For plant owners and operators in the chemical industry, process availability, integrity and safety are key concerns. The resilience of their processes to cyber compromise is a key measure of business risk. It's growing in significance at a Board level, and the link to safety only makes it more crucial.
Many organisations reach for cyber security standards to guide them in focusing their protection and recovery measures. However, this represents a challenge, as choosing which standards to use can be difficult and adhering to multiple standards is time-consuming and costly.
HSE Operational Guidance
I've found that many of our customers in the chemical industry are now focused on the Health and Safety Executive's (HSE) Operational Guidance note 86 [OG86]1. This covers best practice for cyber security within the Operational Technology section of the facility. For chemical facilities which fall under the Control of Major Accident Hazards Regulations [COMAH]2 (these are generally the more critical plants), OG86, alongside NIS(D), is becoming enforceable, but it is also suggested best practice for non-COMAH sites.
The concerns raised by our customers in the industry centre on how to map their compliance with other standards to OG86. In addition, ensuring overall compliance across their entire operating environment is a concern, especially considering that suppliers often only offer solutions for a small portion of their Operational Technology.
As you can well imagine, this can be a challenging task for already overstretched, and potentially under-qualified, staff. In order to successfully prepare for an HSE OG86 audit, the current business policies and procedures need to be reviewed and mapped in line with this standard. This will often mean converting the original policies and procedures in place, e.g. those based on NIST SP 800-53 or IEC 62443, to the new standard.
We can support you to obtain OG86 compliance
This challenge has led the team here at SolutionsPT to develop an innovative and efficient method to determine customers' current compliance status across multiple standards, including OG86. This allows for the creation of a measurable baseline and compliance action plan for organisations, from which they can develop clear improvement-based business cases which demonstrate solid return on investment to the board, as well as delivering comprehensive Cyber-enabled Business Resilience.
Fig 3: Cyber Security Framework we follow
Alongside determining the current compliance status, our experts have the specialist IT, OT, cyber security domain and industry knowledge to look across the organisation's technology, policies and procedures to identify the most critical shortcomings. We are then able to make prioritised recommendations for improvements which will deliver the greatest benefit. These recommendations are optimised against cost and time, using independent, vendor-agnostic solutions where applicable. This allows rapid improvement in both resilience and performance at audit, realising the associated benefits to risk management that are key to successful business operations.
If you're concerned about OG86 compliance, or you simply want to discuss improving your business resilience, get in touch.