In an increasingly interconnected global environment, information is exposed to a rapidly growing variety of risks, threats, and vulnerabilities. OMV Petrom invests in information and cybersecurity to protect technology, assets, and critical information as well as to protect our reputation and avoid any damage or monetary loss resulting from unauthorized access to our systems and data. Keeping OMV Petrom free from security gaps and potential security risks is essential for the whole business. The IT and OT Security regulations apply to all the Group’s IT and OT assets and shall be followed by all our employees and contractors.
Specific policies and Commitments
Our internal IT/OT Security Directive lays out the details of the IT/OT Security Framework, through which topic or security domain related security standards and policies are continually aligned and managed. The security framework in total consists of approximately 50 regulatory documents and is harmonized with the ISO 27000-series recommendations for IT controls and domains.
Management and due diligence processes
We run an Information Security Management System (ISMS) which is based on ISO 27000 standard and accordingly certified, with annual external surveillance and re-certification processes applied. One of the basic principles of an ISMS is covering the continuous improvement cycle in order to identify, prevent, mitigate and remediate potential information security leakages or gaps.
Preventive, Technical, Detective and Reactive Measures
We lower the risk of security breaches by introducing new tools, individual detection strategies, and response plans in order to maintain a strong perimeter for our on-premises as well as our cloud environment. Our technical housekeeping measures ensure a solid foundation with up-to-date hardware and software as well as adequate information security processes. The detective and reactive measures are designed and executed on an ongoing basis to create transparency around existing risks, security gaps, and vulnerabilities. To further protect our assets and eliminate intruders, we integrate detective and reactive measures to mitigate possible damage and take remediation measures to ensure a fast and total recovery. Examples of detective and reactive measures include:
- permanent vulnerability scans on cyber assets
- implementing a holistic MFA functionality
- running continuous internal & external penetration tests on critical applications/systems
- external audits as quality insurance (ISO 27K, PCI-DSS, NIS etc.)
Training
We run regular and intensive measures to keep our employees’ information security awareness on a high level. The awareness efforts are either based on general topics of infosec interest, on ad-hoc demands as timely countermeasure on dedicated use-cases or even target-group focused, and set upon different formats such as:
- mandatory e-learnings including knowledge check
- topic based videos
- classroom trainings
- phishing email campaigns
- MyNews shared via intranet and blog postings.
Incident Reporting and Escalation Processes
OMV Petrom operates a continuous 7-day x 24hours security monitoring. Potential findings are processed via a Security Information and Event Management (SIEM) intelligence and enriched by Level 1, Level 2 and Level 3 analysts. Escalation procedures exist to ensure timely remediation of security incidents on a 7×24 basis. Our Cyber Defense Team classifies the incident, triggers the incident response process, and activates all required functions via automatic and manual alerting via voice phone and SMS. All remediation actions are following pre-defined “runbooks” to ensure efficient and timely processing. A clear communication concept ensures the proper information of all relevant stakeholders. Moreover, the Group runs on a yearly basis, and with external expertise as steer, cyber emergency exercises on dedicated realistic threat scenarios in order to verify related mitigation procedures and processes.
We made progress by the introduction, in 2021, of the KnowBe4 platform, a state-of-the-art tool to provide information security awareness and training content on modern and attractive formats, in order to further increase employee awareness. We ran several initiatives to further increase and develop its cyber-attack resilience and reduce the cyber risk exposure, including a holistic InfoSec program consisting of a bunch of targeted projects to implement or enhance technical or procedural measures with focus on infosec capabilities, a continuous program to constantly evaluate the IT maturity level and its progress by external assessments and an intensive set of activities to keep the information security awareness on a high level.
2021 Activities
We did not face any noteworthy incident as defined by the Romanian legislation, which implements the NIS Directive – local Law 362/2018 according to which we have been identified as an essential service operator.
OMV Petrom ran several initiatives to further increase, develop its cyber-attack resilience, and reduce cyber risk exposure, such as:
- a holistic information security program consisting of a series of targeted projects to implement or enhance technical or procedural measures with focus on information security capabilities,
- a continuous program to constantly evaluate the IT maturity level and its progress using external assessments,
- an intensive set of activities to keep information security awareness at an adequate level.
OMV Petrom is dedicated to continuous improvement processes and implementing related measures. Other strategic aims and core endeavors are to further increase the basic IT maturity level, to further extend cyber-defense capabilities and threat resilience beyond the already established high level, while maintaining certification of the comprehensive information security governance structures in place.