Evolution of cyber threats and the development of new security architecture

Piotr Ciepiela — Executive Director, Ernst & Young sp. z o.o.; EMEIA OT/IoT Security & Critical Infrastructure Leader, EY

Bala V. Venkateshwaran — EY, India


Page 1: Evolution of cyber threats and the development of new security architecture


Page 2: Evolution of cyber threats and the development of new security architecture


Digitalization’s inexorable march will transform the O&G sector

But its full benefits are contingent on effective risk mitigation and harnessing market trends

Trends in the oil industry:

► Increasing emphasis on reducing per barrel lifting cost as industry cuts capital expenditure

► Dramatic growth in unconventional oil and gas production reliant on technological innovations

► Increasing pressure to ensure cost competitiveness due to the rise of alternatives such as renewable energy sources

► Rising complexity of refineries and increasing integration of refining with petrochemicals

Digital enablers

► Industrial IoT and increased connectivity improve asset performance management

► Industry value chain integration improves the entire supply chain

► Increased bandwidth and reliability allow for remote control room operations in distant harsh locations

► Advanced analytics allows for both margin improvements and growth strategies enablement

Digital risks

► Cyber risks (ransomware, malware, DoS, unauthorized access/control)

► Information security risks (financial information, IP)

► Safety risks (functional safety, process safety)

► The “network effect” multiplies the impact of cyber attacks

Page 3: Evolution of cyber threats and the development of new security architecture


The benefits of smart connected assets come with a price

We need to learn a lesson from the past looking further into the future

Timeline (1960–2020):

1969 — Arpanet
1974 — TCP/IP
1989 — world wide web
1990 — First IoT device — connected toaster
93/94 — Trojan House Coffee Pot and WearCam
1999 — Internet of Things term coined by Kevin Ashton
2000–2003 — Big Chill, Cooltown, Internet 1.0, Disappearing Computer
2004 — RFID in US DD Savi and Walmart
2010 — Google introduces self-driving car
2010 — Stuxnet attack
2011 — IPv6
2016 — Mirai attack

Also on the timeline: Blockchain — distributed ledger; Augmented reality; Industry 4.0

Chart: billions of connected devices and billions of internet users, 1990–2020 (data labels: 3.1, 8.7, 12, 30)

Internet

Human-to-human connectivity

Information assets are targeted

Common threats — limited impact

Internet of Things

Machine-to-machine connectivity

Physical assets are targeted

Sophisticated threats — very high impact

VS

Unsolved problems

Opportunities to protect

Page 4: Evolution of cyber threats and the development of new security architecture


Cybersecurity in O&G faces multiple internal and external challenges

It has to shield the entire O&G value chain from threats that are complex and evolving

Diagram layers: Business Process; Connect Things; Communi tech; Network & Infra; Services; Suppliers

Diagram elements:

► System integrators, support teams, hardware manufacturers, product development

► Enterprise services, cloud services, analytics services, orchestration services

► Private network and infrastructure, public network and infrastructure

► Mobile dev., instruments, machines

► Industrial networks, wireless technologies, mesh networks

Page 5: Evolution of cyber threats and the development of new security architecture


The O&G sector has made some progress in handling today’s cyber attacks

But developing cyber resilience and cyber agility needs systemic focus from now onward

► Organizations need to take an unconventional approach to meet the new challenges that are emerging. They need to design systems that are safe-to-fail rather than fail-safe!

► Plan for situations where we may need to sacrifice portions of information or operations in the interests of protecting the larger network

GISS survey [2] of O&G companies shows that only

► 6% have a robust incident response program and regularly conduct table-top exercises.

► 46% have had a recent significant cybersecurity incident

► 22% do not have an incident response plan.

Top focus areas where companies plan to spend their cybersecurity budget in the coming year

► 47% Business Continuity Planning

► 41% SIEM and SOC [3]

Components of cyber resilience

Sense: see the threats coming

+

Resist: the corporate and operations shield

+

React: recover from unplanned disruption

Page 6: Evolution of cyber threats and the development of new security architecture


Effective cybersecurity will be essential to benefit from digitization in O&G

Increase industry maturity through new capabilities and collaboration

1. Do I really know my OT environment?

2. Do I know the risks associated with my OT environment?

3. Can I monitor my environment?

4. Do I work with my vendors? (SLA, security standards)

5. Am I prepared for cyber incidents? (IRP, BC/DR)

Asset SDLC

Identify / Protect / Detect / Respond / Recover

Engineer 4.0

Leadership / Engineering / Process automation / Cybersecurity / Industrial process

Page 7: Evolution of cyber threats and the development of new security architecture


Thank You!

Piotr Ciepiela — Executive Director, EY EMEIA Advisory Center, OT/IoT Security & Critical Infrastructure Leader

Bala V. Venkateshwaran — EY, India

Page 8: Evolution of cyber threats and the development of new security architecture


For information visit Ey.com/digitaloil

Page 9: Evolution of cyber threats and the development of new security architecture


References

1. EY, Why it’s time to invest in digital oil, EYG no. 03448-164Gbl 1609-2041453, Ernst & Young LLP, 2016. Available at http://www.ey.com/Publication/vwLUAssets/ey-why-the-time-is-right-for-digital-oil-companies/$FILE/ey-why-the-time-is-right-for-digital-oil-companies.pdf.

2. EY, EY 19th Global Information Security Survey 2016–17, EYG no. 01430-174Gbl, Ernst & Young LLP, 2017. Available at http://www.ey.com/Publication/vwLUAssets/ey-oil-and-gas-information-security-survye-2016-17/$FILE/ey-oil-and-gas-information-security-survye-2016-17.pdf.

3. SIEM stands for Security Information and Event Management, SOC for Security Operations Centre.

Page 10: Evolution of cyber threats and the development of new security architecture


© 2017 EYGM Limited. All Rights Reserved.

EYG no. 04495-174GBL


This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com