Reducing the risk of a major accident often includes the application of E, C&I related plant and equipment to contribute to risk reduction. Therefore, the overall risk reduction may depend on the correct functioning of E, C&I systems.
In the context of cyber security these E, C&I systems are often termed Industrial Automation and Control Systems (IACS), Industrial Control Systems (ICS) or Operational Technology (OT).
Duty holders may operate a range of IACS. These typically include:
- Control systems which comprise: Distributed Control Systems (DCS), Programmable Logic Controllers (PLC), Supervisory Control and Data Acquisition systems (SCADA) and/or other programmable systems.
- Safety Instrumented Systems (SIS), which may range from simple logic systems to complex programmable safety PLC type systems.
- Plant Information systems such as data historian, programming interfaces, and data servers.
- Network infrastructure to provide connectivity to the above.
- Connectivity to systems outside the IACS (often known as the corporate network, etc.).
- Virtual machine environments.
- Programmable switchgear, drives, sensors and actuators.
IACS are commonly programmable (software based) and may, therefore, be vulnerable to cyber threats, potentially leading to undetected faults, failure, downtime and ultimately an increased risk of a major accident occurring.
In this context, Cyber Security (CS) is a term used to define measures taken to protect IACS against threats to security through accidental circumstances, actions / events or through deliberate attack.
The threats can originate from the internet, corporate networks, maintenance activities, software upgrades, unauthorised access, etc., with the potential to result in incidents with major health, safety or environmental consequences.
In relation to COMAH, the topic of cyber security does not cover protection of critical infrastructure (e.g. utility networks) or protection of information on corporate networks. It covers the HSE's interpretation of current standards on industrial communication network and system security, and on functional safety, in so far as they relate to major hazards workplaces.
CS is therefore part of the overall safety of plant and equipment that depends on the protection of IACS.
HSE Trial of Operational Guidance for Cyber Security for Industrial Automation and Control Systems (IACS)
HSE published its operational guidance OG86 'Cyber Security for Industrial Automation and Control Systems (IACS)' in March 2017. Operational guidance is primarily aimed at HSE inspectors, providing them with guidance on the standards expected to facilitate a consistent approach to regulation. However, the OG is also freely available to COMAH operators, providing useful guidance on how compliance might be achieved (see link below).
To test the OG and the inspection approach, and to get an early sense of where various industry sectors stood relative to the OG, a series of trial inspections was carried out between November 2017 and May 2018.
The report below provides a summary of the findings of the trial and includes recommendations for both industry and HSE.
Cyber Security Trial Inspections Summary Report
Technical Standards and Guidance
COMAH Competent Authority E, C&I Operational Delivery Guide
- Control of Major Accident Hazards Regulations
- The Management of Health and Safety at Work Regulations 1999
- BS EN 61511 (Edition 2) Functional safety - Safety instrumented systems for the process industry sector
- BS EN 62682 Management of alarm systems for the process industries
- ISA-TR84.00.09-2013 Security Countermeasures Related to Safety Instrumented Systems (SIS)
- NCSC Security for Industrial Control Systems
- NIST Guide to Industrial Control Systems (ICS) Security
- NCSC 10 steps to Cyber security
HSE Operational Guidance
OG86 - Cyber Security for Industrial Automation and Control Systems (IACS)