23-December-2025
The Federation of Indian Petroleum Industry (FIPI), in association with EY, organised a webinar on Building Cyber Resilience in India Oil and Gas Sector: Defending against Modern threats & Strengthening Organisational Trust on 23rd December 2025. The webinar was conducted to shed light on cyber resilience in view of Indian regulations and industry best practices, and to showcase practical steps to minimize operational disruptions arising out of cyber-attacks, thus providing collaborative approaches to cyber risk management. The webinar was appreciated by one and all and was very well attended by 70 professionals working across the oil and gas value chain.
Mr. Vivekanand, Director (Finance, Taxation & Legal), FIPI, began the session with the opening remarks. He said that cybersecurity has moved beyond just being an IT concern to a strategic business priority. He mentioned that we are living in an era where the question is no longer if an organisation will face a cyber threat, but when. He further stated that in 2025, the global cost of cybercrime is projected to hit approximately $10.5 trillion annually, resulting from attacks ranging from AI-powered phishing to sophisticated supply chain attacks. In the Indian context, according to the Cisco 2025 Cybersecurity Readiness Index, only about 7% of organisations in India (up from 4% last year) are adequately prepared to defend against modern cyber threats. This demonstrates that despite an improvement from last year, cybersecurity preparedness remains low as hyper-connectivity and AI introduce new complexities for many practitioners. In this context, he mentioned the significance of cyber resilience today, as it helps companies to anticipate, withstand, and rapidly recover from inevitable cyberattacks, preventing catastrophic downtime, data loss, and reputational damage, thereby maintaining business continuity and customer trust.
In the case of the oil and gas sector, he talked about many cybersecurity challenges, ranging from breaches of confidential information or data pertaining to operations to cyber threats related to supply chain logistics, distribution networks, refinery information, consumer data, etc. These challenges could lead to expensive damage to facilities and lengthy supply disruptions, compromise intellectual property, and pose data security risks for business information. Companies thus need to proactively strengthen their cyber systems in the face of evolving risks.
Mr. Akshay Tiku, Partner, EY India, began his address by presenting case studies on recent cyber-attacks (Suncor Energy, 2023; Halliburton, August 2024), which mainly happened due to a lack of security controls as well as supply chain vulnerability within the organisation. In the Indian context, he cited the report from the Data Security Council of India (DSCI), which mentioned approximately 369 million malware detections during the reporting period, meaning that about 702 malware detections occurred every minute. Further, ransomware attacks on the oil and gas industry increased by 935% between April 2024 and April 2025. He therefore mentioned that while digitalization increases cyber vulnerabilities, the solution is not to halt progress but to strengthen security.
He then talked about the rapid digital adoption within the oil and gas sector, as IoT and AI are being deployed to reduce operational expenses. Historical maintenance logs and real-time data are fed into AI algorithms to detect machine failure. Digital twins are also used to simulate drilling scenarios to increase efficiency by 10-20%. The need of the hour is therefore for cybersecurity to keep pace in order to tackle cyber threats such as ransomware attacks, phishing attacks, etc. He also mentioned that the air gap between IT and OT is a myth, as real-time data is fed from OT systems into the cloud, increasing the convergence of IT and OT.
He then talked about the reasons why oil and gas is a primary target of cyber-attacks. Firstly, energy is the foundation layer for all other sectors, so any disruption creates a force multiplier, affecting the entire economy. For instance, 50% of ransomware attacks in 2025 were aimed at critical sectors, one of which is energy. Secondly, there is legacy debt: while IT assets are refreshed every 5 to 6 years, OT assets have a 15–20-year life cycle, so many refineries are still running on legacy systems that are difficult to monitor and patch, thus creating a vulnerability for attackers. Another reason is geopolitical weaponization, with the rise of gray zone cyber warfare in which the energy sector is primarily targeted. Lastly, there is the ransomware ROI paradox, wherein global ransomware attacks against critical industries like energy have surged by 34%. Therefore, the need of the hour is to improve cyber resilience by focusing on cyber visibility, monitoring, business continuity, and recovery.
He mentioned 4 strategies to redefine cyber resilience. Organisations need to anticipate, by using AI-driven threat intelligence to foresee attacks before they happen; withstand, by ensuring critical OT functions continue; recover, by restoring systems via immutable backups; and adapt, by feeding lessons from near-misses back into the systems to evolve defences.
Then he talked about the ways and methods to respond and recover. He said that all organizations in the oil and gas sector are bound to have a Cyber Crisis Management Plan (CCMP). Firstly, an Incident Response Plan (IT & OT), which uses incident response playbooks that account not just for IT but also for OT-specific aspects like manual overrides and physical safety. Secondly, a Backup & Recovery Environment, in which backups must be "Write-Once-Read-Many" (WORM) to prevent ransomware from encrypting them. Thirdly, tabletop exercises, where organisations should perform cross-functional drills that include all other functional teams (apart from IT). Cross-functional teams have to do these activities, and under certain of the latest guidelines, critical sectors are encouraged to run these quarterly. Lastly, building organisational trust by ensuring there is transparent communication between all the stakeholders: regulators, investors and the public.
He then talked about the human firewall, wherein he mentioned that 20% of the organizations surveyed by IBM in the year 2025 suffered a breach due to the use of shadow AI; 68% of breaches are caused by a human element; and there has been a 4,151% increase in phishing attacks since the advent of ChatGPT in 2022. With Gen AI, it has therefore become easier to carry out a phishing attack on an organization. So, the need of the hour is a human firewall, i.e. turning vulnerability into strength. This includes targeted training and awareness sessions for operators, engineers, and maintenance staff; training sessions to detect QR code phishing, deepfake impersonation, smishing, and other emerging threats; running phishing simulations or tabletop exercises specifically for OT scenarios; training employees on acceptable and responsible use of AI in sensitive networks and environments; and vendor training to ensure third parties comply with organizational security policies.
Lastly, he spoke about the regulatory landscape defined in India. The Indian Computer Emergency Response Team (CERT-In) has introduced significant directives, such as an annual audit, where every public and private organization must undergo a third-party cybersecurity audit annually by a CERT-In certified auditor, and a legal obligation on the organization to report cyber incidents classified as ransomware, data breach, or unauthorized access within 6 hours of detection. The National Critical Information Infrastructure Protection Centre (NCIIPC) has designated oil and gas assets as Critical Information Infrastructure (CII), so there are many compliances pertaining to cyber security. Vulnerability disclosure requires mandatory participation in the Responsible Vulnerability Disclosure Program for Industrial Systems. Lastly, failure to implement reasonable security safeguards as part of the DPDP Act carries a financial penalty of up to 250 crores.
Mr. Tiku then conducted the Q&A session and provided his views and opinions on various queries posted by participants.
Lastly, FIPI complimented the EY team for an elaborate presentation on the topic, covering recent case studies and lessons drawn from cyber incidents in the oil and gas sector; insight into Indian regulations and industry best practices with respect to cyber resilience; and discussion of the practical steps to minimize operational disruptions arising out of cyber-attacks. FIPI also thanked the participants from the energy industry for their active and interactive participation during the event.