Facing increasing threats of cyber-attacks, PETRONAS sought to better train its staff. “We realized that both IT and OT personnel must work together, and we applied an IT-OT convergence strategy in action,” said Rashid. “We quickly built up and nurtured our best performing team in this area as a high-level, IT-OT converged cybersecurity taskforce, guided by the ISA/IEC 62443 standards’ sustainable, international best practices. As part of this program, competency and capability building was one of our primary agenda points,” he explained.
As part of the competency goals, PETRONAS decided that all cybersecurity task force members would be trained. The team reviewed the available OT cybersecurity training options and chose ISA's online certificate courses covering Cybersecurity Fundamentals, Risk, Design and Maintenance; members then passed the four certificate exams to earn ISA/IEC 62443 Expert Certificates.
PETRONAS added other training, such as the PETRONAS cybersecurity project for OT and short sessions on the human defense/firewall, among others. New IT personnel “attend onboarding programs to ensure that they understand very well the criticality and priority of the OT environment. We are also extending the awareness training to the frontline, such as panel operators and boardmen who are monitoring and controlling OT assets via distributed control systems (DCS) 24/7, 365 days a year,” he said.
More than 1,000 man-hours were spent conducting awareness training. “Combining ISA trainings with other relevant trainings, I believe that PETRONAS is moving forward in the right direction toward our goal of enhancing our cybersecurity culture,” said Rashid.
With the staff trained in ISA/IEC 62443, Rashid said PETRONAS personnel are “able to communicate our cybersecurity goals more effectively to our stakeholders and vendors. Knowledge of the standards has also helped us shape the cybersecurity governance framework of our organization.”
In general, OT cybersecurity incident reporting reveals more unauthorized access attempts and a marked increase in malicious code attacks. Rashid believes OT systems will be subject to the same vulnerabilities as IT systems, especially as industrial control systems employ more commercial off-the-shelf (COTS) hardware and software with more embedded IT technology, such as the Microsoft Windows operating system, Ethernet and IP-based communication, and virtualization platforms such as VMware and other hypervisors.
“Common cyber incidents include blue screens, denial of service (DoS), and unauthorized remote access. Therefore, aggressive education, training, visual management, audits, and the courage to give feedback to staff on cybersecurity malpractices is surely needed,” said Rashid. Rashid and Hasim published a case history article showing some of the “aggressive education,” training, and visual management tools PETRONAS used to create the cybersecurity culture they wanted. See the ISAGCA blog titled “Accelerating Cybersecurity Culture Maturity in the Workplace.”
“Today, an established, experienced and mature cybersecurity team is collaboratively working as a fully converged IT-OT enterprise level entity. Core to sustaining PETRONAS’ cybersecurity maturity ambitions was the establishment of a cyber risk management framework. In this regard, PETRONAS has developed a standardized cybersecurity risk management program to cover both IT and OT domains,” said Rashid.
“As part of an accelerated cybersecurity culture at the workplace, one must engage staff, conduct awareness training, and foster an understanding that becoming inactive and uneducated on cybersecurity risk management can lead to a major loss of business,” said Rashid. “In leading the OT Cybersecurity team at PETRONAS, we engage and support staff as much as possible. We build and nurture our best performing teams with our new cybersecurity taskforce, as well as guide them using international standards and best practices on sustainable, pragmatic approaches."
Industrial automation and control system cybersecurity, also known as operational technology or OT cybersecurity, is one of the most critical issues facing manufacturing and industrial companies around the world today.
The International Society of Automation plays a key role in helping to protect people, operating sites, products, and systems through its wide range of resources built on the ISA/IEC 62443 series of standards.
As Andre Ristaino, managing director of Global Consortia and Conformity Assessment for ISA explains, “ISA is addressing multiple dimensions of the challenge and seeking to elevate OT cybersecurity from an art to a science and ultimately to an engineering discipline.”
While the ISA Education department trains and certifies personnel on OT cybersecurity topics, the ISASecure program certifies commercial off-the-shelf (COTS) devices and systems against the ISA/IEC 62443 series of standards. Together, these make it easier for asset-owner companies like PETRONAS to build secure systems.
“When ISASecure becomes an integral part of an asset owner’s overall security strategy and program, they can include ISA/IEC 62443 product and system conformance in their procurement specifications,” said Ristaino. “That means there are fewer security mitigations needed at the operating site.” The ISASecure program was founded in 2007 and has been elevating the security levels of COTS products since 2010, he added, and “some companies are now informing suppliers that they want ISASecure-compliant products.”