Hindustan Petroleum Corporation Ltd (HPCL) is one of India’s leading oil and gas refining companies, which relies on its state-of-the-art IT infrastructure for its diversified operations. Strengthening the cybersecurity of this behemoth organisation, is the key responsibility of Sukla Mukhopadhyay, GM (Security & Governance) & CISO, Hindustan Petroleum Corporation Ltd (HPCL).
Mukhopadhyay shares her expert insights on cybersecurity and OT (Operational Technology) vulnerabilities in this sector.
- What are the current IT security challenges that you are facing in your organisation?
The area of cybersecurity is always full of challenges and there is never a moment that one can be absolutely complacent about it, as it is an ongoing and continuous process. One may always feel that they are two steps behind when it comes to having a completely secure environment.
Talking about the challenges that we frequently encounter would be:
- The level of consciousness amongst the business: It is not like that one person does the entire cybersecurity requirement for the entire corporation; rather everybody in the organisation should participate and be conscious about the security aspects.
- OT (Operational Technology) security area: When we talk about cybersecurity we normally talk about IT security part which is fairly mature. And, we do have support from certain agencies like NCIIPC (National Critical Information Infrastructure Protection Centre) who are doing a very good job. But in the OT area we barely have any support; often we are held hostage by the OEMs (Original Equipment Manufacturer) where we really can’t do much about it. And for the same, we have been seeking help from multiple organisations, even our management has acknowledged that and they have formed a team to tackle it.
One of the learnings was – we realised that we cannot keep the OT systems at a pause. So, in our organisation we made a committee, where we took representatives from all the refineries, pipelines which really helped in addressing the issue.
- What in your view is the best way to carry the IT vulnerabilities to the OT and the OT vulnerabilities to the IT?
Our first and foremost plan is to give adequate knowledge and awareness to the maintenance team and the OT administrators about cybersecurity. And we have planned to come out with a clear roadmap for the OT security and also thinking about having app controls.
One of the major issues that we are facing with regards to OT systems is that we have a lot of OSs (Operating Systems) which are slightly outdated, out of support and it becomes difficult to change them. And to change the current scenario, it requires a proper business decision to be undertaken as the upgrade is usually very expensive. So we have come up with a few exceptions, by allowing our employees with secured accesses, proper filtering of data, app controls, cordon off any suspicious activities, putting a layer of security, making sure to not provide internet connection at certain vulnerable areas such as the refineries and the pipelines.
Like there have been instances when we have been asked to give access to someone sitting in Germany, how they want to assess the temperature from our heat exchangers. So we try to give permissions to them to make sure that their business or projects don’t suffer and at the same time making sure that there is a protective layer of security around.
(Compiled by Shibul Pavithran)
(These views were expressed by Sukla Mukhopadhyay during a panel discussion on cybersecurity at Technology Sabha 2022).