Skip to main content

Vulnerability Assessment

Vulnerability assessment for Indonesian oil and gas operators

In short

How Indonesian oil and gas operators run recurring vulnerability assessment across IT and OT with passive, OT-safe scanning that never probes live SCADA or DCS.

Security assessment

Vulnerability assessment for an oil and gas operator is the recurring job of finding weaknesses across both the corporate IT estate and the OT that runs production, before someone else finds them. It is a different thing from a one-off penetration test: a vulnerability assessment runs on a schedule and keeps a running picture of exposure at scale, rather than proving a single exploit path once. This page covers how that assessment works across both sides of an oil and gas estate. For how vulnerability assessment works in general, see our Vulnerability Assessment service page.

Why vulnerability assessment matters here

The corporate IT side of an oil and gas operator looks like most other enterprise IT and tolerates standard scanning. The OT side does not, and it is also where the least-mapped parts of the estate tend to sit.

Unmapped contractor paths and asset discovery

Drilling, pipeline, and maintenance vendors connect through remote access the primary operator often cannot see, and those links rarely show up in a standard IT asset inventory. A recurring assessment that starts with passive discovery is often the first time an operator gets a complete list of what is actually on the OT network.

Fragile OT needing non-intrusive scanning

PLCs and RTUs on wellhead, pipeline, and refinery networks were built for control reliability, not for handling unexpected traffic. An active scan that is routine against a server can cause a controller to fault, with a physical consequence rather than a logged error, which is why the OT side gets passive discovery instead.

Safety and environmental monitoring left unaudited

Safety and environmental monitoring systems often sit under operational engineering rather than IT governance, so they fall outside the normal scanning scope entirely. A tampered or unpatched monitoring system can mask a real condition, which makes its absence from the assessment a gap worth closing deliberately.

The IT/OT boundary

The historian layer and other reporting connections between OT and corporate IT are where a purely IT-focused scan stops short of the most consequential findings. An assessment that treats the boundary as in scope, rather than the edge of the map, is what surfaces the bridge between the two environments.

How a vulnerability assessment compares with a penetration test

Operators often ask which one they need. They answer different questions, and the honest answer is usually both, sequenced so the recurring assessment sets priorities and the pentest goes deep where it counts.

 Vulnerability assessmentPenetration test
CadenceRecurring, on a schedule (IT monthly or continuous, OT quarterly or per maintenance window)Point-in-time, typically annual or before a major change
DepthBroad coverage of known vulnerabilities, missing patches, and weak configurations across the estateDeep, targeted attempt to exploit a defined scope and chain findings together
Disruption riskLow, with passive discovery on the OT side and no active probing of live control systemsHigher, so OT exploitation is constrained and coordinated tightly with operations
OutputA tracked, repeatable list of findings prioritized by exploitability and operational impactA narrative of what an attacker could actually reach, with proof and a free retest

For a fuller treatment of where each one fits and how to sequence them, see our page on vulnerability assessment vs penetration testing.

How we deliver it

The estate gets one assessment programme, but two distinct methods, matched to what each side of the network can tolerate.

Authenticated and unauthenticated scanning of IT servers and endpointsCloud workload and application vulnerability scanningPassive network discovery for OT asset inventoryFirmware version checks against known CVEs for PLCs and RTUs, without active probingContractor and vendor remote access path reviewSafety and environmental monitoring system coverageHistorian and IT/OT boundary configuration review
Inventory IT and OT assets across upstream, midstream, offshore, and downstream sitesScan IT assets on a recurring schedule, actively and safely, including credentialed scans where access allowsRun passive discovery and configuration review on OT assets, scheduled with site teamsAssess each finding for exploitability and operational impact, not CVSS score aloneReport and track remediation across both IT and OT

Scanning on the IT side is tuned to be thorough, using credentialed scans where access allows, because a credentialed scan sees the patch state an unauthenticated one only guesses at. On the OT side the same programme runs passively and in coordination with operations, so the assessment never becomes the reason a control system faults. For the OT/ICS security assessment that goes deeper on architecture and IEC 62443 alignment rather than recurring scanning, see our OT/ICS security assessment for Indonesian oil and gas operators page, and for OT-specific VAPT scope, our OT/ICS VAPT services page.

Perpres 82/2022 designates oil and gas infrastructure as critical national infrastructure for the energy sector, and PP 71/2019 sets security management duties for the electronic systems that support it, both of which point toward a recurring assessment rather than a single snapshot. Sector-specific figures for OT vulnerability counts or remediation timelines in Indonesian oil and gas are not backed by a primary source we could verify at the time of writing, so this page leads with the methodology rather than an invented number.

If large parts of your OT estate have never been assessed at all, even at the passive, non-intrusive level, that is usually the more useful place to start than debating scan frequency.

References

  1. 1.Republic of Indonesia, Perpres No. 82 Tahun 2022 on Vital Information Infrastructure Protection
  2. 2.Republic of Indonesia, PP No. 71 Tahun 2019 on Electronic System and Transaction Operation
  3. 3.ISA, ISA/IEC 62443 Series of Standards for Industrial Automation and Control Systems Security
  4. 4.Republic of Indonesia, UU No. 27 Tahun 2022 (UU PDP)

Reviewed by Karina Kosasih, Offensive Security Lead

Frequently asked questions

A vulnerability assessment is the recurring, broad-coverage layer. It runs on a schedule across IT and OT and flags known vulnerabilities, missing patches, and weak configurations at scale, so you can see how exposure changes over time. A penetration test is a deeper, point-in-time exercise that tries to exploit a defined scope to prove what an attacker could actually reach. For an operator, the vulnerability assessment keeps a running picture of the whole estate, and the pentest goes deep on the parts that matter most. The two answer different questions and are usually run together, not chosen between.

Related

Ready to strengthen your security posture?

Talk to our Jakarta-based team about your requirements.

Jakarta-based team. We reply within one business day.