OEM support access and dual-homed engineering context remain the first priority.
High
Policy lures
Oil-and-gas document lures can reach executive and ministry workflows quickly.
High
Retail trust
Dealer, LPG, and loyalty surfaces convert cyber pressure into public-trust events.
Signals
Tracked risk signals
Public inputs only. No claims about live PSU systems.
Top priority right now
Process control
OEM support path into dual-homed engineering context — broker every OEM session through recorded jump hosts.
Critical
OEM remote-access concentration
Vendor support paths can become a high-leverage bridge into plant context.
Third-party vendor support paths bypass perimeter controls entirely. A single compromised OEM account can reach historians, DCS engineering stations, and control networks through a trusted support relationship — without triggering standard corporate perimeter alerts.
Key action
Issue an OEM access governance order — jump-host brokering, session recording, time-bound credentials, and named ownership for every active support path across CII-designated assets.
Decision point for CMD
Is every active OEM support path inventoried, recorded, and terminable in under one hour?
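One way to make the CMD decision point above answerable from an inventory rather than a meeting, as an added example (not code from the page or from the Sanket tool; the SupportPath record layout, the eight-hour credential and one-hour revocation thresholds, and the sample paths are assumptions):

```python
# Added example, not code from the page or the Sanket tool: governance check for
# OEM/vendor remote-support paths. Record layout, thresholds and samples are assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy: credentials expire within 8 h of issue; revocation under 1 h.
MAX_CREDENTIAL_LIFETIME = timedelta(hours=8)
MAX_TERMINATION_TIME = timedelta(hours=1)
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample

@dataclass
class SupportPath:
    vendor: str
    target: str                             # asset reached: historian, DCS EWS, RTU
    via_jump_host: bool                     # brokered through a recorded jump host?
    session_recorded: bool
    credential_expires: Optional[datetime]  # None = standing credential
    owner: Optional[str]                    # named internal owner
    termination_minutes: Optional[int]      # revoke time measured in a drill; None = untested

def governance_gaps(path: SupportPath, now: datetime) -> list:
    """Return the policy gaps for one path; an empty list means compliant."""
    gaps = []
    if not path.via_jump_host:
        gaps.append("not brokered through a jump host")
    if not path.session_recorded:
        gaps.append("sessions not recorded")
    if path.credential_expires is None:
        gaps.append("standing credential (no expiry)")
    elif path.credential_expires - now > MAX_CREDENTIAL_LIFETIME:
        gaps.append("credential lifetime exceeds policy")
    if not path.owner:
        gaps.append("no named owner")
    if path.termination_minutes is None:
        gaps.append("revocation never tested")
    elif timedelta(minutes=path.termination_minutes) >= MAX_TERMINATION_TIME:
        gaps.append("not terminable within one hour")
    return gaps

def cmd_decision(paths, now: datetime) -> bool:
    """The CMD question: is every active path governed and terminable in time?"""
    return all(not governance_gaps(p, now) for p in paths)

# Constructed sample: one compliant path, one ungoverned, one slow to revoke.
SAMPLE_PATHS = [
    SupportPath("OEM-A", "historian", True, True, NOW + timedelta(hours=4), "plant-it-lead", 30),
    SupportPath("OEM-B", "DCS engineering station", False, False, None, None, None),
    SupportPath("OEM-C", "pipeline RTU", True, True, NOW + timedelta(hours=24), "scada-owner", 90),
]
```

The per-path gap list is what the access inventory should be able to produce on demand; the single boolean is the answer the CMD is asking for.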
Critical
Plant SOC / corporate SOC seam
Watch the handoff gap between OT detection, corporate identity, and escalation.
The detection gap between OT monitoring and corporate security operations is where lateral movement most often goes undetected. Shift handoffs and high alert volumes widen this window. The adversary's advantage is the delay between a plant-level alarm and a decision-maker being notified.
Key action
Define the escalation path from plant alarm to CMD notification. Run a cross-boundary drill before the next board cycle — the test, not the policy, reveals the actual gap.
Decision point for CMD
Who notifies you personally, at what threshold, if a plant control network is accessed?
High
Policy-document lures
Oil-and-gas decoys and cybersecurity-guideline lures hit executive and policy workflows.
SideCopy APT uses HPCL cybersecurity guidelines, OISD circulars, and MoPNG policy documents as phishing bait. These reach executive and secretariat inboxes because they look like legitimate regulatory traffic — the kind of file a CMD or Secretary would open without hesitation.
Key action
Run a targeted phishing simulation against executive and ministry-adjacent workflows. Harden document-sharing and email attachment handling before the next policy cycle.
Decision point for CMD
Have you and your senior leadership completed a phishing simulation in the last 12 months?
High
Retail and consumer fraud surface
Dealer portals, loyalty flows, LPG subsidy messages, and fuel-discount scams convert cyber events into public-trust events quickly.
Dealer portals, LPG subsidy channels, and consumer apps are high-volume, publicly visible surfaces. A breach here becomes a customer trust and reputational event within hours — before the technical picture is clear to leadership. The communications gap is as damaging as the breach itself.
Key action
Implement step-up authentication on dealer and high-risk consumer login flows. Pre-stage customer fraud communications before an event occurs — do not draft them during one.
Decision point for CMD
Is there a pre-approved customer communication template ready for a fraud event today?
AI-assisted vulnerability discovery compresses the window from known flaw to active exploitation. Legacy OT systems and unpatched edge devices that previously had weeks of triage runway now face days. Security teams using old patch-cycle assumptions are already behind.
Key action
Move patch triage to an executive-scheduled decision rather than a backlog queue. Include AI-assisted attack assumptions in the next sector tabletop exercise.
Decision point for CMD
What is the current patch cycle for your process control and pipeline SCADA systems?
Watch
Refinery-sim telemetry
Public telemetry showed sustained hits against simulated refinery-sector sensors, especially common industrial protocols.
CyberPeace / Autobot honeypot data recorded 3.6 lakh attack events against simulated refinery sensors using Modbus, DNP3, and similar industrial protocols. This establishes documented threat interest — the attack techniques are known and being exercised against this sector's specific control system surface.
Key action
Audit exposed services against common industrial protocol lists. Segment any internet-facing service using Modbus, DNP3, or similar from plant and control networks.
Decision point for CISO
Does your team have an up-to-date inventory of industrial protocol services exposed beyond plant network boundaries?
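The exposed-service audit described in the key action above, as an added example (not code from the page, the Sanket tool, or the CyberPeace / Autobot honeypot project; the CSV layout, zone names and inventory rows are constructed for illustration):

```python
# Added example, not code from the page, the Sanket tool or the CyberPeace/Autobot
# project: flag industrial-protocol services outside plant zones. The CSV layout,
# zone names and inventory rows are constructed for illustration.
import csv
import io

# Well-known industrial protocol ports (TCP unless noted).
INDUSTRIAL_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    102: "S7comm (ISO-TSAP)",
    44818: "EtherNet/IP",
    4840: "OPC UA",
    47808: "BACnet (UDP)",
    2404: "IEC 60870-5-104",
}
PLANT_ZONES = {"plant-control", "plant-dmz"}   # where these protocols belong
PUBLIC_ZONES = {"internet-edge"}               # reachable from the internet

# Constructed inventory, e.g. an export from a scanner or asset tool.
SAMPLE_INVENTORY = """host,port,zone
10.10.1.5,502,plant-control
10.10.1.9,20000,plant-control
203.0.113.7,502,internet-edge
192.168.50.3,44818,corporate
192.168.50.4,443,corporate
198.51.100.2,4840,internet-edge
"""

def exposed_industrial_services(inventory_csv: str) -> list:
    """Return rows on industrial ports that sit outside the plant zones, worst first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        port = int(row["port"])
        if port not in INDUSTRIAL_PORTS or row["zone"] in PLANT_ZONES:
            continue
        findings.append({
            "host": row["host"],
            "protocol": INDUSTRIAL_PORTS[port],
            "zone": row["zone"],
            # Internet-reachable services are segmentation emergencies.
            "severity": "critical" if row["zone"] in PUBLIC_ZONES else "high",
        })
    return sorted(findings, key=lambda f: f["severity"])   # "critical" sorts first

if __name__ == "__main__":
    for f in exposed_industrial_services(SAMPLE_INVENTORY):
        print(f"{f['severity']:8} {f['host']:15} {f['protocol']} in zone {f['zone']}")
```

Anything on the critical list is a candidate for immediate segmentation; the high list is the corporate-network leakage that the plant SOC / corporate SOC seam tends to miss.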
News tracker
Public-source events feeding v0
Anthropic announces Project Glasswing and Claude Mythos Preview. Flag: frontier cyber-AI capability. Use: compress patch and compensating-control timelines.
Public reporting says unauthorized users accessed Mythos through a third-party environment. Flag: control-plane risk around powerful defensive/offensive cyber models.
Seqrite reports SideCopy lures using HPCL-themed cybersecurity-guideline documents. Flag: policy-document lure. Use: harden mailbox, file-share, and executive-document workflows.
Oil India Duliajan ransomware incident becomes the key public Indian oil-and-gas precedent. Flag: ransomware business-continuity stress. Use: rehearse recovery and executive communications.
CyberPeace / Autobot refinery-sector simulated sensors record roughly 3.6 lakh attack events. Flag: protocol pressure. Use: model common exposed-service and industrial-protocol attack paths.
Key dates and timelines
Oil and gas cyber pathways
Switch between dated pathways. The score is derived from the scenario context and the public signal spine, not from editable placeholder control variables.
v0.2
Public data only
Active timeline
Baseline watch
Known Indian oil-and-gas incidents, public lures, AI capability shifts, and refinery-sim telemetry create the standing watch picture.
Oil India ransomware becomes the core Indian sector precedent.
HPCL-themed cybersecurity-guideline lures show policy-document targeting.
Frontier cyber-AI capability shortens patch and compensating-control timelines.
Danger index: 74 (Elevated)
Process-control and pipeline-SCADA seams are the first places to look.
Likely pathway
Targeted phishing or credential reuse lands in the corporate estate.
VPN/session abuse reaches vendor or engineering support access.
Dual-homed workstation or OEM laptop bridges into plant context.
Detection gap appears between plant SOC and corporate SOC.
Action queue
What moves first
Issue OEM remote-access governance order. Jump-host brokering, session recording, time-bound credentials, and access inventory across CII-designated assets.
Convene MD-level classified threat brief. Move the threat picture from CISO desk to CMD agenda before budgets are frozen.
Run cross-PSU adversary-emulation tabletop. One refinery-and-pipeline scenario, all CMDs present, debrief chaired at ministry level.
Enterprise posture scan
Run the browser posture scan
Click once. 25 checks. No data leaves the device. Results include a plain-English verdict and role briefs for CMD, CISO, and IT admin.
Permission prompts can test this browser and this site. They still cannot inspect routers, EDR, internal DNS, VPN split tunneling, open ports, or OT assets. That requires a signed local collector with written authorization.
Live
Browser + edge
Run the browser check, capture the public edge, save local history, and export role briefs.
Next
Managed-browser policy
Turn scan findings into Chrome/Edge policy guidance for permissions, WebRTC, device APIs, and privacy controls.
Next
Evidence upload
Let IT paste or upload approved exports from EDR, DNS, MDM, firewall, or vulnerability tools for Sanket to normalize.
Later
Browser extension
Add optional deeper browser/tab/header checks through a Chrome or Edge extension, without a full native endpoint collector.
Seqrite SideCopy analysis. Use as phishing and oil-and-gas lure evidence: HPCL-themed cybersecurity-guideline decoys, MSI staging, CurlBack RAT, Spark RAT, and Xeno RAT.
Oil India ransomware incident record. Use as Indian oil-and-gas incident precedent: ransomware demand, G&R workstation, network outage, and central-agency response.
Anthropic Project Glasswing. Use as frontier-cyber-AI context: restricted Mythos Preview access for defensive vulnerability discovery and critical-software hardening.