Security Analyst: Threat Assessment, Vulnerability Management, and Compliance Auditing

Protecting critical infrastructure and enterprise systems through rigorous threat modelling, systematic vulnerability management, and comprehensive compliance auditing across the energy, trading, and industrial sectors.

Case Studies
2,400+ Vulnerabilities Remediated
100% Compliance Audit Pass Rate
18 Critical Infrastructure Sites Secured
72% Reduction in Security Incidents

Real-World Security Analyst Engagements

These engagements demonstrate how our Security Analysts protect critical infrastructure, ensure regulatory compliance, and strengthen the security posture of organisations operating in high-threat environments.

Threat Modelling for Energy SCADA Systems

Energy | BP

BP's operational technology (OT) security team recognised that the convergence of IT and OT networks in its refining and petrochemical operations was creating new attack surfaces that had not been fully assessed. The SCADA (Supervisory Control and Data Acquisition) systems controlling refinery processes were increasingly connected to enterprise IT networks for data analytics and remote monitoring purposes, and the organisation needed a thorough threat assessment to understand the risks and develop appropriate mitigations.

Our Security Analyst conducted comprehensive threat modelling across three refinery sites, using the STRIDE methodology adapted for industrial control system environments. The work involved detailed analysis of network architectures, communication protocols, access control mechanisms, and the physical-to-cyber attack vectors specific to refinery operations. The analyst worked closely with control system engineers, OT network administrators, and process safety engineers to build accurate threat models that reflected both the technical architecture and the operational context of each facility.

The threat modelling exercise identified 156 distinct threat scenarios, of which 23 were assessed as high or critical severity. These included scenarios involving exploitation of legacy protocols that lacked authentication, lateral movement from compromised IT systems into OT networks through inadequately segmented connections, and insider threats targeting safety instrumented systems. For each high and critical threat, the analyst developed detailed mitigation recommendations, ranging from immediate compensating controls (such as enhanced monitoring and network segmentation) to longer-term architectural changes (such as implementing the Purdue Model for OT network zoning and deploying OT-specific intrusion detection systems).

The analyst also developed a threat intelligence framework specific to the energy sector, incorporating feeds from the National Cyber Security Centre (NCSC), the Centre for the Protection of National Infrastructure (CPNI), and industry-specific sharing organisations. This framework enabled BP's OT security team to maintain awareness of emerging threats relevant to their operational environment and update their threat models accordingly.

156 threat scenarios identified across three refinery sites
23 high and critical threats mitigated with detailed remediation plans
OT-specific threat intelligence framework established
Threat model adopted as the baseline for BP's global OT security programme

Vulnerability Management Programme for Refinery Operations

Energy | Shell

Shell's downstream operations required a structured vulnerability management programme that could operate across both IT and OT environments in its refinery network. The existing approach to vulnerability management was primarily IT-focused, using standard scanning tools and patching processes that were not suitable for the operational technology environments found in refineries, where unplanned downtime could have safety and environmental implications.

Our Security Analyst designed and implemented a vulnerability management programme tailored to the specific requirements of refinery operations. The programme distinguished between IT assets (where standard vulnerability scanning and patching approaches could be applied) and OT assets (where scanning needed to be conducted carefully to avoid disrupting control systems, and patching needed to be scheduled around maintenance windows and validated in test environments before deployment).

For the OT environment, the analyst implemented a passive network monitoring approach using specialised OT security tools that could identify vulnerabilities by analysing network traffic rather than actively probing devices. The analyst also developed a risk-based prioritisation framework that assessed vulnerabilities not just by their technical severity (CVSS score) but also by the criticality of the affected asset, the availability of compensating controls, and the operational constraints on remediation. This approach ensured that the most significant risks were addressed first, even when they existed on assets that could not be easily patched. Over the first year of the programme, the analyst oversaw the remediation of 840 vulnerabilities across IT and OT environments, reducing the organisation's overall vulnerability exposure by 65%.
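The risk-based prioritisation described above, as an added illustration that is not the programme's own tooling: the weights, the asset-criticality scale and the four sample vulnerabilities are constructed for this example, and the scoring shows why a mid-severity finding on an unpatchable safety-critical controller outranks a critical-CVSS finding on a segmented, easily patched workstation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    vuln_id: str            # constructed identifier, not a real tracking id
    cvss: float             # technical severity, 0.0 to 10.0
    asset_criticality: int  # constructed scale: 1 = non-critical IT, 5 = safety-critical OT
    compensating: bool      # segmentation/monitoring already in place?
    patchable: bool         # can be patched outside a maintenance window?

def risk_score(v: Vuln) -> float:
    # Severity scaled by asset criticality (weights are illustrative).
    score = (v.cvss / 10.0) * v.asset_criticality
    if v.compensating:
        score *= 0.5  # existing controls halve exposure; they do not remove it
    return round(score, 2)

def recommended_action(v: Vuln) -> str:
    # Operational constraints change the remediation path, not the priority.
    if v.patchable:
        return "patch in next cycle"
    return ("apply compensating control now; validate patch in test "
            "environment and deploy at next maintenance window")

def prioritise(vulns: list[Vuln]) -> list[Vuln]:
    # Highest risk first; vuln_id breaks ties deterministically.
    return sorted(vulns, key=lambda v: (-risk_score(v), v.vuln_id))

def report(vulns: list[Vuln]) -> list[tuple[str, float, str]]:
    return [(v.vuln_id, risk_score(v), recommended_action(v)) for v in prioritise(vulns)]

# Constructed sample findings (not from any real assessment).
SAMPLE_VULNS = [
    Vuln("V-001", 9.8, 1, compensating=True, patchable=True),    # IT workstation, segmented
    Vuln("V-002", 6.5, 5, compensating=False, patchable=False),  # safety PLC, no controls
    Vuln("V-003", 7.5, 4, compensating=True, patchable=False),   # HMI behind firewall
    Vuln("V-004", 4.3, 5, compensating=False, patchable=True),   # historian, unsegmented
]

if __name__ == "__main__":
    for vuln_id, score, action in report(SAMPLE_VULNS):
        print(f"{vuln_id}  risk={score:<5} {action}")
```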

840 vulnerabilities remediated across IT and OT environments in year one
65% reduction in overall vulnerability exposure
Zero unplanned downtime caused by vulnerability management activities
Risk-based prioritisation framework adopted across Shell's refinery network

Compliance Auditing for Commodity Trading Operations

Energy Trading | Aramco Trading

Aramco Trading Company was subject to an increasingly complex web of regulatory requirements governing information security in the commodity trading sector. These included the FCA's operational resilience requirements, the Saudi Arabian National Cybersecurity Authority (NCA) regulations, and various data protection regulations across the jurisdictions in which ATC operates. The organisation needed a comprehensive compliance audit to assess its current posture against these requirements and develop a roadmap for addressing any gaps.

Our Security Analyst conducted a multi-framework compliance audit, mapping ATC's existing security controls against the requirements of each applicable regulation and standard. The audit covered organisational security policies, access management, data protection, incident response, business continuity, vendor risk management, and security monitoring across ATC's London, Dhahran, and Singapore operations. The analyst developed a unified control framework that consolidated overlapping requirements from different regulations, reducing the compliance burden by identifying controls that satisfied multiple regulatory obligations simultaneously.

The audit identified 34 compliance gaps, of which 8 were assessed as high priority due to regulatory deadlines or the severity of the associated risk. The analyst produced a detailed remediation plan for each gap, specifying the required actions, estimated effort, responsible parties, and target completion dates. The analyst also designed a continuous compliance monitoring programme that automated the assessment of key controls using security information and event management (SIEM) data, reducing the manual effort required for ongoing compliance assurance and providing real-time visibility of the organisation's compliance posture. ATC passed its subsequent FCA and NCA audits with no material findings, a significant improvement from the previous year's results.

34 compliance gaps identified and remediation plans developed
Unified control framework reduced compliance overhead by 40%
FCA and NCA audits passed with no material findings
Automated compliance monitoring reduced manual assessment effort by 60%

Incident Response Planning for Offshore Platforms

Energy | BP

BP's offshore production platforms in the North Sea presented unique challenges for cybersecurity incident response. The platforms operated with limited bandwidth connectivity to shore, had small on-site IT support teams, and ran a mix of IT and OT systems where a cybersecurity incident could potentially have safety implications. The existing incident response procedures had been developed for onshore IT environments and were not suitable for the specific constraints and risks of the offshore environment.

Our Security Analyst was engaged to develop a comprehensive incident response capability specifically designed for offshore platform operations. The work began with a thorough assessment of the offshore environment, including the communication infrastructure, the systems and applications deployed on platforms, the on-site personnel and their technical capabilities, and the specific threat scenarios most relevant to offshore operations (including nation-state threats, ransomware, and insider threats).

Based on this assessment, the analyst developed a tiered incident response framework. Tier 1 responses, covering routine incidents such as malware detection on workstations, could be handled by on-site personnel using pre-defined playbooks. Tier 2 responses, covering more complex incidents requiring specialist investigation, involved remote support from the onshore security operations centre (SOC) via the platform's communication links. Tier 3 responses, covering critical incidents with potential safety implications, included procedures for isolating affected OT systems, activating emergency communication channels, and deploying specialist responders to the platform by helicopter. The analyst also designed and facilitated tabletop exercises that tested each tier of the response framework, involving participants from platform operations, IT support, OT engineering, and the onshore SOC. These exercises validated the response procedures and identified areas for improvement, which were incorporated into revised playbooks.

Three-tier incident response framework developed for offshore environments
12 incident response playbooks created covering offshore-specific scenarios
Tabletop exercises conducted across four North Sea platforms
Mean time to respond reduced by 55% for offshore security incidents

Security Assessment of OT/IT Convergence

Energy | Shell

Shell was undertaking a strategic initiative to increase the integration between its operational technology (OT) and information technology (IT) environments to enable advanced analytics, predictive maintenance, and remote operations capabilities. Whilst the business benefits were substantial, the convergence of these historically separate environments introduced significant security risks that needed to be assessed and mitigated before the integration could proceed.

Our Security Analyst conducted a comprehensive security assessment of the planned OT/IT convergence, focusing on six key areas: network architecture, identity and access management, data flows, endpoint security, monitoring and detection, and governance. The assessment covered Shell's refining, chemicals, and upstream operations, each of which had distinct OT environments with different risk profiles and operational constraints.

The analyst developed a security architecture for OT/IT convergence based on the IEC 62443 standard, adapted to Shell's specific operational context. The architecture defined security zones and conduits between OT and IT environments, specified the security controls required at each boundary, and established monitoring requirements for detecting threats that might traverse the IT/OT boundary. Key recommendations included the implementation of a demilitarised zone (DMZ) between IT and OT networks, the deployment of unidirectional security gateways for data flows from OT to IT, the establishment of separate identity stores for OT and IT with controlled federation, and the deployment of OT-aware security monitoring tools that could detect anomalous behaviour in industrial protocols.

The analyst also developed a maturity model for OT/IT security convergence that enabled Shell to assess the readiness of each operational site before proceeding with integration activities. This phased approach ensured that security foundations were in place before connectivity was established, rather than attempting to retrofit security controls after the integration was complete.

Security architecture defined for OT/IT convergence across three business divisions
IEC 62443-based zone and conduit model implemented
OT/IT security maturity model developed and adopted globally
Zero security incidents attributed to OT/IT convergence activities

Security Analyst Capabilities

Our Security Analysts bring deep expertise in protecting critical infrastructure and enterprise systems, combining technical security skills with an understanding of the operational contexts in which these systems operate.

Threat Assessment

Systematic identification and assessment of threats to organisational assets using structured methodologies including STRIDE, MITRE ATT&CK, and bespoke threat modelling approaches adapted for specific operational environments. We produce threat models that enable informed decision-making about security investments and risk acceptance.

Vulnerability Scanning

Planning and executing vulnerability assessment programmes across IT and OT environments, using both active scanning and passive monitoring techniques appropriate to each environment's constraints. We implement risk-based prioritisation frameworks that focus remediation effort on the vulnerabilities that pose the greatest risk to the organisation.

Compliance Auditing

Conducting compliance audits against regulatory requirements and security standards including ISO 27001, NIST CSF, IEC 62443, and sector-specific regulations. We develop unified control frameworks that reduce compliance overhead and automated monitoring approaches that provide continuous assurance of compliance posture.

Incident Response

Developing and testing incident response capabilities tailored to each organisation's specific environment, threats, and operational constraints. We create response playbooks, facilitate tabletop exercises, and establish the processes, tools, and communication channels needed for effective incident detection, containment, eradication, and recovery.

Security Policy Development

Developing comprehensive security policy frameworks that provide clear, enforceable guidance on information security practices across the organisation. We produce policies, standards, and procedures that are aligned with regulatory requirements, industry best practices, and the specific risk profile of each organisation.

Risk Quantification

Quantifying cybersecurity risks in financial terms using methodologies such as FAIR (Factor Analysis of Information Risk), enabling business leaders to make informed decisions about security investments based on objective analysis rather than subjective assessments of threat severity and likelihood.

Trusted by Leading Organisations

BP, Shell, Aramco Trading, Dyson, Nuffield Health, CIPD

Need a Security Analyst to Protect Your Critical Systems?

Our Security Analysts bring the technical depth, regulatory knowledge, and operational awareness needed to protect critical infrastructure and enterprise systems against evolving threats. Let us help you strengthen your security posture and achieve compliance with confidence.