The Health and Safety Executive (HSE) has recognised the impact that cyber attacks could have when it comes to increasing Health and Safety risks – releasing a new Operational Guidance document to help mitigate the risks. The guidance is aimed at companies who operate Industrial Automation and Control Systems (IACS).
This type of machinery can be linked to the internet or a company network – allowing the exchange of data with other systems. In theory, this type of link should make activities easier, but the HSE has recognised that this also poses a huge risk, opening up the systems to cyber attacks or accidental circumstances such as a failed software upgrade. There could be catastrophic consequences if a virus affected a system that was controlling an emergency shutdown system, for example.
What does the guidance document contain?
A key suggestion within the guidance is for the implementation of a Cyber Security Management System. The Operational Guidance document does not specify the format that this type of Management System should take, but it does suggest that one option is to use the Plan Do Check Act structure, commonly used within ISO Standards. ISO 27001 would therefore be a great foundation for organisations looking to incorporate these guidelines within an Information Security Management System.
The guidance covers:
- Network hardening – securing your business's networks against unauthorised access
- Patch management – keeping software up-to-date without losing functionality
- Social engineering – assigning appropriate roles to, training and screening employees
- Managing obsolescence – industrial assets have a longer lifespan than the IT systems they use
- Awareness of threats – identifying potential risks through Risk Assessments and keeping up-to-date with the ever-changing cyber threat landscape
- Ongoing evaluation – the focus on continual improvement including testing and auditing the measures you have in place to prevent cyber security incidents
It is important to note that the guidance is not set in stone. The HSE has made it clear that the nature of cyber security is open to change as new threats are identified or current ones evolve. Their advice is aimed at providing a guide for inspectors who are already familiar with the practicalities of this area. It is important, therefore, to take the Operational Guidance document as a general guide, and not as a specific list of rules to follow.
You can read more about the guidance in the HSE’s Cyber Security for Industrial Automation and Control Systems (IACS) leaflet.
Does the HSE consider Cyber Security in other areas?
At the moment, the HSE has only released the one Operational Guidance document described above; however, they have made it clear that Cyber Security is a topic of interest to them. In fact, in their 2017/18 strategy, the HSE stated that it was one of their four main priorities for the year.
HSE priorities for 2017/18:
- Work with stakeholders, including trade associations, on strengthening leadership and worker engagement across all the major hazard sectors
- Participate in the UK’s agenda on dealing with security risks, including cyber security
- Develop regulatory approaches to decommissioning and ageing infrastructure, and to ensure the integrity of new assets and emerging technologies
- Deliver targeted interventions focusing on the control of high-consequence risks from cooling towers, fairgrounds and major construction projects.
Given this increased focus, businesses should be prepared for further advice from the HSE in the future. It could even be prudent to look out for opportunities to address the potential Health and Safety risks caused by cyber security issues in advance of this advice.
If you would like information on what you can do to reduce risks from cyber security incidents, please speak with one of our experienced information security specialists today by calling 0333 344 3646 or by emailing [email protected].