The Health and Safety Executive (HSE) OG86 “Cyber Security for Industrial Automation and Control Systems (IACS)” guidance to inspectors (currently at Edition 2) outlines the minimum expected cyber hygiene standards and technical countermeasures for “Major Accident” workplaces (e.g. sites required to comply with COMAH regulations) and “Operators of Essential Services” (e.g. those with legal duties under the Network and Information Systems (NIS) Regulations).
The OG86 guidance represents the HSE’s interpretation of current and developing international standards relating to industrial network, systems and data security, and functional safety, as they relate to major accident hazard sites and essential services operators. However, as it maps closely to the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF), it can be taken as “industry best practice” guidance for any UK-based organisation with a requirement to manage its cyber security risk, whether that is driven by health and safety, environmental, financial or business continuity concerns.
The lifecycle diagram presented here outlines the OG86 process for management of cyber security on industrial automation and control systems (IACS), commonly referred to as Operational Technology (OT).
The first step is to recognise the need for an organisation to manage cyber security risk to IACS / OT / cyber physical control systems. Any system reliant on digital technology can be vulnerable to attack, including those systems which are not programmable by the end user or are deemed to be physically separate or “air gapped” from networks.