OG86 - The Health and Safety Executive's Guidance for Industrial Network Security

OG86 is Operational Guidance issued by the UK Health & Safety Executive (the UK government agency tasked with regulating and enforcing health and safety in the workplace) to mitigate the risk of cyber-attacks that could result in health and safety incidents, major accidents and/or the loss of essential services. 

OG86 is designed to guide duty holders within organisations, and HSE inspectors from EC&I (Electrical, Control & Instrumentation), CEMHD (Chemical, Explosives and Microbiological Hazards Division), EC&CS (Electrical Control and Cyber Security) and ED (Energy Division), in implementing robust industrial network, system and data security alongside functional safety.

It is considered the HSE benchmark standard for cyber security within the remit of the COMAH (Control of Major Accident Hazards) Competent Authority. It therefore applies to any industry or duty holder that stores or handles hazardous industrial chemicals in quantities large enough to require notification to the Competent Authority (CA).

OG86 uses the term IACS to define what is more commonly known as ICS (Industrial Control Systems) or OT (Operational Technology). Additionally, given the HSE’s remit to monitor health and safety, IACS includes Safety Instrumented Systems within this definition.

OG86 is expected to be applied in full to any basic IACS (Industrial Automation and Control Systems) installation commissioned since the guidance was released. For installations that pre-date it, however, it is accepted that previous revisions may be more practicable.

The HSE recognises that OG86 is not an exhaustive document; it should be used in conjunction with other relevant standards. This is because the threat landscape evolves continuously and the relevant international and industry standards are still being established. OG86 does, however, build on the NCSC's CAF framework as its foundation, and the guidance is expected to evolve as established standards gain recognition (e.g. IEC 62443). We wrote about what the CAF is and why it’s important in a recent blog post.

OG86 makes use of the CAF profile to help guide inspectors and organisations, namely the four main objectives outlined below and the subsections contained in each:

· Managing security risk
· Protecting against cyber attack
· Detecting cyber security events
· Minimising the impact of cyber security incidents

The main differentiator between the CAF and OG86 is that OG86 makes specific reference to IACS and to impacts on health and safety, whereas the CAF is a more general set of guidelines encompassing both IT and OT. OG86 also puts greater emphasis on IACS drawings, the need for network diagrams and the use of the Purdue model. The Purdue model is a reference architecture that places the various devices relating to ICS into multiple layers. It separates devices ranging from traditional IT infrastructure (level 4) down to field devices such as actuators or motors (level 0), with a DMZ (demilitarised zone) separating the IT and OT sides.
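The segmentation rules that the Purdue model implies can be turned into a check that runs over an asset inventory and a list of network flows, which is one way a network diagram is kept honest against what is actually on the wire. The script below is an added example and is not part of OG86, the CAF or any Awen Collective product; the hostnames, levels and flows are constructed, and the DMZ is given the conventional level 3.5 so that it sits between level 4 and level 3. It encodes just the two rules the paragraph describes: IT-to-OT traffic must pass through the DMZ, and flows should not skip levels. Assets missing from the inventory are reported rather than silently passed.

```python
"""Purdue-model segmentation check (added example; constructed data).

Assumptions: every asset on the diagram is tagged with a Purdue level
(0-4, with 3.5 used for the IT/OT DMZ), and a list of observed or
proposed flows is available. Hostnames below are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DMZ = 3.5  # sits between level 4 (enterprise IT) and level 3 (site operations)

# Constructed asset inventory: hostname -> Purdue level
ASSETS: Dict[str, float] = {
    "erp-server": 4,          # enterprise IT
    "historian-mirror": DMZ,  # read-only copy of plant data exposed to IT
    "jump-host": DMZ,         # brokered remote access into OT
    "plant-historian": 3,
    "scada-server": 2,
    "hmi-01": 2,
    "plc-reactor": 1,
    "valve-xv101": 0,         # field device
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def classify_flow(flow: Flow, assets: Dict[str, float] = ASSETS) -> Optional[str]:
    """Return a reason string if the flow breaks the segmentation policy, else None."""
    # Rule 0: anything not on the inventory/diagram cannot be assessed and is flagged.
    for host in (flow.src, flow.dst):
        if host not in assets:
            return f"unknown asset {host!r} (not in inventory / diagram)"
    s, d = assets[flow.src], assets[flow.dst]
    if s == d:
        return None  # traffic within one level is outside these two rules

    def it_to_ot(a: float, b: float) -> bool:
        # Level 4 is IT; levels 0-3 are OT. The DMZ (3.5) is neither.
        return a >= 4 and b <= 3

    # Rule 1: IT and OT must only talk via the DMZ, never directly.
    if it_to_ot(s, d) or it_to_ot(d, s):
        return f"IT/OT flow bypasses the DMZ ({s} -> {d})"
    # Rule 2: a flow should only cross into an adjacent level.
    if abs(s - d) > 1:
        return f"flow skips Purdue levels ({s} -> {d})"
    return None


def check_flows(flows: List[Flow], assets: Dict[str, float] = ASSETS) -> List[Tuple[Flow, str]]:
    """Return every (flow, reason) pair that violates the policy."""
    return [(f, r) for f in flows if (r := classify_flow(f, assets))]


# Constructed flows, e.g. taken from a firewall log or a proposed change request
SAMPLE_FLOWS = [
    Flow("erp-server", "historian-mirror", "tcp", 443),      # ok: IT -> DMZ
    Flow("historian-mirror", "plant-historian", "tcp", 1433),  # ok: DMZ -> level 3
    Flow("erp-server", "scada-server", "tcp", 3389),         # IT straight into level 2
    Flow("scada-server", "plc-reactor", "tcp", 502),         # ok: adjacent levels
    Flow("hmi-01", "valve-xv101", "tcp", 502),               # level 2 -> level 0
    Flow("contractor-laptop", "plc-reactor", "tcp", 502),    # not on the diagram
]

if __name__ == "__main__":
    for flow, reason in check_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.port}: {reason}")
```

Run as-is it reports three findings from the constructed flows: the direct IT-to-SCADA session, the HMI talking straight to a field device, and the flow from a host the inventory has never seen. The last case is deliberate: an asset that is missing from the diagram is itself a finding, since neither the drawing nor the policy can be trusted until it is accounted for.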

We, at Awen Collective, can help your organisation meet compliance objectives using Profile, which offers an easy-to-use interface and a compliance gap analysis. Our flagship product Dot can assist with initial asset discovery and risk assessment in addition to robust ongoing maintenance of your systems and networks. Please get in touch for a no-obligation consultation.