The Health and Safety Executive’s guidance for industrial network security.

OG86 is Operational Guidance issued by the UK Health & Safety Executive (the UK government agency tasked with regulating and enforcing health and safety in the workplace) to mitigate the risk of cyber attacks that could result in health and safety incidents, major accidents and/or the loss of essential services.

What it is

Operational Guidance.

OG86 is designed to provide guidance to duty holders within organisations and HSE inspectors, including EC&I (Electrical, Control & Instrumentation), CEMHD (Chemical Explosives and Microbiological Hazards Division), EC & CS (Electrical Control and Cyber Security), and ED (Energy Division), on implementing robust industrial networks, systems, and data security along with functional safety.

It is considered the HSE benchmark standard for cyber security within the remit of the COMAH (Control of Major Accident Hazards) Competent Authority. It therefore applies to any industry or duty holder that stores or handles large quantities of hazardous industrial chemicals in amounts that require notifying the CA.

OG86 uses the term IACS to refer to what is more commonly known as ICS (Industrial Control Systems) or OT (Operational Technology). Additionally, given the HSE’s remit to monitor health and safety, IACS also includes Safety Instrumented Systems within this definition.

OG86 is expected to be applied in full to any basic IACS (Industrial Automation and Control Systems) installation commissioned since the release of the standard. However, it is accepted that earlier revisions may be more practicable for installations that pre-date the standard.

The HSE recognises that OG86 is not an exhaustive document and that it should be used alongside other relevant standards, because the threat landscape evolves continuously and relevant international and industry standards are still being established. OG86 uses the NCSC’s CAF framework as its foundation, and the guidance is expected to evolve as established standards gain recognition (e.g., IEC 62443).

OG86 makes use of the CAF profile to help guide inspectors and organisations – namely, the 4 main objectives outlined below and the subsections contained in each:

  • Managing cyber security risk
  • Protecting against cyber attack
  • Detecting cyber security events
  • Minimising the impact of cyber security incidents

The main difference between CAF and OG86 is that OG86 makes specific references to IACS and its impacts on health and safety, whereas the CAF is a more general set of guidelines encompassing IT and OT. OG86 also puts a greater emphasis on IACS drawings, along with the need for network diagrams and the use of the Purdue model. The Purdue model is an enterprise architecture that consists of multiple layers for the various devices found in an ICS. It separates devices into levels ranging from traditional IT infrastructure (level 4) down to actuators and motors (level 0), with a DMZ (demilitarised zone) between the IT and OT levels to keep the two apart.
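As an added illustration of the segmentation the Purdue model and OG86’s network-diagram emphasis aim at (example code written for this page, not part of the HSE guidance or of Sapphire’s tooling), the following Python script checks a constructed list of network-diagram flows against the rule that level 4 IT may only reach OT levels through the DMZ. Modelling the DMZ as "level 3.5", the extra review rule for direct access to levels 0 and 1, and all asset names are assumptions.

```python
from dataclasses import dataclass

# Purdue levels follow the article (4 = enterprise IT ... 0 = field devices).
# The IT/OT DMZ is modelled as "level 3.5", a common convention assumed here.
DMZ = 3.5

@dataclass(frozen=True)
class Flow:
    """One connection from a network diagram (all names constructed)."""
    src: str
    src_level: float
    dst: str
    dst_level: float
    service: str

def check_flow(flow: Flow) -> list[str]:
    """Return findings for a single flow; an empty list means no concern."""
    lo, hi = sorted((flow.src_level, flow.dst_level))
    findings = []
    # Rule 1 (the article's point): level 4 reaches OT only through the DMZ.
    if hi == 4 and lo <= 3:
        findings.append("IT/OT boundary crossed without traversing the DMZ")
    # Rule 2 (assumed review rule): nothing above level 2 should talk
    # directly to controllers or field devices; flag it for review.
    if lo <= 1 and hi > 2:
        findings.append(f"direct access to level {lo:g} from level {hi:g}, review")
    return findings

def audit(flows: list[Flow]) -> dict[str, list[str]]:
    """Map 'src -> dst (service)' to its findings, omitting clean flows."""
    report = {}
    for f in flows:
        if findings := check_flow(f):
            report[f"{f.src} -> {f.dst} ({f.service})"] = findings
    return report

# Constructed sample diagram: two sanctioned DMZ hops, two normal OT hops,
# one laptop bypassing the DMZ and one site server reaching a PLC directly.
SAMPLE_FLOWS = [
    Flow("erp-server", 4, "historian-dmz", DMZ, "https"),
    Flow("historian-dmz", DMZ, "historian", 3, "sql"),
    Flow("scada-hmi", 2, "plc-01", 1, "modbus"),
    Flow("plc-01", 1, "valve-actuator", 0, "io"),
    Flow("eng-laptop", 4, "plc-01", 1, "modbus"),
    Flow("site-server", 3, "plc-02", 1, "s7comm"),
]

if __name__ == "__main__":
    for conn, issues in audit(SAMPLE_FLOWS).items():
        print(conn, ":", "; ".join(issues))
```

Running the script on the sample diagram reports only the two flows that break the model; feeding it the flows exported from a real diagram turns the Purdue drawing into a checkable artefact rather than a picture.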

At Sapphire, we leverage our extensive experience and expertise to align every area of your operations with compliance standards, including OG86. We’ll show you where you are now and where you need to get to, and work alongside your internal teams to develop an actionable roadmap to full compliance. Our Awen software solutions can help you reach compliance with OG86, including Profile™ for collaboratively tracking and reporting on your compliance and Dot™ for OT asset discovery and vulnerability management. Our OG86 consultancy can also be bundled with our OT Cyber Review service, giving 360° visibility of your IACS environment.