Method Functional Safety

Define IACS Scope

To defend a system you first need to understand its components and interactions. The scope of the control system(s) needs to be comprehensively defined and recorded to enable accurate risk assessment and ongoing management of cyber security.

It is recommended that the control system is recorded as a simple network diagram and associated asset management data (an IACS (Industrial Automation and Control Systems) asset register). As cyber security risk management is an ongoing iterative process, updating the simple network diagram and IACS asset register is a continuous process which should form part of the organisation’s Change Management process.

The boundary of an IACS / OT (Operational Technology) system must include all physical and logical (i.e. network interfaces, trust relationships and data flows) digital technology assets involved in process control and safety actions and should be physically and logically segregated from non-IACS networks e.g. Corporate Local Area Network (LAN) or internet-facing networks.

The IACS scope can be recorded using a system-by-system (bottom up) or system-of-systems (top down) analysis approach. For organisations beginning their cyber security journey, the bottom up approach, starting with critical process control and safety systems, would be recommended.

Identification of Assets

The following (suggested but not exhaustive) list of assets to be included in the IACS scope is an excerpt from OG86 (Edition 2):

  • Basic Process Control Systems (BPCS). Including (but not limited to) Distributed Control Systems (DCS), Programmable Logic Controllers (PLC), Supervisory Control and Data Acquisition (SCADA) system, Human-Machine interfaces (HMI) / operator interfaces, remote assets.
  • Safety Instrumented Systems (SIS) within the scope of IEC 61511 and other safety critical protection / mitigation systems.
  • Electrical Control Systems (ECS) including electrical control or data acquisition systems, HMIs / operator interfaces, programmable switchgear, drives, protection systems, etc.
  • Process plant / electrical system sensors, actuators or other similar devices.
  • Assets that support the BPCS, SIS and ECS, including data historians, domain controllers, engineering workstations, application stations and network infrastructure assets such as switches, routers, firewalls etc.
  • Note that where assets (e.g. operator interfaces) are implemented in virtual machine environments, both the server and the client assets should be included.
  • All network connections within the IACS (both permanent and temporary) between all IACS assets and the other systems, including identification of the protocols that are used.
  • All network connections (both permanent and temporary) to systems outside the IACS boundary.
  • Supporting services necessary for the above systems, e.g. fire and gas detection, power, HVAC, and VoIP communications etc.
  • Associated software services such as business systems, databases, cloud services etc.
  • Standalone or Air-Gapped. (The term air-gapped is often used for systems that have no physical network connections to other systems. For example, an IACS would be considered air-gapped from another network if there were no network connections between the IACS and any other device that was connected to that other network. This does not however eliminate the risk, as for example, malware can still be imported via USB drives and maintenance laptops, and therefore countermeasures need to be applied. Therefore, the IACS scope should include any air-gapped systems so that these countermeasures can be selected and managed.)

Diagram 2. Example of a Simple Network Diagram for a medium-sized organisation (from HSE OG86)
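The asset register and connection list described above can be checked mechanically for scoping gaps. The following is an added example, not taken from OG86 or from Method: the record fields, zone names, finding labels and sample entries are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    kind: str   # e.g. "PLC", "HMI", "historian"
    zone: str   # "IACS", or the name of a network outside the boundary

@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    protocol: str            # empty string means not yet identified
    temporary: bool = False  # temporary links must be recorded too

def review_scope(assets, connections):
    """Return sorted (finding, subject) pairs for gaps in the recorded scope."""
    by_name = {a.name: a for a in assets}
    findings, connected = set(), set()
    for c in connections:
        link = f"{c.src}->{c.dst}"
        connected.update((c.src, c.dst))
        for end in (c.src, c.dst):
            if end not in by_name:          # on the diagram, not in the register
                findings.add(("unregistered-asset", end))
        if not c.protocol:                  # protocols must be identified per link
            findings.add(("protocol-not-recorded", link))
        zones = {by_name[e].zone for e in (c.src, c.dst) if e in by_name}
        if "IACS" in zones and len(zones) > 1:   # link leaves the IACS boundary
            kind = "temporary" if c.temporary else "permanent"
            findings.add((f"boundary-link-{kind}", link))
    for a in assets:
        # Standalone / air-gapped assets stay in scope: USB drives and
        # maintenance laptops can still carry malware to them.
        if a.zone == "IACS" and a.name not in connected:
            findings.add(("standalone-review-removable-media", a.name))
    return sorted(findings)

# Constructed sample register and connection list.
ASSETS = [Asset("PLC-1", "PLC", "IACS"), Asset("HMI-1", "HMI", "IACS"),
          Asset("HIST-1", "historian", "IACS"), Asset("SIS-1", "SIS", "IACS"),
          Asset("CORP-DB", "business database", "Corporate LAN")]
CONNECTIONS = [Connection("HMI-1", "PLC-1", "Modbus/TCP"),
               Connection("HIST-1", "CORP-DB", "HTTPS"),
               Connection("ENG-LAPTOP", "PLC-1", "", temporary=True)]

if __name__ == "__main__":
    for finding, subject in review_scope(ASSETS, CONNECTIONS):
        print(f"{finding:36} {subject}")
```

Each finding is a prompt to update the register or diagram through change management, not a risk rating in itself.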


Registered In England 08453480. VAT No. GB 96 3453 69. Site © Copyright Method Cyber Security Ltd 2024