Skip to main content

SOC-as-a-Service

Managed SOC for Indonesian oil and gas operators

In short

How Indonesian oil and gas operators run a 24/7 managed SOC across IT and OT with OT-aware detection that meets Perpres 82/2022 incident reporting duties.

Security monitoring

An oil and gas operator does not choose when it gets attacked. A refinery runs overnight, a pipeline moves product around the clock, an offshore platform stays on the network whether anyone is watching or not, and Perpres 82/2022 expects the operator to notice a major incident and report it. A security operations centre is the function that watches for those incidents continuously, across both the corporate IT estate and the OT that runs production. This page is about running that SOC for an oil and gas operator specifically. For how a SOC works in general terms, see our SOC-as-a-Service service page.

Why oil and gas operators need a managed SOC

A single incident can move between corporate IT and OT, and a SOC that only watches one side sees half the picture. The threat profile that reaches an operator shapes what the SOC has to watch for.

OT attacks on DCS and safety systems

TRITON/TRISIS showed that malware can be built specifically to attack a safety instrumented system, and an unauthorized setpoint change on a DCS can push a process outside safe limits. Detection logic for changes to SIS and DCS configuration is a standing SOC use case, even though the systems themselves are never actively probed.

Offshore and pipeline SCADA

Offshore platform control networks reachable over satellite links and pipeline SCADA that watches for leaks are both exposed in ways a corporate network is not. A compromise that manipulates a leak-detection reading or a platform control can run longer before anyone is present to respond, which is exactly why continuous monitoring matters.

Contractor remote access

Drilling, pipeline, and maintenance vendors keep remote access links open for SCADA and DCS maintenance, and those sessions need to be logged and monitored like any other privileged access. Treating them as outside the SOC's scope because the protocol is unfamiliar is how an unmanaged path stays invisible until it is used.

IT/OT boundary blind spots

The historian layer and other reporting connections between OT and corporate IT are a common bridge for an incident to cross from one environment to the other. Ransomware that starts on the IT side can reach OT through a shared connection, and a production shutdown is a materially different outcome than an office outage.

Perpres 82/2022 designates oil and gas infrastructure as critical national infrastructure for the energy sector, with BSSN as the oversight body, and requires operators and designated contractors to report major incidents. Continuous monitoring is one of the more direct ways an operator shows that protection is operating day to day rather than existing only as a policy document. The table below maps the monitoring-related obligations to what the SOC actually does. Governance, the asset register, and the regulatory relationship itself are separate responsibilities the operator keeps.

Regulatory obligationWhere it comes fromHow the managed SOC meets it
Report major incidents affecting critical national infrastructurePerpres 82/2022 (BSSN)Detection and triage feed the incident notification, and the investigation record supports the report to BSSN
Continuous protection of designated critical infrastructurePerpres 82/202224/7 monitoring and correlation across IT and OT telemetry
Security management and incident reporting for electronic systemsPP 71/2019Log collection and an incident record sized to support the reporting duty
Breach notification when personal data is involvedUU PDP (UU 27/2022)Incident record supports the 3x24 hours notification to the data subject and the authority

How we deliver it for operators

Monitoring an OT-heavy environment means collecting from sources an IT-only SOC would never see, and interpreting them with rules built for industrial protocols rather than corporate applications.

SCADA (upstream, pipeline, and plant)Distributed control systems (DCS)Refinery and plant historiansPipeline SCADA and leak-detectionOffshore platform control networksIT/OT boundary and DMZ trafficEndpoints, servers, and cloud workloadsIdentity and privileged access systems

The service runs in continuous phases, and the constraint that shapes all of them is that OT telemetry is collected passively, with no disruption to control systems. Telemetry flows one way out of the OT network through a properly configured DMZ, so the SOC gains visibility without opening a new path into the control network. Analysts triage OT alerts against a playbook built with HSE coordination in mind, since a false positive escalated like a routine IT alert wastes response time an actual safety event cannot afford to lose.

Onboard IT and OT log sources through the DMZ, one way out of the OT networkSet OT-specific baselines for normal SCADA, DCS, and protocol behaviorMonitor and correlate IT and OT telemetry 24/7Triage and contain per playbook, coordinated with site HSE for OT alertsFeed the incident-reporting record and tune detection

The architecture and IEC 62443 alignment work that a SOC's detection logic depends on is a separate exercise, covered on our OT/ICS security assessment for Indonesian oil and gas operators page, since detection is only as good as the picture it has of what the OT estate is supposed to look like. When an incident escalates beyond containment, our incident response service takes over the deeper forensic investigation and recovery, coordinated with the operator's HSE and operations teams throughout.

Perpres 82/2022 puts oil and gas in the same critical-infrastructure category as the country's other strategic sectors, which is the clearest signal that continuous monitoring is treated as a baseline expectation rather than an optional upgrade. Sector-specific figures for detection time or incident frequency in Indonesian oil and gas OT are not backed by a primary source we could verify at the time of writing, so this page leads with what the SOC actually monitors and how, rather than a number that would not hold up to scrutiny.

If your OT estate has never had continuous monitoring at all, that gap is usually the more urgent one to close first, and our team can set out a concrete first step.

References

  1. 1.Republic of Indonesia, Perpres No. 82 Tahun 2022 on Vital Information Infrastructure Protection
  2. 2.Republic of Indonesia, PP No. 71 Tahun 2019 on Electronic System and Transaction Operation
  3. 3.Republic of Indonesia, UU No. 27 Tahun 2022 (UU PDP)

Reviewed by Naren Krishnan, Cybersecurity Manager

Frequently asked questions

Yes, on the detection and evidence side. Perpres 82/2022 designates oil and gas infrastructure as critical national infrastructure for the energy sector and requires operators and designated contractors to report major incidents, with BSSN as the oversight body. A managed SOC provides the round-the-clock monitoring that catches an incident early and the investigation record that describes what happened and when, which is what a report to BSSN has to contain. It does not replace the operator's own governance, asset register, or the relationship it holds with the regulator, which are separate responsibilities.

Related

Ready to strengthen your security posture?

Talk to our Jakarta-based team about your requirements.

Jakarta-based team. We reply within one business day.