.

Featured In

TechRadar ProConnected BritainTotal TelecomSecurity BuyerComms BusinessComms DealerBlocks & FilesYahoo FinanceGlobeNewswireChannel InsiderUK DirectorSecurityBriefPCRBusiness Time in EssexTechRadar ProConnected BritainTotal TelecomSecurity BuyerComms BusinessComms DealerBlocks & FilesYahoo FinanceGlobeNewswireChannel InsiderUK DirectorSecurityBriefPCRBusiness Time in Essex

Key Capabilities

Sovereign Process Data

All process control configurations and safety system logic remain within the agreed jurisdiction in NATO-approved Firevault Bunkers.

Multi-Party Access Control

Contractor and vendor access requires sign-off from both operations and HSE teams before any path is activated.

IEC 62443 Evidence

Automated compliance logging maps directly to IEC 62443 zone and conduit requirements and NIS2 Article 21 outcomes.

Satellite Failover

Out-of-band management ensures control plane access to offshore and remote facilities independent of primary communications.

Tamper-Proof Logging

Every contractor session, configuration change, and access authorisation is recorded in immutable logs on physically separate infrastructure.

Air-Gapped Safety Backups

Physically disconnected copies of SIS logic and safety configurations ensure restoration capability during total compromise scenarios.

Demo to Live

Adoption Guide

Step 1

Process Network Assessment

Map all network paths between corporate IT, DCS, SIS, and contractor access points across upstream, midstream, and downstream operations.

Step 2

Zone and Conduit Design

Design physically separated zones aligned to IEC 62443 requirements with Control modules governing each conduit between zones.

Step 3

Single Facility Pilot

Deploy at one facility with full zone separation, contractor access governance, and compliance logging to validate operational procedures.

Step 4

Enterprise Rollout

Phased deployment across all facilities with air-gapped recovery, continuous compliance evidence, and out-of-band management.

Step 1

Process Network Assessment

Map all network paths between corporate IT, DCS, SIS, and contractor access points across upstream, midstream, and downstream operations.

Step 2

Zone and Conduit Design

Design physically separated zones aligned to IEC 62443 requirements with Control modules governing each conduit between zones.

Step 3

Single Facility Pilot

Deploy at one facility with full zone separation, contractor access governance, and compliance logging to validate operational procedures.

Step 4

Enterprise Rollout

Phased deployment across all facilities with air-gapped recovery, continuous compliance evidence, and out-of-band management.

Questions

Frequently Asked

Ready to take the next step?

See how Control can govern your data paths with physical enforcement no software exploit can bypass.

    Your privacy matters

    We use cookies to keep the site running smoothly and to understand how you use it. You are in control. Privacy Charter · Cookie Policy