Written by Ian Thomas
Over the last few years industrial sectors have suffered more cyber incidents than any other, driving up cyber insurance costs and increasing Government concern about the resilience of our critical national infrastructure and the potential for significant impact on health and safety. As a result, the UK Health & Safety Executive (the UK government agency tasked with regulating and enforcing health and safety in the workplace) has issued OG86, Operational Guidance to mitigate the risk of cyber-attacks that could result in health and safety incidents, major accidents and/or the loss of essential services.
OG86 is designed to provide guidance to duty holders within organisations and to HSE inspectors, including EC&I (Electrical, Control & Instrumentation), CEMHD (Chemical, Explosives and Microbiological Hazards Division), EC & CS (Electrical Control and Cyber Security) and ED (Energy Division), on implementing robust industrial network, system and data security alongside functional safety.
It is considered the HSE benchmark standard for cyber security within the remit of the COMAH (Control of Major Accident Hazards) Competent Authority. It therefore applies to any industry or duty holder that stores or handles large quantities of hazardous industrial chemicals in amounts that require notification to the Competent Authority (CA).
OG86 uses the term IACS (Industrial Automation and Control Systems) for what is more commonly known as ICS (Industrial Control Systems) or OT (Operational Technology). Additionally, given the HSE’s remit to monitor health and safety, the definition of IACS also includes Safety Instrumented Systems (SIS).
OG86 is expected to be applied in full to any basic IACS installation carried out since the guidance was released. However, it is accepted that earlier revisions may be more practicable for installations that pre-date it.
The HSE recognises that OG86 is not an exhaustive document – it should be used alongside other relevant standards. This is because the threat landscape evolves continuously and the relevant international and industry standards are still being established. OG86 does, however, use the NCSC’s CAF framework as its foundation, and the guidance is expected to evolve as established standards gain recognition (e.g., IEC 62443). We wrote about what the CAF is and why it’s important in a recent blog post.
OG86 makes use of the CAF profile to help guide inspectors and organisations – namely, the 4 main objectives outlined below and the subsections contained in each:
- Managing security risk
- Protecting against cyber attack
- Detecting cyber security events
- Minimising the impact of cyber security incidents
The main differentiator between the CAF and OG86 is that OG86 refers specifically to IACS and to impacts on health and safety, whereas the CAF is a more general set of guidelines encompassing both IT and OT. OG86 also places greater emphasis on IACS drawings, including the need for network diagrams and the use of the Purdue model. The Purdue model is a reference architecture that arranges ICS devices into layers: from traditional IT infrastructure (level 4) down to actuators and motors (level 0), with a DMZ (demilitarised zone) between the IT and OT levels so that the two are kept separate.
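As an added illustration (not part of the original post, and not Sapphire or Awen code), the Python check below takes a constructed asset inventory tagged with Purdue levels and flags the network flows that the model's zoning would not allow; the DMZ's level number (3.5) and the adjacent-level rule are assumptions, not something OG86 or the post states.

```python
from dataclasses import dataclass

DMZ_LEVEL = 3.5  # assumed numbering for the IT/OT DMZ; the post gives it no number


@dataclass(frozen=True)
class Asset:
    name: str
    level: float  # Purdue level: 0 = actuators/motors ... 4 = enterprise IT; 3.5 = DMZ


def is_it(asset: Asset) -> bool:
    return asset.level >= 4


def is_ot(asset: Asset) -> bool:
    return asset.level <= 3


def check_flows(assets: list[Asset], flows: list[tuple[str, str]]) -> list[str]:
    """Return one finding per flow that breaks the (assumed) zoning rules:
    1. IT (level 4) and OT (levels 0-3) assets never talk directly; that
       traffic must terminate in the DMZ and be re-originated from there.
    2. Other flows stay within a level or cross to an adjacent one; a flow
       spanning more than one level is flagged for review on the diagram.
    """
    by_name = {a.name: a for a in assets}
    findings = []
    for src, dst in flows:
        a, b = by_name[src], by_name[dst]
        label = f"{src} (L{a.level:g}) -> {dst} (L{b.level:g})"
        if (is_it(a) and is_ot(b)) or (is_ot(a) and is_it(b)):
            findings.append(f"{label}: IT/OT traffic must terminate in the DMZ")
        elif abs(a.level - b.level) > 1:
            findings.append(f"{label}: flow spans more than one Purdue level")
    return findings


# Constructed sample inventory and flows (not from the post or any real site).
ASSETS = [
    Asset("erp", 4), Asset("historian_dmz", DMZ_LEVEL), Asset("scada", 3),
    Asset("hmi", 2), Asset("plc", 1), Asset("valve", 0),
]
FLOWS = [
    ("erp", "historian_dmz"),    # IT -> DMZ: permitted
    ("historian_dmz", "scada"),  # DMZ -> OT: permitted
    ("scada", "hmi"), ("hmi", "plc"), ("plc", "valve"),  # adjacent levels: permitted
    ("erp", "plc"),              # IT straight to a controller: bypasses the DMZ
    ("scada", "plc"),            # skips level 2: flagged for review
]
```

Running `check_flows(ASSETS, FLOWS)` returns two findings, one for each of the last two flows, which is the kind of gap an inspector would expect a network diagram review to surface.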
At Sapphire, we leverage our extensive experience and expertise to align every area of your operations with compliance standards, including OG86. We’ll show you where you are now and where you need to get to, and work alongside your internal teams to develop an actionable roadmap to full compliance. Our Awen software solutions can help you reach compliance with OG86, including Profile™ for collaboratively tracking and reporting on your compliance and Dot™ for OT asset discovery and vulnerability management. Our OG86 consultancy can also be bundled with our OT Cyber Review service, giving you 360° visibility of your IACS environment and a pathway to better cyber resilience.
To find out more about how Sapphire can help with your OG86 compliance, contact us today.