Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.


PETRONAS Leverages ISA IEC 62443 in Enterprise Risk Management

PETRONAS, Malaysia's national oil and gas company, is a dynamic global energy group with a presence in over 100 countries that produces and delivers energy and solutions that power society’s progress.

PETRONAS seeks energy potential across the globe, optimizing value through an integrated business model. Their portfolio includes cleaner conventional and renewable resources and a ready range of advanced products and adaptive solutions.

Sustainability is at the core of what PETRONAS does, as the good in energy is harnessed to elevate and enrich lives. People are the strength and partners for growth, driving passion for innovation to progress towards the future of energy sustainability.

The enterprise-wide cybersecurity program for PETRONAS started in 2018. At that time, it was a task force consisting of Sharul, Azmi, Michael and Ping Yang. A five-year roadmap towards building an institutionalized capability in OT (Operational Technology) cybersecurity was crafted and subsequently approved in 2019. The focus was to accelerate a mature cybersecurity culture at the workplace and to ensure competence of personnel commensurate with the risk to critical infrastructure and other organizational objectives.

As part of the competency goals, it was stipulated that cybersecurity task force members had to complete the ISA/IEC 62443 Cybersecurity Fundamental Specialist (CFS) course and subsequently achieve ISA/IEC 62443 Expert status (by earning the Risk, Design and Maintenance certificates). An extensive market survey was done before selecting ISA/IEC 62443 certification training.

What's Happening Today? 

Today, an established, experienced and matured cybersecurity team is collaboratively working as a fully converged IT-OT enterprise level entity.

Core to sustaining PETRONAS’ cybersecurity maturity ambitions was the establishment of a cyber risk management framework. In this regard, PETRONAS has developed a standardized cybersecurity risk management program to cover both IT and OT Domains.

OT Risk Management for PETRONAS is based on the ISA/IEC 62443-3-2 Standard. The cyber risk of an OT system is established by evaluating the business impact of that system if it is compromised, and the likelihood of that compromise happening. Business impact is evaluated through the lens of how it affects people, environment and assets, as well as the company’s reputation. The likelihood is established via control compliance in addressing threats from a cybersecurity threat register.

PETRONAS Reaches a Milestone 

In September 2023, PETRONAS reached a milestone by, for the first time, executing a cybersecurity risk assessment as part of the engineering design stage of a capital project. Through the risk assessment, the Security Level Target (SL-T) of each OT system of the project was established.

This exercise provided the EPCC (Engineering, Procurement, Construction and Commissioning), OT, and OT vendors with detailed security specifications for the systems being designed. The specifications to be delivered are from the ISA/IEC 62443-3-3 system security requirements and security levels standard in addition to the PETRONAS technical standards.

In Essence

Utilizing the ISA/IEC 62443 standards in engineering design has helped advance cybersecurity discussions with the OT vendors in delivering secured-by-design OT systems. It has also helped PETRONAS as a tool to strengthen the cybersecurity awareness and practices of its partners and collaborators.

Michael Ng Chien Han and Sharul A. Rashid
Michael Ng Chien Han, Board Member, ISA Malaysia Section

Michael is a Principal Engineer, Instrument and Control (I&C) in PETRONAS Group Technical Solutions (GTS). He has over 17 years of automation experience in the Oil and Gas industry, consisting of operating petrochemical plants, leading Instrumentation & Control design for flagship capital projects and technical consultancy in PETRONAS. Michael held the role of OT Domain Authority and currently leads Operational Technology (OT) Cyber Security governance and strategy for PETRONAS Cyber Security. Michael gained his Bachelor of Science in Electrical Engineering from The University of Michigan, Ann Arbor. He is an ISA/IEC 62443 Cyber Security Expert, Member of the ISA/IEC 62443 working group and Member of the World Economic Forum (WEF) Security the OT Environment Action Group.

Sharul A. Rashid, President, ISA Malaysia Section

Sharul A. Rashid is the PETRONAS GTS Head of Technical Excellence, Group Technical Authority, Instrument and Control. He is currently President of ISA Malaysia and an Advisory Board member of ISAGCA (International Society Automation - Global Cybersecurity Alliance). He is also Co-Chair of the Certification Work Group (CWG) of the Open Process Automation Forum (OPAF) and Vice-Chair of the IASSC (Instrument Automation Standards Subcommittee) for IOGP. Sharul has more than 30 years of experience in handling instrumentation and control issues in oil and gas, gas liquefaction and petrochemical plants, including pipeline transmission networks.
