Cybersecurity
IMPORTANCE AND MISSION
PTTEP strictly complies with Thailand's Cybersecurity Act B.E. 2562. Cybersecurity guidelines are in place to prevent and tackle cyber threats and to mitigate their impacts. Presently, PTTEP bases its cybersecurity guidelines on the National Institute of Standards and Technology (NIST) framework. Risk assessments in line with ISO 27001 have been conducted since 2014 for PTTEP's email and data center facilities. PTTEP has continually invested in technology and uses PTT Digital's services to prevent and mitigate cyber threats. PTTEP has also established a Security Operations Center (SOC) whose Security Information and Event Management (SIEM) system is fully connected to the network firewalls across all petroleum development bases.
GOALS
PTTEP aims to prevent and respond to various cybersecurity threats to minimize damage from cybersecurity incidents that may impact business operations while promoting organizational performance towards the following goals:
No loss from all cyber attacks
Test the IT BCM and incident response procedure > 2 times per year
All IT infrastructures are certified in accordance with international standards
MANAGEMENT APPROACH
Governance Structure
PTTEP has delegated oversight to the Risk Management Committee, which oversees enterprise risk, and to the Audit Committee, which reviews the efficiency and effectiveness of governance processes, internal controls, and risk management, covering the Company's overall cybersecurity issues. In this regard, Mr. Phongsthorn Thavisin, independent director, Chairman of the Risk Management Committee and Member of the Corporate Governance and Sustainability Committee, brings extensive experience in information security and cybersecurity. His expertise plays a key role at the management level, particularly in driving digital transformation. He has also completed executive programs such as the Director's Guide to Legal Obligations and Duties (DLD) by the Thai Institute of Directors Association (IOD), and The Cullinan: The Making of the Digital Board Class by the Digital Economy Promotion Agency (depa) and the Thailand Management Association (TMA). Furthermore, PTTEP has established the Digital Steering Committee, chaired by the Executive Vice President of the Operations Support Group (OPS), and the Cybersecurity Incident Response Task Force, chaired by the Chief Information Security Officer (CISO), with the Information Management Department and its working team responsible for setting directions, targets, strategies, policies and information technology standards. Their tasks include supervision of the IT master plan and roadmap as well as IT risk management, ensuring that risks stay within the Company's risk appetite. They must also regularly report risk management performance to the Risk Management Committee and the Board of Directors, so that, should an emergency arise, PTTEP is able to take control of the situation and respond promptly.
Control Measures
PTTEP has implemented control measures for information systems and equipment security, as well as data backup and recovery, to ensure business continuity. The Company has issued an Information Security Management System (ISMS) policy and a Cybersecurity policy. These policies have been announced across the organization and must be honored by all functions in line with the corporate governance guidelines. PTTEP's past technology efforts have aimed at ensuring security and flexibility: for example, joining the PTT Group working team set up under the PTT Group Cybersecurity Governance & Assurance Project to enhance the efficiency of PTT Group's cybersecurity measures, and adopting Microsoft Office 365 to increase the Company's work efficiency as well as data security. Furthermore, PTTEP has established information technology (IT) infrastructure controls and a clear policy to boost IT system efficiency through digital technology. IT strategies are outlined according to the Control Objectives for Information and Related Technology (COBIT 5) framework and ISO 27001. A cloud platform is used for the continued development of information technology systems on an agile structure, while maintaining all the control measures required by the Company's security standards.
Additionally, PTTEP has imposed a Security Policy and keeps information technology under control to maintain its security, prevent violations, and support data backup and recovery for business continuity. Details are as follows:
General control
refers to control guidelines on IT-related work processes and activities, an IT-related Business Continuity plan, a Disaster Recovery plan and a Cybersecurity Incident Response plan, to ensure preparedness for potential disruptions in information systems and cyber-attacks. These measures are in place to build confidence among stakeholders in PTTEP's ability to handle such challenges. PTTEP requires the testing of readiness and understanding on a biennial basis. PTTEP has prepared to handle cyber incidents by conducting three tests per year, covering all departments, and by improving the speed of vulnerability remediation.
In 2025, PTTEP is committed to implementing a proactive and integrated cyber risk management framework, achieved through the strategic convergence of the Information Technology (IT) and Operational Technology (OT) cybersecurity domains. This approach aims to enhance the resilience and security of its critical infrastructure and operations.
Personnel-level control
refers to determining individual employees' access to data; cybersecurity drills; the development of Digital Security Awareness e-Learning; and training entitled "Cybersecurity Act" and "Personal Data Protection Act" for directors, employees, relevant system administrators, etc. Since 2021, PTTEP has implemented Multi-factor Authentication (MFA) to strengthen staff identity verification beyond the conventional username and password, supporting access to company data and systems from anywhere at any time, in line with PTTEP's New Way of Work direction to promote employees' work-life balance. Furthermore, PTTEP has implemented Data Classification and Labelling with Microsoft Azure Information Protection (AIP) to manage document permissions and sharing according to confidentiality level.
Starting in 2024, all PTTEP employees are required to complete and pass a compulsory online Cybersecurity Awareness Training Course to stay informed about evolving cyber threats. Additionally, weekly simulated phishing emails are sent to randomly selected employees to test and reinforce awareness. PTTEP has also implemented an Information Security Standard for Supplier Relationships to mitigate risks of unauthorized system/information access and system misuse by temporary personnel, including consultants, vendors, subcontractors, service providers, interns, etc.
System-level control
refers to record keeping of system usage as required by law; and annual Vulnerability Assessment and external penetration testing by experts to identify and address any gaps that could cause damage. Furthermore, PTTEP conducts regular internal and external audits of its Information Security Management System and cybersecurity protocols. The Company has been granted the Certificate of Registration for Information Security Management System – ISO/IEC 27001:2022 for the scope: The information security management applied to PTTEP Data Center and Supporting Facility Governed by PTT Exploration and Production Public Company Limited.
PTTEP utilizes the services of Mandiant Managed Defense, a global expert in cybersecurity, to strengthen the operations of the Security Operations Center (SOC). The Company also received a Certificate of Registration for Information Security Management System – ISO/IEC 27001:2022 for the scope: The information security management applied to PTTEP Data Center and supporting facility governed by PTTEP. The certificate took effect on September 2, 2023.