Are you guarding against the physical threat of cyber attacks?
Image credit: Dreamstime
Firms preparing for a Health and Safety Executive review of their industrial control infrastructure need to be aware of how UK requirements have been aligned with EU rules on cyber security.
Industrial organisations across the world are increasingly adopting smart technology to innovate and modernise their operations as part of a shift towards Industry 4.0 and factory automation using the Internet of Things (IoT). As well as offering significant benefits like speeding up processes, reducing costs and helping meet customer demand, however, this trend can also increase exposure to cyber attacks.
One of the key issues with cyber attacks on industrial facilities is that their impact can be twofold. Take the infamous Stuxnet incident, where criminals used a malicious computer worm to halt Iran’s nuclear programme – the attack was carried out virtually, but its consequences were physical.
To help mitigate cyber-physical attacks like this, there has been growing pressure on industrial organisations to improve their security – not only to prevent attacks that affect operations, but also to block those that impact health and safety and could put the public at risk.
Cyber attacks can have a direct link to health and safety as they have the potential to put employees at risk. For instance, if malware was to infect an emergency shutdown system in a nuclear plant, the damage to staff and the public could be catastrophic.
In one of the most infamous attacks of 2014, cyber criminals manipulated and disrupted control systems at a German steel works to such a degree that a blast furnace could not shut down properly. While the attack was carried out through electronic spearphishing, it had a physical impact that undoubtedly impacted staff.
To help educate organisations on the risks that disruption like this can pose to health and safety, the UK Health and Safety Executive (HSE) has updated OG86, its Operational Guidance for Industrial Automation and Control Systems in an effort to mitigate the risks. OG86 outlines the criteria HSE inspectors use when they audit organisations and takes into account that the increasing connection of operational machinery to the internet is making it easier for cyber criminals to carry out attacks that have implications for health and safety.
The countermeasures needed to address low levels of cyber-security risk are based on the National Cyber Security Centre’s basic Cyber Assessment Framework (CAF) profile. Closely aligned with the EU Network and Information Security (NIS) Directive, it explains how HSE inspectors will gain an understanding of the capabilities and maturity of an organisation’s cyber resilience and sets out requirements for organisations to provide effective policies, procedures and controls in their ability to protect against cyber incidents, detect potential incidents, and respond in an appropriate and timely manner
Bringing the NIS Directive into the scope of OG86 is one of the biggest changes to the updated document. By focusing on it, the HSE is encouraging organisations to think more strategically about cyber threats and how to implement a robust security posture. Complying with the guide will help them not only improve their cyber security and limit their exposure to attack, but also pass future HSE audits.
The guidance includes specific information on the workflow inspectors follow to gain an understanding of the capabilities an organisation has in place to protect its systems and networks. They are required to verify the adequacy of the cyber-security management system including competence management, together with the adequacy of countermeasures; for major accident workplaces and operators of essential services covered under the NIS Regulations.
An important first step for organisations preparing to meet the requirements of OG86 is to complete an assessment against the NIS CAF and determine the organisational structure they should have in place to develop an effective cyber-risk management process. This covers roles and responsibilities, board direction, procedural requirements, risk management process, asset management, vulnerability management, backup procedures and also the technical controls implemented to reduce the risk of cyber incidents and increase system resiliency and availability.
When the CAF is complete, organisational structures are in place and security gaps are understood, it’s important to understand what assets an organisation has on its network and use this information to identify both Major Accident and Loss of Essential Services assets. This helps to drive regulatory compliance and allows optimum exploitation of resources.
One of the key elements of OG86 is the importance it places on security network monitoring of critical assets and having countermeasures in place to detect and prevent common cyber attacks. Ensuring all assets are inventoried and not providing an unmonitored entry point for cyber criminals is essential.
Stefan Liversidge is a technical sales engineer with Nozomi Networks.
Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.