New HMI successfully made OG86 cyber security compliant

OG86 Cyber Security

EPS have again partnered with IACS (Operational Technology Cyber Security, Aberdeen) to ensure a customer’s new HMI meets the demands of the HSE’s (Health and Safety Executive) operational guidance for Industrial Automation and Control Systems – called OG86.

The collaboration worked extremely well and required both sets of engineers to use the full extent of their knowledge to ensure that the HMI became OG86 cyber security compliant.

The HMI was benchmarked before and after system hardening, with full hard-drive images taken at every step (to allow rollback), and was fully FAT tested with the customer’s simulated PLC on our Rustronic test chassis.

OG86 cyber security has become much more prevalent in recent years in the oil & gas sector, and EPS are here to help you achieve a more secure OT infrastructure.

What is OG86 and how does it relate to Cyber Security?

OG86, also known as the “UK HSE (Health and Safety Executive) Oil and Gas Operational Guidance 86,” is a specific standard or guidance document related to health, safety, and environmental practices in the oil and gas industry in the United Kingdom. It is designed to provide guidance and best practices for managing major accident hazards in offshore oil and gas operations.

OG86 focuses on ensuring the safety of personnel, preventing major accidents, and minimising their potential consequences. The guidance covers various aspects such as risk assessment, emergency response planning, safety management systems, asset integrity, and much more.

It’s important to note that while OG86 is specific to the UK oil and gas industry, other regions may have their own standards or guidance documents that address similar concerns and follow industry best practices.

OG86 Cyber Security guidance

Cyber attacks are becoming more common, and with greater automation and interconnectivity between systems, these attacks are a significant risk to business. There have been several high-profile incidents in recent years, including those on the National Health Service and the Ukraine power network. Recent research published by an insurer indicated that over 60% of firms had reported an attack in 2019, up from 45% in 2018. These figures suggest that businesses should assume that they have been, are being, or will shortly be attacked.

Computer systems are integral to everyday operations and are often used in many different applications including industrial control and automation systems, email and document services, power management, buildings management and telephone systems. A convergence of technologies has meant that these different applications can run on the same computers and networks, reducing costs for business, but potentially exposing sensitive systems to attack. Any business can be targeted – size and function are unimportant. OG86 Cyber security is a high priority for Government. The Health and Safety Executive (HSE) has been active at operational level and now includes cyber security within their front-line intervention activities.

OG86 cyber security guidance provides a summary of why cyber security is a risk to safety for all chemical and downstream oil industries. There are additional requirements under the Control of Major Accident Hazards (COMAH) Regulations, and in the context of the Network Information Systems (NIS) Regulations, security of essential services.

OG86 cyber security guidance provides advice for senior managers to ensure that risks are being managed and minimised. In doing so, businesses will also reduce risk to commercial activities and protect their reputation. This guidance includes:

• Governance: Roles and responsibilities, reporting, accountability, organisation structure, vision and culture.
• Staff competencies: Knowledge, skills and experience.
• Management system documentation: letting people know what’s required.
• Audit of management systems and technical aspects, and monitoring of key performance indicators: making sure procedures and countermeasures keep working.
• Managing supply chain risk.

OG86 cyber security guidance is principally aimed at Industrial Automation and Control Systems (IACS); however, many of the principles also apply to the corporate Information Technology (IT) system.