July 13, 2022
April 9, 2025

From Ukraine to the Oilfield: Why Zero Trust OT Security Beats Firewalls for Critical Infrastructure Protection

How One Upstream Operator Secured 22,000 Devices Without Re-IPing, Downtime, or Expensive Infrastructure

On March 23, 2025, Ukraine’s national railway operator, Ukrzaliznytsia, was hit by a major cyberattack that disrupted online passenger ticketing and freight operations across the country. The company was forced to revert to paper-based systems, deploy additional staff at ticket counters, and suspend digital freight documentation. While train traffic itself continued running on time, the digital disruption lasted 89 hours before services were fully restored. The attack, widely attributed to Russian actors, served as a stark reminder of the growing threat to critical infrastructure—and just how fragile many operational technology (OT) environments remain in the face of modern cyber threats.

Though this incident impacted transportation, the risks it exposed are strikingly familiar to oil and gas operators, who rely on vast, remote, and often outdated OT networks with little segmentation or visibility. As attacks become more sophisticated and persistent, the conventional defenses—firewalls and VPNs—are falling short.

In high-stakes sectors where downtime can result in lost production, safety hazards, or reputational damage, organizations need a new approach: one that’s faster, simpler, and purpose-built for OT.

That’s exactly what one major upstream oil & gas operator discovered when they deployed BlastShield across more than 22,000 OT devices and 38 gateways, achieving Zero Trust segmentation and secure remote access—without re-IPing or disrupting operations.

The Problem: Flat Networks and Overlapping IPs

When this operator assessed its cybersecurity posture, it found a huge problem: SCADA systems were fully exposed on the corporate network. There was no segmentation between field and enterprise, and most field devices (legacy PLCs and industrial controls) lacked even basic protections like usernames or passwords.

Layer in multiple acquisitions, each with its own conflicting IP scheme, and you’ve got a recipe for chaos. The conventional answer—drop in more firewalls, manually re-IP everything, and build a patchwork of routing rules—wasn’t scalable or realistic.

The Solution: Overlay Network + Zero Trust Architecture

Instead of retrofitting old defenses, they adopted a more modern approach: BlastShield’s Zero Trust overlay network.

By deploying gateways at tower aggregation points, they brought entire fields online securely—without having to send teams to reconfigure remote devices. In some cases, a single 60-foot wireless tower covered 70% of the sites, while the remainder used cellular-connected gateways for resilience.

This architecture delivered:

  • Fast deployment without IP conflicts
  • No need for truck rolls to remote wells
  • Immediate segmentation for acquired fields
  • Granular, time-bound access for contractors and partners
  • Rapid field transitions completed in weeks, not months

Real Results, Real Flexibility

Today, the operator is running over 22,000 OT devices securely through BlastShield, with Zero Trust access controlled via SSO and pre-installed clients. Field infrastructure is segmented by tower, IP conflicts are no longer a blocker, and temporary access—like during divestitures—is granted with just a few clicks.

One standout example: when selling off a group of saltwater disposal sites, they used BlastShield to grant the buyer limited access only to those assets—without exposing the rest of the network.

Their unofficial motto?

"Whatever the problem is… BlastShield fixes it."

Why It Matters

In OT environments, firewalls don’t stop breaches—they often just slow them down. Remote sites lack visibility, patching is inconsistent, and legacy systems weren’t built for today’s threats.

This operator’s shift to a Zero Trust overlay wasn’t just a security win—it was an operational game-changer. From M&A integrations to day-to-day access control, their network is now more agile, secure, and scalable than ever before.

Want to See It in Action?

Whether you're protecting 15 devices or 15,000, BlastShield simplifies infrastructure while delivering real OT security—fast.

The future of critical infrastructure security isn’t more firewalls.

It’s smarter architecture—and it starts here.
