EY presented at the 22 World Petroleum Congress, focusing on the current cyber threats for oil and gas companies, the impact of new security architecture and the rise of IIOT.

1. Evolution of cyber
threats and the
development of new
security architecture
Piotr Ciepiela — Executive Director
Ernst & Young sp. z o.o.
EMEIA OT/IoT Security & Critical Infrastructure Leader, EY
Bala V. Venkateshwaran — EY, India

2. Page 2 Evolution of cyber threats and the development of new security architecture
Digitalization’s inexorable march will transform the O&G sector
But its full benefits are contingent on effective risk mitigation and harnessing market trends
Trends in the oil industry:
Increasing emphasis on
reducing per barrel lifting
cost as industry cuts capital
expenditure
Dramatic growth in
unconventional oil and gas
production reliant on
technological innovations
Increasing pressure to ensure
cost competitiveness due to
the rise of alternatives such
as renewable energy
sources
Rising complexity of
refineries and increasing
integration of refining with
petrochemicals
Digital enablers
► Industrial IoT and increased connectivity improves
asset performance management
► Industry value chain integration improves the entire
supply chain
► Increased bandwidth and reliability allows for remote
control room operations in distant harsh locations
► Advanced analytics allows for both margin
improvements and growth strategies enablement
Digital risks
► Cyber risks (ransomware, malware, DoS, unauthorized
access/control)
► Information security risks (financial information, IP)
► Safety risks (functional safety, process safety)
► The “network effect” multiplies an impact of
cyber attacks

3. Page 3 Evolution of cyber threats and the development of new security architecture
The benefits of smart connected assets come with a price
We need to learn a lesson from the past looking further into the future
1969 — Arpanet 1989 —
world wide web
93/94 — Trojan House
Coffee Pot and WearCam
2000–2003 — Big Chill, Cooltown,
Internet 1.0, Disappearing Computer
2010 — Google
introduces
self-driving car
Blockchain — distributed ledger
2010 — Stuxnet attack
2016 — Mirai attack
1960 1970 1980 1990 2000 2005 2010 2015 2020
1990 1995 2000 2005 2010 2015 2020
1974 — TCP/IP
1990 — First IoT device —
connected toaster
2004 — RFID in
US DD Savi
and Walmart
3.1
Augmented realityIndustry 4.0
Billions of
connected devices
Billions of
internet users
1999 — Internet of Things
term coined by Kevin Ashton
8.7
12
30
2011 — IPv6
Internet
Human-to-human connectivity
Information assets are targeted
Common threats — limited impact
Internet of Things
Machine-to-machine connectivity
Physical assets are targeted
Sophisticated threats — very high impact
VSUnsolved
problems
Opportunities
to protect

4. Page 4 Evolution of cyber threats and the development of new security architecture
Cybersecurity in O&G faces multiple internal and external challenges
It has to shield the entire O&G value chain from threats that are complex and evolving
Busines
Process
Connect
Things
Communi
tech
Network
&Infra
ServicesSuppliers
System integrators
Support teams Hardware manufacturers
Product development
Enerprise services
Cloud services Analytics services
Orchestration services
Private network and infrastructure
Public network and infrastructure
Mobile dev.
Instruments
Machines
Industrial networks
Wireless technologies
Mesh networks

5. Page 5 Evolution of cyber threats and the development of new security architecture
The O&G sector has made some progress in handling today’s cyber attacks
But developing cyber resilience and cyber agility need systemic focus now onward
► Organizations need to take an unconventional approach to meet new challenges emerging. They need to design
systems that are safe-to-fail rather than fail-safe!
► Plan for situations where we may need to sacrifice portions of information or operations in the interests of protecting
the larger network
GISS survey2 of O&G companies shows that only
6%
have a robust incident
response program and
regularly conduct
table-top exercises.
46%have had a
recent significant
cybersecurity incident
22%do not have an incident
response plan.
Top focus areas where companies plan to spend their
cybersecurity budget in the coming year
47%Business Continuity Planning
41%SIEM and SOC3
Components of cyber resilience
Sense: see the threats coming
Resist: the corporate and
operations shield
React: recover from unplanned
disruption
+
+

6. Page 6 Evolution of cyber threats and the development of new security architecture
Effective cybersecurity will be essential to benefit from digitization in O&G
Increase industry maturity through new capabilities and collaboration
Do I really know my OT
environment?1
Do I know the risks associated
with my OT environment?2
Can I monitor my environment?3
Do I work with my vendors?
(SLA, security standards)4
Am I prepared for cyber
incidents? (IRP, BC/DR)5
nnn
Asset
SDLC
Identify
Protect
Detect
Respond
Recover
Engineer
4.0
Leadership
Engineering
Process
automation
Cyber
security
Industrial
process

7. Page 7 Evolution of cyber threats and the development of new security architecture
Thank You!
Piotr Ciepiela
Executive Director,
EY EMEIA Advisory Center,
OT/IoT Security & Critical Infrastructure Leader
Bala V. Venkateshwaran — EY, India

8. Page 8 Evolution of cyber threats and the development of new security architecture
For information visit
Ey.com/digitaloil

9. Page 9 Evolution of cyber threats and the development of new security architecture
References
1. Author name(s): EY, Why it’s time to invest in digital oil, EYG no.
03448-164Gbl 1609-2041453, Ernst & Young LLP., 2016,
Available at http://www.ey.com/Publication/vwLUAssets/ey-why-
the-time-is-right-for-digital-oil-companies/$FILE/ey-why-the-time-
is-right-for-digital-oil-companies.pdf.
2. Author name(s): EY, EY 19th Global Information Security Survey
2016–17, EYG no. 01430-174Gbl, Ernst & Young LLP., 2017,
Available at http://www.ey.com/Publication/vwLUAssets/ey-oil-
and-gas-information-security-survye-2016-17/$FILE/ey-oil-and-
gas-information-security-survye-2016-17.pdf.
3. SIEM stands for Security Information and Event Management,
SOC for Security Operations Centre.

10. EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and
advisory services. The insights and quality services we deliver
help build trust and confidence in the capital markets and in
economies the world over. We develop outstanding leaders
who team to deliver on our promises to all of our stakeholders.
In so doing, we play a critical role in building a better working
world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or
more, of the member firms of Ernst & Young Global Limited,
each of which is a separate legal entity. Ernst & Young Global
Limited, a UK company limited by guarantee, does not provide
services to clients. For more information about our
organization, please visit ey.com.
How EY’s Global Oil & Gas Sector can help your business
The oil and gas sector is constantly changing. Increasingly
uncertain energy policies, geopolitical complexities, cost
management and climate change all present significant
challenges. EY’s Global Oil & Gas Sector supports a global
network of more than 10,000 oil and gas professionals with
extensive experience in providing assurance, tax, transaction
and advisory services across the upstream, midstream,
downstream and oil field subsectors. The Sector team works
to anticipate market trends, execute the mobility of our global
resources and articulate points of view on relevant sector
issues. With our deep sector focus, we can help your
organization drive down costs and compete more effectively.
© 2017 EYGM Limited.
All Rights Reserved.
EYG no. 04495-174GBL
BMC Agency
GA 1005401
ED None
This material has been prepared for general informational purposes only and is not
intended to be relied upon as accounting, tax, or other professional advice. Please
refer to your advisors for specific advice.
ey.com