Cyber risk is now an executive energy-security question.
Sanket converts public threat signals into decisions a CMD, secretary, CISO, or asset owner can act on without waiting for a post-incident technical memo.
- Executive decisionOEM access
Recorded jump hosts, named ownership, and time-bound vendor sessions remain the first control order.
- India surfaceEnergy corridors
Ports, refineries, pipelines, LNG, retail, and policy systems are treated as one operating architecture.
- Browser postureLocal scan
The browser check produces an executive brief, CISO brief, IT queue, and raw evidence export.
Top risk, affected surface, operating consequence, decision owner, and first control action in one view.
West coast import gates, eastern refineries, trunk pipelines, LNG terminals, policy workflows, and retail trust surfaces.
No claim about live PSU systems. Browser checks remain local and do not inspect LAN, VPN, EDR, routers, DNS, or OT assets.
Risk posture, priority pathway, control order, and sector consequence.
02 Browser posture25 local checks translated into executive, CMD, CISO, admin, and evidence views.
03 IT handoffFindings, evidence, remediation text, JSON export, and scope boundary.
India energy surface
Where cyber pressure becomes operating risk
Map the digital surfaces that matter to energy security: import gates, refineries, pipelines, LNG, retail/LPG, upstream production, and policy data flows.
Map mode
82
Priority
Executive brief
Tracked risk signals
Public inputs only. Each signal is translated into a decision, owner, and operating consequence.
Priority decision
Process control
OEM support path into dual-homed engineering context - broker every OEM session through recorded jump hosts.
OEM remote-access concentration
Vendor support paths can become a high-leverage bridge into plant context.
Third-party vendor support paths bypass perimeter controls entirely. A single compromised OEM account can reach historians, DCS engineering stations, and control networks through a trusted support relationship — without triggering standard corporate perimeter alerts.
- Key action
- Issue an OEM access governance order — jump-host brokering, session recording, time-bound credentials, and named ownership for every active support path across CII-designated assets.
- Decision point for CMD
- Is every active OEM support path inventoried, recorded, and terminable in under one hour?
Plant SOC and enterprise SOC handoff
Watch the handoff gap between OT detection, corporate identity, and escalation.
The detection gap between OT monitoring and corporate security operations is where lateral movement most often goes undetected. Shift handoffs and high alert volumes widen this window. The adversary's advantage is the delay between a plant-level alarm and a decision-maker being notified.
- Key action
- Define the escalation path from plant alarm to CMD notification. Run a cross-boundary drill before the next board cycle; the test, not the policy, reveals the actual gap.
- Decision point for CMD
- Who notifies you personally, at what threshold, if a plant control network is accessed?
Policy-document lures
Oil-and-gas decoys and cybersecurity-guideline lures hit executive and policy workflows.
SideCopy APT reporting shows HPCL-themed cybersecurity-guideline decoys and remote-access tooling. Oil-and-gas documents can reach executive and secretariat inboxes because they resemble legitimate regulatory traffic.
- Key action
- Run a targeted phishing simulation against executive and ministry-adjacent workflows. Harden document-sharing and email attachment handling before the next policy cycle.
- Decision point for CMD
- Have you and your senior leadership completed a phishing simulation in the last 12 months?
Retail and consumer fraud surface
Dealer portals, loyalty flows, LPG subsidy messages, and fuel-discount scams convert cyber events into public-trust events quickly.
Dealer portals, LPG subsidy channels, and consumer apps are high-volume, publicly visible surfaces. A breach here becomes a customer trust and reputational event within hours — before the technical picture is clear to leadership. The communications gap is as damaging as the breach itself.
- Key action
- Implement step-up authentication on dealer and high-risk consumer login flows. Pre-stage customer fraud communications before an event occurs — do not draft them during one.
- Decision point for CMD
- Is there a pre-approved customer communication template ready for a fraud event today?
Frontier cyber-AI gap
AI-assisted vulnerability discovery shortens defender timelines.
AI-assisted vulnerability discovery compresses the window from known flaw to active exploitation. Legacy OT systems and unpatched edge devices that previously had weeks of triage runway now face days. Security teams using old patch-cycle assumptions are already behind.
- Key action
- Move patch triage to an executive-scheduled decision rather than a backlog queue. Include AI-assisted attack assumptions in the next sector tabletop exercise.
- Decision point for CMD
- What is the current patch cycle for your process control and pipeline SCADA systems?
Refinery-sim telemetry
Public telemetry showed sustained hits against simulated refinery-sector sensors, including common industrial protocols.
CyberPeace / Autobot honeypot data recorded 3.6 lakh attack events against simulated refinery sensors using Modbus, DNP3, and similar industrial protocols. This establishes documented threat interest — the attack techniques are known and being exercised against this sector's specific control system surface.
- Key action
- Audit exposed services against common industrial protocol lists. Segment any internet-facing service using Modbus, DNP3, or similar from plant and control networks.
- Decision point for CISO
- Does your team have an up-to-date inventory of industrial protocol services exposed beyond plant network boundaries?
Evidence tracker
Public-source events feeding v0
- Anthropic announces Project Glasswing and Claude Mythos Preview. Flag: frontier cyber-AI capability. Use: compress patch and compensating-control timelines. Source
- Public reporting says unauthorized users accessed Mythos through a third-party environment. Flag: control-plane risk around powerful defensive/offensive cyber models. Source
- Seqrite reports SideCopy lures using HPCL-themed cybersecurity-guideline documents. Flag: policy-document lure. Use: harden mailbox, file-share, and executive-document workflows. Source
- Oil India Duliajan ransomware incident becomes the key public Indian oil-and-gas precedent. Flag: ransomware business-continuity stress. Use: rehearse recovery and executive communications. Source
- CyberPeace / Autobot refinery-sector simulated sensors record roughly 3.6 lakh attack events. Flag: protocol pressure. Use: model common exposed-service and industrial-protocol attack paths. Source
Scenario timelines
Oil and gas cyber pathways
Switch between dated pathways. The score is derived from scenario context and the public signal spine, not editable pretend-control variables.
v0.2
Public data only
Baseline watch
Known Indian oil-and-gas incidents, public lures, AI capability shifts, and refinery-sim telemetry create the standing watch picture.
- Oil India ransomware becomes the core Indian sector precedent.
- HPCL-themed cybersecurity-guideline lures show policy-document targeting.
- Frontier cyber-AI capability shortens patch and compensating-control timelines.
Danger index
74
Elevated
Process-control, OEM support, and pipeline-SCADA handoffs are the first places to look.
Likely pathway
- Targeted phishing or credential reuse lands in the corporate estate.
- VPN/session abuse reaches vendor or engineering support access.
- Dual-homed workstation or OEM laptop bridges into plant context.
- Detection gap appears between plant SOC and corporate SOC.
Action queue
What moves first
- Issue OEM remote-access governance order.Jump-host brokering, session recording, time-bound credentials, and access inventory across CII-designated assets.
- Convene MD-level classified threat brief.Move the threat picture from CISO desk to CMD agenda before budgets are frozen.
- Run cross-PSU adversary-emulation tabletop.One refinery-and-pipeline scenario, all CMDs present, debrief chaired at ministry level.
Browser posture check
Run the local security check
Click once. 25 local checks. No data leaves the device, and permission state is read without camera, microphone, location, notification, or storage prompts. Results are structured as executive, CISO, IT-admin, and evidence views.
Browser score
--
Not run
Run the check to produce a local browser-side posture report.
Run the check to see the plain-English verdict.
Run the check to see what the public edge can infer from this connection.
This browser will compare the next run with recent local results.
The first action will be generated from the scan, not fixed copy.
Run once, then switch between executive, CMD, CISO, IT-admin, and evidence views.
Run the check to generate the first concrete step.
The next step will be based on this browser, public edge, and findings.
Sanket will point to the next browser-only layer before any native collector path.
Executive output
Priority findings and first actions
- No report yet. Run the check to generate executive-level guidance.
CMD brief
Decision view
- No CMD brief yet. Run the check to generate the decision view.
CISO brief
Control view
- No CISO brief yet. Run the check to generate the control view.
IT admin
Work queue
- No work queue yet. Run the check to generate admin tasks.
Evidence handoff
Technical fixes and evidence
- No IT report yet. Run the check to build the handoff.
Run the check to generate a browser-side JSON log.
Permission prompts can test this browser and this site. They still cannot inspect routers, EDR, internal DNS, VPN split tunneling, open ports, or OT assets. That requires a signed local collector with written authorization.
Browser + edge
Run the browser check, capture the public edge, save local history, and export role briefs.
Managed-browser policy
Turn scan findings into Chrome/Edge policy guidance for permissions, WebRTC, device APIs, and privacy controls.
Evidence upload
Let IT paste or upload approved exports from EDR, DNS, MDM, firewall, or vulnerability tools for Sanket to normalize.
Browser extension
Add optional deeper browser/tab/header checks through a Chrome or Edge extension, without a full native endpoint collector.
Source spine
Public evidence behind v0
- CyberPeace / Autobot refinery-sector attack telemetry Use as pressure evidence, corrected to roughly 3.6 lakh events on simulated refinery-sector sensors, not 3.6 million real refinery breaches.
- Seqrite SideCopy analysis Use as phishing and oil-and-gas lure evidence: HPCL-themed cybersecurity-guideline decoys, MSI staging, CurlBack RAT, Spark RAT, and Xeno RAT.
- Oil India ransomware incident record Use as Indian oil-and-gas incident precedent: ransomware demand, G&R workstation, network outage, and central-agency response.
- Anthropic Project Glasswing Use as frontier-cyber-AI context: restricted Mythos Preview access for defensive vulnerability discovery and critical-software hardening.
- Guardian reporting on Mythos access concerns Use as control-plane caution: powerful defensive cyber-AI access itself becomes a security object.