
OT VAPT for oil and gas operations in Indonesia: a guide for SKK Migas operators

In short

OT security assessments for Indonesian oil and gas operators: wellhead SCADA, refinery DCS, SIS, and vendor remote access. Non-intrusive, HSE-coordinated methodology.

OT/ICS security assessment

The control systems running Indonesia's oil and gas sector cannot tolerate unplanned downtime: wellhead control, pipeline flow, separation at processing facilities, and emergency shutdown all depend on OT networks that were largely designed before industrial cyberattacks became a documented threat category. Upstream contractors under SKK Migas supervision, such as Pertamina EP, Medco Energi, ConocoPhillips, Chevron Pacific Indonesia and Harbour Energy, and midstream operators such as PGN, run infrastructure with varying degrees of IT/OT exposure that few have formally assessed.

TRITON/TRISIS, discovered in 2017, was the first malware built specifically to attack Safety Instrumented Systems; it targeted the Triconex safety controllers of a Middle East petrochemical facility and showed that adversaries will go after the exact systems designed to prevent industrial accidents. Stuxnet, uncovered in 2010, showed that PLC logic could be altered while operators were shown normal process readings. Indonesia's Perpres 82/2022 responded to this reality by classifying energy and mineral resources as one of the critical information infrastructure sectors subject to mandatory protection.

An OT VAPT (Vulnerability Assessment and Penetration Testing for Operational Technology) is the structured way to understand where your exposure lies before someone else finds it.

Why OT networks in oil and gas are different

Corporate IT networks and field OT networks differ in one fundamental way: a failure in OT is not a service disruption, it is a safety and environmental risk. A PLC misreading pressure, an RTU accepting unauthorized commands, or a historian connected directly to the corporate network without a DMZ all create pathways to consequences far beyond a data breach.

Vendor remote access

Cellular modems and VSAT links that OEM vendors maintain for remote SCADA support are frequently unmanaged entry points: they bypass the corporate perimeter, nobody on site sees when a session is opened, and the modem or jump host often still carries its default credentials. Unlogged sessions and default credentials are a combination found regularly in oil and gas environments.

Historian connections to corporate networks

Historian servers that aggregate data from DCS and SCADA systems are often connected to the IT network for reporting. Without a DMZ that terminates the connection on both sides, this link becomes a bridge between two environments that should remain isolated: a compromised reporting client on the IT side is one hop from the control network.

Protocols without authentication

Modbus and DNP3 were designed for reliability on trusted serial links, not for security. Modbus has no authentication at all, and although DNP3 Secure Authentication (IEEE 1815) exists, it is rarely enabled in the field. On an open OT network a write command is accepted from any host that can reach the device. This is the protocol-level condition that makes lateral movement inside an OT segment straightforward.

Scope by operation type

The assessment scope is structured around the type of operation. Upstream and midstream operations carry different architectures and risk profiles.

For upstream operators under Production Sharing Contracts, the scope covers wellhead SCADA, pipeline control systems from wellhead to processing facility, DCS at separation and processing plants, historian servers, and the telecommunications infrastructure connecting field sites to the central control room. Safety Instrumented Systems (ESD/SIS) are reviewed at the configuration and architecture level in accordance with IEC 61511 and are never actively probed.

For midstream operators such as PGN, scope covers gas distribution pipeline SCADA, compressor stations, metering systems, and CNG or LNG terminal control.

Methodology: non-intrusive, authorized, HSE-coordinated

OT assessments cannot use the same approach as IT network penetration testing. A port scan or malformed packet that a server would shrug off can stall an older PLC's network stack or fault its CPU. Our methodology is designed entirely around operational safety.

1. Scoping and authorization
2. Passive discovery
3. Architecture review
4. Configuration analysis
5. Report and remediation

Every phase is authorized by the Offshore Installation Manager (OIM) or plant manager before work begins. Passive discovery uses network traffic observation from a SPAN port or tap without sending packets that could affect field devices. The architecture review evaluates IT/OT segmentation, DMZ presence, and vendor access paths. Configuration analysis checks PLCs and RTUs for default credentials, unnecessary active services, and firmware versions against known CVEs.
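The passive discovery step and the protocol point made earlier (Modbus accepts a write from any host that can reach it) can be shown together in code. The script below is an added example for this page, not code from the page, from any operator named here or from any vendor tool: it decodes captured Modbus/TCP requests, builds an inventory of which hosts talk to which devices, and raises two kinds of finding without ever transmitting a packet. The IP addresses, the OT zone boundary, the approved engineering workstation and the captured frames are all constructed for the example.

```python
"""
Passive triage of captured Modbus/TCP requests for an OT assessment.

Added example; not code from the page or from any vendor tool. Everything
below is constructed: the IP addresses, the zone boundary and the captured
ADUs. Nothing here sends a packet. The same information an attacker gets for
free on the wire is enough to inventory devices and see who may write to them.
"""
import ipaddress
import struct
from collections import defaultdict

# Function codes that change process state. Modbus carries no credential,
# so "who may write" can only be enforced outside the protocol.
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
READ_FUNCTIONS = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
                  0x03: "Read Holding Registers", 0x04: "Read Input Registers"}

# Assumed assessment inputs (constructed): the OT cell's address range and
# the only host that is supposed to issue writes (engineering workstation).
OT_ZONE = ipaddress.ip_network("10.20.1.0/24")
APPROVED_WRITERS = {"10.20.1.20"}


def parse_adu(payload: bytes) -> dict:
    """Decode one Modbus/TCP ADU: MBAP header (7 bytes) followed by the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    Note what is absent: no session token, no credential, no signature. Any
    host that can reach TCP/502 is treated by the device as a valid master.
    """
    if len(payload) < 8:
        raise ValueError("ADU shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match payload size")
    fc, data = payload[7], payload[8:]
    rec = {"tid": tid, "unit": unit, "fc": fc, "write": fc in WRITE_FUNCTIONS}
    if fc in READ_FUNCTIONS:
        rec["addr"], rec["count"] = struct.unpack(">HH", data[:4])
    elif fc in (0x05, 0x06):
        rec["addr"], rec["value"] = struct.unpack(">HH", data[:4])
    elif fc in (0x0F, 0x10):
        rec["addr"], rec["count"], nbytes = struct.unpack(">HHB", data[:5])
        rec["values"] = data[5:5 + nbytes]
    return rec


def triage(capture, ot_zone=OT_ZONE, approved_writers=APPROVED_WRITERS):
    """Build a passive inventory and raise findings from observed requests.

    capture: iterable of (src_ip, dst_ip, adu_bytes) as a SPAN port or tap
    would deliver them after TCP reassembly. Returns (inventory, findings).
    """
    inventory = defaultdict(lambda: {"units": set(), "reads": 0, "writes": 0,
                                     "masters": set()})
    findings = []
    for src, dst, payload in capture:
        rec = parse_adu(payload)
        dev = inventory[dst]
        dev["units"].add(rec["unit"])
        dev["masters"].add(src)
        dev["writes" if rec["write"] else "reads"] += 1
        base = {"src": src, "dst": dst, "unit": rec["unit"], "fc": rec["fc"]}
        if ipaddress.ip_address(src) not in ot_zone:
            # A host outside the OT zone reaching a field device directly is a
            # segmentation / DMZ finding even if it only reads.
            findings.append({"kind": "cross_zone_reach", **base})
        if rec["write"] and src not in approved_writers:
            # A write from anything but the engineering workstation.
            findings.append({"kind": "unapproved_write", **base})
    return dict(inventory), findings


def build_adu(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble an ADU. Used only to construct the sample capture below."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample capture: (source, destination, ADU).
SAMPLE_CAPTURE = [
    # HMI in the OT zone polling the wellhead RTU: read 10 holding registers.
    ("10.20.1.10", "10.20.1.50", build_adu(1, 1, 0x03, struct.pack(">HH", 0, 10))),
    # Engineering workstation writing a setpoint: the approved write source.
    ("10.20.1.20", "10.20.1.50", build_adu(2, 1, 0x06, struct.pack(">HH", 100, 850))),
    # Historian on the IT network reading input registers with no DMZ between.
    ("10.10.5.30", "10.20.1.50", build_adu(3, 1, 0x04, struct.pack(">HH", 0, 4))),
    # Vendor modem address forcing a coil ON: neither in-zone nor approved.
    ("192.168.100.2", "10.20.1.51", build_adu(4, 2, 0x05, struct.pack(">HH", 7, 0xFF00))),
]

if __name__ == "__main__":
    inv, found = triage(SAMPLE_CAPTURE)
    for dst, d in inv.items():
        print(f"{dst}: units={sorted(d['units'])} reads={d['reads']} "
              f"writes={d['writes']} masters={sorted(d['masters'])}")
    for f in found:
        print(f"[{f['kind']}] {f['src']} -> {f['dst']} unit {f['unit']} "
              f"fc 0x{f['fc']:02X}")
```

Run against the constructed capture, the historian's read is reported as a cross-zone reach (the bridge described under historian connections) and the vendor address produces both a cross-zone and an unapproved-write finding. The engineering workstation's write produces nothing, which is the point of the allowlist: the protocol cannot tell the two writes apart, so the assessor has to know which master is supposed to exist before any observed write can be called a finding.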

Finding categories that appear most often

Findings in oil and gas OT assessments consistently fall into the same recurring categories.

- IT/OT segmentation
- Unmanaged vendor access
- Default credentials on PLCs/RTUs
- Unauthenticated protocols
- Outdated firmware
- Physical access (USB, console)
- Absent or inadequate DMZ

Findings are not ranked by CVSS score alone. Each is rated on exploitability from the position the finding was observed in and on its real operational consequence: a default credential on an RTU that drives a wellhead choke outranks a higher-scored web vulnerability on an isolated reporting server, because OT context can shift priorities significantly from what a standard vulnerability score would suggest.

A report your teams can act on

The final report includes an executive summary for management and complete technical findings for your OT and HSE teams. Each finding includes the specific risk context for an oil and gas environment, remediation steps that avoid disrupting operations, and, where applicable, references to Perpres 82/2022 requirements or IEC 62443 controls. Retest engagements are available after remediation to confirm findings have been closed.

Frequently asked questions

Is an OT assessment safe to carry out on a live production facility?

Yes, when carried out with a non-intrusive methodology. We do not send active packets or probes that could trigger unexpected responses in PLCs and RTUs. All work is authorized by the Offshore Installation Manager or plant manager before it begins, and every activity is coordinated with the site HSE team. Safety Instrumented Systems are reviewed at the configuration and architecture level only, never actively tested, in line with IEC 61511.


Ready to strengthen your security posture?

Talk to our Jakarta-based team about your requirements.

Jakarta-based team. We reply within one business day.