Introduction to Cyber Security Management Systems and HSE OG86 Training Course

A 1-day Introduction to Cyber Security Management Systems and HSE OG86 training course for those responsible for the security of industrial automation, control and safety systems – known as “operational technology” (OT) to differentiate it from “information technology” (IT).

The course recognises that the optimum approach to Cyber Security in OT may be quite different to what might be considered good practice in an IT environment and would encourage both IT and OT Cyber Security professionals to attend.

Course Content

Part 1.

The presentation material will describe the constituent parts of the CSMS, how they are assembled and finish with important external interfaces:

• The origins of HSE guidance to inspectors for cyber security, OG86 Edition 2, and the direction of travel of HSE thinking – OG86 Edition 3 is anticipated
• OG86 quotes the UK NCSC’s CAF, US NIST Framework, international IEC-62443
• Why vendors generally talk about IEC-62443 but regulators speak a different language
• Threats, vulnerabilities and risk, including whether to consider likelihood
• Assembling the parts, establishing and operating the cyber security management system
• Important relationships including with IT, with safety, personnel and physical security.
• Addressing the challenges of supply chain security.

Part 2.

There will also be an opportunity for discussion with participants about the key artefacts that an HSE inspector will want to see for OT cyber security, including exploring the following using a simplified case study:

• Simple Network Diagram for OT, preferably using the Purdue / ISA-95 architecture model
• Assessment of criticality functions and adverse outcomes (including safety top events)
• CMDB / asset register for OT systems including specific fields about software configuration
• Policy document setting out governance, OT risk ownership
• Evidence of threat and vulnerability management for OT
• Evidence of activities to deliver staff awareness, skills, competencies
• Evidence of a gap analysis against the NCSC’s CAF and a resourced mitigation plan.
  

Who should attend

Engineers and professionals who are responsible for the management of OT cyber security within their workplace and those who are in a supporting role, including consultants and contractors.

We would also encourage company OT and IT delegates to attend this course together.

Pre-reading

Although not essential we would recommend that you obtain a copy of OG86 - Cyber Security for Industrial Automation and Control Systems (IACS) (PDF) that can be downloaded from the HSE website here https://www.hse.gov.uk/eci/cyber-security.htm

After this training course you will be able to

To describe in practical terms the activities, artefacts and relationships that make a cyber security management system, as expected by HSE according to its OG86 guidance and as described in the leading international standards.

What you will get

All delegates receive:

• The course material in printed or electronic format.
• A Certificate of Attendance for each delegate that attends the full course.

Course Options

• The course can be delivered on-line or at a venue across the UK, according to the balance of demand.
• The course is also available to be delivered at a client's premises in a closed session in which part 2 can explore specific circumstances of that client.
• For those wanting more detail than is offered on the one-day course, there is a 2-day cyber course here.

Course Enquiries

If you have any further questions, please contact us and if you wish to proceed, check your diary and reserve a place.

See other OT Cyber Security training courses