The LOTOS Group is one of the largest companies in the country. It is an oil conglomerate involved in the extraction and refining of crude oil, as well as the wholesale and retail sale of high-quality petroleum products. It is a producer and supplier of, among others, unleaded gasoline, diesel oil, heating oil (light heating oil), aviation fuel, and heavy fuel oil. The company also specializes in the production and sale of lubricants and asphalt.
In the mid-1970s, a highly modern refinery was established in Gdańsk, which was said to be the most advanced in the world and had the largest Oil Block in Europe. It was the first investment in the Polish People’s Republic based on Western technologies. Over time, the refinery lost its modernity, but the creative workforce and the “development gene” led to major investments and expansion from 1998 to 2020, making it one of the most modern refineries in the world again. During this time, production increased fourfold, and the company evolved from a regional refinery into a national fuel conglomerate, integrating southern refineries and expanding its extraction operations both in Poland and abroad.
Facts and figures
Full name: Grupa Lotos S.A.
WWW:
Industry: Energy and fuels
Employment: Over 2000
What did the client expect?
As an operator of a critical service in the area of liquid fuel production, the LOTOS Group expected and required that its processes and the provision of the critical service in certain IT and OT automation areas be adjusted in accordance with the requirements of the Act on the National Cybersecurity System. A particular challenge was the dispersed documentation of the elements required by the regulations of the National Cybersecurity System and by the ISO/IEC 27001 and ISO 22301 standards.
What did we do?
WE CONDUCTED A SECURITY AUDIT
We verified the LOTOS Group’s readiness to meet the requirements and obligations arising from the regulations of the Act on the National Cybersecurity System (KSC). We collected and examined the existing documentation, conducted interviews, and carried out assessments based on checklists. Through extensive consultations and analyses, we defined the boundaries of the cybersecurity management system for the critical service and determined which IT/OT systems, and to what extent, should be included in the development or optimization of internal procedures.
DEVELOPMENT OF A RISK MANAGEMENT MODEL
We developed a risk management model in the area of cybersecurity and ensured that its procedures were aligned with those already existing in the corporate risk management area. This approach made it possible to reuse and adapt the existing methodology for risk description and probability assessment, with changes to impact evaluation (the ISO aspects of integrity, confidentiality, and availability) and the identification of information assets.
CYBERSECURITY DOCUMENTATION
We addressed the biggest challenge, which was the dispersion of the documentation. We proposed a modified structure that accounted for the dispersion of its individual elements and introduced overarching documents that reference the already existing procedures. From the perspective of the documentation's end user, we kept the number of changes introduced to a minimum; the resulting structure allowed for a better understanding of the KSC regulation requirements and easier access to internal information.
KNOWLEDGE TRANSFER
We organized training for employees of the LOTOS Group who are involved in the operation and supervision of the critical service, including its security oversight. The scope of the training was tailored to the skill level of each participant. The training covered basic, intermediate, and advanced levels. The applied training techniques enabled the exchange of experiences and the learning of best practices in the field of cybersecurity.
What were the results?
The project involved adapting processes and providing the critical service in accordance with the requirements of the Act on the National Cybersecurity System.
As the operator of a critical service, the LOTOS Group received comprehensive support in implementing the National Cybersecurity System Act. We built the required organizational and technical capacity to ensure the proper level of security for the IT systems used to provide the critical service. We conducted a security audit, performed a risk analysis, and identified critical areas that could impact the availability of the critical service. Ultimately, we updated the documentation required by the KSC Act and trained key personnel. As a result, the LOTOS Group meets the requirements of the KSC Act.
What did the client gain?
Compliance with the requirements and obligations arising from the regulations of the Act on the National Cybersecurity System.
Increase in the level of information security.
Optimization of cybersecurity costs.
Introduction of best practices in risk management.
Updated security procedure documentation.
Increased level of risk and security oversight in accordance with the KSC Act.
Increased cybersecurity awareness at all management levels.
Improvement and optimization of processes and procedures in the field of information and IT security.
Strengthening corporate governance.