The Health and Safety Executive’s guidance for industrial network security.
OG86 is Operational Guidance issued by the UK Health & Safety Executive (the UK government agency tasked with regulating and enforcing health and safety in the workplace) to mitigate the risk of cyber-attacks that could result in health and safety incidents, major accidents and/or the loss of essential services.
What it is
OG86 is designed to provide guidance to duty holders within organisations, and to HSE inspectors including EC&I (Electrical, Control & Instrumentation), CEMHD (Chemical, Explosives and Microbiological Hazards Division), EC & CS (Electrical Control and Cyber Security) and ED (Energy Division), on the implementation of robust industrial networks, systems and data security along with functional safety.
It is considered the HSE benchmark standard for cyber security within the remit of the COMAH (Control of Major Accident Hazards) Competent Authority. It therefore applies to any industry or duty holder that stores or handles hazardous industrial chemicals in quantities large enough to require notifying the CA.
OG86 uses the term IACS to define what is more commonly known as ICS (Industrial Control Systems) or OT (Operational Technology). Additionally, given the HSE’s remit to monitor health and safety, IACS includes Safety Instrumented Systems within this definition.
OG86 is expected to be applied in full to any basic IACS (Industrial Automation and Control Systems) installation commissioned since the release of the standard. However, it is accepted that for installations pre-dating the standard, earlier revisions may be more practicable.
The HSE recognises that OG86 is not an exhaustive document; it should be used in conjunction with other relevant standards, because the threat landscape evolves continuously and the relevant international and industry standards are still being established. OG86 does, however, make use of the NCSC's CAF framework to provide a foundation, and the guidance is expected to evolve as established standards gain recognition (e.g. IEC 62443).
OG86 makes use of the CAF profile to help guide inspectors and organisations – namely the 4 main objectives outlined below and the subsections contained in each:
- Managing security risk
- Protecting against cyber attack
- Detecting cyber security events
- Minimising the impact of cyber security incidents
The main differentiator between CAF and OG86 is that OG86 makes specific reference to IACS and to impacts on health and safety, whereas the CAF is a more general set of guidelines encompassing IT and OT. OG86 also puts a greater emphasis on IACS drawings, along with the need for network diagrams and the use of the Purdue model. The Purdue model is an enterprise architecture that consists of multiple layers for the various devices relating to ICS. It separates devices into levels ranging from traditional IT infrastructure (level 4) down to actuators and motors (level 0), with a DMZ (demilitarized zone) separating the IT and OT devices.
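To make the Purdue segmentation point concrete, here is an added example (not taken from OG86, the HSE or Sapphire's tooling) that checks a constructed network diagram for links that bypass the IT/OT DMZ or skip a level; it assumes the DMZ is recorded as level 3.5, a common convention that OG86 itself does not define.

```python
# Added example: checks an IACS network diagram against Purdue-model segmentation.
# Assumptions: levels are integers 0-4 as on the page, and the IT/OT DMZ is
# recorded as level 3.5 (a common convention, not something OG86 defines).

DMZ_LEVEL = 3.5


def describe(name, level):
    return f"{name} (L{level})"


def segmentation_findings(assets, links):
    """assets: {asset_name: purdue_level}; links: list of (a, b) connections.

    Returns human-readable findings for links that
      1. connect enterprise IT (level 4) to OT (level 3 or below) without
         passing through the DMZ, or
      2. skip an intermediate Purdue level (e.g. a level-3 historian wired
         straight to a level-1 controller).
    An empty list means every link respects the layered model."""
    findings = []
    for a, b in links:
        la, lb = assets[a], assets[b]
        hi, lo = max(la, lb), min(la, lb)
        if hi >= 4 and lo <= 3:
            findings.append(
                f"IT/OT link bypasses the DMZ: {describe(a, la)} <-> {describe(b, lb)}")
        elif DMZ_LEVEL not in (la, lb) and hi - lo > 1:
            findings.append(
                f"link skips a Purdue level: {describe(a, la)} <-> {describe(b, lb)}")
    return findings


# Constructed sample diagram: one compliant path from the ERP server down to a
# valve, plus two deliberate violations for the checker to find.
SAMPLE_ASSETS = {
    "erp-server": 4, "eng-laptop": 4, "dmz-historian": DMZ_LEVEL,
    "site-historian": 3, "scada-hmi": 2, "plc-1": 1, "valve-actuator": 0,
}
SAMPLE_LINKS = [
    ("erp-server", "dmz-historian"), ("dmz-historian", "site-historian"),
    ("site-historian", "scada-hmi"), ("scada-hmi", "plc-1"),
    ("plc-1", "valve-actuator"),
    ("eng-laptop", "plc-1"),      # corporate-LAN laptop patched straight into a PLC
    ("site-historian", "plc-1"),  # historian polling the PLC directly, skipping level 2
]

if __name__ == "__main__":
    for finding in segmentation_findings(SAMPLE_ASSETS, SAMPLE_LINKS) or ["no findings"]:
        print(finding)
```

The first five links form a compliant chain and produce no findings; the last two are reported as a DMZ bypass and a skipped level respectively.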
At Sapphire, we leverage our extensive experience and expertise to align every area of your operations with compliance standards including OG86. We’ll show you where you are now, where you need to get to, and work alongside your internal teams to develop an actionable roadmap to full compliance. Our Awen software solutions can help you reach compliance with OG86, including Profile™ for collaboratively tracking and reporting on your compliance, and Dot™, for OT asset discovery and vulnerability management. Our OG86 consultancy can also be bundled with our OT Cyber Review service, giving you 360° visibility of your IACS environment.