OT-aware cybersecurity for Malaysian upstream, midstream and downstream operators. IEC 62443 audits, safety-gated pentests, and incident response that understands the difference between a SIEM alert and a flare-control failure.
The hydrocarbon supply chain is one of the most heavily targeted sectors globally for state-aligned and financially motivated threat actors. The 2017 Triton (also known as Trisis or HatMan) malware targeted Schneider Triconex Safety Instrumented Systems at a Saudi petrochemical facility — the first publicly attributed malware engineered specifically to manipulate safety systems with the potential to cause physical harm. The 2016 Industroyer malware against the Ukrainian power grid and the 2021 Colonial Pipeline ransomware incident, which forced a 5,500-mile fuel pipeline offline for six days, demonstrated that OT outages produce immediate national-economic consequences.
Closer to home, the Malaysian energy ecosystem — anchored by Petronas as the national oil company and supported by independent operators, EPCC contractors and downstream players including Petros in Sarawak and a network of retail and terminal operators — sits squarely within the National Critical Information Infrastructure scope under the Cyber Security Act 2024. NACSA's enforcement posture is shifting from advisory to mandatory, and the operator that has not yet inventoried its OT estate, segmented its corporate-to-industrial DMZ, or pre-arranged its IR retainer is operating on borrowed time.
nCrypt's oil & gas practice is built on a simple premise — IT pentest tooling will hurt an industrial network if pointed at it without restraint. Our methodology is passive-first, hazard-gated, and led by consultants who understand the difference between a Modbus function code and an HTTP verb.
Exploration and production assets — onshore wellpads, offshore platforms and FPSOs — operate behind satellite VSAT links and legacy serial-to-IP gateways. Threat scenarios include drilling SCADA disruption, MODU positioning system manipulation, and use of the crew-welfare network as a beachhead into the production DCS. Hazard consequence: well integrity, blowout potential and personnel safety.
Pipelines, gas processing plants, LNG terminals and storage. Long-haul SCADA over MPLS or radio. Attack patterns include leak-detection system spoofing, valve manipulation at unmanned RTU sites with weak physical security, and ransomware-driven control-system shutdown of the type that took Colonial Pipeline offline in 2021. Hazard consequence: hydrocarbon release, environmental damage, supply disruption.
Refineries, petrochemical plants, retail forecourts and terminal operations. Heaviest IT/OT convergence — corporate ERP integrating into the plant historian, refinery operator workstations dual-homed onto IT, and retail forecourts with payment, loyalty and fuel-dispenser controllers all reachable from the same network. Hazard consequence: process safety, payment-card fraud, fuel measurement integrity.
IEC 62443 is the international standard family for Industrial Automation and Control Systems security. It is purpose-built for OT and explicitly elevates safety and availability over confidentiality — the inverse of the IT-centric CIA triad. The standard introduces zones (logical groupings of assets with shared security requirements) and conduits (the communication paths between zones), each assigned a Security Level Target between SL 1 (protection against casual or coincidental violation) and SL 4 (protection against intentional violation by a state-level adversary using sophisticated means).
An nCrypt IEC 62443 engagement begins with a Zone & Conduit Diagram workshop — we map your IACS into discrete zones, document the conduits between them, and agree the Security Level Target per zone with your operations and process safety leads. We then assess the Foundational Requirements (FR 1 through FR 7 — identification & authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability) against the SL-T and produce a gap report with prioritised remediation aligned to MTBF and capex cycles.
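As an added illustration (not nCrypt's own tooling, and not text from the standard), the following Python sketches the gap-mapping step described above: each zone's assessed level per Foundational Requirement is compared with its SL-T, and conduits joining zones with different SL-T are flagged. The zone names, levels and the rule that a boundary conduit is assessed at the higher SL-T are assumptions made for this example.

```python
"""Added example (not nCrypt's tooling): per-zone Foundational Requirement
gap report against SL-T for an IEC 62443 zone model. Zone names, SL-T
values and the assessed SL-A scores are constructed illustrative data."""
from dataclasses import dataclass, field

FRS = ("FR1", "FR2", "FR3", "FR4", "FR5", "FR6", "FR7")  # FR 1..7 as listed above

@dataclass
class Zone:
    name: str
    sl_t: int                                  # Security Level Target, 1..4
    sl_a: dict = field(default_factory=dict)   # assessed SL-Achieved per FR

def fr_gaps(zone):
    """[(fr, sl_a, sl_t, shortfall)] for each FR below target, largest
    shortfall first; an FR never assessed is scored SL 0, not skipped."""
    gaps = [(fr, zone.sl_a.get(fr, 0), zone.sl_t, zone.sl_t - zone.sl_a.get(fr, 0))
            for fr in FRS if zone.sl_a.get(fr, 0) < zone.sl_t]
    return sorted(gaps, key=lambda g: -g[3])

def boundary_conduits(zones, conduits):
    """Conduits (src, dst, protocol) joining zones with different SL-T cross a
    trust boundary. Assumption made here (a modelling choice, not a clause of
    the standard): such a conduit is assessed at the higher of the two targets."""
    sl_t = {z.name: z.sl_t for z in zones}
    return [(src, dst, max(sl_t[src], sl_t[dst]), proto)
            for src, dst, proto in conduits if sl_t[src] != sl_t[dst]]

# Constructed refinery model: corporate IT, OT DMZ, control zone, SIS zone.
ZONES = [
    Zone("corporate", 1, dict.fromkeys(FRS, 2)),
    Zone("ot-dmz", 2, {"FR1": 2, "FR2": 1, "FR3": 2, "FR4": 2, "FR5": 2, "FR6": 1, "FR7": 2}),
    Zone("control", 3, {"FR1": 2, "FR2": 2, "FR3": 1, "FR4": 2, "FR5": 3, "FR6": 1, "FR7": 3}),
    Zone("sis", 3, {fr: 3 for fr in FRS if fr != "FR3"}),   # FR3 was never assessed
]
CONDUITS = [("corporate", "ot-dmz", "https"), ("ot-dmz", "control", "opc-ua"),
            ("control", "sis", "modbus/tcp")]

if __name__ == "__main__":
    for z in ZONES:
        for fr, a, t, d in fr_gaps(z):
            print(f"{z.name:10} {fr} SL-A {a} vs SL-T {t} (shortfall {d})")
    for src, dst, lvl, proto in boundary_conduits(ZONES, CONDUITS):
        print(f"conduit {src}->{dst} ({proto}) crosses an SL-T boundary; assess at SL {lvl}")
```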
For NACSA NCII designees, the IEC 62443 framework also serves as a credible answer to the audit obligation under the Cyber Security Act 2024 — providing an externally validated controls baseline that maps cleanly to the Act's risk assessment and incident response requirements.
Passive-first scoping against SCADA, DCS, PLC and historian estates. Active testing in maintenance windows or on digital twins, gated by hazard review.
Zone & Conduit diagram review, Security Level Target setting (SL-T), and Foundational Requirement gap mapping for the IACS in scope.
Pre-positioned credentials, offline forensic tooling and a playbook that covers Modbus/DNP3/OPC manipulation, engineering workstation compromise and SIS tamper.
Pre-designation NCII readiness review aligned to the Cyber Security Act 2024 obligations for the energy sector.
IEC 62443 is the international standard purpose-built for Industrial Automation and Control Systems (IACS). Where ISO 27001 treats availability, integrity and confidentiality as roughly equal, IEC 62443 elevates safety and availability — a SCADA outage on a refinery flare control loop is a safety event, not just a data event. IEC 62443 introduces the concept of zones and conduits (network segmentation purpose-built for OT), Security Levels (SL 1-4 mapped to threat capability), and a Foundational Requirements set covering identification, use control, system integrity, data confidentiality, restricted data flow, timely response and resource availability. nCrypt scopes IEC 62443 audits at the Zone & Conduit Diagram level first, then maps controls to your Security Level Target.
Under the Cyber Security Act 2024, the National Cyber Security Agency (NACSA) designates National Critical Information Infrastructure (NCII) entities across 11 sectors, including energy. Major upstream operators, refineries, gas processing plants, pipeline operators and downstream terminal operators are likely candidates. NCII designation imposes obligations including risk assessment, audit, incident reporting and licensed cybersecurity service provider procurement. nCrypt is in the process of formal NACSA cybersecurity service provider licensing under the Act and can scope a pre-designation readiness review now.
Yes — but the test plan looks nothing like an IT pentest. We default to passive techniques (network capture, asset inventory via PCAP, configuration review of historian and engineering workstations) on the live OT network, and reserve active techniques (port scanning, protocol fuzzing, exploitation) for either a maintenance window, a digital twin, or an offline lab replica. Every active step is gated by an explicit operator approval and is preceded by a hazard review against the safety case. We do not run Nessus against a Modicon PLC.
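As an added example, not part of the original page or nCrypt's toolkit, this Python shows the passive asset-inventory step on Modbus/TCP: it parses MBAP headers from captured client-to-server payloads, lists which unit IDs and function codes each server sees, and records which client stations issue write function codes so the operator can confirm each is an expected engineering host. The frames and IP addresses are constructed; reading payloads from a real PCAP would need a capture library.

```python
"""Added example (not nCrypt's tooling): passive Modbus/TCP inventory from
captured frames. The frames below are constructed bytes, not a real capture."""
import struct
from collections import defaultdict

# Function codes that modify process state; a passive inventory records which
# client stations issue them rather than blocking or replaying anything.
WRITE_FCS = {5: "Write Single Coil", 6: "Write Single Register",
             15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_mbap(frame):
    """Split a Modbus/TCP frame into (transaction_id, unit_id, function_code, data).
    Returns None for malformed frames (non-zero protocol id or length mismatch)."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return tid, unit, frame[7], frame[8:]

def inventory(flows):
    """flows: iterable of (src_ip, dst_ip, payload) for client->server packets.
    Returns {server_ip: {"units": set, "fcs": set, "writers": set}}."""
    inv = defaultdict(lambda: {"units": set(), "fcs": set(), "writers": set()})
    for src, dst, payload in flows:
        parsed = parse_mbap(payload)
        if parsed is None:
            continue                      # skip junk; never guess at a frame
        _, unit, fc, _ = parsed
        entry = inv[dst]
        entry["units"].add(unit)
        entry["fcs"].add(fc)
        if fc in WRITE_FCS:
            entry["writers"].add(src)
    return dict(inv)

# Constructed sample: an HMI polls holding registers (FC3) on PLC unit 1, an
# engineering workstation writes one register (FC6) to the same PLC, and a
# frame with a non-zero protocol id is ignored as malformed.
SAMPLE = [
    ("10.0.1.10", "10.0.2.5", struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0x0000, 10)),
    ("10.0.1.20", "10.0.2.5", struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 0x0010, 1)),
    ("10.0.1.20", "10.0.2.5", struct.pack(">HHHBBHH", 3, 7, 6, 1, 6, 0x0010, 1)),
]

if __name__ == "__main__":
    for plc, e in inventory(SAMPLE).items():
        print(plc, "units", sorted(e["units"]), "fcs", sorted(e["fcs"]),
              "write-capable clients", sorted(e["writers"]))
```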
An OT-aware retainer covers IT incident response (the corporate Active Directory blast, the email phish) and additionally covers OT-specific failure modes — ICS protocol manipulation (Modbus / DNP3 / OPC), engineering workstation compromise, historian data integrity loss, safety system tamper, ransomware crossover from IT into the OT DMZ, and integrity-of-process attacks like Triton (which targeted Schneider Triconex SIS controllers in 2017). The retainer also pre-positions credentials, network maps, jump-host access and offline forensic tooling — because in an OT incident the corporate VPN and SIEM may already be in the threat actor's hands.
Upstream (exploration, production) is dominated by remote drilling, FPSOs, satellite VSAT links into platform networks and a sprawl of legacy DCS / RTU equipment that was never designed to be on a network. Midstream (pipelines, terminals) is dominated by long-haul SCADA, RTU sites in the field with weak physical security, and the leak detection systems whose integrity matters more than their confidentiality. Downstream (refining, retail) carries the heaviest IT/OT convergence — refineries with corporate ERP integration into the historian, and retail with payment, fuel-controller and forecourt-IoT exposure. Each tier needs its own threat model, its own pentest scope, and its own IR playbook.
30-minute scoping call with an OT-credentialed consultant. Hazard-aware methodology. NACSA Cyber Security Act 2024 alignment.