Why is this important?
An increasingly interconnected global environment exposes information to a wide range of risks, threats, and vulnerabilities. OMV Petrom invests in information and cybersecurity to protect technology, assets, and critical information as well as to maintain our reputation and avoid any damage or monetary loss resulting from unauthorized access to our systems and data. Keeping OMV Petrom free from security gaps and potential security risks is essential for the whole business.
Our commitment
Our internal IT ⓘInformation Technology (IT) is a set of cybersecurity strategies that prevents unauthorized access to organizational assets, such as computers, networks, and data. It maintains the integrity and confidentiality of sensitive information, blocking the access of sophisticated hackers./OT ⓘOT Security is defined as Operational Technology (OT) hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes, and events in the enterprise. OT is common in Industrial Control Systems (ICS), such as a SCADA system. Security Directive details the IT/OT Security Framework, which aligns and manages topic- or domain-related security standards and policies. Approximately 50 regulatory documents are included in the Security Framework, which is aligned with ISO 27000-series recommendations for IT controls and domains. OMV Petrom is committed to securing its services operating in dedicated areas, including filling stations, as well as meeting PCI-DSS ⓘPayment Card Industry – Data Security Standard (PCI-DSS) requirements.
Incident Reporting and Escalation Processes
OMV Petrom operates continuous 24/7 security monitoring. Potential findings are processed via Security Information and Event Management (SIEM)” intelligence and supplemented by Level 1, 2, and 3 analysts. Escalation procedures exist to ensure timely remediation of security incidents on a 24/7 basis. OMV Petrom’s Cyber Defense team classifies incidents and triggers the incident response process, then activates all required functions via alerting processes, also supported through voice messaging and SMS. All remediation actions follow predefined “runbooks” in order to ensure efficient and timely processing. A clear communication plan ensures the proper information is disseminated to all relevant stakeholders.
The Information Security Management System (ISMS) we operate is based on ISO 27000 and certified accordingly, with external surveillance and recertification processes applied annually. A full recertification assessment was successfully completed in July 2022 and the OMV Petrom certification period was extended until 2025. One of the basic principles of an ISMS is covering the continuous improvement cycle in order to identify, prevent, mitigate, and remediate potential information security leakages or gaps.
Preventive, Technical, Detective, and Reactive Measures
To maintain a strong perimeter for our physical and cloud environments, we implement new tools, individual detection strategies, and response plans to reduce the risk of security breaches. Our technical housekeeping measures ensure up-to-date hardware and software, as well as adequate information security procedures. We implement security patches and provide guidelines to ensure consistent hardware and software lifecycles.
Continual detective and reactive measures are implemented to identify existing risks, security gaps, and vulnerabilities. To protect our assets and eliminate intruders, we integrate detective and reactive measures to mitigate possible damage and take remediation measures to ensure a fast and complete recovery. Examples of such measures include:
- permanent vulnerability scans on cyber assets
- breach and Attack simulations to evaluate potential attack surfaces
- running continuous internal and external penetration tests on critical applications/systems
- external audits as quality insurance (ISO 27000, PCI-DSS, NIS, etc.)
To keep our employees’ information security awareness at an appropriate level, we conduct regular and intensive training programs. A variety of formats are used to deliver awareness initiatives, including general topics of information security interest, ad hoc demands for timely countermeasures on dedicated use-cases, or even target-group focused topics:
- mandatory e-learnings including knowledge check
- topic-based videos
- classroom trainings
- Anti-phishing-mail campaigns
- My News platform to share news via the intranet and internal blog posts.
Business Continuity/Contingency Plans and Incident Response Procedures
OMV Petrom tests its business continuity plans and incident response procedures annually, through cyber emergency exercises. The cyber emergency exercises, which are run with external experts, focus on specific, realistic threat scenarios in order to test related mitigation procedures and processes. The tabletop exercise consists of a series of “injects.” Each “inject” represents an event or a piece of information that is discovered as the scenario unfolds and is related to the security incident at hand. The audience of this scenario usually consists of an extended number of participants up to 30 participants, including representatives from the IT Security, senior IT Management, and OT Security teams, among others. After each injection, a corresponding review and evaluation of the process is conducted, including an appraisal determining lessons learned.
In 2022, OMV Petrom performed the following activities:
- Our information security awareness program included a variety of formats for employees, focusing on measures dedicated to email phishing threats as this is the main source of potential attacks
- We maintained an extensive IT security program to bundle all projects related to IT security and aim for further IT maturity development. Consequently, there is an increased level of resilience and preparedness against cyber-security-threats
- IT security penetration tests were continuously conducted at OMV Petrom as part of its internal and external processes ensuring a detailed technical layer of security surveillance
- OMV Petrom implemented a tool which enables the user to classify their information in terms of confidentiality and hence to apply the related security measures to protect these data accordingly
- As part of OMV Petrom’s Cyber Defense initiative, we implemented a tool to simulate breach & attacks to continually validate its resilience and vigilance level
- 0 noteworthy cyber security incident
- 50 regulatory documents of the IT security framework reviewed & updated
- 70 awareness measures on different types of formats conducted
- 500 projects guided to ensure coverage of defined security requirements
A major part of the Group’s commitment is continuous improvement and implementing related measures. As part of the strategic objectives and core endeavors, we will further improve the basic IT maturity level, further enhance cyber-defense capabilities and threat resilience beyond what has already been established and ensure comprehensive information security governance structures are certified according to multiple frameworks (ISO, PCI-DSS, NISG, BSI). An additional focus is placed on topics in the context of the emerging IT & OT areas, particularly considering cyber-attacks and to secure critical infrastructure assets and facilities from both functional perspectives.