Organisations are connecting Operational Technology (ICS / IACS / SCADA, PLCs, DCS) to corporate networks for good business reasons, but this can expose legacy technologies to malicious attack from the internet.
Regulators are now taking a close interest in how those risks are being managed.
Cyber security standards for IT are unsuitable for OT environments; for example, they give insufficient treatment to safety aspects. Standards for OT are emerging, such as the international IEC-62443 family and, within the UK, the HSE’s OG-86 guidance to its inspectors, which is based on the NCSC’s Cyber Assessment Framework. Also, regulatory requirements for providers of critical services came into force in 2018 with the NIS Directive.
Method Cyber Security has been working with its clients and with those developing standards in this quickly changing and maturing topic. Method offers a range of tried and tested services that provide clients with sufficient knowledge and understanding to manage the cyber security of their OT systems, to meet regulatory and business needs.
Cyber Security Management Briefing
Cyber security of OT can appear daunting and confusing. Method Cyber Security can provide clients with focused, tailored and succinct senior-level workshop-based briefings to explore with busy senior executives the impact of cyber security threats and risks to their business. A key message from the emerging regulations and standards is that organisations are now expected to understand and manage the cyber security risks of their OT systems.
Cyber Security Audit
The Method Cyber Security Audit is an inspection of a client’s approach to IACS / OT security. Mainly based on the requirements of OG-86, it simulates the kind of inspection that an HSE Specialist Inspector would carry out and highlights key areas for improvement. The focus and depth of the audit are tailored according to the maturity of the client’s cyber security management system.
Cyber Security Risk Assessment
The Method Cyber Security Assessment is an in-depth assessment of the cyber security risks to a client’s OT. It supports the client in selecting the appropriate combination of technical and non-technical risk-reducing controls, for later implementation by the client within its cyber security management system.
Cyber Security Consultancy
Method Cyber Security Consultancy is always customised to the client’s needs. For example, some have asked for specific guidance and support to develop the cyber security policy documents that HSE will expect to see. Other clients have sought advice on producing a Simple Network Diagram that documents and explains their defensive architecture – another key artefact for an HSE inspection.
Cyber Security Training
Method also runs a Cyber Security Risk Management training course that aligns with the briefing, audit and assessment described above.