Case Study: Zero Trust Is a Requirement for Connected Oil and Gas Workers


At the ARC forum earlier this year in Orlando, Rahayu Ramli, head of cyber strategy and architecture at PETRONAS, presented on the digital journey PETRONAS is on and the crucial role that zero trust access management and remote access play in achieving PETRONAS' cybersecurity goals.

Based in Malaysia, PETRONAS is one of the largest oil and gas companies in the world with close to 48,000 employees and over $83 billion in revenue. Ramli discussed the oil major’s path to digital transformation, its impact on the company’s cybersecurity strategy and how it eventually led to the adoption of a zero trust solution to adapt to the increasing number of connected workers and increased use of remote operations. 

The PETRONAS presentation reflected many of the concerns that end users in the process industries face today as they adopt digital transformation. Many organizations have discovered that digital transformation requires a complete revamping of their cybersecurity organization, breaking down barriers between the IT and OT domains when it comes to cybersecurity governance and best practices. 

Digitalization also means a larger number of connected workers and a push to remote operations. End users like PETRONAS are discovering that their current implementations for secure remote access no longer meet their needs, and they are instead adopting true zero trust fabrics. In this case study, PETRONAS has decided to implement the Xage Zero Trust Fabric.


Digitalization effort spurs merger of IT and OT cybersecurity domains

As with many oil and gas companies today, PETRONAS is increasingly focused on digitalization. The company is in the middle of a three-phase corporate digitalization effort, which started in 2018 with efforts to define new ways of working and to create a digital organization. In 2023, PETRONAS began phase 2 of its initiative, which focuses on using the digitally enabled enterprise to provide a path to net zero operations, increased resilience and improved governance. The third phase, scheduled for 2027, will create a fully digital, fully democratized, self-sustainable organization with digital hard-coded into the company’s business DNA.

With the adoption of digitalization, PETRONAS found it increasingly difficult to keep traditional boundaries between IT and OT. The IT cybersecurity organization was traditionally focused on the CIA triad of confidentiality, integrity and availability. IT security personnel had to deal with assets that typically had a five-year lifecycle. Most cybersecurity vulnerabilities could be managed centrally,

On the OT side, the cybersecurity organization was primarily concerned with people, the environment, assets and reputation (PEAR), followed by the CIA triad. Assets and operating systems had a 10–20-year lifecycle instead of a 5-year lifecycle. On the OT side, cybersecurity vulnerabilities cannot typically be addressed remotely and require some level of physical intervention. Systems can often be isolated, in remote locations, and can often require extensive physical effort to gain access. 

With the adoption of a digitalization strategy, however, PETRONAS has found that cybersecurity must be approached from a more holistic perspective. The boundaries of IT and OT must be dissolved to adopt this holistic perspective. PETRONAS is now looking at cybersecurity through the lens of how it can benefit the business and create a data-driven organization that can enable new ways of working.


Increasing focus on resilience and proactivity leads to new cybersecurity organization

For successful digitalization, cybersecurity must become more proactive and focused on building a more resilient enterprise. This means proactively seeking out threats to the organization, knowing where the risks and exposures can be, and protecting the enterprise. Being able to respond and recover if an incident occurs is also essential to this strategy. 

With these two primary strategic objectives in mind – increasing resilience and being increasingly proactive – PETRONAS formed its new unified IT and OT cybersecurity organization. The mandate from PETRONAS to the entire cybersecurity organization within the company is that there is single accountability across all of PETRONAS IT and OT.

About The Author


Larry O'Brien is vice president, research, at ARC Advisory Group. Larry is part of the cybersecurity and smart cities and infrastructure teams at ARC, with a 30-year background in process control, process safety and field devices/field networks. Larry has also supported many of our end user clients in the oil and gas and refining industries and has conducted several supplier selection workshops.
