Skip to main content

OT/ICS Security Assessment

OT and ICS security assessment for Indonesian oil and gas operators

In short

How Indonesian oil and gas operators assess OT and ICS security across SCADA, DCS, and safety systems under IEC 62443 and Perpres 82/2022 without disruption.

OT/ICS security assessment

An OT security assessment in oil and gas has one non-negotiable constraint before anything else: it must not disturb the systems that keep a refinery, a platform, or a pipeline from failing dangerously. The safety instrumented systems that trigger an emergency shutdown, the DCS that holds a process inside safe limits, and the SCADA that watches a pipeline for a leak are exactly the systems an assessment has to understand, and exactly the systems it cannot afford to knock over while understanding them. This page covers what that assessment looks like for an Indonesian operator specifically. For what an OT/ICS security assessment covers as a general service, see our OT/ICS Security Assessment service page.

Why an OT assessment looks different in oil and gas

A failure in an oil and gas control system is rarely just downtime. A PLC misreading pressure, a DCS accepting an unauthorized setpoint change, or a safety system disabled without anyone noticing are safety and environmental events before they are IT events. That shapes what the assessment has to look for.

Safety instrumented systems as a direct target

TRITON/TRISIS, discovered in 2017, was the first malware built specifically to attack a safety instrumented system. It showed that attackers will go after the exact systems designed to prevent an explosion or an environmental release, not just the ones that keep production running, which is why SIS isolation and change management are a first-order question in any assessment.

Offshore platform OT

Offshore platforms combine satellite communications with remote SCADA, an unusual set of attack vectors that also makes recovery slow when something goes wrong. A control network reachable over a VSAT link is exposed in ways an onshore plant is not, and the distance means a compromise can run longer before anyone is physically present to respond.

Pipeline SCADA and leak-detection

Pipeline SCADA and leak-detection systems can be manipulated to mask an actual breach, drive overpressure, or disrupt distribution. A tampered leak-detection reading is worse than a missing one, because it tells operators a line is healthy while product is escaping, so the integrity of that data path is part of the scope.

Unmanaged contractor remote access

Drilling, pipeline, and maintenance vendors routinely connect to control systems through remote access the primary operator often cannot see. Unlogged sessions and default credentials on these links are a recurring finding across the sector, and each one is a path into the OT estate that sits outside the operator's own monitoring.

Perpres 82/2022 designates oil and gas infrastructure as critical national infrastructure for the energy sector, with BSSN as the oversight body, and requires operators and designated contractors to set baseline controls and report major incidents. The regulation sets the obligation to protect that infrastructure; it does not itself specify what an adequate control looks like at the level of a SCADA zone or a DCS conduit. That is the gap IEC 62443, the international standard for industrial automation and control system security, is built to fill, and it is the reference framework this assessment is structured around. The table below maps the obligations to what the assessment actually produces.

ObligationSourceWhat the assessment does
Protect critical national infrastructure in the energy sectorPerpres 82/2022Estate-level findings a BSSN-designated operator can use as supporting evidence that its OT is protected
Security management and incident reporting for electronic systemsPP 71/2019Reviews how OT and its supporting electronic systems are secured and whether detection feeds a usable incident-reporting path
Zone and conduit segmentation and security levels for control systemsIEC 62443A gap assessment against IEC 62443 zones and conduits, prioritized by exploitability and operational impact rather than CVSS score alone
Protection of employee, contractor, and community personal dataUU PDP (UU 27/2022)Flags where OT-adjacent systems hold personal data without adequate safeguards

How we assess it without disrupting operations

The assessment spans the control estate rather than a single site, and it is scoped around what each system can tolerate.

SCADA (upstream, pipeline, and plant)Distributed control systems (DCS)PLCs and RTUsSafety instrumented systems (SIS), configuration and architecture onlyRefinery and plant historiansPipeline leak-detection systemsOffshore platform control networksIT/OT boundary and DMZ

The assessment runs in five phases, and the constraint that shapes every one of them is that nothing active is sent into a live control network. Passive discovery observes traffic to build an asset inventory and identify vulnerable firmware without putting a packet on the wire itself. Active scanning is never run against a live SIS or DCS. Work is scheduled around operations and authorized by plant management and the HSE team before it begins.

Scope and authorize with plant management and HSEPassive discovery across the OT estate, no active scanning of live SIS or DCSArchitecture review of IT/OT segmentation and contractor access pathsConfiguration analysis mapped to IEC 62443 zones and conduitsReport prioritized by exploitability and operational impact

If your immediate need is a single upstream site under SKK Migas oversight rather than the full estate, our deep dive on OT VAPT for oil and gas operations in Indonesia covers wellhead SCADA, separation and processing DCS, and vendor remote access at that level of detail. If your goal is to measure the estate against the standard itself, our IEC 62443 compliance assessment page sets out how that gap analysis works.

Perpres 82/2022 puts oil and gas in the same critical-infrastructure category as the country's other strategic sectors, which is the clearest signal that an assessment is expected to be a standing practice rather than a one-off. Sector-specific figures for OT incident frequency or downtime cost in Indonesian oil and gas are not backed by a primary source we could verify at the time of writing, so this page leads with the regulatory and technical framing rather than a number that would not hold up to scrutiny.

If your estate has never had a consistent assessment against IEC 62443 across every site, our team can help you scope where to start.

References

  1. 1.Republic of Indonesia, Perpres No. 82 Tahun 2022 on Vital Information Infrastructure Protection
  2. 2.Republic of Indonesia, PP No. 71 Tahun 2019 on Electronic System and Transaction Operation
  3. 3.ISA, ISA/IEC 62443 Series of Standards for Industrial Automation and Control Systems Security
  4. 4.Republic of Indonesia, UU No. 27 Tahun 2022 (UU PDP)

Reviewed by Karina Kosasih, Offensive Security Lead

Frequently asked questions

There is no single line in Indonesian law that says every operator must run an OT security assessment on a fixed date. The obligation exists in substance. Perpres 82/2022 designates oil and gas infrastructure as critical national infrastructure for the energy sector, with BSSN as the oversight body, and PP 71/2019 sets security management and incident-reporting duties for electronic systems. An assessment mapped against IEC 62443 is one of the clearest ways to show those obligations are met in the control environment rather than on paper. Across the sector, maturity varies widely: some operators are already ahead of the rules, while many are still mapping which OT assets they even have.

Related

Ready to strengthen your security posture?

Talk to our Jakarta-based team about your requirements.

Jakarta-based team. We reply within one business day.