We recently conducted an interview with Sharul A. Rashid, PETRONAS Group Technical Authority and Custodian Engineer of Instrument and Control, to talk about how his company leverages the ISA/IEC 62443 series of standards, how the standards are advocated within the Malaysian government, and how the company implemented standards-based operations technology (OT) cybersecurity training.
Editor’s Note: PETRONAS is a Malaysian oil and gas company established in 1974 and wholly owned by the Government of Malaysia. The corporation is vested with the entire oil and gas resources in Malaysia and is entrusted with the responsibility of developing and adding value to these resources. PETRONAS is ranked among Fortune Global 500's largest corporations in the world.
How did PETRONAS come to the decision to implement ISA/IEC 62443 across its operations?
We implemented ISA training because we realized that our company, PETRONAS, has an ever-increasing threat of cyber-attacks. We realized that both IT and OT personnel must work together, and we applied an IT-OT convergence strategy in action. We quickly built up and nurtured our best performing team in this area as a high-level, IT-OT converged cybersecurity taskforce, guided by the ISA/IEC 62443 standards’ sustainable, international best practices. As part of this program, competency and capability building was one of our primary agenda points.
Once PETRONAS decided to implement ISA/IEC 62443, what steps did your leadership take to ensure that your teams were prepared and knowledgeable about the standards?
The journey towards an enterprise approach cybersecurity program for PETRONAS started in 2018. We quickly crafted a four-year roadmap towards building an institutionalized capability in OT cybersecurity, which was approved in 2019.
The institutionalized capability building program was established mainly to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel, commensurate with the risk to critical infrastructure and the following organizational objectives:
- Workforce Controls
- Knowledge, Skills, and Abilities
As part of the competency, we stipulated that cybersecurity task force members need acquire Cybersecurity Fundamental Specialist (CFS) ISA/IEC 62443 and Expert Level (Risk, Design, and Maintenance) training. Before selecting ISA/IEC 62443 cybersecurity training for OT, we had reviewed other OT cybersecurity trainings available in the market.
We decided on ISA training due to its leadership in developing widely used global standards. Based on this, ISA trainings were selected and had been approved by our management to be a part of the institutionalized capability four-year roadmap for PETRONAS.
How is PETRONAS able to coordinate ISA training within your company? What did the landscape look like for the company before the implementation of ISA training, and what does it look like now?
Since PETRONAS is a member of the ISA Global Cybersecurity Alliance (ISAGCA), we received a 40% discount, which requires at least more than 60 pax per single PO. With our internal advertisement and promotion of the program, we were able to get 73 nominations/pax, thus we went ahead with the proposal for procurement of the program in a single purchase from our top management. It was approved as part of the Institutionalized Capability Building Program. On personal capacity, I took the four complete training modules online and had been certified as a “Expert” back in 2020. I found the modules, combined with the lab, to be very relevant to OT.
With our staff trained in ISA/IEC 62443, we are now able to communicate our cybersecurity goals more effectively to our stakeholders and vendors. Knowledge in the standards have also helped us shape the cybersecurity governance framework of our organization.
How did the various teams approach the training? Was there any pushback or difficulty in implementation?
The company acknowledged our effort to educate the staff in cybersecurity. Along with ISA/IEC 62443 trainings, we had supplemented with other trainings such as the PETRONAS cybersecurity project for OT, short trainings on human defense/firewall, and more. More than 1,000 manhours were spent conducting awareness training in accelerating this cybersecurity maturity culture in the workplace.
For new IT personnel joining the PETRONAS cybersecurity project for OT, they attended onboarding programs to ensure that they understood very well the criticality and priority of the OT environment. We are also extending the awareness training to the frontline, such as panel operators and boardmen who are monitoring and controlling OT assets via distributed control systems (DCS) 24/7, 365 days a year.
There was hardly any pushback. The management team at PETRONAS understood the importance of the awareness training on cybersecurity and gave full cooperation to enable staff to be trained.
What does it mean to be “all in,” so to speak, on ISA/IEC 62443 within the company?
With combining ISA trainings with other relevant trainings, I believe that PETRONAS is moving forward in the right direction towards our goal of enhancing our cybersecurity culture. With this implementation, I believe that PETRONAS has a commitment to shape and steer ISA/IEC 62443 among ISAGCA end user companies at the international level. We at PETRONAS are making a continuous effort to collaborate on this initiative.
How does PETRONAS collaborate with the Malaysian government in related to enforcing ISA standards? What does this look like on both the company and government side?
We are progressing well in advocating the government of Malaysia towards the use of ISA/IEC 62443 cybersecurity standard for OT assets. Once the standard is approved to be used as part of the Malaysia standard, it may be adapted on a voluntary basis for any company operating in Malaysia. We are continuously campaigning on the awareness of the standard for OT cybersecurity, and will continue to promote its usage.
Editor's Note: Sharul Rashid would like to express his thanks to his OT Cybersecurity core team: Principal Instrument & Control (I&C) Engineers Azmi Hashim and Michael Ng Chien Han, along with Senior I&C Engineer Tan Ping Yang, who have helped shape and steer the OT Cybersecurity program for PETRONAS. He also would like to express his appreciation to the rest of the PETRONAS team who have put dedicated energy and effort in delivering this program.