Cyber Security for Industrial Automation and Control Systems

Cyber Security for Industrial Automation and Control Systems

Blog by Jane Chappell, Arcanum’s Operations Director.

Following the trial inspection of COMAH Operators and associated IACS, ICS and OT in 2017, the Health & Safety Executive (HSE) revised its Operational Guidance (OG) 86 “Cyber Security for Industrial Automation and Control Systems”. The inspection was conducted to measure the level of compliance against OG 86 and the then emerging requirements of the NCSC Network Information System (NIS) Principles and guidance.

Positive outcomes of the 2017 trial revealed that security was being considered and built into the design of new systems.  Significant areas of failure found across all Operators included: an absence of cyber security within the governance process; lack of detection of cyber security events and management of the impact of incidents; minimal cyber security risk management within the supply chain.

Feedback from inspected Operators was used as a measure of the OG usability and the 2018 revised version provides NIS Regulation requirements and basic level cyber security countermeasures based on the NCSC basic cyber assessment framework (CAF).

The results of the 2018-19 HSE inspection of COMAH Operators and associated IACS, ICS and OT should be an improvement on the 2017 findings, particularly as Operators have the revised OG 86; the latest IEC62443-2-1 risk assessment and the results of the HSE Trial Inspections Report, to help improve their cyber security posture.  Operators of essential services subject to the NIS Regulations, which came into force on 10 May 2018, now have guidance published by their respective Competent Authorities to enable them to work towards compliance.

Key for most Operators will be the establishment of a formal governance structure and the implementation of a cyber security culture within their organisations. Once this is in place their next steps will be to set security policy; allocate roles and responsibilities; create risk management and decision making processes and to increase security training and awareness.  Not all Operators of COMAH establishments will have personnel with the relevant skill sets or experience to implement and maintain security risk management effectively. Therefore, it is expected that it will be several years before they are in a position to manage cyber security appropriately and to demonstrate compliance with the regulations.

Arcanum is one of only 15 consultancies certified by the NCSC for Risk Assessment and Risk Management. We have been providing expert security advice for over 10 years and we are already working with Operators of Essential Services to support them with NIS Regulations compliance. We have experience of carrying out assessments using the CAF and can guide you through the process.

For more information, please give us a call on 01558 669140 or email


Read more about the NIS Regulations and download our free guide here:

View HSE’s Cyber Security Trial Inspections Summary Report here: