The global malware attack which petrified the NHS earlier this year, and a number of high-profile cyber attacks before and since, have thrown into sharp focus that IT security is a health and safety issue.
It is easy to imagine that if an organisation has no access to vital health and safety documentation such as risk assessments, lone worker systems and the like, operational health and safety risk can only increase.
In response to this, the Health and Safety Executive (“HSE”) has now approved a new cyber strategy in line with its 2017/18 business plan.
The strategy focuses on cyber attacks on Industrial Automation and Control Systems (IACS) in major hazard industries, including the oil and gas sector. The new threat posed by intentional cyber security attacks adds further risk to this already high-risk arena.
Both upstream and downstream, the oil and gas sector uses a growing number of automated processes, from managing itineraries to controlling pressure valves or temperature systems. Duty holders must be prepared to manage the health and safety risks arising from a breakdown in cyber security.
In its new cyber strategy, the HSE’s main priorities include identification of emerging health and safety-related cyber risks and working to address deficiencies in HSE knowledge or action; engaging with others and providing leadership to reduce the likelihood of major incidents from cyber risks; and ensuring that the HSE has a proportionate and transparent approach to regulation, compliance and good practice.
The HSE’s operational guidance on the issue points out that cyber attacks can come from various sources including software upgrades and corporate networks – not just through the internet – and that it is the responsibility of the duty holder (usually the owner/operator of the IACS) to prevent and mitigate accidents.
Where organisations fail to apply or uphold these principles, enforcement action would be the natural and expected consequence, with financial and reputational pain not only for the organisations but also for responsible individuals within them.
For those who have perhaps been critical of the HSE for being somewhat behind the curve in this area, this is a clear message of intent that it is catching up at pace. As well as conducting duty holder cyber inspections, which the HSE is to begin in 2018, it is also to appoint eight additional cyber security control and instrumental inspectors over the next two years, in addition to the existing four already trained up.
As the HSE continues to increase its focus on cyber security in the context of health and safety issues, all businesses would be prudent to consider how a cyber attack might impact upon their ability to fulfil their health and safety obligations, and to check that their risk assessment processes are such as to ensure that the cyber security threat is adequately addressed.
Ray Gribben is a Health, Safety and Corporate Crime partner at Burness Paull.