3. 3
Technology that Helps Drive Transformation
Emerging technology stands the greatest chance of delivering transformational value to organizations.
Source: ISACA’s 2018 Digital Transformation Barometer Study of 5,847 members
Emerging technologies face the greatest organizational resistance.
4. 4
Current State of Digital Transformation
Before assessing risk and security implications, organizations need to understand why a particular emerging technology may fuel their digital transformation. It’s no surprise that big data, AI (including machine learning), and public cloud adoption lead the pack.
Benefit of Big 3 Transformative Technologies
Big Data
describes large data sets that may be analyzed to reveal patterns, trends and associations. Applications include managing road traffic patterns, understanding consumer behavior, drug discovery and loan processing.
Artificial Intelligence
bolstered by machine learning allows organizations to learn and interact much faster than workers or customers can themselves. AI is used in sectors as varied as marketing, manufacturing, financial services, medicine, healthcare, energy exploration, government, entertainment (particularly sports) and retail.
Public Cloud
Organizations tend to use the public cloud for non-strategic applications, such as sales (customer relationship management), human resources or the fast “spinning up” of resources for application development.
5. 5
Harvey Nash/KPMG CIO Survey 2018 - Oil & Gas Industry
Source: Harvey Nash/KPMG CIO Survey 2018 - Oil & Gas Industry
6. 6
Digital Transformation Pathway for Upstream Operations
Source: Deloitte Insights - From bytes to barrels: The digital transformation in upstream oil and gas
“The near-term objective of the seismic imaging unit of Oil & Gas companies has shifted toward rightsizing their existing resource portfolio, including the identification of sub-commercial, marginal resources that are reducing profitability and locking up significant capital”
7. 7
Digital Transformation for Offshore Drilling Setup
Source: Deloitte Insights - From bytes to barrels: The digital transformation in upstream oil and gas
1. Virtualizing the ecosystem
2. Enabling cross-functional workflows
3. Integrating operations data
4. Analyzing at edge
5. Mechanizing and automating equipment
6. Robotizing platforms
7. Crafting complex parts
“Using next-gen technology enablers, the company is creating a digital twin of every product by integrating all the four ecosystem hubs—engineering, manufacturing, test and check-out, and sustainment—through a common data language and open system architecture”
9. 9
IT vs OT/ICS System
Source: NIST SP 800-82 rev 2
Main differences between IT and OT/ICS system
Category | IT | OT/ICS
Performance Requirements | Non-real-time | Real-time
Availability (Reliability) Requirements | Responses such as rebooting are acceptable | Responses such as rebooting may not be acceptable because of process availability requirements
Risk Management Requirements | Manage data; data confidentiality and integrity is paramount | Control physical world; human safety is paramount, followed by protection of the process
Change Management | Software changes are applied in a timely fashion | Software changes must be thoroughly tested and deployed incrementally throughout a system
Communications | Standard communications protocols | Many proprietary and standard communication protocols
Component Lifetime | Lifetime on the order of 3 to 5 years | Lifetime on the order of 10 to 15 years
10. 10
Business Concern in OT/Control System
Source: SANS 2019 State of OT/ICS Cybersecurity Survey
Ensuring reliability and availability of control systems continues to be the top concern for respondents. However,
ensuring the health and safety of employees is now the second highest concern for OT cybersecurity.
11. 11
OT/Control System Components Support of Visibility
Source: SANS 2019 State of OT/ICS Cybersecurity Survey
Data shows the relative risk and impact potential attributed to field devices (digital sensors and actuators) are low,
given that these various devices are the first and last step to link digital information to physical effects.
12. 12
Benefits of IT-OT Integration for Asset Management
Source: ABB – Bridging IT-OT for the Connected Asset Lifecycle Management
IT-OT Integration is critical for Connected Asset Lifecycle Management
16. 16
Critical Cyber Security Program: Technology Lens
Source: Natural Gas Council – Cybersecurity in the Natural Gas & Oil Industry
17. 17
Balancing Security and Digital Transformation
When testing or implementing transformative technologies, consider the following security and management checkpoints:
▪ Train IT and business staff with regard to responsibilities and how to mitigate threats
▪ Create an internal communications plan
▪ Create contingencies for any external communications, especially in light of a breach
▪ “Automate everything”: try to automate as much of the staging, testing, security and audit validation, configuration checking, deployment, and other elements of the systems
18. 18
Shifting Security to the Left means built-in
“Apps & data are as safe as where you put it, what’s in it, how you inspect it, who talks to it, and how it’s protected…”
Security is a Design Constraint
19. 19
Security by design in the pipeline and team
Source: KPMG
Leading organizations are embedding security into everything they do using DevSecOps
[Diagram labels: SecOps, DevOps, SecDevOps, Security, Operations, Development]
The addition of security within DevOps has given rise to many terms, including DevOpsSec, SecDevOps, DevOpsSec. These terms are generally used to refer to specific activities within the DevOps process. Secure DevOps means that security is built into the entire
[Diagram labels: Sharing, Metrics, Automation, Culture]
20. 20
Cybersecurity Journey for Oil & Gas Company
Source: KPMG
[Diagram labels: IT; OT; IoT / IIoT; Data & Analytics; Visualization; Infrastructure (On-Prem and/or Cloud); Application (Web/Mobile/Thick/Embedded); Change Management]
21. 21
Cybersecurity is not just a technical issue
Source: RSM - Digital Transformation, Cybersecurity, IoT and You
Basic things that we must do in terms of cybersecurity
1. Secure your web presence/applications
2. Secure your endpoints
3. Secure your people from phishing baits
4. Secure software by timely patching
5. Manage users via an Identity Access Management (IAM) solution
6. Effective Password Policy
7. Secure Mobile, cloud and IoT
8. Protect Sensitive Data
9. Backup Your Data
10. Prepare for the worst incident and test the process
23. 23
Cybersecurity Transformation in Oil & Gas Company
Three-year transformation journey, endorsed by the XYZ SOE, that has been prioritized into XXX key cyber security themes over the next three years to 2022
Cyber Security Competency
Cyber Security Risk
Cyber Hygiene
Cyber Response & Resilience
[Sanitized]
[Sanitized]
[…]
Targeted Cyber Maturity Levels
Identify Now 2020 2022 onwards
Protect Now Q3 2019 2020 2022 onwards
Detect Now Q3 2019 2021 2022 onwards
Respond Now Q3 2019 2021 2022 onwards
Recover Now Q3 2019 2021 2022 onwards
The foundation of the Cyber Security Strategy is built on the NIST Cyber Security Framework and XYZ Framework. These industry good practices consist of standards, guidelines and best practices to manage cyber security related risks.
XX Goals
Top X Themes
[Diagram labels: Vision & Mission; Internal & External Context; Risk Radar; Goals & Themes; Goal Cards; Roadmap]
25. 25
Vulnerability Assessment on OT/ICS Environment
Site Survey Details
Workstations and Servers
Network assets
Assessment Categories
Policies, Procedures, Standard
Physical Security
Network-based Security
Host-based Security
Safety
OT/ICS/SCADA System
Process-based Assessment
XX Process Domain
Risks for each Process Domain
Core Assessment
Organizational Maturity & Capability Process Safety
General Control & Process Control Audit