Information and Cybersecurity

In an increasingly interconnected global environment, information is exposed to a rapidly growing variety of risks, threats, and vulnerabilities. The OMV Group invests in information and cybersecurity to protect technology, assets, critical information, and our reputation, and to avoid any damage or financial loss resulting from unauthorized access to our systems and data. Keeping OMV Group free of security vulnerabilities and potential security risks is essential for the whole business.

Specific Policies and Commitments

Our internal IT¹/OT² Security Directive lays out the details of the IT/OT Security Framework, through which topic- or security-domain-related security standards and policies are continually aligned and managed. The Security Framework consists of approximately 50 regulatory documents in total and is harmonized with the ISO 27000 series (ISO27k) of recommendations for IT controls and domains. It also covers OMV’s commitment to securing the operation of its services in dedicated areas, such as the filling station retail business and the related PCI-DSS³ requirements.

Management and Due Diligence Processes

We run an Information Security Management System (ISMS), which is based on ISO27k standards and certified accordingly, with external surveillance audits and recertification carried out annually. A full recertification assessment was successfully completed in July 2022, and the OMV certification period was extended until 2025. One of the basic principles of an ISMS is a continuous improvement cycle to identify, prevent, mitigate, and remediate potential information security weaknesses before they lead to leaks or incidents.

Preventive, Technical, Detective, and Reactive Measures

We lower the risk of security breaches by introducing new tools, individual detection strategies, and response plans in order to maintain a strong perimeter around both our on-premises and our cloud environments.
Technical housekeeping measures ensure a solid foundation of up-to-date hardware and software, supported by adequate information security processes. We apply security patches and provide guidelines for consistent hardware and software life cycle management.

Detective and reactive measures are designed and executed on an ongoing basis to create transparency around existing risks, security gaps, and vulnerabilities. To protect our assets and keep intruders out, we combine detective and reactive measures to limit possible damage and take remediation measures to ensure fast and complete recovery. Examples of such measures include:

  • Continuous vulnerability scans of cyber assets
  • Breach and attack simulations to evaluate potential attack surfaces
  • Continuous internal and external penetration tests of critical applications and systems
  • External audits as quality assurance (ISO27k, PCI-DSS, etc.)

Training

We run regular and intensive training sessions to keep our employees’ information security awareness at an adequate level. The awareness measures cover general information security topics, ad hoc campaigns as timely countermeasures for specific cases, and target-group-focused topics, and are delivered in different formats, such as:

  • Mandatory e-learning sessions including knowledge check
  • Topic-based videos
  • Classroom training sessions
  • Anti-phishing email campaigns
  • “My News” platform to share news via the intranet and internal blog posts

Incident Reporting and Escalation Processes

OMV operates continuous 24/7 security monitoring. Potential findings are processed via Security Information and Event Management (SIEM) intelligence and reviewed by Level 1, 2, and 3 analysts. Escalation procedures exist to ensure timely remediation of security incidents on a 24/7 basis. OMV’s Cyber Defense team classifies incidents and triggers the incident response process, then activates all required functions via automatic and manual alerts sent by voice message and SMS. All remediation actions follow predefined “runbooks” in order to ensure efficient and timely processing. A clear communication plan ensures that the proper information is disseminated to all relevant stakeholders.

Business Continuity/Contingency Plans and Incident Response Procedures

OMV tests its business continuity plans and incident response procedures annually through cyber emergency exercises. The cyber emergency exercises, which are run with external experts, focus on specific, realistic threat scenarios in order to test the related mitigation procedures and processes. The tabletop exercise consists of a series of “injects.” Each inject represents an event or a piece of information that is discovered as the scenario unfolds and is related to the security incident at hand. The audience of this scenario usually consists of up to 30 participants, including representatives from the IT Security, senior IT Management, and OT Security teams, among others. After each inject, a corresponding review and evaluation of the process is conducted, including an appraisal of lessons learned.

2022 Actions

The following key activities were carried out across the Group in 2022:

  • 0 noteworthy cybersecurity incidents
  • 50 regulatory documents of the Security Framework reviewed and updated
  • Approx. 70 different types of awareness measures conducted (e.g., classroom exercises, online training sessions, and email phishing campaigns)
  • Approx. 500 projects guided to ensure coverage of defined security requirements

  • We continued to operate an extensive information security awareness program for our employees based on several formats. There was a focus on measures dedicated to email phishing threats, as this is the main source of potential attacks.
  • We continued to run an extensive IT security program that bundles all projects related to IT security, aiming for further IT maturity development. As a result, the level of resilience and preparedness against cybersecurity threats has increased.
  • We continuously ran IT security penetration tests against our networks and platforms to cover a detailed technical layer in our security surveillance measures. The tests are performed both internally and externally.
  • We started implementing a tool that enables users to classify their information in terms of confidentiality, and hence to apply the relevant security measures to protect the data accordingly.
  • In the area of cyber defense, we implemented a tool to perform breach and attack simulations in order to continuously validate the current resilience and vigilance level.

Outlook

The OMV Group is dedicated to continuous improvement processes and to implementing the related measures. Other strategic aims and core endeavors are to further increase the basic IT maturity level, to further extend cyber defense capabilities and threat resilience beyond the already established high level, and to be certified according to the comprehensive information security governance structures based on several frameworks (ISO, PCI-DSS, NISG, BSI). Additional focus is placed on topics in the context of the emerging IT and OT areas, especially in light of cyberattacks, to secure critical infrastructure assets and facilities from both the IT and the OT perspective.

1 Information Technology (IT) Security is a set of cybersecurity strategies that prevents unauthorized access to organizational assets, such as computers, networks, and data. It maintains the integrity and confidentiality of sensitive information, blocking the access of sophisticated hackers.

2 OT Security is defined as Operational Technology (OT) hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes, and events in the enterprise. OT is common in Industrial Control Systems (ICS), such as a SCADA system.

3 Payment Card Industry Data Security Standard

Abbreviations

IT: Information Technology
OT: Operational Technology
ICS: Industrial Control System
ISO: International Organization for Standardization
PCI-DSS: Payment Card Industry Data Security Standard
ISMS: Information Security Management System
NIS: Network and Information Security
SIEM: Security Information and Event Management