Following on from our last blog the Health and Safety Executive (“HSE”) has now approved a new cyber strategy in line with its 2017/18 business plan.

At this time the strategy focuses on cyber attacks on operating systems known as Industrial Automation and Control Systems (IACS) in major hazard industries. The new threat posed by intentional cyber security attacks lends additional risk in this already high risk arena.

The main priorities of the new cyber strategy are:

  • identifying emerging health and safety-related cyber risks and working to address deficiencies in HSE knowledge or action;
  • engaging with others and providing leadership to reduce the likelihood of major incidents from cyber risks; and
  • ensuring that the HSE has a proportionate and transparent approach to regulation, compliance and good practice.

The HSE’s operational guidance on the issue, available on its website raises that cyber attacks can come from various sources including software upgrades and corporate networks - not just through the internet - and that it is the responsibility of the duty holder (usually the owner/operator of the IACS) to prevent and mitigate accidents.

In addition to conducting duty holder cyber inspections which the HSE are to begin in 2018, the HSE is also to appoint eight additional cyber security control and instrumental inspectors over the next two years, in addition to the four who have already been trained up.

As discussed in the previous blog, the HSE continues to increase its focus on cyber security in the context of health and safety issues. So cyber security as a health and safety issue continues to evolve. Although at present these developments are targeted at the highest risk sectors, they indicate the general direction of travel in which the regulator is moving.

All businesses would be prudent to consider how a cyber attack might impact upon their ability to fulfil their health and safety obligations and that their risk assessment processes are such to ensure that the threat of cyber security is adequately addressed.