Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

PETRONAS Leverages ISA IEC 62443 in Enterprise Risk Management

PETRONASMalaysia's national oil and gas company— is a dynamic global energy group with presence in over 100 countries that produces and delivers energy and solutions that power society’s progress.

PETRONAS seeks energy potential across the globe, optimizing value through an integrated business model. Their portfolio includes cleaner conventional and renewable resources and a ready range of advanced products and adaptive solutions.

Sustainability is at the core of what PETRONAS does, as the good in energy is harnessed to elevate and enrich lives. People are the strength and partners for growth, driving passion for innovation to progress towards the future of energy sustainability.

The enterprise-wide cybersecurity program for PETRONAS started in 2018. At that time, it was a task force consisting of Sharul, Azmi, Michael and Ping Yang. A five-year roadmap towards building an institutionalized capability in OT (Operational Technology) cybersecurity was crafted and subsequently approved in 2019. The focus was to accelerate a matured cybersecurity culture at the workplace and to ensure competence of personnel, which commensurate with the risk to critical infrastructure and other organizational objectives.

As part of the competency goals, it was stipulated that cybersecurity task force members had to complete the ISA/IEC 62443 Cybersecurity Fundamental Specialist (CFS) course, and subsequently achieved ISA/IEC 62443 Expert (by earning Risk, Design and Maintenance certificates. An extensive market survey was done before selecting ISA/IEC 62443 certification training.

What's Happening Today? 

Today, an established, experienced and matured cybersecurity team is collaboratively working as a fully converged IT-OT enterprise level entity.

Core to sustaining PETRONAS’ cybersecurity maturity ambitions was the establishment of a cyber risk management framework. In this regard, PETRONAS has developed a standardized cybersecurity risk management program to cover both IT and OT Domains.

OT Risk Management for PETRONAS is based on the ISA/IEC 624443-3-2 Standard. Cyber risk of an OT system is established by evaluating the business impact of that system, if it is compromised, and the likelihood of that compromise happening. Business impact is evaluated from the lens of how it affects people, environment and assets, as well as the company’s reputation. The likelihood is established via control compliance in addressing threats from a cyber security threat register.

PETRONAS Reaches a Milestone 

In September 2023, PETRONAS reached a milestone byfor the first timeexecuting a cybersecurity risk assessment as part of the engineering design stage of a capital project. Through the risk assessment, the Security Level Target (SL-T) of each OT system of the project was established.

This exercise provided the EPCC (Engineering, Procurement, Construction and Commissioning), OT, and OT vendors with detailed security specifications for the systems being designed. The specifications to be delivered are from the ISA/IEC 62443-3-3 system security requirements and security levels standard in addition to the PETRONAS technical standards.

In Essence

Utilizing the ISA/IEC 62443 standards in engineering design has helped advance cybersecurity discussions with the OT vendors in delivering secured-by-design OT systems. It has also helped PETRONAS as a tool to strengthen the cybersecurity awareness and practices of its partners and collaborators.

Michael Ng Chien Han and Sharul A. Rashid
Michael Ng Chien Han and Sharul A. Rashid
Michael Ng Chien Han, Board Member, ISA Malaysia Section Michael is a Principal Engineer, Instrument and Control (I&C) in PETRONAS Group Technical Solutions (GTS). He has over 17 years of automation experience in the Oil and Gas industry, consisting of operating petrochemical plants, leading Instrumentation & Control design for flagship capital projects and technical consultancy in PETRONAS. Michael held the role of OT Domain Authority and currently leads Operational Technology (OT) Cyber Security governance and strategy for PETRONAS Cyber Security. Michael gained his Bachelor of Science in Electrical Engineering from The University of Michigan, Ann Arbor. He is an ISA/IEC 62443 Cyber Security Expert, Member of the ISA/IEC62443 working group and Member of the World Economic Forum (WEF) Security the OT Environment Action Group. Sharul A. Rashid, President, ISA Malaysia Section Sharul A. Rashid is the PETRONAS GTS Head of Technical Excellence, Group Technical Authority, Instrument and Control. He is currently President of ISA Malaysia and Advisory Board member ISAGCA (International Society Automation - Global Cybersecurity Alliance. He is also Co-Chair Certification Work Group (CWG) of Open Process Automation Forum (OPAF) and Vice-Chair IASSC (Instrument Automation Standards Subcommittee) for IOGP. Sharul has more than 30 years of experience in handling instrumentation and control issues in oil and gas, gas liquefaction and petrochemical plant including pipeline transmission network.

Related Posts

Industrial Control Systems Certification

An increasing number of intentional attacks are being detected that target industrial control systems (IC...
Nikhil Kapoor Jun 7, 2024 7:00:00 AM

Most Cybersecurity Teams Are Unprepared for AI Cyberattacks

Cybersecurity teams aren’t the only ones using artificial intelligence to their advantage — cybercriminal...
Zac Amos May 31, 2024 4:02:28 PM

Protecting Vital OT Infrastructure: Key Strategies for OT Penetration Testing

Operational technology (OT) cybersecurity faces significant challenges in maturing its operations and pro...
Mohannad AlRasan May 24, 2024 4:44:16 PM