PETRONAS—Malaysia's national oil and gas company— is a dynamic global energy group with presence in over 100 countries that produces and delivers energy and solutions that power society’s progress.
PETRONAS seeks energy potential across the globe, optimizing value through an integrated business model. Their portfolio includes cleaner conventional and renewable resources and a ready range of advanced products and adaptive solutions.
Sustainability is at the core of what PETRONAS does, as the good in energy is harnessed to elevate and enrich lives. People are the strength and partners for growth, driving passion for innovation to progress towards the future of energy sustainability.
The enterprise-wide cybersecurity program for PETRONAS started in 2018. At that time, it was a task force consisting of Sharul, Azmi, Michael and Ping Yang. A five-year roadmap towards building an institutionalized capability in OT (Operational Technology) cybersecurity was crafted and subsequently approved in 2019. The focus was to accelerate a matured cybersecurity culture at the workplace and to ensure competence of personnel, which commensurate with the risk to critical infrastructure and other organizational objectives.
As part of the competency goals, it was stipulated that cybersecurity task force members had to complete the ISA/IEC 62443 Cybersecurity Fundamental Specialist (CFS) course, and subsequently achieved ISA/IEC 62443 Expert (by earning Risk, Design and Maintenance certificates. An extensive market survey was done before selecting ISA/IEC 62443 certification training.
Today, an established, experienced and matured cybersecurity team is collaboratively working as a fully converged IT-OT enterprise level entity.
Core to sustaining PETRONAS’ cybersecurity maturity ambitions was the establishment of a cyber risk management framework. In this regard, PETRONAS has developed a standardized cybersecurity risk management program to cover both IT and OT Domains.
OT Risk Management for PETRONAS is based on the ISA/IEC 624443-3-2 Standard. Cyber risk of an OT system is established by evaluating the business impact of that system, if it is compromised, and the likelihood of that compromise happening. Business impact is evaluated from the lens of how it affects people, environment and assets, as well as the company’s reputation. The likelihood is established via control compliance in addressing threats from a cyber security threat register.
In September 2023, PETRONAS reached a milestone by—for the first time—executing a cybersecurity risk assessment as part of the engineering design stage of a capital project. Through the risk assessment, the Security Level Target (SL-T) of each OT system of the project was established.
This exercise provided the EPCC (Engineering, Procurement, Construction and Commissioning), OT, and OT vendors with detailed security specifications for the systems being designed. The specifications to be delivered are from the ISA/IEC 62443-3-3 system security requirements and security levels standard in addition to the PETRONAS technical standards.
Utilizing the ISA/IEC 62443 standards in engineering design has helped advance cybersecurity discussions with the OT vendors in delivering secured-by-design OT systems. It has also helped PETRONAS as a tool to strengthen the cybersecurity awareness and practices of its partners and collaborators.