Sustainability

Digitalization and Information Security/ Cybersecurity

Support for the Sustainable Development Goals

Positive and Negative Impacts 

PTT recognizes that applying digital technology strategically across all of its operations strengthens business capability and competitiveness, and it also recognizes the potential negative impacts of cyber threats. Data breaches, ransomware and cyber extortion harm the organization directly and violate the rights of data subjects such as employees and customers. They can also damage the organization's image and reputation, compromise operational technology (OT) control systems and ultimately disrupt the business. Cybersecurity is therefore treated as a critical corporate risk that is tracked and evaluated continuously, with plans to reduce both the likelihood and the consequences of an incident. This involves investment in technology, process improvement and cyber-threat awareness among personnel, while the adoption of suitable digital technologies across the organization continues to be accelerated.

Management Approach

Driving Digital Transformation

Under PTT's digital vision of leading in digital innovation solutions and accelerating the adoption of appropriate digital technology, the emphasis is on integrating digital technology seamlessly into the organization's operations while developing people and technology together. PTT has set strategic directions for advancing its digital technology as a long-term plan covering 2024-2028. The operational plan sets out six primary objectives:

  1. Empowering every business process to foster sustainability.
  2. Cybersecurity goals aligned with the zero-trust paradigm.
  3. Utilizing data analytics and AI technology to bolster business decision-making.
  4. Overseeing digital operations with auditable processes and leveraging digitalization to drive business value.
  5. Facilitating the adoption of digital technology for emerging businesses.
  6. Harnessing digital technology to craft exceptional customer experiences.
These objectives can be delineated across three dimensions as follows:
  • People: PTT prioritizes workforce readiness across all levels. From executives capable of instigating and advocating policy changes to employees adept at leveraging cutting-edge technology in organizational workflows and service provisions, fostering an appropriate and effective digital culture within the organization is crucial. This commitment ensures PTT maintains its leadership in digital competitiveness while emphasizing the significance of cybersecurity awareness among employees and stakeholders. This cohesive approach enables the organization to drive efficiently towards its objectives.
  • Process: PTT has implemented a structured approach for developing a Digital Roadmap. This involves aggregating internal factors like the operational strategies of individual business units, their challenges and requirements, and the digital performance data accumulated over time. External factors such as technological and economic risks, global technology development trends, and relevant governmental policies or regulations are also taken into account. These inputs are then analyzed to define the vision, strategy, and objectives for digital operations. PTT has established a clear digital investment framework, criteria for evaluating investments, and methods for assessing the ROI of digital initiatives. Moreover, there are well-defined processes for project and digital technology management, along with comprehensive quality management systems in place.
  • Technology: PTT possesses critical digital technologies essential for supporting digital operations, including data analytics and AI. The emphasis is on broadening the utilization of AI across all business units and establishing an Enterprise Data Platform (EDP) as the organization's centralized database, managed and governed to ensure the accuracy, precision, and completeness of organizational data for both present and future use. Cloud Platform technology, in a Hybrid Cloud format, is tailored to meet diverse usage requirements, whether for maintaining privacy (Private Cloud) or expanding operations in the future (Public Cloud). Cybersecurity technology is applied to both Information Technology (IT) and Operational Technology (OT) systems to strengthen security measures across both.

Information Technology and Cyber Security

To mitigate the rapidly rising risk of cybercrime and data breaches, PTT, which is designated a Critical Information Infrastructure (CII) organization in the energy and public utility sector under the Cybersecurity Act, B.E. 2562 (A.D. 2019), oversees and manages its information security and cyber systems in accordance with the established cybersecurity best practices and standards that apply to government agencies and critical infrastructure organizations, as set out in the guidelines and standards for cyber resilience. These consist of:

  1. Operating in accordance with cybersecurity standards
    • Identifying risks (Identify)
    • Implementing measures to protect against those risks (Protect)
    • Establishing systems to detect and monitor cyber threats (Detect)
    • Having procedures in place to respond to cybersecurity incidents (Respond)
    • Having procedures to recover from cybersecurity incidents and remediate any damage incurred (Recover)
  2. Executing cybersecurity audit plans
  3. Assessing cybersecurity risks
  4. Developing cyber threat response plans

In line with the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST) of the United States, PTT has issued information security and cybersecurity management policies covering both Information Technology (IT) and Operational Technology (OT). These policies are designed to protect PTT's information systems against threats, to manage cybersecurity risk efficiently, and to ensure that operations comply with internationally recognized frameworks and standards. PTT has adopted the ISO/IEC 27001 Information Security Management System (ISMS) standard and the ISO/IEC 27701 Privacy Information Management System (PIMS) standard.

PTT has entrusted PTT Digital Solutions Co., Ltd. with the responsibility of providing and managing cybersecurity services for companies within the PTT Group. The Cyber Security Operation Center (CSOC) is tasked with round-the-clock monitoring and detection of abnormalities stemming from cyber attacks across the PTT Group, utilizing cutting-edge technology tools and staffed by globally certified personnel.

To enhance preparedness, PTT conducts tabletop cyber attack response drills (cyber drills) at least once a year. These are supported by documented incident response plans and by retainer agreements with external incident response specialists. PTT also works closely with the Thai Computer Emergency Response Team (ThaiCERT) and international communities to exchange up-to-date cyber threat intelligence.

Furthermore, PTT conducts regular training sessions to raise cybersecurity awareness and conducts phishing mail tests for employees and contractors every two months. Supplementary e-learning modules are also provided to individuals who do not pass the test, ensuring a comprehensive understanding of the repercussions of cyber attacks.

Digital and Cyber Security Governance

PTT has implemented robust oversight of its digital management, ensuring appropriate resource allocation and clearly defined digital responsibilities throughout the organization. The Board of Directors reviews the Company's vision, direction, strategy, policies and significant plans annually, including recurring risk issues, with the guidance of experts such as Mr. Chansin Treenuchagron, an independent director with relevant expertise. At the management level, the Chief New Business and Infrastructure Officer (CNBO), whose role is equivalent to that of a Chief Information Security Officer (CISO) / Chief Security Officer (CSO), chairs the PTT Group Digital Steering Committee, which sets the direction, policies, strategies and digital objectives for the PTT Group and oversees and coordinates digital collaboration among subsidiaries for alignment, efficiency and effectiveness. The committee also drives the establishment of policies, standards, management frameworks and digital management systems across the PTT Group, covering project development management, data governance, digital governance and information security management. It provides timely and effective consultation and recommendations to the units under its purview, conducts regular assessments, monitors progress and evaluates the outcomes of digital initiatives, functioning in effect as a "Digital and Information Security Governance Committee". It meets at least twice a year, or as needed, to deliberate on pertinent matters. At the operational level, the Digital Strategy Department formulates strategies that align with PTT's digital direction, policies, strategies and objectives.

PTT has implemented robust processes to oversee and manage digital aspects of the organization, ensuring efficiency and transparency across operations. This includes strict adherence to laws, regulations, and guidelines pertaining to digital technology development. The Company has introduced digital policies, information security management policies, and cybersecurity policies, all endorsed by the Chief Executive Officer and President. These policies empower the organization to leverage digital technology for heightened operational efficiency, value addition in business endeavors, and the cultivation of agility, transparency, and security, all aligned with principles of good governance. The aim is to cultivate a highly adept organization, fostering collaboration within the PTT Group's business operations and supporting the sustainable growth of energy and petrochemical ventures. This strategy opens doors to novel business opportunities through technological innovation, enhancing competitiveness, elevating operational standards, and keeping pace with swiftly evolving global trends. Additionally, standardized digital protocols have been established to guide PTT employees at all levels, ensuring uniformity and maximizing operational efficiency across various domains such as information technology equipment, standard software, information system operations, infrastructure security, training, and service level agreements. This comprehensive approach is complemented by proactive management of cybersecurity risks, which are treated as integral operational risks within the organization. Measures/controls, mitigation plans, and key risk indicators (KRIs) are diligently monitored and reported to the Strategic Planning and Risk Management Committee, the Risk Management Committee, and the PTT Board of Directors in line with established protocols. 

Key Plans/Initiative

Digital Citizen

The Digital Citizen initiative is designed to elevate essential knowledge and skills required for effectively leveraging digital technology in alignment with departmental objectives. It aims to cultivate competencies among employees across all levels, fostering a digital-oriented culture within PTT (Digital Citizen). The project encompasses various activities tailored to this goal, including courses covering foundational digital knowledge like cybersecurity awareness, basic proficiency with collaboration tools, and advanced skills such as data analysis, automation, and predictive modeling. These activities are structured to suit the specific needs of employees, with post-training assessments ensuring a minimum 80% accuracy to gauge learning success. Moreover, employee development and learning histories are compiled to ensure the efficient utilization of digital capabilities. Additionally, the initiative endeavors to instill a culture of cybersecurity awareness among employees and stakeholders, promoting understanding and recognition of its significance through activities such as phishing mail tests and communication campaigns.

Project to examine the feasibility of implementing Generative AI technology at PTT

As part of its initiative to enhance the Enterprise Data Platform for establishing a standardized central data repository, PTT has delved further into Generative AI in 2023. This involved conducting additional studies and creating a proof of concept to explore various AI applications, including data summarization, speech-to-text conversion, and leveraging AI with the organizational knowledge base, among others.

Enhancing data security measures for improved efficiency and safety

Multi-Factor Authentication (MFA)

PTT has adopted multi-factor authentication as its standard for verifying identity before access is granted to devices or applications, with the aim of preventing unauthorized data access by outside parties. After the password is entered, a second verification step is required using a predefined method, such as entering a one-time password (OTP) or approving or denying a sign-in prompt in an authenticator application on the user's own smartphone. This confirms that the person requesting access is the legitimately authorized user and helps guard against data breaches, financial loss from cyber theft, data recovery costs, reputational damage and loss of trust in the organization. PTT has enforced this two-step authentication (MFA) for access to email and internal systems, and has expanded its scope to cover internal staff as well as partners and customers who access internet-facing systems directly.
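As an added illustration (not PTT's code), the following Python implements the OTP step described above on the server side: it generates RFC 6238 time-based one-time passwords and checks a submitted code with the safeguards a practitioner would want, namely a constant-time comparison, a one-step clock drift window, and rejection of a code that has already been accepted. The secret used is the published RFC 6238 test key so the output can be checked against the RFC's vectors; in a real deployment it is a per-user secret issued at enrollment and stored protected. The class and function names, the `window` parameter and the demo timestamps are assumptions of this example.

```python
"""Server-side TOTP (RFC 6238) check for the second authentication step.

Added illustration, not PTT's code. Assumes the common authenticator-app
profile: HMAC-SHA1, 30-second time step, 6 or 8 digits. The key below is the
RFC 6238 Appendix B test key, used only so results match the published vectors.
"""
import hashlib
import hmac
import struct
import time
from typing import List, Optional, Tuple


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at: float, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, int(at) // step, digits, algo)


class TotpVerifier:
    """Per-user state needed to check a submitted code safely.

    - compares with hmac.compare_digest so a partial match leaks no timing
    - accepts +/- `window` time steps of drift between phone and server
    - remembers the highest counter already accepted, so a code captured and
      replayed inside the same time step is rejected
    """

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1  # persist this per user in a real deployment

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        if len(code) != self.digits or not code.isdigit():
            return False
        current = int(now) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # this time step was already used: replay or reuse
            if hmac.compare_digest(hotp(self.key, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


RFC6238_KEY = b"12345678901234567890"  # published test key, never a real secret


def demo() -> List[Tuple[str, bool]]:
    """Walk through drift tolerance and replay rejection at a fixed timestamp (assumed values)."""
    v = TotpVerifier(RFC6238_KEY, digits=8)
    t = 1111111111  # RFC 6238 vector time; the code for this step is 14050471
    return [
        ("previous-step code within drift window", v.verify("07081804", now=t)),
        ("current-step code", v.verify("14050471", now=t)),
        ("same code replayed", v.verify("14050471", now=t)),
        ("wrong code", v.verify("00000000", now=t)),
    ]


if __name__ == "__main__":
    print("TOTP at T=59:", totp(RFC6238_KEY, 59, digits=8))  # RFC vector: 94287082
    for label, ok in demo():
        print(f"{label}: {'accepted' if ok else 'rejected'}")
```

Widening `window` beyond one step makes stolen codes usable for longer, so clock drift should be fixed on the client rather than tolerated on the server. A numeric OTP typed into a web form can also be relayed by a real-time phishing proxy, which is why the phishing tests described below remain relevant even with MFA enforced.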

Phishing Test Campaign

The initiative involves conducting exercises to enhance employee awareness regarding cybersecurity threats, specifically through simulated phishing emails designed to coax users into opening files or divulging user/password information. Such actions significantly heighten organizational vulnerabilities. Presently, PTT conducts these assessments every two months, followed by debriefing sessions to inform and educate employees about cyber threats, thereby reducing the likelihood of them becoming easy targets. If an email is suspected of being a phishing attempt, employees can promptly report it to the PTT Digital Contact Center through various channels such as phone, email, Line Official Account (OA), or by utilizing the automatic reporting feature within the organization's email application.

Identifying and addressing cyber vulnerabilities within the organization

At present, PTT has implemented a policy supporting remote working or work from home arrangements. Accessing the organization's systems now requires going through external networks, which poses an increased risk of encountering cyber attacks evolving on a daily basis. To mitigate this risk, PTT employs Attack Surface Management (ASM) technology, incorporating artificial intelligence (AI) for data analysis to identify vulnerabilities exposed to the internet. This approach covers emerging attack methods and threats, enabling PTT to manage risks effectively. Furthermore, vulnerability scanning and penetration testing are conducted as part of these security measures.

Business continuity management plan drill

PTT conducts regular business continuity management drills at the organizational level every year. In 2023, specific scenarios were formulated, particularly focusing on cyber threats. The aim is to instill confidence among stakeholders regarding PTT's readiness in the event of a cyber attack and its potential impact on vital processes or systems. These exercises encompass preventive measures, continuous operational management, and strategies for restoring normalcy.

Future Implementations

There will be a digital knowledge and skills development project aiming to enhance employees' digital proficiency through tailored courses. It commences with the objective of cultivating digital citizens among all staff members, equipped with the knowledge and capabilities to effectively apply technology within PTT. The project comprises three distinct tracks:
  • Core Track – focused on instilling knowledge and comprehension in utilizing a broader array of digital tools to revolutionize work methodologies and foster technology integration within PTT.
  • Innovator Track – geared towards nurturing expertise in digital application within the innovation process, thereby spearheading the creation of novel businesses in the foreseeable future.
  • Expert Track – targeted at deepening understanding, refining skills, and mastering digital tools to proficiently tackle challenges and adapt to swift technological transformations.

The AI Adoption Initiative involves establishing governance structures, developing policies, implementing best practices, and facilitating user education within the organization to ensure the proper and effective utilization of AI by PTT. It seeks to cultivate a secure Core AI platform that meets the needs of business units, prepare for AI tool deployment, and conduct knowledge and skills enhancement programs for employees.

The POWER (Powering Digital Organization with ERP) project is focused on aligning processes with the deployment of Enterprise Resource Planning (ERP) systems and modern digital solutions to support and drive business operations, with the goal of fostering operational excellence.

The Cybersecurity Efficiency Enhancement Project aims to improve preparedness and response to cyber threats, including building the cyber resilience needed to restore operations quickly. It has three key aspects. The first is continuous promotion of cybersecurity awareness at all levels, from tabletop exercises for executives to ongoing training for employees starting from their first day at PTT. The second is refinement of cybersecurity governance processes, such as developing comprehensive protection plans covering both IT and OT, managing vulnerabilities and conducting cybersecurity readiness assessments. The third is the integration of modern technologies to improve effectiveness, including cyber attack scenario simulations, bringing the security of personal computers up to the level of corporate devices, and aligning internet-facing applications with PTT's cybersecurity policies.

There will also be a project to enhance and optimize digital applications. This encompasses aligning cost reduction strategies with real-world usage patterns, establishing robust data linkages to improve life cycle management, conducting assessments and formulating a Green IT Roadmap to help the organization meet its future greenhouse gas emission reduction targets, and standardizing and certifying PTT's digital governance processes against international standards.


Awards and Certifications
  • ISO/IEC 27001:2022 Certificate (13th consecutive year)
  • ISO/IEC 27701:2019 Certificate
  • ISO/IEC 38500:2015 Certificate
  • Prime Minister Awards: Thailand Cybersecurity Excellence Award 2022

Key reviews of the past year

IT Governance Implementation

The IT Governance Implementation project aligns PTT's information technology governance with the ISO/IEC 38500:2015 standard. It involves a comprehensive review and analysis of PTT's current IT governance and management landscape, followed by the design of a tailored governance framework covering critical aspects such as accountability, strategy, resource management, criteria, regulations and employee practices. The project also includes the formulation and adoption of an IT Governance Policy built around the standard's three governance tasks: assessing the current and future use of technology (Evaluate), setting strategic direction so that IT supports business objectives (Direct), and monitoring performance against plans and conformance with regulations in the IT domain (Monitor). PTT has received certification from external auditors within the specified scope.

Information Security Controls Implementation

The review of information security management for compliance with the ISO/IEC 27001:2022 standard has been carried out diligently. This covers the incorporation of key security controls, such as protection against physical and environmental threats to the organization, controls for managing and safeguarding information security in cloud services, and ICT readiness for business continuity, including assessment and testing of information and communication systems so that business continuity and information and communication continuity requirements are met. Controls for detecting and preventing unauthorized physical access have also been implemented. An assessment and analysis of the current state of information security management, including a thorough review of policy documents, guidelines, manuals, processes and all associated forms, has been conducted. PTT has obtained certification from external auditors within the specified scope.

Enterprise Architecture Implementation

Analysis and development of organizational architecture in Information Technology (IT) are undertaken with a primary focus on integrating digital technology across all facets of the organization. This encompasses refining processes, fostering product innovation, enhancing marketing strategies, shaping organizational culture, and aligning future growth objectives consistently and according to standardized principles. To ensure coherence, a dedicated working group on organizational architecture has been established to oversee project management processes and digital technology operations, adhering closely to established principles and standards.

Powering Digital Organization with ERP Project (POWER) in the Assessment & Preparation Phase

As the current Enterprise Resource Planning (ERP) system utilized by PTT is SAP ECC 6.0, which is approaching the end of its product support lifecycle, PTT has initiated a project to evaluate various factors, develop plans, and prepare for the implementation of SAP S/4HANA. This new system has been developed to address various limitations and comes equipped with advanced intelligent technologies such as AI and Machine Learning, alongside support for Big Data and Business Network. This enables swift processing of massive amounts of data and rapid access to information. In 2023, the assessment phase was completed, and the project has now transitioned into the implementation phase with the goal of completion by 2025.