Chapter I Introduction
I.1 Background
In the last decade, the oil and gas (O&G) industry and information technology (IT) services have experienced rapid digital development 1. The change in business processes from manual to digital (digitization), from digital to automated (Internet of Things), and from automated to systems that add knowledge to IT (data analysis and artificial intelligence) makes digital data and information increasingly vital and expensive 2. These technological advances are used by various industrial sectors to make complex processes more efficient 3, to track sources of loss and inefficiency, and to respond more effectively to disruptions or incidents that arise 4.
Figure I. 1 Cyberthreats continue to increase in type and frequency (Source: McKinsey Analysis 5)
However, these digital developments have also been accompanied by an increase in the number and type of cyber-attacks on systems, which has increased the vulnerability of the IT service infrastructure of companies (and governments), banks, and other prestigious institutions. Due to the development of information and technology, companies in the O&G sector are implementing digital transformation, and this makes the risk to data, information, and IT infrastructure security higher 6. This makes the O&G industry a target of cyberattacks with various motives 7. Given the importance of the oil and gas industry in the global economy and in a country, it is very important for companies (and governments) to formulate policies 8, risk governance 9 and IT infrastructure security to secure data and information, while also considering budget needs and increasing the awareness of technology users.

1 Thomas Hansmann, K. T. (2022, September 1). Harnessing volatility: Technology transformation in oil and gas. Retrieved from McKinsey.com: https://www.mckinsey.com/capabilities/operations/our-insights/harnessing-volatility-technology-transformation-in-oil-and-gas
2 Javaid, S. (2023, January 4). 5 Digital Technologies Transforming the Oil & Gas Sector in ’23. Retrieved from research.aimultiple.com: https://research.aimultiple.com/digital-transformation-oil-and-gas/
3 IBM. (2019). IBM solutions for energy transition in Oil, Gas and Chemical industries. Retrieved from ibm.com.
4 Digiteum. (2021, May 10). IoT Revolution. Retrieved from Digiteum: https://www.digiteum.com/iot-oil-gas-industry/
5 Jim Boehm, C. L. (2022, March 10). Cybersecurity trends: Looking over the horizon. Retrieved from mckinsey.com: https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity/cybersecurity-trends-looking-over-the-horizon#/
Digital collection of UPT Perpustakaan ITB for educational and research purposes
The increase in cyber threats, in both type and number, requires vigilance and the ability of the Company (especially in oil and gas) to deal with emerging threats. This drives the need for cyber resilience and strengthening of cyber security risk management. Moreover, cyber threats to oil and gas companies greatly affect the company's image, company operations, and the costs incurred when IT system leaks lead to the theft of oil and gas related data.
As a national company engaged in the oil and gas sector with extensive and diverse fields, PT PHE (Pertamina Hulu Energi) Top Management encourages the implementation of effective and comprehensive cybersecurity risk management. The Company is also required to be able to identify, detect, respond to, and overcome potential cyber threats as an implementation of this risk management. PT PHE, a subsidiary of Pertamina (Persero), underwent considerable organizational change in 2021 and is currently the Subholding Upstream, which oversees various oil and gas subsidiaries. As a result, all policies and procedures (especially for cybersecurity) require updating and a more structured and applicable risk management strategy.
Based on the survey results in the AXA Future Risk Report 2023 10, Cyber Security Risk is included in the top 5 (five) risks that will be faced globally across business sectors, alongside risks from the development of Artificial Intelligence and Big Data and risks in the energy sector. The survey was conducted from May 10 to June 16, 2023, involving 3226 experts covering 50 countries in Europe, Asia-Pacific, the Americas, and Africa.

6 Aon Empower Results. (2019). 2019 Cyber Security Risk Report.
7 IEF International Energy Forum. (2022, August 25). Energy is the Top Target for Cyberattacks. How Can the Sector Respond? Retrieved from IEF International Energy Forum: https://www.ief.org/news/energy-is-the-top-target-for-cyberattacks-how-can-the-sector-respond.
8 Rob S. (2021, August 17). What is a cybersecurity policy and why do you need one? Retrieved from CyberSmart: https://cybersmart.co.uk/blog/what-is-a-cybersecurity-policy-and-why-do-you-need-one/
9 IMPORTANCE OF RISK MANAGEMENT IN CYBER SECURITY. (2020, January). Retrieved from GLOBAL RISK MANAGEMENT INSTITUTE: https://grm.institute/blog/importance-of-risk-management-in-cyber-security/
10 Éric Avenel, C. B. (2023). Future Risks Report 2023 10th Edition. Retrieved from axa.com: https://www-axa-com.cdn.axa-contento-118412.eu/www-axa-com/464f15a8-2d73-4d53-adeb-32ae9796a419_AXA_Future+Risks_Report_2023_English.pdf
Figure I. 2 Expert Risk Ranking (Source: AXA Future Risk Report 2023)
I.2 Company Profile
I.2.1 Business Profile
Based on the Decree of the Minister of SOEs dated June 12, 2020, Pertamina Holding
carries out portfolio management activities and business synergies throughout the
Pertamina Group, accelerates new business development, and runs national programs. To
carry out these oil and gas activities, since 2020 Pertamina has carried out a governance
transformation by forming several Subholdings. In carrying out upstream activities which
include exploration, exploitation and production for oil and gas, Pertamina Holding formed
Subholding Upstream.
[Figure I. 3 is an organization chart. Boxes recovered from the figure: Pertamina Holding at the top; Subholdings: Upstream (Pertamina Hulu Energi), Refining & Petrochemical (Pertamina Kilang International), Commercial & Trading (Pertamina Patra Niaga), Power & NRE (Pertamina Power Indonesia), Gas (Pertamina Gas Negara), Integrated Marine Logistic (Pertamina International Shipping); and Services/Portfolio Subsidiaries.]
Figure I. 3 Pertamina’s Subholding Organization
PT Pertamina Hulu Energi, a subsidiary of Pertamina Holding with the task of managing the portfolio and operations of upstream activities, was appointed as Subholding Upstream in April 2021. The establishment of the Subholding Upstream also incorporates all Pertamina subsidiaries engaged in upstream oil and gas into one Subholding Upstream organization.
On September 1, 2021, based on the Shareholders' Decision, PT PHE took over all shares
of 8 (eight) Subsidiaries of PT Pertamina Holding such as PT Pertamina Hulu Rokan, PT
Pertamina EP, PT Pertamina Hulu Indonesia, PT Pertamina EP Cepu, PT Pertamina EP
Cepu ADK, PT Pertamina International EP, PT Pertamina East Natuna, PT Pertamina
Drilling Services Indonesia and Pertamina E&P Libya Ltd. In addition, PT PHE also
received a transfer of shares for PT Elnusa Tbk, whose shares were previously owned by
PT Pertamina Holding. On October 1, 2021, PT PHE also took over the shares owned by
PT Pertamina Holding in PT Badak NGL.
[Figure I. 4 is an organization chart. Boxes recovered from the figure, left to right as laid out: Subholding Upstream (Pertamina Hulu Energi) at the top; directly under it PT Pertamina Drilling Services Indonesia, PT Elnusa Tbk and PT Badak NGL; and five Regions: Region 1, PT Pertamina Hulu Rokan (all Pertamina Holding upstream subsidiaries in the Sumatera area); Region 2, PT Pertamina EP (all Pertamina Holding upstream subsidiaries in the Java area); Region 3, PT Pertamina Hulu Indonesia (all Pertamina Holding upstream subsidiaries in the Kalimantan area); Region 4, PT Pertamina EP Cepu (all Pertamina Holding upstream subsidiaries in the East Indonesia area); Region 5, PT Pertamina International EP (all overseas Pertamina Holding upstream subsidiaries: Iraq, Algeria, Malaysia, etc.).]
Figure I. 4 Subholding Upstream Group Organization
Considering the aspects of production volume, regional and operational complexity, PT
PHE manages the Working Area which is divided into 5 (five) Regions. As of the end of
2021, PT PHE has 68 (sixty-eight) subsidiaries and 6 (six) joint venture companies. The
working areas include domestic and international working areas. For domestic working
areas, PT PHE manages 40 (forty) Working Areas consisting of 27 (twenty-seven) operator
blocks and 13 (thirteen) non-Operator blocks. For international working areas, PT PHE
manages 27 (twenty-seven) working areas located in 13 (thirteen) countries covering
Southeast Asia, Africa, Europe, and the Middle East.
I.2.2 Vision
To become a world-class oil and gas company.
I.2.3 Mission
To manage operations and business portfolios in the oil and gas sector in a professional
and highly sustainable manner that provides added value to stakeholders.
I.2.4 Organization Structure
In carrying out the company's mission, in 2021 PT PHE as the holder of the Subholding
Upstream role made organizational changes which can be seen in the following figure.
Until January 2023, there were several organizational changes within PT PHE.
[Figure I. 5 is an organization chart. Boxes recovered from the figure: CEO/Managing Director; Strategic Planning & Business Development Director; VP Upstream Innovation; Exploration Director; Development and Production Director; Corporate Secretary; VP Legal Counsel; Chief Audit Executive; Finance Director; Human Capital & Business Support Director; VP HSSE; VP Human Capital; VP Information Technology; VP Supply Chain Management; VP Policy & Risk Management; VP Controller; VP Financing & Treasury; Sr. Man Tax; VP Subsurface Development & Resources Evaluation; VP Drilling & Well Intervention; VP Production & Project; VP D&P Technical Excellence & Coord.; VP Existing Assets; VP New Venture; VP Exploration Technical Excellence & Coord.; VP Upstream Business Planning & Portfolio Management; VP Upstream Business Development; VP Commercial & Monetization; Regional 1 – 5 Directorate.]
Figure I. 5 The brief organization structure of PT PHE as Subholding Upstream Group (update Jan 2023).
Each Region is led by a director who reports directly to the CEO of PT PHE. At the
Regional level, the organization is divided into several Zones. Each Zone is further divided
into several working areas (fields) that directly manage oil and gas fields in remote areas.
The establishment of the organization was also followed by a division of roles between Subholding Upstream, Regional and Zone. PT PHE as Subholding Upstream plays a role in strategic planning, policy management and standardization, and aggregation of demand and supply, and acts as a supervisory board. The Regional level acts as integrator, support, optimizer and assurer of operational excellence in the Zones under it. Zones act as implementers of operational excellence.
Figure I. 6 Organization of IT Department
Regarding the supervision and management of data and information security, the IT Department is appointed as the holder of responsibility for risk management of data security and the infrastructure that supports it. The IT Department in the Subholding Upstream Group Organization is spread across 4 levels of organizational structure: the Head Office of PT PHE, Regional Head Offices, Zone Head Offices and Field Offices, most of which are in remote areas.
I.2.5 Business Process
In general, the Subholding Upstream Group business processes refer to APQC (American
Productivity & Quality Centre) with various adjustments that have been managed by
specific departments.
Figure I. 7 Business Process Subholding Upstream Group (Source Internal)
I.3 Business Issue
The oil and gas industry is currently facing challenges in the use of renewable energy, where renewable energy alternatives become a new business that needs to be run by Pertamina Group. However, in running the existing business, Pertamina Group must also be able to run the Carbon Capture program or start to commercialise it. In facing these challenges, various digital transformations are needed to support various business processes. Data/information related to upstream activities is a target of cyber threats, so to secure this data/information, the Pertamina Subholding Upstream Group (organisational change in 2021) requires improved cyber risk management so that Cyber Resilience is realised.
I.3.1 General Issue
Pertamina's 2025-2029 Long Term Plan focuses on driving Dual Growth, namely
strengthening the legacy business and Building Low Carbon Business. In this regard,
Subholding Upstream Group is boosting production and reserves and scaling up CCUS
and starting to commercialise CCS. This is coupled with the implementation of ESG. In
the implementation of ESG, Subholding Upstream Group also focuses on the Cyber
Security domain. Within the domain, cyber risk management has become a target for the BOD to achieve. This is related to several cyber-attacks that have occurred recently, as a result of which cyber resilience and data/information security have become more important, especially in supporting the company's long-term plans. The appendix 11 lists cyber-attacks or threats that have occurred in the Subholding Upstream Group.
Cyber threats that occur in Pertamina Group have a concerning impact: in addition to threatening the cessation of company operations (which depend on data/information exchange) and impacting the company's image, they are also a concern of several government agencies, especially as the company is a vital state object. Some Subholding Upstream stakeholders related to data/information security and services are as follows; the appendix 12 lists stakeholders and their roles related to cyber risk management. Overall, regulations issued by government agencies (external stakeholders) must be met by the Subholding Upstream through cyber risk management and information technology in supporting the company's business.
From these stakeholder identifications, in improving the ability to secure data/information and cyber resilience, the researchers use further analysis to provide recommendations for managing information technology risks, measuring the level of readiness, and analysing appropriate controls for dealing with cyber-attacks that have occurred, especially in the oil and gas industry, both in various parts of the world and within Pertamina Group.

11 Appendix 2a
12 Appendix 1a
I.3.2 Business Issues Identification
Cybersecurity risk is a combination of the possibility of incidents in the realm of assets and information, or technology and communication resources, and the impact of these incidents on an organization 13. Sources of cybersecurity risk can be internal (people, process, technology) or external to an organization. From the people side, the source of cybersecurity risk is the inability of human resources to carry out tasks related to securing assets and information, or a lack of security awareness. From the process side, it includes the design and implementation of business processes that can cause cyber risks for the Company: the absence of secure channels for data transmission, security audits that are not carried out regularly, lack of control over operational activities in securing data transactions, and various other things. From the system/technology side, the weakness of an organization's information technology and infrastructure is a source of cyber risk; the lack of security testing, control, and monitoring of threats and vulnerabilities, as well as the unavailability of the security system itself (hardware and software), increases the potential for cyber threats. External factors also increase the risk of cyber threats to people, processes, and technology, in the form of workers' lack of security awareness and the growing tactics and sophistication of cyber attackers.
Pertamina Subholding Upstream Group implements and updates information security
policies. However, in implementing the policy, the Company still faces cyberattacks that
have the potential to disrupt the Company's operations. The Information Technology
function in responding to these cyberattacks can always overcome them so that they do
not have a major impact on the Company's operations. The information security challenges faced naturally become the focus in determining cyber security risks. Among others, operationally, upstream activities take place every day, while the IT operational workers who work outside working hours are still limited. Malware attacks are increasingly organized and massive, for example the ransomware attacks that occurred in 2022; in that year more than 20,000 attacks per day were recorded at PT PHE. In 2017 the Pertamina Group experienced a WannaCry attack, and in 2020 a Hive ransomware attack. In addition, a problem in identifying cyber-attacks is that attacks that use generic software/tools are not detected. Another challenge, given the development of technology and the digitalization program that is spreading rapidly in the Pertamina Subholding Upstream Group, is that in the face of increasing variants and numbers of attacks it is necessary to design and configure a more secure IT Service system. The current design and configuration of IT Service infrastructure security may not last for the next 5 (five) years.

13 Board, T. F. (2018, November 12). Cyber Lexicon. Retrieved from fsb.org: https://www.fsb.org/wp-content/uploads/P121118-1.pdf
In general, based on the Regulation of the Minister of Defence of the Republic of Indonesia (82/2014), cyber threats comprise hardware threats, software threats and data/information threats. Threats to hardware take the form of installing certain equipment in an IT Service system that can disrupt the system, such as jamming and network intrusion. Threats to software take the form of the entry of certain software (malware) that serves to carry out theft, destruction or manipulation of data on a system. Threats to data take the form of spreading certain data/information for particular interests, such as propaganda in information warfare. Losses arising from these threats can have direct impacts, such as loss of assets, or indirect impacts, such as disruption of Company operations. Given the various threats and impacts caused by cyber-attacks, it is necessary to implement risk management to reduce the threat of cyber risk 14. Cyber resilience is defined as the Company's ability to continue operating by anticipating and adapting to cyber threats 15.
Pertamina Subholding Upstream, in implementing cybersecurity risk management, must pay attention to identifying cybersecurity inherent risks. These inherent risks consider at least 5 (five) aspects: technology, distribution channels, products and activities, organizational character, and track record of cyber threats 16.
Technology Aspect
Subholding Upstream manages working areas from domestic to overseas. In terms of infrastructure design, Subholding Upstream therefore applies segregation to the infrastructure design, namely based on the status of the Company entity, field status (production or exploration), concentration of worker population, and required services, all in accordance with applicable regulations. Subholding Upstream also applies modular infrastructure design for working areas whose entity status will be terminated soon, or whose sharing contracts are in non-operational working areas (in mergers and acquisitions).

14 Indonesia, T. (2022, May 9). Kejahatan Siber Terus Meningkat, ICAEW: Pentingnya Mitigasi Resiko bagi Dunia Usaha. Retrieved from trendtech.id: https://trendtech.id/kejahatan-siber-terus-meningkat-icaew-pentingnya-mitigasi-resiko-bagi-dunia-usaha/
15 Board, T. F. (2018, November 12). Cyber Lexicon. Retrieved from fsb.org: https://www.fsb.org/wp-content/uploads/P121118-1.pdf
16 FFIEC. (2015, June). FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors. Retrieved from ffiec.gov: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_CEO_Board_Overview_June_2015_PDF1.pdf
Aspects of Products, Activities and Distribution Channels
Upstream oil and gas activities consist of exploration, production and lifting 17. They start with exploration activities, in the form of searching for oil by obtaining a cooperation contract with the government and conducting geological and geophysical surveys. Production activities are the process of lifting oil and gas to the surface of the earth, and end with the lifting process in the form of delivery of oil and gas from producers to buyers. In this lifting process, the calculation is carried out transparently by the Regulator (SKK Migas). In the implementation of IT Services for upstream activities in the Subholding Upstream Group, the infrastructure network design for production-status fields and lifting needs covers services from the Gathering Station and Gathering Center to the handover point, the station where crude oil and natural gas are delivered directly to consumers. In exploration activities, IT services are used mainly as communication media needed in remote areas, such as VSAT, radio, GSM signal boosters, storage media and so on. Basically, IT services for these upstream activities are closed, in contrast to IT Services for banking or e-commerce, which are also open, providing infrastructure for consumers or the public in addition to internal infrastructure. In infrastructure design, IT Services tend to be used mostly to support operational needs within the Company. However, upstream activities remain exposed to cyber threats, so data transaction security needs to be carried out all the way to the production field. With organizational changes in all Pertamina Upstream Subsidiaries, it is necessary to assess the cybersecurity risk management process in the Subholding Upstream Group.
Aspects of Organizational Character
Organizationally, the Subholding Upstream Group is divided into several Regions. Each Region is divided into Zones, and each Zone is divided into PSCs. Each PSC is divided into several field offices. Each field has several Central Gathering Station offices, each of which is the center of several Gathering Station offices, and each Gathering Station office is the distribution center of several production wells. Workers are distributed from the head office down to the gathering station offices. The overall worker population is centered at the Regional Headquarters and Subholding Upstream, and decreases from Zone Offices down to Gathering Station offices. Since the Subholding Upstream Group consists of several legal entities with different PSC status, the contractual and outsourcing mechanism for IT Services has its own challenges, because IT Services require integrity of IT systems, monitoring, evaluation, and control between one PSC and another under the Subholding Upstream.

17 Kumparan. (2023, July 20). Mengenal Industri Hulu Migas dan Tahapan Kegiatannya dari Awal hingga Akhir. Retrieved from kumparan.com: https://kumparan.com/berita-bisnis/mengenal-industri-hulu-migas-dan-tahapan-kegiatannya-dari-awal-hingga-akhir-20pOEJber4U/full
Cyber Threat Track Record Aspect
The increasing volume and types of cyber-attacks on upstream oil and gas activities pose
a major threat to the Company. Subholding Upstream Group, which was initially formed
in 2021, implemented digital transformation for several business processes, so that the
resulting digital transactions require cyber security. The data generated and processed in
these digital transactions makes securing data and its distribution channels increasingly
risky. IT services to support the business processes of upstream oil and gas activities are
becoming increasingly vital and the target of cyber-attacks. In securing data and data
transactions, it is necessary to study the track record of cyber threats not only within
Pertamina Group but also oil and gas activities in companies around the world.
I.3.2.1 IT Business Risk and Information Security Risk Problem
The implementation of risk management refers to the Regulation of the Minister of State-Owned Enterprises Number PER-01/MBU/2011 dated August 01, 2011, concerning the Implementation of Good Corporate Governance in State-Owned Enterprises, specifically article 25 concerning Risk Management. The types of risks managed 18 refer to the Risk Intelligence Map (RIM) in the form of Governance-Compliance-Legal, Business Strategy, Financial Management, Operations, Business Environment and Corporate Image. Of these types of risks, information security management is included in governance-compliance-legal, operational, and corporate image risks. From 2021 to 2024, the risk of cyberattack events, apart from being included in the top risks of the IT Function, was also included in the top enterprise risks of the Subholding Upstream. This is also associated with the many cyber-attacks that have occurred in the Pertamina Group, which are quite disruptive to the Company's operations and image even though the relevant parties within the Company can carry out countermeasures, prevention, and repairs.

18 Consulting, P. P. (n.d.). Pokok-pokok Kebijakan Manajemen Risiko PT. Pertamina Training & Consulting. Retrieved from pertamina-ptc.com: https://www.pertamina-ptc.com/assets/pdf/Pokok-Pokok-Kebijakan-Manajemen-Risiko-PTC-1.pdf#:~:text=Sebagai%20upaya%20dalam%20menerapkan%20pengelolaan%20risiko%20yang%20baik,Terstuktur%20dan%20Menyeluruh%20Disesuaikan%20Dengan%20Kebutuhan%20Pengguna%20Inklu
Digital transformation intensified by the Subholding Upstream also makes cyber threats more serious because of the increasing amount of data traffic in operational activities. A report from Deloitte in 2022 19 explained that the cyber risk issue increased in the renewable energy industry. This is also triggered by the amount of digitization and remote control of devices in the exploration, production, and lifting processes in critical IT Service infrastructure. Dealing with cyber risk therefore requires additional teams and more reliable cyber risk management. This is a challenge at Pertamina Group, where climate change is included in the Risk Intelligence Map (RIM) 20. Problems arise because IT Business Risk management in each region does not have the same level of risk management maturity. This makes the risk treatment plans that are implemented inconsistent with the Enterprise Risk that has been determined for the entire Subholding Upstream Group. So, it is necessary to assess and enforce the implementation of IT Business risk management from Subholding Upstream to Regional.
IT Business Risk covers business risk management aimed at all risks that arise and are
related to the implementation of the IT Department Strategy in the KPI Objective, based
on the business processes carried out by the IT Department. In contrast to Information
Security Risk, which includes risk management aimed specifically at information security
based on business processes specifically related to information security. The following is
a snapshot of the difference between IT Business Risk and Information Security Risk
implemented in the Subholding Upstream Group.
Table I. 1 Difference between IT Business Risk and Information Security Risk

| Risk | IT Business Risk | Information Security Risk |
| IT Department Strategy in KPI Objective | All IT Department Strategy risks. | IT Department Strategy for information security. |
| Business Process | All risks in the Business Process. | Risks from business processes that are only related to information security. |
| Reference | ISO 31000:2018 | ISO 27005:2022 |
| Impact category | Governance-Compliance-Legal, Business Strategy, Financial Management, Operational, Business Environment and Corporate Image. | Confidentiality, Integrity, Availability |

19 Schlaak, M. M. (2022, September 9). 2023 renewable energy industry outlook. Retrieved from deloitte.com: https://www.deloitte.com/an/en/Industries/power-utilities-renewables/analysis/renewable-energy-industry-outlook.html
20 Persero, P. P. (n.d.). Climate Change Strategies. Retrieved from pertamina.com: https://www.pertamina.com/en/climate-change-strategies
From the table above, it can be concluded that Information Security Risk is part of IT
Business Risk, but its management refers to different standards, and is specifically related
to information security.
The problem that arises is that in 2021 the Subholding Upstream had no specific guidelines or guidance for managing information security risks. In 2022, information security risk management guidelines were issued. However, until 2023 information security risk management in each region had not been implemented properly, and the Information Security Risk Register is held only by the Subholding Upstream.
I.3.2.2 Cyber-attacks Trends in Oil and Gas Industry
In implementing cybersecurity risk management, one of the 5 (five) aspects of inherent risk identification is to consider the track record of cyber threats. The quantity and type of cyber-attacks, whether attempted or successful, will affect the inherent risk exposure of the Company. Based on information from statista.com 21, in 2022 the energy industry ranked fourth worldwide in cyberattacks. As explained earlier, Subholding Upstream is often the target of cyber-attacks, which means that an appropriate risk management mechanism is needed in response to the type of attack, so that the appropriate technical mechanism for countermeasures can be determined.

21 Petrosyan, A. (2023, September 19). Distribution of cyber-attacks across worldwide industries in 2022. Retrieved from statista.com: https://www.statista.com/statistics/1315805/cyber-attacks-top-industries-worldwide/
Figure I. 8 Distribution of cyber-attacks across worldwide industries in 2022 (source: statista.com)
The types of cyberattacks and their countermeasures are not only a knowledge base in
cyber defence, but also a historical reference for determining infrastructure design and
updating cyber security support devices.
Figure I. 9 Cyber vulnerability/severity matrix by upstream operations (source: deloitte.com)
Of the various activities in the upstream oil and gas industry, a survey from Deloitte 22 shows production activities, development drilling and exploratory & appraisal drilling to be the top processes targeted by cyber-attacks worldwide. These three upstream operational activities are the dominant ones carried out in the Subholding Upstream. Thus, a more in-depth analysis is needed to study the trend of cyber-attacks that occur throughout the world, especially in the upstream oil and gas industry.
I.3.2.3 Procurement Strategy
Initially, each Pertamina subsidiary engaged in the upstream sector was a separate, stand-alone entity with its own rules for the procurement mechanism.
Figure I. 10 Procurement Mechanism Problem. The figure maps the number of PSC types in one organization (PSC Gross Split, PSC Cost Recovery, Non-PSC) and the Holding and Subholding tender mechanisms to five problem areas:
1. Compliance: each PSC status has a different tender mechanism.
2. Financial: price reasonableness across multiple contracts for the same IT service; non-cost-recovery issue if the PSC Cost Recovery rules are not followed.
3. Operational: systems can be integrated for the entire Upstream Group.
4. Timing: routing reviews and approvals for each entity can take a long time.
5. Fairness: selection of a more competitive tender mechanism and brand for parties outside the Pertamina Group.
For the same IT Services, working areas with the same PSC status often use a joint contract mechanism to obtain a more efficient price, a more coordinated IT Service operation (because the same vendor is used for the duration of the contract), and a more consolidated procurement volume (fewer but more comprehensive contracts). Besides the time the procurement process takes, budget requirements become larger because of the number of contracts for similar work with differing price reasonableness. In addition, the IT workforce at the Subholding Upstream, Regional, Zone and Field levels is limited, which requires a more consolidated contract mechanism at the PT PHE and Regional levels. The legal entities of the Subholding Upstream Group are listed in the appendix23.
22 Mittal, A., et al. (2017, June 26). Protecting the connected barrels: Cybersecurity for upstream oil and gas. Retrieved from deloitte.com: https://www2.deloitte.com/us/en/insights/industry/oil-and-gas/cybersecurity-in-oil-and-gas-upstream-sector.html
23 Appendix 1b
Furthermore, differences in the contracts for organizing the same IT Services in a Region or Zone result in IT systems that cannot be integrated with each other. For example, in securing data networks, the Cost Recovery PSC area uses Brand A while the Gross Split PSC uses Brand B, in line with the results of their respective procurement processes. Brand A and Brand B cannot be fully integrated, which either doubles the burden of managing IT Services or prevents integration altogether. Given the very limited number of IT staff positions in each production field, the integration of IT systems and the management of the available services (realized through the procurement mechanism) must be consolidated more simply.
The time factor is also a consideration. IT services are expected to run at all times to support data transactions from the production field to the head office (across many kinds of services). In organizing these IT services, similar PSCs must use a joint contract mechanism to obtain a more integrated IT system and managed service, a reasonable and comprehensive price for the PSCs involved, and the right timing in organizing the IT Service. The obstacle is that each PSC/Zone/Regional with the same status has its own Procurement, Legal, Finance and Management functions. The approval and routing of contract documents has become longer than before the formation (organizational change) of the Subholding Upstream. Because of this time-consuming process, the previous IT Services contract is expected to be extended or amended so that the replacement IT Services in the new contract are properly organized. Extending the previous contract risks non-compliance, because the IT Service prices used no longer match the prices at the time the new contract is finalized. For certain IT Services such as internet, radio, servers and others, prices tend to fall due to competition among IT Service providers, increasingly competitive hardware/licence prices, and a growing number of IT Service alternatives (such as public cloud services, on-premises cloud, or other dedicated services).
Another issue is fairness. In planning the IT services to be provided through an outsourcing mechanism, before the procurement mechanism (Open Procurement, Direct Selection, or Direct Agreement) is selected, the Pertamina Group naturally has its own policies. Drilling procurement is an example: Pertamina has a subsidiary that specializes in the drilling business, and to manage the Company's cash flow it applies a policy that drilling activities at Upstream Subsidiaries use drilling services from that subsidiary. The same applies to IT Services. As the Holding, Pertamina manages certain IT services that are fully integrated and used by all subsidiaries under it (Upstream, Midstream, Downstream). Pertamina's subsidiaries also have business lines related to Information Technology. As with managing the Company's cash flow, the Subholding Upstream Group as an entity can apply internal policies/guidelines requiring the use of IT Services from the appropriate Pertamina subsidiaries. For Non-PSC and Gross Split PSC subsidiaries, this internal Pertamina Group policy can be implemented legally under the A7-001 Procurement Guideline, using a cooperation contract without going through a procurement mechanism. For PSC Cost Recovery, however, the PTK 007 Procurement Guideline requires a procurement mechanism. In addition, this is very unfavourable for providers/vendors outside the Pertamina Group, who do not get the opportunity to participate in or win the procurement for their services. In the social aspect, fairness is often an issue in terms of business competition, which affects the Company's image, even though an internal Pertamina Group policy already exists that can legally be complied with.
Based on the procurement mechanism problems described above, the researcher looked for several alternatives to choose the right procurement mechanism and reduce the risks faced in the aspects of compliance, finance, timing, fairness, and operational burden.
I.4 Research Question
As digital transformation continues and the risk of cyber threats expands, the basic research questions to support cyber resilience are as follows:
1. What needs to be improved in cyber security tools to avoid the losses arising from cyber security events that have occurred around the world, especially in the oil and gas sector?
2. What needs to be implemented in managing IT Business Risk and Information Security
Risk in Subholding Upstream?
3. What is the recommendation for an appropriate procurement mechanism for the
procurement of SOC (Security Operation Centre) services to be implemented in all
Upstream Entities with various procurement regulations, economics and timelines and
various scenarios that could potentially arise in the Subholding Upstream Group?
I.5 Research Objectives
The study and research objectives for this issue are as follows:
1. To improve the reliability of the IT infrastructure spread across the Subholding Upstream Group by identifying the volume and types of cyber-attacks occurring in the upstream oil and gas industry and their countermeasures.
2. To improve the implementation of cyber risk management in managing IT business
Risk and Information Security Risk in the Subholding Upstream Group.
3. To identify appropriate and applicable procurement mechanism solutions based on the compliance, financial, timing, operational and fairness aspects.
Ultimately, all these objectives support the implementation of cyber resilience in the Subholding Upstream Group.
I.6 Research Scopes and Limitation
Scopes:
1. This research focuses on determining information security controls, identifying gaps in the fulfilment of the capability level of IT Business Risk, identifying gaps in compliance with ISMS implementation and IS Risk, and finding the best alternative for the Security Operation Center (SOC) procurement strategy, covering almost the entire Subholding Upstream Group.
2. Problem identification, the stakeholders involved, the risk management assessment and the ISMS are determined together with the related PICs using the applicable international and national standards.
3. Cyber-attacks/threats are mapped to tactics and techniques based on references obtained from security incident database websites, security provider reports, organizational reports, journals, books, and company reports. Tactics and techniques are mapped to cyber security controls using documents issued by NIST as the basic reference.
4. The procurement guidelines are those used by the Cost Recovery PSC, Gross Split PSC and Non-PSC.
Limitations:
1. Cyber threat trends only include cyber threat events/potentials that occurred within Pertamina and valid information on events throughout the oil and gas industry from 1982 until 2022 (60 records). Cyber events/threats in 2023 are not included, because official information from the researchers or publications of the related parties was still limited. In this research, the author collected data on cyber-attacks/threats from internal sources and from published documents/articles.
2. IT Business Risk management implemented in Subholding Upstream is monitored and evaluated annually. This research uses the 2023 Risk Register defined in 2022 by Subholding Upstream, Regional 1, Regional 2, Regional 3, Regional 4, Regional 5 and the PSC Rokan Working Area; because the Subholding organization changed in April 2021, the risk management for 2022 could not be used as a reference. The IT Business Risk evaluated only covers risk management at the Subholding Upstream and Regional levels, because the Zone and Field levels are not required to compile a risk register.
3. Information Security Risk management only covers Subholding Upstream, since it has not yet been carried out in the Regional and PSC Rokan Working Area and cannot be used as a research reference.
4. Enterprise Risk is managed by a specialized department using the ISO 31000:2018 approach. That standard is used as the audit reference for managing the risks of all departments based on the strategies and objectives set by the company. In this study, IT Business Risk does not use that standard, because IT Business Risk management is specific to the IT Department. As it develops, a maturity level is needed in risk management, so the IT governance framework approach is used.
5. The IT Business Process data used as a reference is the Business Process of 2022, after the Subholding Upstream Group was formed in April 2021. In 2023 the business process had not been officially updated.
6. In selecting the procurement mechanism, the researcher uses the procurement regulations that apply to each company entity. This procurement mechanism is not only intended for the Security Operation Center (SOC) program but can also serve as a reference for other IT services covering multiple entities. The SOC service itself is expected to start running in stages in 2024 in the Subholding Upstream Group.
7. At the procurement strategy research stage, the aspects and the weight of each aspect are obtained from internal interviews with the IT Department, because the preparation of the procurement strategy has the potential for a Conflict of Interest (CoI).
8. This research is limited in its financial calculations of the impact or costs required to implement risk management, due to the confidentiality of the company's data and information.
The structure of this research is as follows:
Chapter 1 explains the background, company profile and business issues in general. In this chapter the research question, objectives, scope and limitations are determined.
Chapter 2 explains the references, analysis methods and basic theories used. This
chapter also explains the conceptual framework and various literature to answer the
research questions.
Chapter 3 describes the research method consisting of the research flow (design), data
collection methods, and methods of analysing the results found.
Chapter 4 explains the various analysis processes in this research. This chapter also
explains the implementation plan for the results of the analysis.
Chapter 5 presents the conclusions and recommendations of this research. This chapter
also describes potential research on the same topic.