Zero Trust Is a Requirement for Connected Oil and Gas Workers

By Larry O'Brien


Keywords: PETRONAS, Xage, Zero Trust, Connected Worker, Secure Remote Access, Digital Transformation, ARC Advisory Group.


ARC was fortunate enough to have leading oil and gas company PETRONAS present its views on some key OT cybersecurity issues at the most recent ARC forum in Orlando. Rahayu Ramli, head of cyber strategy and architecture at PETRONAS, spoke about the digital journey PETRONAS is on and the crucial role that zero trust access management and remote access play in achieving PETRONAS cybersecurity goals. Based in Malaysia, PETRONAS is one of the largest oil and gas companies in the world, with close to 48,000 employees and over $83 billion in revenue. Ramli discussed the oil major’s path to digital transformation, its impact on the company’s cybersecurity strategy, and how it eventually led to the adoption of a zero trust solution to adapt to the increasing number of connected workers and increased use of remote operations.

The PETRONAS presentation reflected many of the concerns that end users in the process industries face today as they adopt digital transformation. Many organizations have discovered that digital transformation requires a complete revamping of their cybersecurity organization, breaking down barriers between the IT and OT domains when it comes to cybersecurity governance and best practices. 

Digitalization also means a larger number of connected workers and a push to remote operations. End users like PETRONAS are discovering that their current implementations for secure remote access no longer meet their needs, and they are instead adopting true zero trust fabrics. In this case study, PETRONAS has decided to implement the Xage Zero Trust Fabric. 

Digitalization Effort Spurs Merger of IT and OT Cybersecurity Domains

As with many oil and gas companies today, PETRONAS is increasingly focused on digitalization. The company is in the middle of a three-phase corporate digitalization effort, which started in 2018 with efforts to define new ways of working and to create a digital organization. In 2023, PETRONAS began phase 2 of its initiative, which focuses on using the digitally enabled enterprise to provide a path to net zero operations, increased resilience, and improved governance. The third phase, scheduled for 2027, will create a fully digital, fully democratized, self-sustainable organization with digital hard coded into the company’s business DNA.

With the adoption of digitalization, PETRONAS found it increasingly difficult to keep traditional boundaries between IT and OT. Traditionally, the IT cybersecurity organization was focused on the traditional CIA triad of confidentiality, integrity, and availability. IT security personnel had to deal with assets that typically had a five-year lifecycle. Most cybersecurity vulnerabilities could be managed centrally, 

On the OT side, the cybersecurity organization was primarily concerned with people, the environment, assets, and reputation (PEAR), followed by the CIA triad. Assets and operating systems had a 10–20-year lifecycle instead of a 5-year lifecycle. On the OT side, cybersecurity vulnerabilities cannot typically be addressed remotely and require some level of physical intervention. Systems can often be isolated, in remote locations, and can often require extensive physical effort to gain access. 

With the adoption of a digitalization strategy, however, PETRONAS has found that cybersecurity must be approached from a more holistic perspective. The boundaries of IT and OT must be dissolved to adopt this holistic perspective. PETRONAS is now looking at cybersecurity through the lens of how it can benefit the business and create a data-driven organization that can enable new ways of working. 

Increasing Focus on Resilience and Being Proactive Leads to New Cybersecurity Organization

For successful digitalization, cybersecurity must become more proactive and focused on building a more resilient enterprise. This means proactively seeking out threats to the organization, knowing where the risks and exposures can be, and protecting the enterprise. Being able to respond and recover if an incident occurs is also essential to this strategy. 

With these two primary strategic objectives in mind – increasing resilience and being increasingly proactive – PETRONAS formed its new unified IT and OT cybersecurity organization. The mandate from PETRONAS to the entire cybersecurity organization within the company is that there is single accountability across all of PETRONAS IT and OT. 


ARC Advisory Group clients can view the complete report at the ARC Client Portal. 
