
Page 1: Cyber Security for Industrial Automation and Control Systems … · 2021. 4. 20. · Cyber Security for Industrial Automation and Control Systems (IACS) Inspection Guide . Open Government

Cyber Security for Industrial Automation and Control Systems (IACS) Inspection Guide

Open Government Status: Fully Open
Publication Date: 19 March 2021
Review Date: 19 March 2024

Review History

Version | Date | Changes | Approved
1 (First Draft for Comment) | 01/12/2018 | First issue | John Pirie
2 (Revised following Stakeholder Engagement collaboration) | 01/11/2019 | Introduction of BCS Inspection pack for Non-NIS installations | John Pirie
3 (Issued for IPAG approval) | 09/01/2020 | Comments from v2 added | John Pirie
4 (Issued to external stakeholders for comment) | 22/04/2020 | Comments from IPAG added | John Pirie
5 (Issued to IPAG for final approval) | 25/01/2021 | Comments from external stakeholders added | John Pirie
6 (Final Issue approved for use) | 12/03/2021 | None | John Pirie

Target audience: Energy Division offshore inspection management teams (IMT), specialist inspectors and IACS responsible persons

Contents

Summary (page 2)
Introduction (page 3)


CM9: 2021/72600

Owner: ED3.5

Revision: 6 Page 2 of 47

NIS Regulated Installations (page 4)
Non-NIS Regulated Installations (page 4)
Cyber Security Category Inspection Selection Matrix (page 5)
Action (page 7)
Safety Case and Thorough Reviews (page 7)
Performance Standards (page 7)
Background (page 7)
Organisation (page 8)
  Targeting (page 8)
  Timing (page 8)
  Resources (page 8)
Recording and Reporting (page 8)
  Health and Safety (page 9)
  Diversity (page 9)
Relevant Legislation (page 9)
Contacts (page 9)
Glossary of Terms (page 9)
Appendix 1 Category 1 Cyber Security Inspection (page 11)
Appendix 2 Category 2 Cyber Security Inspection (page 13)
Appendix 3 Category 3 Cyber Security Inspection (page 15)
Appendix 4 Basic Cyber Security Inspection Pack (BCSIP) (page 17)

Summary

The purpose of this inspection guide (IG) is to provide information and guidance to Offshore Safety Directive Regulator (OSDR) inspectors to support the delivery of consistent and effective inspection of both duty holders' (DH) and operators of essential services' (OES) arrangements for the cyber security of industrial automation and control systems (IACS) used on the United Kingdom Continental Shelf (UKCS).

It implements the process described in HSE's OG86 guidance, Cyber Security for Industrial Automation and Control Systems (IACS) Edition 2, and applies to both NIS and non-NIS regulated installations.

It delivers a proportional and targeted approach to initial and subsequent cyber security inspections of both network information systems (NIS) and non-NIS installations via the following three categories:

Category 1: Initial onshore cyber security inspection of cyber assessment framework (CAF) self-assessment responses and improvement plans for all NIS regulated installations.


Category 2: Initial onshore cyber security inspection of basic cyber security inspection pack (BCSIP) self-assessment responses and improvement plans for targeted non-NIS regulated installations.

Category 3: Onshore/offshore cyber security inspection, as part of a planned multi-topic intervention inspection, of all subsequent NIS and non-NIS installations and of those not targeted for a category 2 cyber inspection, in accordance with the Cyber Security Category Inspection Selection Matrix shown in Figure 2.

Figure 1 shows the relationship between the three categories of inspection.

Introduction

HSE has published Operational Guidance document OG86, Cyber Security for Industrial Automation and Control Systems (IACS), for use on major hazard workplaces: onshore (COMAH regulated sites), offshore (SCR2015 regulated installations) and NIS regulated sites (OES sites, onshore and offshore) where loss of essential services is the concern.

The primary objective of OG86 is to enable HSE inspectors to verify (or otherwise) the adequacy of an OES/DH IACS cyber security management system, including competence management and the effectiveness of cyber security countermeasures, on major accident workplaces and at operators of essential services covered by the NIS Regulations.

IACS typically includes basic process control systems (those able to view and manipulate the equipment under control, or containing independent protection layer (IPL) functions that provide risk reduction), safety systems, electrical control/data acquisition systems and the associated information and business systems connected via the IACS network infrastructure.


For offshore this may also include systems such as marine, drilling and helicopter motion monitoring systems.

NIS Regulated Installations

The competent authority for the Network and Information Systems Regulations 2018 (NIS) is the Secretary of State for Business, Energy and Industrial Strategy (BEIS), who signed an agreement in May 2018 for HSE to carry out the functions described in the regulations on behalf of BEIS.

NOTE: The Offshore Petroleum Regulator for Environment and Decommissioning (OPRED) does not carry out any of the functions described in the NIS Regulations.

One of the requirements from BEIS is for OESs to complete a cyber security self-assessment based on the National Cyber Security Centre's (NCSC) Cyber Assessment Framework (CAF) Indicators of Good Practice (IGP), along with delivering a cyber security improvement plan arising out of the assessment. This provides systematic and structured "indicators of good practice" (green/amber/red) of the OES's cyber "hygiene", along with a gap analysis against their "target profile" and an action plan, which must be submitted to BEIS.

Energy Division (ED) uses the output from the completed self-assessment as a starting point for NIS inspections. The objective is to use the information to carry out a sample-based inspection of the CAF objectives, principles, and outcomes against the requirements of OG86 (or an equivalent standard).

Note 1: OG86 guidance is aligned to the CAF objectives, principles, and outcomes.

Note 2: Version 3 of the CAF replaced the term "Loss of Essential Services" with "Loss of Essential Functions" so that the CAF tool can be used for health and safety consequences and on non-NIS regulated installations.

The initial inspection of all NIS regulated installations will include an onshore CAF progress inspection followed by an onshore detailed cyber security inspection against the requirements of OG86 (or an equivalent standard). This type of inspection is called a category 1 cyber security inspection and is described in Appendix 1. Subsequent inspections of NIS regulated installations will form part of a multi-discipline onshore/offshore intervention which will align with ED's intervention plans. This type of inspection is called a category 3 cyber security inspection and is described in Appendix 3.

Non-NIS Regulated Installations

Non-NIS regulated installations will follow a similar inspection process to NIS installations, in that some targeted DHs operating these types of installations will be required to complete an equivalent CAF self-assessment (and improvement plan).

Note 3: The CAF for these installations has been reformatted and only requires a response from those IGPs of outcomes related to the basic level of countermeasures


to address the lower levels of risk in the CAF. The non-NIS reformatted CAF is called a basic cyber security inspection pack (BCSIP) and is included in Appendix 4.

The initial inspection of those targeted non-NIS regulated installations will use the BCSIP response and improvement plan to facilitate a targeted onshore detailed cyber security inspection against the requirements of OG86 (or an equivalent standard). This type of inspection is called a category 2 cyber security inspection and is described in Appendix 2. Subsequent inspections of non-NIS regulated installations will form part of a multi-discipline onshore/offshore intervention which will align with ED's intervention plans. This type of inspection is called a category 3 cyber security inspection and is described in Appendix 3.

Cyber Security Category Inspection Selection Matrix

Figure 2 below is the qualitative matrix which will be used by ED inspectors to determine the category of inspection.

Maroon coloured boxes - Category 1 Cyber Security Inspection

Initial onshore cyber security inspection of CAF self-assessment responses and improvement plan for all NIS regulated installations, shown in Figure 1 and described in Appendix 1.

Notes

NIS regulated installations have the highest inspection planning priority.

There may be a requirement to re-submit a revised CAF to BEIS prior to a NIS subsequent category 3 inspection.


There is a requirement for the OES to provide a high-level cyber security GANTT chart for all remaining installations showing progress against the improvement plan covering all the installations they operate.

Red coloured boxes - Category 2 Cyber Security Inspection

Initial onshore cyber security inspection of BCSIP self-assessment responses and improvement plan for targeted non-NIS regulated installations shown in Figure 1 and described in Appendix 2.

Notes

Targeted non-NIS regulated installations have the second highest inspection planning priority.

A short validation review with the DH will be carried out prior to the issuing of a BCSIP to confirm the major accident hazard (MAH) risk and the complexity of their IACS.

For DHs operating multiple installations, the category 2 initial inspection may be waived if they have satisfactorily completed and responded to a previous category 1 or 2 cyber security inspection. In this case the installation would only be subject to a category 3 inspection which will take cognisance of the generic CSMS outcomes and improvement plans arising from the category 1 or 2 inspections. There is a requirement for the DH to provide a high-level cyber security GANTT chart for all remaining installations showing progress against the improvement plan covering all the installations they operate.

Amber coloured boxes - Category 3 Cyber Security Inspection

Onshore/offshore cyber security inspection, as part of a planned multi-topic intervention inspection, of all subsequent category 1 NIS and category 2 non-NIS installations, and the initial inspection of installations not subject to a category 2 inspection, shown in Figure 1 and described in Appendix 3.

Notes

Under some circumstances there may be a requirement for a DH to complete a BCSIP prior to, or shortly after, a non-NIS subsequent category 3 inspection. Under some circumstances there may be a requirement for a DH to complete a BCSIP if they only have category 3 installations.

There is a requirement for the OES to provide a high-level cyber security GANTT chart for all remaining installations showing progress against the improvement plan covering all the installations they operate.


Action

By the conclusion of the inspection it should be possible to have:

• an understanding of the cyber health of the OES's/DH's cyber security position
• an acknowledgement of any improvement plan and some assurance that the plan will be resourced and executed
• revealed any findings related to cyber security that require enforcement action

When carrying out inspections covered by this IG, inspectors should:

• check the issues against the success criteria in the Appendices
• use the cyber security enforcement management model (EMM) to
  o form an opinion on the initial enforcement expectation
  o consider how and when the issues raised during an inspection are to be closed out

Safety Case and Thorough Reviews

Duty holders must ensure that cyber security is adequately described in the current accepted safety case, by reference to risk assessments and the necessary measures for complying with the requirements of OG86 or equivalent standards.

Performance Standards

OESs and DHs must now also consider any cyber security related safety and environmental critical elements (SECEs) arising out of the risk assessment, which must become part of the verification scheme. Such SECEs could typically have their own performance standard or be merged into existing relevant performance standards.

Background

Cyber security as a specific ED inspection topic evolved out of the introduction of the NIS Regulations and HSE's OG86 in 2018, and from the realisation that IACS installed on offshore installations could be vulnerable to exploitation, either intentional or accidental, which could lead to a major accident or a loss of essential services (for NIS regulated installations). It was recognised in 2018 that the development of a cyber security inspection guide would benefit from input from external stakeholders, so a small focused team of IACS specialists was set up. Acknowledgements go to the Oil & Gas UK C&I Special Interest Group (previously known as OGOCIN), DNV GL Ltd, Lloyds Register and IADC, who provided resources for this cyber security HSE/stakeholder group.


Since 2018 this final version has gone through a continuous improvement process via trial and actual inspection findings, and discussion and feedback/comments from the stakeholder group and its members. Whilst it is expected that relevant standards for IACS cyber security will continue to evolve, this document, along with OG86, provides inspectors with a practical interpretation of the standards. OG86 makes it clear that it may be used as good practice by OESs/DHs. However, OESs/DHs are free to follow other good practice so long as it provides equivalent protection, for example international standards such as ISA/IEC62443, which continue to evolve and provide standards for analysing cyber risk and for specifying the design, installation, inspection, maintenance and testing of cyber security countermeasures.

Organisation

Targeting

Major accident workplaces where cyber security could pose a major risk to the health and/or safety of employees and/or members of the public and/or the environment. Operators of essential services, as defined in the NIS Regulations, in the energy sector where cyber security could pose a risk of loss of essential services. This guidance will be applicable to DHs who own/operate IACS, along with IACS manufacturers, suppliers, system integrators and third-party support companies. HSE will also use intelligence gathered from safety case assessments, thorough reviews, and combined operation notifications in the intervention strategy.

Timing

Ongoing

Resources

Energy Division EC&I specialist inspectors during interventions at major accident workplaces or operators of essential services.

Recording and Reporting

Due to the sensitivity of the documentation required to carry out the inspection, any information collected or created (e.g. enforcement letters or reports) will be transmitted through a secure file sharing system and only retained in restricted access folders for a maximum of one year after the last issue item has been satisfactorily completed. All material collected or generated during the inspection is classified as "Official Sensitive" and as such must be restricted and managed in accordance with HSE's approach to dealing with sensitive cyber security information.


When inspecting the outputs from the systems, a decision will have to be reached on whether the risk control measures implemented led to compliance with the relevant legislation. This decision will be made in the same way as for other inspection topics, by comparing the standard of control achieved against the relevant benchmarks and applying the principles of EMM. The inspection will reach conclusions on the overall effectiveness of the DH's or OES's systems. For NIS regulated installations, inspection findings will be separated into NIS-related and MAH-related matters. Due to the sensitivity of the information revealed during the inspection, cyber related performance scores will not be recorded.

Health and Safety

No special requirements.

Diversity

No special requirements.

Relevant Legislation

Refer to OG86.

Contacts

Energy Division ED3.5 Electrical, Control and Instrumentation team

Glossary of Terms

AV: Anti-virus
BCSIP: Basic Cyber Security Inspection Pack
CAF: Cyber Assessment Framework
CSMS: Cyber Security Management System
DMZ: Demilitarized Zone
Duty holder: The person(s) or corporate body that has legal duties under relevant health and safety legislation. In the context of this guidance it will typically be the IACS owner or the IACS operator.
GANTT Chart: A project management tool assisting in the planning and scheduling of projects of all sizes.
IACS: Industrial Automation and Control System, including Safety Instrumented Systems and any SECEs at risk from a cyber threat.
IG: Inspection Guide
IDS: Intrusion Detection Systems
IoC: Indicators of Compromise
LES: Loss of essential service (an incident resulting in reduction or disruption of service provision by an OES)


MA: Major accident (as defined in the legislation (excluding NIS) shown in the 'relevant regulations' section of this operational guidance)
Major accident workplace: Any place regulated under the legislation (excluding NIS) defined in the 'relevant regulations' section of this operational guidance
NCSC: National Cyber Security Centre
NIS: Network Information Systems
NIS installation: Installation covered by the Network Information Systems Regulations (NIS)
Non-NIS installation: Installation not covered by the Network Information Systems Regulations (NIS)
IGP: Indicator of good practice
IT: Information Technology (the use of computers to store, retrieve, transmit, and manipulate data or information. IT is typically used within the context of business operations)
OES: Operator of Essential Service. The person(s) or corporate body that has legal duties under relevant NIS legislation. In the context of this guidance it will typically be the IACS owner or the IACS operator.
OSDR: Offshore Safety Division Regulator
OT: Operational technology (the hardware and software dedicated to detecting or causing changes in physical processes through direct monitoring and/or control of physical devices such as valves, pumps, etc.)
Responsible Person: Person or group of persons responsible for IACS cyber security (typically not under the management controls of an IT department)
Threat: Any circumstance or event with potential to adversely impact the IACS
UKCS: United Kingdom Continental Shelf
Vulnerability: Flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's integrity or security


Appendix 1 Category 1 Cyber Security Inspection

Category 1 - Initial onshore cyber security inspection of CAF self-assessment responses and improvement plan for all NIS regulated installations

Fundamental Requirement

The OES must have completed the CAF self-assessment tool, identified any gaps, and must have produced an improvement plan to close such gaps.

A CAF progress inspection will be carried out onshore where the OES will be required to present the CAF assessment and the output from the tool (gap analysis and improvement plan).

A more detailed onshore inspection will be carried out either after the improvement plan has been completed or during the life of the improvement plan, to inspect progress against the identified improvements to meet the requirements in OG86 (or an equivalent standard). The inspection agenda will include, but not be limited to:

• recap of CAF self-assessment results
• presentation from the OES on their cyber security improvement plan, including the stage of budgets required for implementing the work arising out of the gaps identified from the BCSIP self-assessment
• inspection of network topology and IACS
• sample inspection of CAF responses against OG86 or an equivalent standard, which may include, but not be limited to, an inspection of the CSMS, zoning, risk assessments, asset register and countermeasures from a sample zone/conduit
• cyber security planning review of the OES's remaining (NIS and non-NIS) installations to establish when the following milestones are included in the plan
  o CSMS
  o cyber security asset register
  o zone and conduit simple network drawings
  o risk assessment and identification of improvements arising out of the risk assessment
  o liquidation of improvements

Note: The output from this planning review will be to submit a high-level GANTT chart detailing when these milestones will be completed.

(i) Success Criteria

The inspection revealed that there were no deficiencies/findings between the sample inspection of the outputs from the CAF assessment tool and the requirements of OG86 (or its equivalent). In that


the OES had achieved an effective level of cyber security for the installation

OR

the OES had identified all gaps from the assessment and had produced an improvement plan which is being resourced and budgeted for and is expected to be completed within a reasonable timeframe

AND

any cyber security related SECE has been identified and has (or is part of) a performance standard

AND

any findings related to cyber security that require enforcement action have been identified

AND

the OES has provided a GANTT chart detailing the cyber security milestones for all their installations


Appendix 2 Category 2 Cyber Security Inspection

Category 2 - Initial onshore cyber security inspection of BCSIP self-assessment responses and improvement plan for targeted non-NIS regulated installations.

Duty holders (DHs) selected by HSE for a category 2 cyber security basic cyber hygiene inspection are required to complete the basic cyber security inspection pack (BCSIP) in Appendix 4. Refer to Figure 2 and its notes for information on the selection process.

The objective of the BCSIP is to inspect the DH's cyber hygiene profile against OG86 Cyber Security for Industrial Automation and Control Systems (IACS). It comprises a sub-set of indicators of good practice (IGPs) from the outcomes of fourteen principles related to four objectives set by the NCSC, that enable:

• an assessment of a DH's cyber security arrangements against a basic cyber hygiene profile
• a sample inspection of the BCSIP outcomes and principles against OG86

Using the selection matrix in Figure 2, HSE will contact the DH to arrange a short category 2 validation meeting to confirm that the installation selected satisfies the criteria in Figure 2. Once this is validated HSE will issue a BCSIP (ref Appendix 4), and a date will be agreed for completion of the BCSIP and the subsequent improvement plan.

(i) Fundamental Requirement

The DH must have completed the BCSIP and have identified any gaps arising from the assessment. They must have identified an improvement plan to close such gaps.

A detailed onshore inspection will be carried out either after the improvement plan has been completed or during the execution of the plan, to inspect the BCSIP responses against the requirements in OG86. The inspection agenda will include, but not be limited to:

• feedback from the DH on the BCSIP self-assessment process: who was involved in completing the assessment, how it was completed, how long it took to complete, what DH standards/guidance/codes of practice etc. were used, and general observations/comments
• presentation from the DH on their cyber security improvement plan, including the stage of budgets required for implementing the work arising out of the gaps identified from the BCSIP self-assessment
• inspection of the installation's network topology and IACS
• sample inspection of BCSIP responses against OG86 or an equivalent standard, which may include, but not be limited to, an inspection of the CSMS,


zoning, risk assessments, asset register and countermeasures from a sample zone/conduit
• cyber security planning review of the DH's remaining installations to establish when the following milestones are included in the plan
  o CSMS
  o cyber security asset register
  o zone and conduit simple network drawings
  o risk assessment and identification of improvements arising out of the risk assessment
  o liquidation of improvements

Note: The output from this planning review will be to submit a high-level GANTT chart detailing when these milestones will be completed.

(ii) Success Criteria

The inspection revealed that there were no deficiencies/findings between the sample inspection of the outputs from the CAF assessment tool and the requirements of OG86 (or its equivalent). In that

the DH had achieved an effective level of cyber security for the installation

OR

the DH had identified all gaps from the assessment and had produced an improvement plan which is being resourced and budgeted for and is expected to be completed within a reasonable timeframe

AND

any cyber security related SECE has been identified and has (or is part of) a performance standard

AND

any findings related to cyber security that require enforcement action have been identified

AND

the DH has provided a GANTT chart detailing the cyber security milestones for their remaining installations


Appendix 3 Category 3 Cyber Security Inspection Category 3 - Onshore/offshore cyber security inspection as part of a planned intervention multi-topic inspection of all subsequent NIS and non-NIS installations and those installations not targeted for a category 2 inspection in accordance with the Cyber Security Category Inspection Selection Matrix shown in figure 2. Subsequent inspections of NIS and non-NIS regulated installations will form part of a multi-discipline onshore/offshore intervention which will align with ED’s intervention plans. For DHs that have been subjected to a category 1 or 2 inspection, the category 3 inspection will take cognisance of the generic CSMS outcomes and improvement plans arising from the category 1 or 2 inspections. This may include a cyber security event as part of a multi topic MAH scenario. This enables the inspection of the relevant cyber security barriers (described in OG86 or an equivalent standard) relied on to prevent or mitigate against a loss of essential service or major accident. (i) Fundamental Requirement The DH must have, or be working towards, the completion of a CSMS, cyber security asset register, zone and conduit simple network drawings, a cyber security risk assessment, identification of countermeasures required to meet the requirements of OG86 (or an equivalent standard) and a plan to liquidate any work arising out of the risk assessment.

An onshore inspection will be carried out as part of a multi-topic inspection. The inspection agenda will include, but not be limited to

• presentation by the OES/DH of their CSMS and the current state of IACS cyber security on the installation being inspected, taking cognisance of previous category 1 or 2 inspections carried out by the DH and any work outstanding to meet the requirements of OG86 (or an equivalent standard)

• selection and discussion of a hypothetical cyber security related MAH event

• inspection against OG86 (or an equivalent standard) of the cyber security arrangements, systems, documents, and drawings for the compromised zone or conduit related to the selected MAH event. Typically, this may include, but not be limited to, zone and conduit simple network drawings, cyber security risk assessments, cyber security policies and procedures, and the cyber security asset register

• review of any cyber security related performance standards invoked by the cyber security related MAH event

The offshore inspection agenda will include, but not be limited to

• follow up of findings from the onshore inspection

• site visit and identification and inspection of the cyber security MAH event


(ii) Success Criteria

The OES/DH had achieved an effective level of cyber security for the installation OR

AND

the OES/DH has implemented the CSMS on the installation being inspected and the control measures in place are effective

AND

any cyber security related SECE has been identified and has (or is part of) a performance standard

AND

any findings related to cyber security that require enforcement action have been identified


Appendix 4 - Basic Cyber Security Inspection Pack (BCSIP)

Basic Cyber Security Inspection of Safety and Environmental Essential Functions

BCS INSPECTION PACK AND RESPONSE TEMPLATE

V5.2 – 01/01/21


Introduction

Cyber security of industrial automated control systems (IACS) is now an inspection topic for HSE’s Energy Division (ED), which regulates and inspects duty holders operating in the UKCS. You have been selected by ED for a category 2 cyber security inspection, which requires you to complete this basic cyber security inspection pack (BCSIP). This BCSIP comprises a sub-set of indicators of good practice (IGPs) from the outcomes of fourteen principles related to four objectives, set by the National Cyber Security Centre (NCSC), that provide a starting point for a targeted initial inspection of the duty holder's (DH) cyber security arrangements against HSE’s Cyber Security for Industrial Automation and Control Systems (IACS) Operational Guidance OG86 (or an equivalent standard). You are required to

1. Provide a short description of installed IACS in section 1 of this BCSIP

2. Review the tables in Section 2 for the objectives, principles, and outcomes, assess the indicators of good practice (IGPs) and record that they are either

• Achieved - A

• Not Achieved - NA

• Not Required - NR

Note that the response for “some” in the IGP table needs to include the highest risks to the DH (not the easiest) in accordance with OG86

3. Provide a time-based improvement plan in Section 3 to liquidate any work revealed from the self-assessment in order to meet the requirements of OG86 (or an equivalent standard)


Section 1 - Installed IACS

Provide a short description of the IACS installed on the installation


Section 2 – BCSIP tables

Complete the following tables.


Objective A

Managing security risk


Principle A1 - Governance

The organisation has appropriate management policies and processes in place to govern its approach to the security of network and information systems.

Typical documents required to demonstrate compliance

• cyber security policy

• records of monitoring (e.g. key performance indicators (KPIs)) and senior management review

• role and responsibility descriptions

• risk assessment processes

Outcome A1a Board Direction

The organisation has appropriate management policies and processes in place to govern its approach to the security of network and information systems.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. Your organisation's approach and policy relating to the security of networks and information systems supporting the operation of essential functions are owned and managed at board level. These are communicated, in a meaningful way, to risk management decision-makers across the organisation.

2. Regular board discussions on the security of network and information systems supporting the operation of your essential function take place, based on timely and accurate information and informed by expert guidance.

3. There is a board-level individual who has overall accountability for the security of networks and information systems and drives regular discussion at board-level.

4. Direction set at board level is translated into effective organisational practices that direct and control the security of the networks and information systems supporting your essential function.

Response

Outcome A1b Roles and responsibilities

Your organisation has established roles and responsibilities for the security of networks and information systems at all levels, with clear and well-understood channels for communicating and escalating risks.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. Necessary roles and responsibilities for the security of networks and information systems supporting your essential function have been identified. These are reviewed periodically to ensure they remain fit for purpose.

2. Appropriately capable and knowledgeable staff fill those roles and are given the time, authority, and resources to carry out their duties.

3. There is clarity on who in your organisation has overall accountability for the security of the networks and information systems supporting your essential function.

Response

Outcome A1c Decision Making

You have senior-level accountability for the security of networks and information systems, and delegate decision-making authority appropriately and effectively. Risks to network and information systems related to the operation of essential functions are considered in the context of other organisational risks.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. Senior management have visibility of key risk decisions made throughout the organisation.

2. Risk management decision-makers understand their responsibilities for making effective and timely decisions in the context of the risk appetite regarding the essential function, as set by senior management.

3. Risk management decision-making is delegated and escalated where necessary, across the organisation, to people who have the skills, knowledge, tools, and authority they need.

4. Risk management decisions are periodically reviewed to ensure their continued relevance and validity.

Response

Principle A2 - Risk Management

The organisation takes appropriate steps to identify, assess and understand security risks to the network and information systems supporting the operation of essential functions. This includes an overall organisational approach to risk management.

Typical documents required to demonstrate compliance

• risk assessment records

• IACS drawing(s)

• risk assessment review records and improvement management plan


Outcome A2a Risk Management Process

Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. Your organisational process ensures that security risks to networks and information systems relevant to essential functions are identified, analysed, prioritised, and managed.

2. Your risk assessments are informed by an understanding of the vulnerabilities in the networks and information systems supporting your essential function.

3. The output from your risk management process is a clear set of security requirements that will address the risks in line with your organisational approach to security.

4. Significant conclusions reached in the course of your risk management process are communicated to key security decision-makers and accountable individuals.

5. You conduct risk assessments when significant events potentially affect the essential function, such as replacing a system or a change in the cyber security threat.

6. You perform threat analysis and understand how generic threats apply to your organisation.

Response

Outcome A2b Assurance

You have gained confidence in the effectiveness of the security of your technology, people, and processes relevant to essential functions.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. You validate that the security measures in place to protect the networks and information systems are effective and remain effective for the lifetime over which they are needed.

2. You understand the assurance methods available to you and choose appropriate methods to gain confidence in the security of essential functions.

3. Your confidence in the security as it relates to your technology, people, and processes can be justified to, and verified by, a third party.


4. Security deficiencies uncovered by assurance activities are assessed, prioritised, and remedied when necessary in a timely and effective way.

5. The methods used for assurance are reviewed to ensure they are working as intended and remain the most appropriate method to use.

Response

Principle A3 - Asset Management

Everything required to deliver, maintain, or support networks and information systems necessary for the operation of essential functions is determined and understood. This includes data, people, and systems, as well as any supporting infrastructure (such as power or cooling).

Typical documents required to demonstrate compliance

• IACS simple network drawing(s)

• asset register(s)

• plan for ageing and obsolete hardware and software

Outcome A3a Asset Management

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. All assets relevant to the secure operation of essential functions are identified and inventoried (at a suitable level of detail). The inventory is kept up-to-date.

2. Dependencies on supporting infrastructure (e.g. power, cooling etc) are recognised and recorded.

3. You have prioritised your assets according to their importance to the operation of the essential function.

4. You have assigned responsibility for managing physical assets.

5. Assets relevant to essential functions are managed with cyber security in mind throughout their lifecycle, from creation through to eventual decommissioning or disposal.

Response


Principle A4 - Supply Chain

The organisation understands and manages security risks to networks and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used.

Typical documents required to demonstrate compliance

• list of third parties used, their roles and responsibilities

• definition of cyber security requirements for the third parties

• reports of completed assessment and assurance of third parties

Outcome A4a Supply Chain

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. You understand the general risks suppliers may pose to your essential functions.

2. You know the extent of your supply chain for essential functions, including sub-contractors.

3. You engage with suppliers about security, and you set and communicate security requirements in contracts.

4. You are aware of all third-party connections and have assurance that they meet your organisation’s security requirements.

5. Your approach to security incident management considers incidents that might arise in your supply chain.

6. You have confidence that information shared with suppliers that is necessary for the operation of your essential function is appropriately protected from well-known attacks and known vulnerabilities.

Response


Objective B

Protecting against cyber-attack


Principle B1 - Function protection policies and processes

Typical documents required to demonstrate compliance

• published and controlled policies, procedures, and work instructions etc.

• personnel security records (recognising data protection requirements)

• configuration records (e.g. for firewalls, etc.)

• management of change records

• organisational and procedural change control record

• validation test records

• audit reports, review reports and management of resulting actions

Outcome B1a Policy and Process Development

You have developed and continue to improve a set of cyber security and resilience policies and processes that manage and mitigate the risk of adverse impact on the essential function.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. Your policies and processes document your overarching security governance and risk management approach, technical security practice and specific regulatory compliance.

2. You review and update policies and processes in response to major cyber security incidents.

Response

Outcome B1b Policy and Process Implementation

You have successfully implemented your security policies and processes and can demonstrate the security benefits achieved.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. Most of your policies and processes are followed and their application is monitored.

2. Your policies and processes are integrated with other organisational policies and processes, including HR assessments of individuals' trustworthiness.

3. All staff are aware of their responsibilities under your policies and processes.


4. All breaches of policies and processes with the potential to adversely impact the essential function are fully investigated. Other breaches are tracked, assessed for trends and action is taken to understand and address.

Response

Principle B2 - Identity and access control

The organisation understands, documents, and manages access to networks and information systems supporting the operation of essential functions. Users (or automated functions) that can access data or systems are appropriately verified, authenticated, and authorised.

Typical documents required to demonstrate compliance

• authentication and authorisation approach definition (including for remote and highly privileged access)

• records of current authorised users / assets and the level of access / privilege etc. (noting data security requirements)

• records of change management for users, control of physical tokens / cards etc.

• records of physical access control authorisation and physical access control measures, e.g. key distribution or electronic access control records

Outcome B2a Identity Verification, Authentication, and Authorisation

You robustly verify, authenticate, and authorise access to the networks and information systems supporting your essential function.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. All authorised users with access to networks or information systems on which your essential function depends are individually identified and authenticated.

2. User access to essential function networks and information systems is limited to the minimum necessary.

3. You use additional authentication mechanisms, such as two-factor or hardware-backed certificates, for privileged access to sensitive systems such as operational technology.

4. You individually authenticate and authorise all remote user access to all your networks and information systems that support your essential function.

5. The list of users with access to essential function networks and systems is reviewed on a regular basis at least annually.


Response

Outcome B2b Device Management

You fully know and have trust in the devices that are used to access your networks, information systems and data that support your essential function.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. Only corporately owned and managed devices can access your essential function's networks and information systems.

2. All privileged access occurs from corporately managed devices dedicated to management functions.

3. You have sought to understand the security properties of third-party devices and networks before they can be connected to your systems. You have taken appropriate steps to mitigate any risks identified.

4. The act of connecting to a network port or cable does not grant access to any systems.

5. You are able to detect unknown devices being connected to your network and investigate such incidents.

Response

Outcome B2c Privileged User Management

You closely manage privileged user access to networks and information systems supporting the essential function.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. Privileged user access requires additional validation, but this does not use a strong form of authentication (e.g. two-factor, hardware authentication or additional real-time security monitoring).

2. The identities of the individuals with privileged access to your essential function systems (infrastructure, platforms, software, configuration, etc) are known and managed. This includes third parties.

3. Activity by privileged users is routinely reviewed and validated. (e.g. at least annually).


4. Privileged users are only granted specific privileged permissions which are essential to their business role or function.

Response

Outcome B2d Identity and Access Management (IdAM)

You assure good management and maintenance of identity and access control for your networks and information systems supporting the essential function.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. You follow a robust procedure to verify each user and issue the minimum required access rights.

2. You regularly review access rights and those no longer needed are revoked.

3. User permissions are reviewed when people change roles via your joiners, leavers, and movers process.

4. All user access is logged and monitored.

Response

Principle B3 - Data security

Data stored or transmitted electronically is protected from actions such as unauthorised access, modification, or deletion that may cause an adverse impact on essential functions. Such protection extends to the means by which authorised users, devices and systems access critical data necessary for the operation of essential functions. It also covers information that would assist an attacker, such as design details of networks and information systems.

Typical documents required to demonstrate compliance

• relevant procedures for identification of sensitive data and assets containing this data and how this is protected

• specification of encryption algorithms and keys used

• records of essential data, services and connections identified and how these are protected where required

Outcome B3a Understanding Data

You have a good understanding of data important to the operation of the essential function, where it is stored, where it travels and how unavailability or unauthorised access, modification or deletion would adversely impact the essential function. This also applies to third parties storing or accessing data important to the operation of essential functions.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. You have identified and catalogued all the data important to the operation of the essential function, or that would assist an attacker.

2. You have identified and catalogued who has access to the data important to the operation of the essential function.

3. You periodically review location, transmission, quantity, and quality of data important to the operation of the essential function.

4. You have identified all mobile devices and media that hold data important to the operation of the essential function.

5. You understand and document the impact on your essential function of all relevant scenarios, including unauthorised access, modification, or deletion, or when authorised users are unable to appropriately access this data.

6. You occasionally validate these documented impact statements.

Response

Outcome B3b Data in Transit

You have protected the transit of data important to the operation of the essential function. This includes the transfer of data to third parties.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. You have identified and protected (effectively and proportionately) all the data links that carry data important to the operation of your essential function.

2. You apply appropriate technical means (e.g. cryptography) to protect data that travels over non-trusted or openly accessible carriers, but you have limited or no confidence in the robustness of the protection applied.

Response


Outcome B3c Stored Data

You have protected stored data important to the operation of the essential function.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. All copies of data important to the operation of your essential function are necessary. Where this important data is transferred to less secure systems, the data is provided with limited detail and/or as a read-only copy.

2. You have applied suitable physical or technical means to protect this important stored data from unauthorised access, modification, or deletion.

3. If cryptographic protections are used, you apply suitable technical and procedural means, but you have limited or no confidence in the robustness of the protection applied.

4. You have suitable, secured backups of data to allow the operation of the essential function to continue should the original data not be available. This may include off-line or segregated backups, or appropriate alternative forms such as paper copies.

Response

Outcome B3d Mobile Data

You have protected data important to the operation of the essential function on mobile devices.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. You know which mobile devices hold data important to the operation of the essential function.

2. Data important to the operation of the essential function is only stored on mobile devices with at least equivalent security standard to your organisation.

3. Data on mobile devices is technically secured.

Response


Principle B4 - System security

Network and information systems and technology critical for the operation of essential functions are protected from cyber attack. An organisational understanding of risk to essential functions informs the use of robust and reliable protective security measures to effectively limit opportunities for attackers to compromise networks and systems.

Typical documents required to demonstrate compliance

• procedures setting out requirements for network architecture, segregation, and access

• IACS simple network drawings

• asset hardening procedures / instructions / templates

• vulnerability / threat records

• patch management procedures and records and associated change management records

Outcome B4a Secure by Design

You design security into the network and information systems that support the operation of essential functions. You minimise their attack surface and ensure that the operation of the essential function should not be impacted by the exploitation of any single vulnerability.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. You employ appropriate expertise to design network and information systems.

2. You design strong boundary defences where your networks and information systems interface with other organisations or the world at large.

3. You design simple data flows between your networks and information systems and any external interface to enable effective monitoring.

4. You design to make network and information system recovery simple.

5. All inputs to operational systems are checked and validated at the network boundary where possible, or additional monitoring is in place for content-based attacks.

Response

Outcome B4b Secure Configuration

You securely configure the network and information systems that support the operation of essential functions.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR


1. You have identified and documented the assets that need to be carefully configured to maintain the security of the essential function.

2. Secure platform and device builds are used across the estate.

3. Consistent, secure, and minimal system and device configurations are applied across the same types of environment.

4. Changes and adjustments to security configuration at security boundaries with the networks and information systems supporting your essential function are approved and documented.

5. You verify software before installation is permitted.

Response

Outcome B4c Secure Management

You manage your organisation's network and information systems that support the operation of essential functions to enable and maintain security.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. Your systems and devices supporting the operation of the essential function are only administered or maintained by authorised privileged users from dedicated devices.

2. Technical knowledge about networks and information systems, such as documentation and network diagrams, is regularly reviewed and updated.

3. You prevent, detect, and remove malware or unauthorised software. You use technical, procedural, and physical measures as necessary.

Response

Outcome B4d Vulnerability Management

You manage known vulnerabilities in your network and information systems to prevent adverse impact on the essential function.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. You maintain a current understanding of the exposure of your essential function to publicly-known vulnerabilities.


2. Announced vulnerabilities for all software packages, network equipment and operating systems used to support your essential function are tracked, prioritised, and externally exposed vulnerabilities are mitigated (e.g. by patching) promptly.

3. Some vulnerabilities that are not externally exposed have temporary mitigations for an extended period.

4. You have temporary mitigations for unsupported systems and software while pursuing migration to supported technology.

5. You regularly test to fully understand the vulnerabilities of the networks and information systems that support the operation of your essential function.

Response

Principle B5 Resilient Networks and Systems

The organisation builds resilience against cyber-attack and system failure into the design, implementation, operation, and management of systems that support the operation of essential functions.

Typical documents required to demonstrate compliance

• records of review of limitations, constraints, and weaknesses

• disaster recovery strategy

• software/firmware/application/configuration libraries and safes

• restoration test records

Outcome B5a Resilience Preparation

You are prepared to restore the operation of your essential function following adverse impact.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. You know all networks, information systems and underlying technologies that are necessary to restore the operation of the essential function and understand their interdependence.

2. You know the order in which systems need to be recovered to efficiently and effectively restore the operation of the essential function.

Response


Outcome B5b Design for Resilience

You design the network and information systems supporting your essential function to be resilient to cyber security incidents. Systems are appropriately segregated and resource limitations are mitigated.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. Operational systems that support the operation of the essential function are logically separated from your business systems, e.g. they reside on the same network as the rest of the organisation, but within a DMZ. Internet access is not available from operational systems.

2. Resource limitations (e.g. network bandwidth, single network paths) have been identified but not fully mitigated.

Response

Outcome B5c Backups

You hold accessible and secured current backups of data and information needed to recover operation of your essential function.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. You have appropriately secured backups (including data, configuration information, software, equipment, processes and key roles or knowledge). These backups will be accessible to recover from an extreme event.

2. You routinely test backups to ensure that the backup process functions correctly, and the backups are usable.

Response

Principle B6 Staff Awareness and Training

Staff have appropriate awareness, knowledge, and skills to carry out their organisational roles effectively in relation to the security of network and information systems supporting the operation of essential functions.

Typical documents required to demonstrate compliance

• definition of competence requirements for defined IACS roles and responsibilities

• cyber security awareness training programme

• competence management records

Outcome B6a Cyber Security Culture

You develop and pursue a positive cyber security culture.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. Your executive management understand and widely communicate the importance of a positive cyber security culture. Positive attitudes, behaviours and expectations are described for your organisation.

2. All people in your organisation understand the contribution they make to the essential function's cyber security.

3. All individuals in your organisation know who to contact and where to access more information about cyber security. They know how to raise a cyber security issue.

Response

Outcome B6b Cyber Security Training

The people who support the operation of your essential function are appropriately trained in cyber security. A range of approaches to cyber security training, awareness and communications are employed.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. You have defined appropriate cyber security training and awareness activities for all roles in your organisation, from executives to the most junior roles.

2. You use a range of teaching and communication techniques for cyber security training and awareness to reach the widest audience effectively.

3. Cyber security information is easily available.

Response


Objective C Detecting cyber security events


Principle C1 Security Monitoring

The organisation monitors the security status of the networks and systems supporting the operation of essential functions in order to detect potential security problems and to track the ongoing effectiveness of protective security measures.

Typical documents required to demonstrate compliance

• procedures setting out security monitoring requirements including malicious code detection

• records of periodic monitoring (e.g. of security logs, virus detection logs, intrusion detection logs etc.)

• analysis and interpretation of the threat intelligence and periodic monitoring records and management of resulting actions

Outcome C1a Monitoring Coverage

The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your essential function.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. Data relating to the security and operation of some areas of your essential functions is collected.

2. You easily detect the presence or absence of IoCs on your essential function, such as known malicious command and control signatures.

3. Some user monitoring is done, but not covering a fully agreed list of suspicious or undesirable behaviour.

4. You monitor traffic crossing your network boundary (including IP address connections as a minimum).

Response

Outcome C1b Securing Logs

You hold logging data securely and grant read access only to accounts with business need. No employee should ever need to modify or delete logging data within an agreed retention period, after which it should be deleted.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. Only authorised staff can view logging data for investigations.

2. Privileged users can view logging information.

3. There is some monitoring of access to logging data (e.g. copying, deleting or modification, or even viewing).

Response


Outcome C1c Generating Alerts

Evidence of potential security incidents contained in your monitoring data is reliably identified and triggers alerts.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. Alerts from third party security software are investigated, and action taken.

2. Some logging datasets can be easily queried with search tools to aid investigations.

3. The resolution of alerts to a network asset or system is performed regularly.

4. Security alerts relating to some essential functions are prioritised.

5. Logs are reviewed at regular intervals.

Response

Outcome C1d Identifying Security Incidents

You contextualise alerts with knowledge of the threat and your systems, to identify those security incidents that require some form of response.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. Your organisation uses some threat intelligence services, but you don't choose providers specifically because of your business needs, or specific threats in your sector (e.g. sector-based infoshare, ICS software vendors, anti-virus providers, specialist threat intel firms).

2. You receive updates for all your signature based protective technologies (e.g. AV, IDS).

3. You apply some updates, signatures and IoCs in a timely way.

4. You know how effective your threat intelligence is (e.g. by tracking how threat intelligence helps you identify security problems).

Response

Outcome C1e Monitoring Tools and Skills

Monitoring staff skills, tools, and roles, including any that are outsourced, should reflect governance and reporting requirements, expected threats and the complexities of the network or system data they need to use. Monitoring staff have knowledge of the essential functions they need to protect.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. Monitoring staff have some investigative skills and a basic understanding of the data they need to work with.

2. Monitoring staff can report to other parts of the organisation (e.g. security directors, resilience managers).

3. Monitoring staff are capable of following most of the required workflows.

4. Your monitoring tools can make use of logging that would capture most unsophisticated and untargeted attack types.

5. Your monitoring tools work with most logging data, with some configuration.

6. Monitoring staff are aware of some essential functions and can manage alerts relating to them.

Response


Objective D Minimising the impact of cyber security incidents


Principle D1 Response and Recovery Planning

There are well-defined and tested incident management processes in place, that aim to ensure continuity of essential functions in the event of system or service failure. Mitigation activities designed to contain or limit the impact of compromise are also in place.

Typical documents required to demonstrate compliance

• incident response plan

• incident response exercise plans and records

Outcome D1a Response Plan

You have an up-to-date incident response plan that is grounded in a thorough risk assessment that takes account of your essential function and covers a range of incident scenarios.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. Your response plan covers your essential functions.

2. Your response plan comprehensively covers scenarios that are focused on likely impacts of known and well-understood attacks only.

3. Your response plan is understood by all staff who are involved with your organisation's response function.

4. Your response plan is documented and shared with all relevant stakeholders.

Response

Outcome D1b Response and Recovery Capability

You have the capability to enact your incident response plan, including effective limitation of impact on the operation of your essential function. During an incident, you have access to timely information on which to base your response decisions.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. You understand the resources that will likely be needed to carry out any required response activities, and arrangements are in place to make these resources available.


2. You understand the types of information that will likely be needed to inform response decisions, and arrangements are in place to make this information available.

3. Your response team members have the skills and knowledge required to decide on the response actions necessary to limit harm, and the authority to carry them out.

4. Back-up mechanisms are available that can be readily activated to allow continued operation of your essential function (although possibly at a reduced level) if primary networks and information systems fail or are unavailable.

5. Arrangements exist to augment your organisation’s incident response capabilities with external support if necessary (e.g. specialist cyber incident responders).

Response

Outcome D1c Testing and Exercising

Your organisation carries out exercises to test response plans, using past incidents that affected your (and other) organisation, and scenarios that draw on threat intelligence and your risk assessment.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. Exercise scenarios are based on incidents experienced by your and other organisations or are composed using experience or threat intelligence.

2. Exercise scenarios are documented, regularly reviewed, and validated.

3. Exercises are routinely run, with the findings documented and used to refine incident response plans and protective security, in line with the lessons learned.

4. Exercises test all parts of your response cycle relating to your essential functions (e.g. restoration of normal function levels).

Response

Principle D2 Lessons Learned

When an incident occurs, steps are taken to understand its root causes and to ensure appropriate remediating action is taken to protect against future incidents.


Typical documents required to demonstrate compliance

• post incident / exercise root cause analysis

• improvement management plan

• evidence of review of incident response plans

Outcome D2a Incident Root Cause Analysis

When an incident occurs, steps must be taken to understand its root causes and ensure appropriate remediating action is taken.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. Root cause analysis is conducted routinely as a key part of your lessons learned activities following an incident.

2. Your root cause analysis is comprehensive, covering organisational process issues, as well as vulnerabilities in your networks, systems, or software.

3. All relevant incident data is made available to the analysis team to perform root cause analysis.

Response

Outcome D2b Using incidents to drive Improvements

Your organisation uses lessons learned from incidents to improve your security measures.

Demonstrate that ….. these indicators of good practice (IGPs) are achieved/not achieved/not required

A/NA/NR

1. You have a documented incident review process/policy which ensures that lessons learned from each incident are identified, captured, and acted upon.

2. Lessons learned cover issues with reporting, roles, governance, skills, and organisational processes as well as technical aspects of networks and information systems.

3. You use lessons learned to improve security measures, including updating and retesting response plans when necessary.

4. Security improvements identified as a result of lessons learned are prioritised, with the highest priority improvements completed quickly.

5. Analysis is fed to senior management and incorporated into risk management and continuous improvement.

Response


Section 3 – Improvement Plan

Provide a time-based improvement plan to close out any work revealed by the self-assessment in order to meet the requirements of OG86 (or an equivalent standard).