Ampol

Ampol charters the future of energy transition

A vast digital landscape

Ampol's journey in shaping the future of energy transition is dependent on the digital revolution in the fuel, energy, and retail sectors. Ampol recognizes the tremendous power of Internet of Things (IoT) data in enhancing customer experience and service reliability. "Data is the new oil," says Satish Chowdhary, network enterprise architect at Ampol. "At Ampol, we've implemented IoT across our operational and retail infrastructure, encompassing electric vehicle (EV) charging units, fuel tank gauges, transportation trucks, and refrigeration units in retail stores. We leverage raw sensor data to manage Ampol's highly complex infrastructure proactively."

With 1500 retail stores, 89 oil depots, and 100 corporate sites spread across Australia, New Zealand, Singapore, and the U.S., Ampol's digital landscape is vast. And so is its attack surface. Being part of Australia's critical infrastructure, Ampol must secure its infrastructure, which includes refineries, fueling stations, and significant pipelines. "Dodgy devices in the network pose a critical security risk with IoT. When left unpatched and vulnerable, these devices expose our network to hackers," Chowdhary points out.

Comprehensive visibility across its infrastructure was crucial for Ampol to manage the diverse threat vectors. "We needed a solution that would give us visibility into the entire infrastructure," remarks Chowdhary. Ampol lacked contextual awareness to manage threats and respond quickly and proactively. Threat visibility was inefficient, with alerts spread across 10 or 15 consoles. Chowdhary continues, "Before using Cisco SecureX, security was a hindrance—not an enabler—for our IT team, employees, and even customers."

Ampol's nearly 50 vendors access the retail network and IoT devices in its retail locations. Securing those vendors' remote access to Ampol's network was paramount. Ampol also needed a way to segment the retail IoT devices at its retail locations to restrict vendor access without exposing other devices in the IoT network.

"Instances of cyberattacks on utility providers are increasing. And, as a response, owners of OT [operational technology] networks expend significant effort in protecting, maintaining, and securing these environments from attack and exposure," Chowdhary remarks. "The conundrum for our petroleum business was how to enable free and efficient access to trusted third parties while maintaining the best possible security posture."

Chowdhary continues, "It's critical to manage the IoT devices securely and efficiently. We must also secure how our third-party vendors access their IoT devices in our network. That's where Cisco comes in. The ever-increasing number of IoT devices demanded that the retail and future energy network provides secure access to these devices while uplifting the service reliability and resilience of our IoT and retail operations. Our collaboration with Cisco and Outcomex has been amazing on that front."

Robust layers of security

While evaluating security solutions, Ampol noticed the value Cisco brought to the table because its previous security platforms were isolated. Chowdhary explains, "The time and effort we invested in logging into every single device to get the logs just wasn't working for us."

With Cisco SecureX, Ampol can integrate alerts into a single-pane-of-glass view that helps mitigate threat vectors more quickly. Ampol also integrated its service ticketing system with SecureX. "We can now quickly log a ticket and trace back the origin of that attack," says Chowdhary.

The device insight feature of SecureX provides a comprehensive device inventory with the contextual awareness to act on potential threats or issues, all in one unified view. Chowdhary continues, "SecureX proactively tells us whenever there's an issue in the network. I think the proactive piece of SecureX is what we love at Ampol. Our SOC [security operations center] analysts absolutely love SecureX because they get to see everything in one single-pane-of-glass view."

Ampol's business data centers deployed many physical Cisco Identity Services Engine (ISE) appliances allocating administration, policy, and monitoring roles. "We configured these appliances for minimum network latency and in a highly redundant manner for maximum resiliency," mentions Chowdhary.

Each of Ampol's retail sites has over 20 external vendors, ranging from coffee bean suppliers to vending machine contractors, who have securely enrolled in Cisco ISE. With Cisco ISE, Ampol can securely integrate and manage vendor profiles in its multivendor environment. "Profiling is essential in IoT technology. We don't want one vendor to share their credentials with another vendor, so that is where profiling comes in," adds Chowdhary. Cisco ISE allows Ampol to create individual vendor profiles. There are nearly 30 IoT devices in each of Ampol's retail locations. Chowdhary continues, "Cisco ISE gathers the sensor data from all these devices and uploads it into Ampol's custom vendor portal, where the vendors can securely access the data based on their profiles and make better business decisions. Cisco has been a game changer in this."

Ampol's IoT network includes untrusted legacy devices. "Cisco TrustSec enables software-defined east-west traffic segregation and intra-subnet traffic control to automatically isolate vulnerable devices without exposing the rest of the network. TrustSec also blocks malicious traffic entering our network," says Chowdhary.

Ampol's fuel business has nearly 50 external vendors. TrustSec helped Ampol segregate vendor domains. Using TrustSec's segregation, every vendor gets a unique profile based on their identity. Chowdhary explains, "For example, our coffee machine vendors want to come in and check their coffee inventory. Cisco ISE technology and TrustSec limit their visibility to only coffee with no cross-function of roles, and this is exactly what we wanted to achieve with TrustSec."

Cisco AnyConnect enables secure remote access for vendors. By deploying IoT framework on switches with ISE Security Assertion Markup Language (SAML) integration authentication, Ampol's vendors can securely access the devices via Cisco AnyConnect without physically being on site. "The vendor for the automatic tank gauge, for example, can sit anywhere in Australia and troubleshoot that equipment remotely," says Chowdhary.

Ampol securely manages its IoT infrastructure with Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD). "These solutions evaluate where the traffic is coming from. And in collaboration with Cisco Talos, we get to see if there's a malicious attack and curb that even before it spreads to the network. That's why Cisco is instrumental for us," remarks Chowdhary.

Cisco Duo secures Ampol's IoT network users and devices. Chowdhary comments, "Duo's strong multifactor authentication secured our workforce against phishing attacks while enhancing device trust as our critical OT network is supported by vendors from around the globe."

More trust and resilience

In Ampol's security journey, the company wanted to simplify its solutions, and Cisco made that happen. "The greatest outcome of using Cisco SecureX is simplicity at its core. We achieved highly efficient integration, better visibility with context that's not hidden across 5, 10, or 15 consoles, and, ultimately, greater security outcomes," says Chowdhary.

SecureX gives full visibility into what's in use in Ampol's multinational digital landscape, simplifying security investigations. Chowdhary continues, "SecureX integrated all our security products into a single-pane-of-glass view, and the Cisco global support team made troubleshooting much faster and easier."

With SecureX, Ampol can build custom policies to identify control coverage gaps and explore playbook-driven automation opportunities. "This helped Ampol address the inefficiencies of manual workflows with automated workflows for faster remediation, better precision, and SOC efficiency—all while reducing overall security costs," Chowdhary explains.

The TrustSec solution makes onboarding and provisioning remote access for new vendors and IoT devices much faster compared to static IPs/Dynamic Host Configuration Protocol (DHCP) reservations and access control lists (ACLs) updates all over the network. "Lead time to initiate safe access into the OT network segments has been significantly reduced. Through automation and self-service, internal IT and administration time investments have also decreased. Above all, the security posture of our critical OT infrastructure environment has increased," Chowdhary says. "Our ROI is that we've not had any serious security threats. All our devices are healthy right now."

Ampol's commitment to decarbonization is steering the company's transition to renewable green energy by utilizing solar panels and batteries. Chowdhary says, "Ampol is committed to providing Cisco's mobility solutions for the future and is expanding its EV net charging network across all retail networks."

To enable secure management of Ampol's expanded IoT network and allow optimized energy consumption, Ampol plans to leverage the Cisco Cybersecurity Framework. Chowdhary concludes, "The digital revolution is here and is powering life for our customers at Ampol. Our partnership with Cisco is helping us navigate this digital revolution."