Publication history
First published May 2018
PAS 1085:2018
Contents
Foreword ii
0 Introduction iv
1 Scope 1
2 Normative references 1
5 Security governance 13
Bibliography 49
List of figures
Figure 1 – The manufacturing organization and its digital ecosystem iv
Figure 2 – Illustrative manufacturing organization with a supply chain v
Figure 3 – The manufacturing value chain vi
Figure 4 – Overview of security-minded manufacturing vii
Figure 5 – Holistic approach to security 9
Figure 6 – Establishing the organization’s context 14
Figure 7 – Security concepts and relationships 17
Figure 8 – Risk management approach 20
Figure 9 – Supplier security triage process 27
Figure 10 – Generic data and information lifecycle 34
Figure 11 – Security goals for the organization’s data and information 39
Figure 12 – Data and information security triage process 41
Figure 13 – Personally identifiable information test 42
Foreword
This PAS (Publicly Available Specification) was sponsored by Innovate UK.
Its development was facilitated by BSI Standards Limited and it was published
under licence from The British Standards Institution. It came into effect on
31 May 2018.
Acknowledgement is given to Hugh Boyes of Bodvoc Ltd., as the technical author and the following organizations that were involved in the development of this PAS as members of the steering group:
• Arup
• B.H. Development
• Bodvoc Ltd
• BuroHappold Engineering
• Centre for Process Innovation (CPI)
• Co-opted member
• Costain Group plc
• Cranfield University
• Digital Catapult
• High Value Manufacturing Catapult (HVMC)
• Innovate UK
• The Manufacturing Technologies Association (MTA)
• National Cyber Security Centre (NCSC)
• Rockwell Automation
• Warwick Manufacturing Group (WMG)
Acknowledgement is also given to the members of a wider review panel who were consulted in the development of this PAS.
The British Standards Institution retains ownership and copyright of this PAS. BSI Standards Limited as the publisher of the PAS reserves the right to withdraw or amend this PAS on receipt of authoritative advice that it is appropriate to do so. This PAS will be reviewed at intervals not exceeding two years, and any amendments arising from the review will be published as an amended PAS and publicized in Update Standards.
This PAS is not to be regarded as a British Standard. It will be withdrawn upon publication of its content in, or as, a British Standard.
The PAS process enables a specification to be rapidly developed in order to fulfil an immediate need in industry. A PAS can be considered for further development as a British Standard, or constitute part of the UK input into the development of a European or International Standard.
Use of this document
It has been assumed in the preparation of this PAS that the execution of its provisions will be entrusted to appropriately qualified and experienced people, for whose use it has been produced.
Presentational conventions
The provisions of this PAS are presented in roman (i.e. upright) type. Its requirements are expressed in sentences in which the principal auxiliary verb is “shall”.
Commentary, explanation and general informative material is presented in italic type, and does not constitute a normative element.
Where words have alternative spellings, the preferred spelling of the Shorter Oxford English Dictionary is used (e.g. “organization” rather than “organisation”).
Requirements in this PAS are drafted in accordance with Rules for the structure and drafting of UK standards, subclause G.1.1, which states, “Requirements should be expressed using wording such as: ‘When tested as described in Annex A, the product shall ...’”. This means that only those products that are capable of passing the specified test will be deemed to conform to this PAS.
0 Introduction
An increasing use of digital technologies in the design,
manufacture, delivery, operation and disposal of
products, systems, assets and services has led to the
use of the terms digital manufacturing and industrial
digitalization. As a consequence, manufacturing
organizations typically exist within a complex digital
ecosystem as illustrated in Figure 1.
All organizations are dependent to some degree on a supply chain and unless they sell directly to their customers or end users are part of a wider supply chain as illustrated in Figure 2. For manufacturing organizations, their supply chain is likely to include organizations that provide:
• supplies or consumables, raw materials and any equipment or systems and software used in the manufacturing process;
• professional services, e.g. technical, financial and legal services; and
• resourcing services, e.g. recruitment of personnel or provision of temporary labour, sourcing of supplies, raw materials, etc.
The manufacturing organization therefore needs to be aware of and manage security risks relating to it and those that might arise through its supply chain.
NOTE 1 The organization’s supply chain forms part of the organization’s overall value chain, e.g. through supplies delivered via its inbound logistics processes and the wider digital ecosystem.
NOTE 2 Organizations should consider the impact of risks both downstream and upstream of their operations and the potential need for additional testing and/or verification of automated updates to systems, software, data and/or information.
The security issues that might affect a manufacturing organization include:
• loss or theft of intellectual property (IP) and/or commercially sensitive information;
• criminal acts, for example computer misuse, fraud, sabotage, theft and vandalism;
• counterfeit supplies, including the potential effects of counterfeiting when the organization’s products are deployed or operated;
• cyber security incidents affecting all aspects of the organization’s operations;
• accidental or deliberate alteration or corruption of manufacturing information and/or software; and
• loss of sensitive customer or personal information.
In the past, many of these issues would have required physical access to the manufacturing process or its inputs and outputs, but with the increasing digital connectivity of both manufacturers and their systems, the threats now emanate from both local sources, and those around the globe.
Within a manufacturing organization there is a value chain, which is based on a process view of the organization’s operations and comprises a set of activities that are performed to deliver its manufactured outputs. Whilst an organization might engage in hundreds of activities in the process of converting inputs and resources into the manufactured outputs, these activities can be classified generally as either primary or support. Figure 3 illustrates a generic value chain that comprises:
• primary activities, i.e. inbound logistics, manufacturing operations, outbound logistics and any product related service delivered to the organization’s customers; and
• supporting activities, i.e. enterprise ICT equipment and systems, OT, sales and marketing, resource management and procurement, financial and legal activities.
The principles upon which drafting of this PAS was undertaken were that:
a) the manufacturing organization’s security is owned, governed and promoted at board-level;
b) security risks to the manufacturing organization, its assets, manufacturing processes and outputs are assessed and managed appropriately and proportionately, including those specific to its supply chain;
c) the manufacturing organization appreciates the value of data and/or information it processes, whether owned by itself or a third-party, and takes steps to protect it across its lifetime;
d) where a manufactured item embodies digital technology or information the manufacturer ensures that the item is secure-by-design and provides aftercare and incident response to ensure that the item remains secure over its lifetime; and
NOTE It is the responsibility of the manufacturer to provide information and communicate to the customer and/or end user the lifetime support of the products and/or systems, and any associated services.
e) the manufacturing organization works with its supply chain to implement an appropriate and proportionate level of security in the delivery of the digitally manufactured items and any related services and/or information.
NOTE In determining what is appropriate and proportionate, the organization’s board-level management should ensure that consideration is given to the nature, likelihood and severity of security threats and the potential impact(s) on the organization and its stakeholders in the event that the risk(s) occur.
1 Scope
This PAS specifies requirements for the security-minded management of manufacturing organizations and the associated value chain utilizing information, digital technologies and associated control systems for the design, production, operation, maintenance and disposal of products and systems. These requirements aim to protect organizational reputation and liability, intellectual property, safety and security of manufacturing assets, and the integrity and value of the manufactured items.
It covers how to identify security threats throughout the manufacturing value chain and product lifecycle: design; manufacture (including processing and mixing); commissioning and handover; operation and maintenance; performance management; change of use/modification; and disposal. It also addresses security issues within the digital ecosystem in which the organization and its supporting supply chain operate.
This PAS covers the following elements of security: people, physical, process and technological.
It explains the need for, and application of, trustworthiness and security controls throughout a manufacturing value chain to deliver a holistic approach encompassing: safety; authenticity; availability (including reliability); confidentiality; integrity; possession; resilience; and utility.
This PAS addresses the steps required to create and cultivate an appropriate security mind-set and culture within a manufacturing organization and across its supply chain, including the need to monitor, audit and evaluate effectiveness.
The approach outlined in this PAS is applicable to any manufacturing organization and its ecosystem where manufacturing information is processed and used in digital form.
NOTE This PAS also aligns with the approach advocated by the Centre for the Protection of National Infrastructure (CPNI) for raising security-mindedness across sectors.1)
The PAS is for use by senior executive managers, operational managers, engineers, and operatives in manufacturers of products and systems and their associated supply chains and its ecosystem. It might also be of use to insurers and trainers.
1) Further information is available from CPNI’s website: https://www.cpni.gov.uk.
2 Normative references
3.1.1 asset
item, thing or entity that has potential or actual value to an organization
NOTE 1 An asset can be fixed, mobile or movable. It can be an individual item, plant, a system of connected equipment, a space within a structure, a piece of land, an entire piece of infrastructure, an entire building, or a portfolio of assets.
NOTE 2 An asset might also comprise data, information in digital or in printed form, as well as an organization’s internal processes.
NOTE 3 Digital information can be localized (i.e. based on a single data source) or distributed (i.e. derived from multiple data sources and/or locations).
NOTE 4 The value of an asset might vary throughout its life and an asset might still have value at the end of its life. Value can be tangible, intangible, financial and non-financial.
[SOURCE: BS ISO 55000:2014, 3.2.1]
3.1.2 asset data
data relating to the specification, design, construction or acquisition, operation and maintenance, and disposal or decommissioning of an item, thing or entity that has potential or actual value to an organization
[SOURCE: PAS 1192-5:2015, 3.1.2, modified]
3.1.3 asset information
information relating to the specification, design, construction or acquisition, operation and maintenance, and disposal or decommissioning of an item, thing or entity that has potential or actual value to an organization
NOTE Asset information can include design information and models, documents, images, software, spatial information and task or activity-related information.
[SOURCE: PAS 1192-5:2015, 3.1.2, modified]
3.1.4 context
circumstances that form the setting for an asset, event, data and/or information, which allow its significance and/or meaning to be better understood
NOTE Good cyber safety and security practices are not dissimilar to good health practices related to infection and disease control, i.e. taking appropriate steps to prevent infection (e.g. malware), seeking advice in the case of a suspected infection, and when infection occurs, isolating it or taking steps to prevent further spread.
3.1.6 data
series of marks, digital or analogue signals or encoded characters stored or transmitted electronically
NOTE 1 Marks can include writing, printed characters or graphics.
NOTE 2 There are alternative definitions of data; this specific definition builds on that contained in PAS 183:2017 and is being used in the context of security-mindedness.
NOTE 3 Analogue data varies continuously and relates to natural phenomena such as sounds, natural light, river levels, waves and time. It can also include images such as sketches, drawings and text which have been produced by hand rather than using digital technologies.
NOTE 4 Digital data is represented as binary digits (bits) that have only two states, 0 and 1. These data can be a digital representation of analogue data, captured through a quantization process, or data that was created in digital form, for example as a result of a computer process or by entry using a human interface device (keyboard, touchscreen, stylus, etc.).
NOTE 5 The distinction between data and information is that data does not need to have any meaning attached to it; data becomes information via context.
3.1.7 data controller
person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed
NOTE 1 The wording of the definition given in the Data Protection Act 1998 [1] (DPA) is due to be amended by the General Data Protection Regulation (GDPR) [2] Article 4(7).
NOTE 2 Whilst few manufacturers may fall within the scope of the Security of Network and Information Systems Directive (also known as the NIS Directive) [11], data controllers should be aware of its objective regarding managing security risks, protecting against cyber attacks, detecting cyber security events and minimizing the impact of cyber security incidents.
{SOURCE: Data Protection Act 1998 [1], Section 1(1)}
3.1.8 data sharing
provision of data from one or more organizations to a third-party organization or organizations, the reciprocal exchange of data between organizations, or the sharing of data between different parts and/or systems of the same organization
NOTE 1 There are two main types of data sharing:
a) systematic, routine data sharing where the same data sets are shared between the same organizations, or parts of an organization, for an established purpose; and
b) exceptional, one-off decisions to share data, for example, in unexpected or emergency situations, the provision of medical or social care data to emergency service first responders when they are responding to an incident.
NOTE 2 Data sharing might take place implicitly as well as explicitly with outsourced services via the use of cloud services where appropriate security measures are not in place.
{SOURCE: ICO’s Data Sharing Code of Practice [12], May 2011, modified}
3.1.9 data and information sharing agreement (DISA)
set of rules to be adopted by the various organizations involved in a data and/or information sharing operation
3.1.10 disclosure
action of making sensitive, classified or private data and/or information known
3.1.11 hostile reconnaissance
activity of acquiring information about a target with the view to planning to attack, compromise, disrupt or destroy that target
NOTE 1 The target might be an individual, organization, enterprise or built asset, in whole or in part.
NOTE 2 The planned hostile action might be physical or cyber in nature.
NOTE 3 Reputational damage might result from such physical or cyber hostile actions.
[SOURCE: PAS 1192-5:2015, 3.1.26, modified]
3.1.12 information
one or more data items that have a context and therefore convey a message or meaning
NOTE 1 A string of characters might be referred to generally as data; but if these characters are understood by a person or a computer program (for example, as someone’s name), then the characters convey information. Information always involves the presence of data in some format, on some medium, which could be, for example, a physical document, a document image on a screen, or the contents of an electronic file.
NOTE 2 There are alternative definitions of information, but from a security-mindedness perspective the information’s context can increase the sensitivity of the information.
3.1.13 information management
policies, processes, procedures and tasks applied to the data and/or information across its lifecycle to ensure its accuracy, authenticity, confidentiality, integrity and utility
NOTE See also Figure 9 which illustrates the generic data and information lifecycle.
[SOURCE: PAS 1192-5:2015, 3.1.17, modified]
3.1.14 information sharing
provision of information from one or more organizations to a third-party organization or organizations, the reciprocal exchange of information between organizations, or the sharing of information between different parts and/or systems of the same organization
NOTE 1 There are two main types of information sharing:
a) systematic, routine information sharing where the same information sets are shared between the same organizations, or parts of an organization, for an established purpose; and
b) exceptional, one-off decisions to share information, for example, in unexpected or emergency situations, the provision of medical or social care data to emergency service first responders when they are responding to an incident.
NOTE 2 Information sharing might take place implicitly, as well as explicitly, with outsourced services via the use of cloud services where appropriate security measures are not in place.
{SOURCE: ICO’s Data Sharing Code of Practice [12], May 2011, modified}
{SOURCE: Data Protection Act 1998 [1], Section 2}
4.1 Understanding the need for security in manufacturing
The organization’s board-level management shall research, document and demonstrate an understanding of the range of potential security issues that are applicable to its business, assets, personnel and the environments and ecosystems in which its manufactured products, systems and/or related services are or might be used.
NOTE 1 Security operates on a number of levels ranging from national security issues (e.g. the protection against terrorism, tackling organized crime and detecting hostile acts by nation states), to preserving the value, longevity and ongoing use of an enterprise’s assets, whether tangible (e.g. a factory or physical stock), or intangible (e.g. preventing the loss or disclosure of intellectual property and nationally or commercially sensitive information). It also includes the handling of privacy issues (e.g. the protection of personally identifiable information).
NOTE 2 Good security can offer competitive advantage to the manufacturing organization by protecting their key assets and engendering trust by their stakeholders and owners or users in the products, systems and related services that are provided. For those involved in the design and delivery of new or modified products or services or the systems that use them, it can also provide competitive global positioning in an international market.
NOTE 3 Good security requires holistic risk assessment and applying the principles of proportionality to achieve an appropriate balance of the costs and constraints associated with protecting an asset versus the impact that its loss, compromise or failure can have on the organization and the organization’s stakeholders.
NOTE 4 It is important to recognize that once data and information has been published on the internet, or otherwise made publicly available, it is virtually impossible to delete, destroy, remove or secure all copies of the released data and information. In addition, the release of aggregated, apparently innocuous data and information can result in exposing sensitive or security information. Therefore, appropriate checks should be made before any data and/or information is made widely available.
4.2 Holistic approach to digital manufacturing security
4.2.1 The organization’s board-level management shall appreciate that effective security requires a holistic approach, as illustrated in Figure 5, that addresses security in respect of the following aspects as a minimum:
a) people, i.e. the personnel that have access to the organization’s assets;
b) physical, i.e. the physical environment in which the organization’s assets are designed, created, used, stored, and transported;
c) processes, i.e. the business processes used to:
1) acquire, transport, store, manage, maintain, and dispose of the organization’s assets;
2) design the product(s) and/or system(s) and any related service(s);
3) manage the classification and sharing of data and information, both within the organization and with its supply chain, professional advisers, customers and potential customers; and
d) technology, i.e. the design, operation, maintenance or support, decommissioning and disposal of electronic storage media, ICT equipment and systems, and the OT used by the organization.
NOTE Effective security reduces security risks to the lowest reasonably practicable level having due regard for the severity and likelihood of risks both individually and in combination and their impact on both the organization and its stakeholders. When assessing and treating risks, organizations should focus on developing and adopting appropriate and proportionate controls or countermeasures rather than focusing primarily on adopting specific physical or technological measures.
Figure 5 – Holistic approach to security
NOTE The eight security goals (confidentiality, availability, safety, resilience, possession, authenticity, utility and
integrity) are applicable across the four security domains (people, physical, process and technical). For example,
the physical composition of a digital processing system can affect the integrity of the data and/or information
it processes, which can result in a loss of availability of a safety critical process leading to potential harm to the
vehicle’s user or to a pedestrian.
4.2.2 The organization’s board-level management shall be aware of the cyber-physical security risks that arise where digital assets and processes have an impact on the physical characteristics of a manufactured asset associated with a product or service.
4.3 Digital manufacturing security issues
4.3.1 Loss or disclosure of intellectual property
The organization’s board-level management shall research, document and demonstrate an understanding of the need to protect its own and others’ intellectual property, which it holds, or which might be developed, and shall assess and record the potential consequences of the loss of, unauthorized access to, or improper use or re-use of that information.
NOTE 1 Intellectual property encompasses a range of material, including trade secrets, proprietary processes, technical specifications and detailed calculations or methodologies. Organizations often invest heavily in the development of intellectual property and through its use, licensing and sale can deliver significant commercial and economic benefits. The piracy, theft or unauthorized use of intellectual property can be damaging to the organization and a country’s economy as a whole.
4.3.4 Loss or disclosure of commercially sensitive information
The organization’s board-level management shall research, document and demonstrate an understanding of the need to protect pricing, price sensitive or market sensitive data and/or information, especially during tender, procurement or merger and acquisition processes, and shall understand the potential consequences of the loss of, or unauthorized access to, that information.
NOTE 1 In competitive markets, there is a need to address the risks of commercial espionage, including measures to prevent the loss of, or unauthorized access to, pricing or price sensitive data. Failure to provide adequate protection of sensitive information during tendering processes can damage both purchasers and suppliers.
NOTE 2 During preliminary discussions, negotiations and due diligence phases of a merger or acquisition, the organization might be required to disclose sensitive information relating to its business and manufacturing operations and its intellectual property. The organization’s board-level management should be aware of the risk of this information being compromised or issued, particularly in the event that the merger or acquisition does not proceed to completion.
NOTE 3 In situations where professional advisers (for example lenders, financial advisers, accountants, legal advisers, patent agents, etc.) are involved in a transaction, for example supporting the negotiation of a major sale or acquisition, appropriate and proportionate protection of any sensitive information held or accessed by the advisers should be addressed in the advisers’ contracts, including remedies available in the event of loss or compromise of the information whilst in the possession or control of the advisers.
4.3.5 Release of personally identifiable information
The organization’s board-level management shall research, document and demonstrate an understanding of the need to safeguard personally identifiable information, in particular when responding to requests for information under Environmental Information Regulations [4] or where applicable the Freedom of Information Act [5 and 6].
NOTE 1 At a minimum, all manufacturing organizations are likely to hold personally identifiable information about their current, former and potential new personnel. Depending on the nature of the products or systems manufactured by the organization, it might also hold personally identifiable information about stakeholders, for example information about:
• suppliers, professional advisers;
• customers or end users of directly purchased items; and
• customer/user data and/or information relating to warranty or support enquiries.
NOTE 2 Unauthorized access to personally identifiable information can enable more targeted social engineering and phishing attacks.
NOTE 3 Increasingly manufactured products, systems and related services handle personal data and/or information, so should be designed with the privacy requirements and responsibilities of their users/owners and operators in mind.
NOTE 4 The objectives of the Security of Network and Information Systems Directive (also known as the NIS Directive) [11] and its supporting principles are relevant when considering the protection of data and information, and/or seeking to reduce the risk and impact of cyber-attacks.
4.3.6 Pattern-of-use information
The organization’s board-level management shall research, document and demonstrate the need to safeguard pattern-of-use information, which might be used as a source of intelligence regarding the:
a) use of its manufacturing equipment;
NOTE The move towards servitization of assets, e.g. power-by-the-hour rental of generators, and the use of remote monitoring to support predictive maintenance, remote diagnostics and reactive support contracts might result in significant volumes of sensitive pattern-of-use data being collected, processed and stored by third-parties.
b) operation of its supply chain; and
NOTE Analysis of delivery patterns, volumes, etc. can reveal commercially sensitive information about the operation of a plant, or the preparations for launch of a new product, etc.
c) location and use of manufactured artefacts once deployed and in operation.
NOTE The presence or absence of telemetry data from industrial systems, plant and machinery can provide market sensitive information about the state of a plant or site and its readiness for production.
NOTE Pattern-of-use information can assist a hostile or malicious party when they are performing hostile reconnaissance by revealing data and information about how a process, system or manufactured artefact operates, frequency and duration of use, and in some cases the location at which it is being used.
5 Security governance
ii) internal factors such as the organization’s plans and objectives, its scope of operations; and
iii) the nature and use to which its manufactured items are put, the security threats to which it and similar organizations are exposed, and the nature of vulnerabilities in the products or systems it manufactures.
4) risk appetite (see 5.4).
NOTE Where an organization has existing products, systems or services in use the security context relates to historic, current and emergent security issues. For example, where a legacy product is still in use and a security vulnerability emerges, which if exploited would have serious safety or security consequences, the organization might have a legal responsibility to mitigate the vulnerability.
5.1.3 The organization’s security strategy shall:
a) be aligned with the organization’s broader mission and objectives;
b) be consistent with and supportive of the organization’s context as determined in 5.1.2;
c) establish the security goals in respect of:
1) the business architecture and its through-life management of the organization, its data, information, products, systems, services, processes and structures;
2) capability development through security awareness initiatives, training and development so that personnel can acquire and maintain awareness and competence to fulfil their roles in a security-minded fashion and contribute to an effective security culture; and
3) management of security risks across the organization, its supply chain, customers and the users or operators of its products, systems and/or related services;
d) establish the need for and scope of a reporting system used to inform the organization’s board-level management of the effectiveness of security measures, including handling of security incidents and any subsequent mitigation activities or improvement initiatives;
e) set out the process that is to be regularly used to review and maintain the organization’s security to reflect changes in the security context through:
1) implementation of new or amended legislation, regulation and standards;
2) developments in:
i) the organization’s structure, processes, business plans and objectives;
ii) its data, information, products, systems, services;
iii) the operating environment for the business and its products and/or systems, and any related services; and
iv) stakeholder needs;
3) changes to the security threat landscape, for example emerging threat actors, threats, opportunities and vulnerabilities;
f) be reviewed at least annually or earlier if there are:
1) significant changes to any of the items listed in 5.1.3e); or
2) following a security incident, or a near miss (i.e. a narrow avoidance of a security incident).
5.1.4 The organization’s board-level management shall ensure that its business plans and strategies are aligned to the organization’s security strategy.
NOTE For example, if the organization’s human resource strategy involves employment of contractors to fill certain roles or give flexibility to meet varying demand, then the security strategy should address the need to have appropriate policies, processes and procedures in place to manage security vetting of contractors employed in sensitive roles.
5.2 Determining the organization’s scope
5.2.1 The organization’s board-level management shall establish, document and maintain a record of the organization’s scope, which as a minimum shall comprise an overview of the:
a) organization’s assets, both physical and digital;
b) organization’s current operations, to include:
1) the locations at which it operates;
2) the organization’s ICT equipment and systems, including any outsourced or externally hosted components;
3) the organization’s OT;
NOTE The organization’s OT, at a minimum, comprises the organization’s manufacturing systems and might also include systems used to secure and control the manufacturing and/or storage environments.
c) type of items manufactured, encompassing:
1) items likely to still be in use, but no longer manufactured;
2) currently manufactured items and services associated with them;
3) planned new manufactured items and services associated with them; and
4) any services offered in support of 5.2.1c) 1) and 2).
NOTE The purpose of this activity is for the business to make decisions about what markets it wishes to operate in. Depending on the nature of the manufacturer’s products, systems and any related services, moving into different markets or territories may change the security threats that the organization is exposed to.
d) organization’s supply chain, to include suppliers of:
1) raw materials or ingredients;
2) physical products (e.g. components, sub-assemblies, systems and equipment) which are:
i) incorporated in the manufactured items;
ii) used during the manufacture, storage, shipping and maintenance of the manufactured items; and
NOTE An appropriate and proportionate approach is required, for example, the arrangements for storage or shipping may not be an issue unless they involve specific handling conditions and packaging to: protect very fragile items; prevent contamination; deter, prevent and/or detect any interference with the shipped items.
iii) used to manage the manufacturing processes;
3) digital products/artefacts that are used by or to manufacture, shipped with or incorporated in the items listed in 5.2.1d) 2).
NOTE See 8.2 regarding understanding the organization’s supply chain.
NOTE When identifying security risks, it is appropriate to consider them from a number of perspectives, including:
• operational, i.e. the potential impact on the business through disruption of business and/or manufacturing activities, reputational damage;
• confidentiality and privacy, i.e. the loss of or unauthorized access to sensitive information and/or personally identifiable information;
• safety, i.e. the potential harm to individuals, assets or the environment arising from the failure, in whole or in part, or misuse of manufacturing-related systems or the manufactured products and/or systems and any related services;
• financial, i.e. the costs associated with managing and responding to a security incident, any subsequent legal costs, fines, etc., and the potential loss of income or profit as a result of diverting resources during a security incident response;
• legal, arising from non-compliance with legislation or regulations, e.g. data protection; and
• third-parties, arising from harm caused to one or more third-parties, for example spreading malware to third-party products or systems, provision of inaccurate or misleading data and/or information leading to corruption of databases, etc.
6.1 Security risk management approach
6.1.1 The organization’s board-level management shall establish, document and operate an appropriate and proportionate approach to security risk management.
6.1.2 The organization’s risk management processes shall encompass identification, categorization, prioritization and treatment of security risks.
6.1.3 The organization shall acquire knowledge of the concepts and relationships illustrated in Figure 7 as they relate to the organization’s assets, particularly its manufacturing-related assets, and the manufactured products and/or systems, and any related services.
6.1.4 The security risks to be considered shall include those to the organization’s:
a) business operations, critical assets and functions;
b) manufacturing assets;
c) manufactured products and/or systems and any related services;
d) supply chain, considering both the suppliers and the materials or services they supply; and
e) to others arising from a failure to implement appropriate and proportionate security measures in respect of 6.1.4a) to d).
NOTE 1 There is a complex relationship between safety (hazards) and security (threats) in all cyber-physical products and systems. Both can result in adversity. Products and/or systems, and any related services, are unlikely to be safe if not appropriately secured. The organization should aim to reduce the risk of a threat actor exploiting a vulnerability that could result in damage to the manufactured products and/or systems, other assets or the environment, or result in serious injury or death as a consequence of the failure or misuse of the manufactured items or manufacturing-related assets.
NOTE 2 In December 2014, the German government released an annual report, in which they noted that a threat actor had infiltrated a steel manufacturing facility by using a spear phishing email to gain access to the corporate network and then moved into the plant network. According to the report, the threat actor was able to cause multiple components of the system to fail. This security incident specifically impacted critical process components to become unregulated, which resulted in massive physical damage to the asset.2)
6.2 Asset-based risk register
6.2.1 The organization’s board-level management shall develop, document and maintain an asset-based risk register, which encompasses the known security risks to an organization’s assets as defined in 6.1.4, and where the scope of the risk assessment for the assets is consistent with:
a) the security context of the organization; and
b) the security strategy that has been approved by the organization’s board-level management.
NOTE In considering known risks this should be interpreted as encompassing the security risks which could reasonably be judged to affect the items listed in 6.1.4. For example, if the organization is delivering a web-based customer support service, it would be reasonable to expect that the website has addressed known technical vulnerabilities including, for example, the OWASP 3) top 10 web application vulnerabilities.
6.2.2 The asset-based risk register shall be developed using the approach outlined in Figure 8, where the key steps are:
a) to identify and decompose the organization’s assets to an appropriate level;
NOTE 1 In a similar manner to techniques such as Failure Mode Effects Analysis (FMEA) there is likely to be a need to decompose complex or hybrid assets into their constituent parts. For example, in a cyber-physical system there is a need to consider the risks associated with the physical elements, the cyber (digital) elements and their combination. The decomposition might therefore consider the risk of vandalism or malicious damage to key physical components as well as the threats arising from hackers or malware that affect the digital control systems.
NOTE 2 When considering what is an appropriate level to decompose the assets to, the objective is to identify the lowest level at which risk is going to be managed. For example, when considering an office computer, the minimum decomposition might be applications, operating system, processing hardware and any networking or communications connectivity. Depending on the nature of its use and the sensitivity of any data and/or information processed on it, additional decomposition might be required to cover data storage and any access control mechanisms.
b) to assess and identify for each asset:
1) its criticality and the impact of:
i) its loss, corruption or compromise;
ii) its failure, either partially or as a whole;
iii) its misuse or abuse (whether unintentional or malicious); and
iv) its incorrect operation on the manufactured item;
2) its vulnerabilities;
3) its hazards; and
4) potential threats and opportunities;
c) to assess and determine the attractiveness of each asset to specific threat actors by considering their motivation and capability;
d) to use the information gathered in 6.2.2a) to c), to synthesize and prioritize the potential risks to the organization, its manufacturing processes, its manufactured products and/or systems, and any related services;
e) to consider the security risks that arise through the composition, integration and/or interaction of components, sub-systems and systems, and where appropriate their interaction as systems-of-systems;
NOTE The composition, integration and/or interaction risks arise from the selection of elements and how they are integrated. Complementary weaknesses in two or more products that are being integrated can significantly increase the risks of exposure of the combined vulnerability and subsequent exploitation.
2) For further information on this incident see: https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf [15].
3) See: www.owasp.org [16].
f) to consider risks arising from data and/or information aggregation:
1) within the organization; and
2) through the data and/or information generated and/or processed by its products and/or systems, and any related services;
NOTE See 4.3.7 for further information on aggregation of data and/or information, and 11.2 regarding aggregation of public/published data and/or information.
g) to take each of the risks in turn, as part of an iterative process considering the acceptability of the risk, taking into account:
1) the available risk capacity of the organization;
NOTE The organization’s risk appetite is determined when considering the organization’s context.
2) the combinational effects of risks; and
NOTE Combinational effects occur where there is a linear path of negative events. In the context of a cyber incident, this is often called an “attack path”. For example, in the security incident involving loss of customer card data from Target stores,4) the supplier’s use of a home anti-virus product failed to detect password logging malware attached to an email, which allowed capture of the login credentials for Target’s supplier portal, and the poor configuration, use of default passwords and failure to apply security patches allowed the criminals to install malware on the company’s point of sale systems, thus harvesting information on some 40 million consumer credit and debit cards. This combination of risks created the environment that made the attack possible.
3) the cascading effects of risks;
NOTE 1 Cascading effects occur where there is a non-linear path of events occurring, including amplification and subsidiary negative events or outcomes. The cascade effect is particularly likely to occur in complex systems, i.e. systems of systems, where there is not a simple linear relationship between systems or sub-systems. In these cases, rather than the effect of the risk spreading in a simple longitudinal fashion, instead the effect spreads like a ripple affecting multiple assets that might not be directly connected to each other.
NOTE 2 It is important that risks are not considered in isolation. In a complex manufacturing process or environment there might be considerable interaction between risks. For example, a manufacturing system might include a digital component that has a known vulnerability. A risk assessment concludes this to be of low risk as the system is behind the enterprise’s firewall. However, the risk of the known vulnerability being exploited is likely also to be contingent on the protection of any remote diagnostic capability with the factory, the policies regarding the use of removable media, bring your own devices and the handling of email attachments.
h) where a risk is considered to be acceptable, review and update the organization’s risk capacity to reflect the risk being carried;
i) where a risk is considered unacceptable:
1) identify and assess potential mitigation measures;
2) select and apply as appropriate;
3) record the risk treatment; and
4) return the residual risk to the identification and analysis stage;
j) to consider for the portfolio of risks:
1) the nature of the threat environment(s);
2) an appropriate and proportionate frequency for the scheduling of risk reviews to re-evaluate the risk portfolio; and
NOTE The organization’s board-level management might consider that annual or biennial reviews are sufficient, however the frequency should be determined by how dynamic the threat environment is.
3) the triggers that would prompt an ad hoc review of some or all of the risk portfolio;
NOTE Triggers can include: the emergence of a new threat actor; changes in the security context; identification of new/emerging vulnerabilities; and identification or publication of new exploits enabling easier access to vulnerabilities or increasing their impact.
k) to maintain situational awareness by monitoring:
1) risks and opportunities;
2) emerging threats and vulnerabilities; and
3) the organization’s scope and security context.
4) US Senate Report on the incident. Available from: www.commerce.senate.gov/public/_cache/files/24d3c229-4f2f-405d-b8db-a3a67f183883/23E30AA955B5C00FE57CFD709621592C.2014-0325-target-kill-chain-analysis.pdf [17].
6.2.3 The asset-based risk register shall contain:
a) a list of the organization’s:
1) business assets; and
2) manufacturing-related assets;
NOTE The use of the term asset in Clause 6 includes asset data and asset information and inventory or stock items that are available but not yet in use.
b) appropriate and proportionate decomposition of the assets listed in 6.2.2a) to the level at which they are supplied to, purchased, licensed or created by the organization;
c) the risks related to:
1) the organization;
2) its supply chain;
3) its manufacturing-related assets; and
4) its manufactured products and/or systems, and any related services;
d) allow separation and analysis of the risks by:
1) the categories listed in 6.2.2a), taking into account the decomposition required in 6.2.2b);
2) individual suppliers in its supply chain;
3) where known, the products, systems or services in which the manufactured items, and any related services, are used or installed; and
4) customers, where the organization is not selling its products, systems or services to the end consumer.
NOTE Where the organization is selling its products, systems or services to a systems integrator, manufacturer or assembler, it is the identity of this third-party that should be recorded so that they can be notified of any future security issues.
6.2.4 For each risk in the asset-based risk register, the following shall be recorded:
a) a unique risk identifier;
b) a name or title for the risk;
c) the asset(s) affected by the risk;
d) the scope of the risk, including details of the possible risk event(s) and their size, type and number;
NOTE The scope of the risk determines the boundaries of the impact, for example whether the risk affects multiple items as it arises from a component within them, for example a defect in an integrated circuit, circuit board or piece of software.
e) the stakeholders, both internal and external, and their expectations in the event that a risk event occurs;
f) the risk evaluation, including the likelihood of an event occurring and its magnitude, and potential impact or consequence should the risk materialize at the assessed level;
g) any loss experienced, for example information from previous incidents and any prior experience of loss events related to this risk;
h) risk tolerance or limit for the risk, i.e. the acceptable loss potential or financial impact in the event that a risk event occurs, and any targets for controlling the risk or limiting performance impact;
i) the risk response, treatment and controls, i.e. the mechanisms to be used to manage the risk and control its impact and the mechanisms to be used to monitor and review their performance;
j) the potential optimizing of risk management across the portfolio of risks, i.e. the potential for cost-effective risk reduction or modification, timescales and responsibility for implementation; and
k) the ownership of the risk, i.e. who is responsible for monitoring compliance with any controls and the risk management strategy.
NOTE Unless explicitly delegated as part of the security strategy, the risk owner should be a board-level manager.
NOTE The consequences or impact of a risk materializing can be negative (i.e. hazard risks), positive (i.e. opportunity risks) or might result in further uncertainty.
6.2.5 The information contained in the asset-based risk register, either in whole or in part, is sensitive information and access to it shall be managed on a need-to-know basis, with security measures implemented that are appropriate to the level of risk, with regard to its creation, storage, distribution and use.
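As an added worked example (not text or code from PAS 1085), the following Python models the register records of 6.2.4, runs the acceptability loop of 6.2.2 g) to i) over two constructed risks, and re-scores an attack path so that the interaction NOTE 2 to 6.2.2 g) warns about is not missed when risks are judged in isolation. The 1..5 ordinal scales, the score rule, the way risk capacity is consumed, the attack-path rule and the mitigation catalogue are assumptions made for the example; the PAS prescribes no scoring scheme.

```python
"""Asset-based risk register after PAS 1085:2018, 6.2.2 g) to i) and 6.2.4.
Added illustration, not code from the PAS: the 1..5 ordinal scales, the
score = likelihood x magnitude rule, capacity consumption, the attack-path
re-scoring rule and the mitigation catalogue are all assumptions."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    """One register record; the fields follow 6.2.4 a) to k)."""
    risk_id: str                        # a) unique risk identifier
    title: str                          # b) name or title
    assets: list                        # c) affected (decomposed) assets
    scope: str                          # d) scope of the risk
    stakeholders: list                  # e) internal and external stakeholders
    likelihood: int                     # f) assumed 1..5 ordinal scale
    magnitude: int                      # f) assumed 1..5 ordinal scale
    loss_history: list                  # g) prior loss events
    tolerance: int                      # h) highest acceptable score
    owner: str                          # k) who monitors the controls
    owner_is_board_level: bool = True   # NOTE to k): board-level unless delegated
    delegated_in_strategy: bool = False
    treatments: list = field(default_factory=list)  # i) treatments applied
    status: str = "open"

    def score(self) -> int:
        return self.likelihood * self.magnitude


def validate(risk: Risk) -> list:
    """Checks one record against 6.2.4; returns findings (empty list = ok)."""
    findings = []
    for name in ("risk_id", "title", "scope", "owner"):
        if not getattr(risk, name):
            findings.append(f"{risk.risk_id or '?'}: missing {name}")
    if not risk.assets:
        findings.append(f"{risk.risk_id}: no affected asset recorded (6.2.4 c)")
    if not risk.owner_is_board_level and not risk.delegated_in_strategy:
        findings.append(f"{risk.risk_id}: owner not board-level and ownership "
                        "not delegated in the security strategy (6.2.4 k NOTE)")
    return findings


# Constructed catalogue: treatment -> (likelihood delta, magnitude delta).
MITIGATIONS = {
    "remove-default-credentials": (-1, 0),
    "patch-and-harden": (-2, 0),
    "network-segmentation": (-1, -1),
}


def treat(capacity: int, risks: list, catalogue: dict = MITIGATIONS) -> tuple:
    """6.2.2 g) to i), highest score first: acceptable risks consume capacity (h);
    otherwise treatments are applied and recorded (i 1-3) and the residual is
    re-assessed (i 4). Returns (remaining capacity, {risk_id: status})."""
    outcome = {}
    for risk in sorted(risks, key=lambda r: r.score(), reverse=True):
        options = list(catalogue.items())
        while True:
            if risk.score() <= risk.tolerance and risk.score() <= capacity:
                capacity -= risk.score()            # h) capacity now carried
                risk.status = "accepted"
                break
            if not options:                         # catalogue exhausted
                risk.status = "unacceptable-escalate"
                break
            name, (dl, dm) = options.pop(0)         # i 1-2) select and apply
            risk.likelihood = max(1, risk.likelihood + dl)
            risk.magnitude = max(1, risk.magnitude + dm)
            risk.treatments.append(name)            # i 3) record the treatment
        outcome[risk.risk_id] = risk.status
    return capacity, outcome


def attack_path_findings(risks: list, paths: list) -> list:
    """6.2.2 g) 2): re-score a chain as one event whose likelihood is that of
    the entry link and whose magnitude is that of the final link (assumed rule)."""
    by_id = {r.risk_id: r for r in risks}
    findings = []
    for path in paths:
        chain = [by_id[i] for i in path]
        combined = chain[0].likelihood * chain[-1].magnitude
        if combined > min(r.tolerance for r in chain):
            findings.append((" -> ".join(path), combined))
    return findings


def demo() -> tuple:
    """Constructed sample: a low-rated internal flaw chained with an exposed entry."""
    risks = [
        Risk("R-001", "Phishing of supplier remote-diagnostic account",
             ["remote-diagnostic-gateway"], "all lines", ["IT", "supplier"],
             likelihood=4, magnitude=1, loss_history=[], tolerance=6, owner="COO"),
        Risk("R-002", "Known vulnerability in line controller firmware",
             ["line-3-PLC/firmware"], "line 3", ["production", "safety"],
             likelihood=1, magnitude=5, loss_history=["2017 near miss"],
             tolerance=6, owner="ops-lead", owner_is_board_level=False),
    ]
    remaining, outcome = treat(capacity=12, risks=risks)
    return remaining, outcome, attack_path_findings(risks, [["R-001", "R-002"]])
```

Both sample risks pass individually, yet the chain scores 20 against a tolerance of 6, which is the portfolio-level finding 6.2.2 g) 2) asks the register to surface.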
5) any manufactured products and/or systems outside of the organization’s premises that are affected by a security incident;
NOTE The extent to which the manufacturer might be required to provide this depends on the nature of the manufactured items, the warranty and contractual provisions and might also be determined by legislation or regulation applicable in the jurisdiction in which the manufactured items are located and/or used.
6) notification by a third-party of a security incident concerning the organization’s manufactured products and/or systems, or related services;
NOTE Examples of potential third-parties include: a supplier to the organization; or a customer of the organization (where the manufactured items or related services are not supplied directly to an end user); or the end user(s) of the organization’s manufactured products and/or systems, or related services.
7) the disaster/incident recovery actions required in the event of serious failure scenarios affecting or likely to affect:
i) the manufacturing-related assets; and
ii) any systems providing or supporting services associated with the manufactured products and/or systems;
8) steps to be taken to contain and recover from the event.
c) the arrangements where applicable to access data and logs on affected or potentially affected manufacturing-related systems used by the organization, including:
1) what can be accessed and why;
2) how the data and/or logs are to be used;
3) under what circumstances they can be accessed;
4) who is authorized to access the data and/or logs;
5) how the data and/or logs are to be protected; and
6) the arrangements for the secure deletion of the data and/or logs when no longer required.
d) where, in accordance with 7.3.1b) 4), the organization is required to assist the owner and/or user of a manufactured product and/or system, and any related service, the arrangements where applicable to access data and logs as specified in 7.3.1c); and
e) the review process to be followed after a security incident, or near miss, including:
1) the process for assessing the ongoing risk;
2) the process for evaluating the incident and the response;
3) a review of any hosting or cloud service provider’s, or other outsourced service provider’s incident management plan where applicable;
4) the need for changes to the contractual provisions to handle security incidents caused by a professional advisor, contractor or supplier; and
5) the mechanisms for reviewing and updating the SIMP.
7.3.2 Access to any part of the SIMP which details sensitive information (for example, risks to the organization, its function, processes, manufacturing-related assets, personnel and third-parties) shall be managed on a strict need-to-know basis, with the information contained within it subject to security measures with regard to its creation, storage, distribution and use.
7.3.3 For those elements of the SIMP which address policies, processes and procedures relating to incidents, the initial business continuity actions shall be:
a) written so that, as far as is practicable, they do not contain sensitive information;
b) made available to all relevant personnel; and
c) periodically rehearsed, to maintain awareness and to test their effectiveness.
7.4 Supply Chain Security Management Plan (SCSMP)
7.4.1 The organization’s board-level management shall develop, document, implement and maintain a SCSMP that defines the contractual and operational measures required for the adoption of an appropriate and proportionate security-minded approach throughout the organization’s supply chain.
7.4.2 The SCSMP shall address the through-life security management of suppliers (i.e. professional advisers, contractors, service providers and OEMs) including:
a) the processes and procedures based on the requirements set out in Clause 8 for:
1) mapping of the organization’s supply chain to the level of individual contracts;
2) security risk profiling each contract to assess the potential level of risk; and
3) identification of the baseline security measures expected for a supplier with a given security risk profile;
NOTE The organization’s baseline security measures for suppliers with differing security risk profiles should be specified at a high-level in the organization’s security strategy and specified in detail in its SMP. The approach set out in Annex A of DEF STAN 05-138 [18] might inform the organization’s development of their own measures.
b) the pre-contract due diligence/accreditation/assurance requirements regarding the security culture and security management strategy of suppliers and potential suppliers;
c) the security requirements that are to be addressed in suppliers’ contracts;
NOTE 1 Legal advice should be sought regarding the wording used to address the security requirements in suppliers’ contracts.
NOTE 2 For example:
1) adoption of appropriate and proportionate measures to mitigate risk; and
2) the provision, where relevant, of risk management information regarding the supplier’s products, systems or services.
d) the audit and compliance monitoring arrangements, including handling of security incidents;
e) contract exit and termination arrangements;
f) guidance on the use of Data and Information Sharing Agreements (DISA) (see 11.7) relating to the exchange or supply of data and/or information:
1) relating to manufacturing-related assets, manufacturing processes and intellectual property;
2) individual manufactured products and/or systems, and any related services; and
3) the organization’s structure, business plans and personnel;
NOTE The use of DISAs is applicable to suppliers, potential suppliers and other third-parties in respect of both information supplied and received by the organization.
g) requirements for additional or further security awareness training and the right to audit to confirm that the training is being delivered; and
h) identification of high-risk roles or positions.
7.5 Organization’s security program
7.5.1 To facilitate a consistent organization-wide approach to security, the organization’s board-level management shall establish and maintain a security program that:
a) is aligned to the security strategy (see 5.1);
b) supports the SMP (see 7.2);
c) develops and periodically reviews the organization’s security objectives;
d) plans and implements the steps to achieve these objectives;
e) monitors the implementation of the plan and fulfilment of the objectives;
f) assigns and manages ownership of the objectives and any implementation plans to achieve them; and
g) monitors the threat landscape.
7.6 Organization’s security culture
7.6.1 The organization’s board-level management shall embed a security culture within its personnel and suppliers in accordance with 7.6.2 to 7.6.6.
7.6.2 The organization’s board-level management shall provide general security awareness training to all personnel, which as a minimum addresses the following topics:
a) cyber hygiene;
b) protection of data and information, including policies, processes and procedures related to sharing with third-parties or publication of data and/or information about manufacturing-related systems; and
c) the organization’s policies, processes and procedures regarding the security of its ICT equipment and systems and the OT.
7.6.3 The organization’s board-level management shall identify roles with a high security risk profile in the lifecycle of its manufacturing-related processes and systems, and any additional security measures training that might be required by personnel occupying these roles.
NOTE This relates to the manufacturing of the organization’s products and/or systems. Any ongoing services related to the products and/or systems are addressed in 7.6.4.
8.1 Treatment of supply chain security risks
The organization’s board-level management shall treat supply chain security risks as being an extension of existing arrangements to mitigate security risks within the organization itself.
8.2 Understanding organization’s supply chain
8.2.1 The organization’s board-level management shall research, document, demonstrate and maintain an understanding of its supply chain taking into account its own position within the multi-tiered value chain that exists between raw materials or ingredients and the delivery to an end user or customer of manufactured products and/or systems, and any related services.
NOTE Most supply chains are multi-tiered in nature where a manufacturer has an upstream element (suppliers providing raw materials, products, systems or services to support its business and manufacturing operations) and downstream element (the demand for the organization’s manufactured products or systems and any related services from its customers).
8.2.2 When undertaking the analysis specified in 8.2, the organization’s board-level management shall as a minimum cover its existing suppliers of, and when undertaking new procurements, the potential suppliers of:
a) security or security-related systems and/or security services;
b) ICT equipment and systems, and related services that process, or might in future process, sensitive data and/or information;
c) manufacturing and manufacturing-related systems that currently, or might in future, process sensitive information and/or are used in the production of sensitive components, products and/or systems, or the delivery of any related services;
d) raw materials or ingredients, physical products (e.g. components, sub-assemblies, systems and equipment) and digital products/artefacts; and
e) professional, business and support services used by the organization.
8.2.3 The organization’s board-level management shall adopt an appropriate and proportionate approach to the mapping of its supply chains taking into account the nature of the materials or services being supplied and their criticality to the security of the:
a) organization and its operations; and
b) organization’s products and/or systems and any related services.
8.2.4 Depending on the nature of each upstream contract, i.e. the supply to the organization, it might be necessary to obtain information from the supplier, or potential supplier, to allow decomposition and security risk assessment of the supplier’s own inputs into the contracts, including organizations that support the supplier’s operations.
NOTE For example, if the organization is supplying sensitive data and/or information to a supplier who is processing it in a cloud-based software-as-a-service (SaaS), the organization should consider applying the NCSC’s Guidance on Cloud Security [19] to assess the level of risk this processing might pose in respect of the sensitive data and/or information. This assessment requires information about the SaaS provider’s technology, hosting and security arrangements.
8.2.5 The organization’s approach to supplier security risk assessment shall as a minimum apply the security triage process outlined in Figure 9 to identify whether there is a need for further risk assessment of each current supplier and any prospective suppliers.
NOTE The objective of this triage process is to identify suppliers that might create vulnerabilities that affect the organization, its manufacturing operations and its products and/or systems and any related services.
8.2.6 If the outcome of the security triage process in 8.2.5 is a requirement for further risk assessment of the supplier or prospective supplier, the organization’s board-level management shall:
a) apply the risk management approach outlined in Clause 6 to any affected assets;
b) record the outcome of the assessment(s) in the asset-based risk register; and
c) apply any controls or countermeasures required to reduce the risk to an acceptable level.
NOTE 1 When assessing the supplier-related risks the organization should take account of:
a) the nature of any sensitive data and/or information provided to or processed by the supplier and the impact to the organization and its stakeholders if it were compromised;
b) whether the fact that a supplier has a relationship with the organization might increase the risk of the supplier being targeted by an adversary so as to obtain information about the organization, its products and/or systems and any related services, or about its customers;
c) the impact to the organization and its customers if the availability, integrity, provenance or quality of sensitive raw materials or ingredients, physical products (e.g. components, sub-assemblies, systems and equipment) and digital products/artefacts were compromised either accidentally or deliberately;
d) whether the supplier has administrative or similar privileged access to the organization’s enterprise ICT or manufacturing systems, either on-site, remotely or as part of a hosted or cloud-based service;
9.1 Working outside formal contracts
The organization’s board-level management shall take a security-minded approach when working outside formal contracts (for example, in pre-contract dealings with a potential supplier or customer) in relation to the access given to data and information relating to the organization, its manufacturing operations and its manufactured products, and/or systems and any related services.

9.2 Bidding to supply products and/or systems and any related service
9.2.1 The organization’s board-level management shall apply a security-minded approach in responding to pre-qualification processes, requests for quotations or tenders so as to protect sensitive information and prevent disclosure of information that might be used to infer sensitive information.
9.2.2 Where a procurement process requires submission of sensitive information, the organization’s board-level management shall consider the risks associated with disclosing such information and formally evaluate and record this risk assessment.
9.2.3 Depending on the potential impact of the risk on the organization, its existing customer base and the products and/or systems and any related services, the organization’s board-level management shall determine what controls or countermeasures are required to manage the risks identified in 9.2.2.
NOTE Measures can include requiring the third-party to enter into binding non-disclosure or confidentiality undertakings, limiting access to specific intellectual property, requiring the return or certified destruction of material, data and/or information supplied, etc.

9.3 Procurement
9.3.1 When tendering or re-tendering contracts and the tender process requires sharing or disclosure of sensitive data and/or information, the organization’s board-level management shall require that the sensitive data and/or information is separated and suitably protected while ensuring sufficient data and/or information is available to facilitate the transaction.
NOTE 1 This separation and protection exercise might include: redaction or removal of space, room, product or system labels; removal of information regarding sensitive features or uses of protective measures; and provision of aggregated data rather than access to detailed information.
NOTE 2 The organization should ensure that tender agreements include appropriate confidentiality and security requirements that cover all parties, including sub-contractors and suppliers of a bidding supplier, associated in the preparation of a tender.
9.3.2 The requirements in 9.3.1 shall apply when tendering or re-tendering contracts relating to the procurement of:
a) advisory, business support, or consultancy services;
b) raw materials, ingredients, consumables, components, digital artefacts, and any equipment, systems or software used in manufacturing and logistics processes;
NOTE The systems used in manufacturing and logistics processes generally involve the use of OT, for example the cyber elements in cyber-physical systems. Particular care should be taken with regard to OT and any equipment that provides connectivity between the OT and the organization’s enterprise ICT systems and any remote systems, such as those used by suppliers for monitoring of plant and machinery.
c) the organization’s ICT equipment and systems used for the management of its operations, including any cloud-based applications and/or storage;
d) facilities management (FM); or
e) maintenance/management.
9.3.3 Where the tender documentation contains sensitive information relating to the use of a manufacturing or business asset, or high-level information about the level of protection the asset requires, the organization’s board-level management shall require that information to be subject to appropriate security measures. These measures shall be sufficient to:
a) limit access to this information to identified key roles;
b) exclude this information from any published tender documentation;
9.5.4 Where compliance with specific security standards is required (e.g. the provision of physical and technological protection for ICT and OT equipment and systems to a defined standard, the implementation of appropriate security regimes, etc.), these shall be clearly identified in the contract along with any expected independent, third-party inspection or verification.
9.5.5 The organization’s board-level management shall impose, through its contractual arrangements, a general obligation on all individuals relating to acceptable use of models, data and information provided by the organization.
9.5.9 The organization’s board-level management shall require that the contracts specify the secure processing and storage of, secure access to, and ultimately secure disposal of, all sensitive information shared with or provided by the supplier, and that such data and information is retained for no longer than the period required to comply with legal or other regulatory requirements, together with any specific warranty requirements of the organization, whichever is longer.
NOTE Guidance on secure disposal of digital and physical assets can be found on the NCSC 5) and CPNI 6) websites.
10.1 The organization’s board-level management shall consider the security risks across the lifecycle of its products and/or systems, and any related services.
NOTE 1 From the organization’s perspective, the lifecycle depends on the organization’s role, i.e. whether it is responsible for the specification, design, manufacture, assembly and delivery of the products and/or systems, and any related services, or whether it is only responsible for manufacture, assembly and delivery and/or operation.
NOTE 2 Where the organization is assembling and/or configuring a product or system that includes components, sub-assemblies and digital artefacts (for example, software, data and/or information) that are sourced from its supply chain, it should consider and manage the risks arising from its suppliers.
10.2 The organization’s board-level management shall document, and inform customers and/or end users of, the security risks that might arise in respect of their products and/or systems, and any related services, in the event of:
a) the sale or transfer of ownership of a product or system;
b) relocation of the product or system at the end of a hire period or lease;
c) changes in delivery or termination of any related service; or
d) relocation of a product or system at the end of a hire period or lease.
NOTE Immediately prior to any of the events listed in 10.2a) to d) occurring, the customer or end user should be able to permanently delete any data and/or information stored in a product, system or associated service that allows or might allow inferences to be drawn about the use of the asset, its location or its users.
10.3 Where the organization’s products and/or systems, and any related services, are being procured by a third-party who incorporates them in a larger product and/or system, and any related services, the organization’s board-level management shall ensure that the organization works with its customer and/or end user to mitigate any security risks arising from the use of the goods or services it supplies.
10.4 Where the organization’s products and/or systems, and any related services, are supplied, either directly or via a sales channel, to an end user, or class of end users, the organization’s board-level management shall provide appropriate and proportionate support to the end user to mitigate any security risks arising from their use of the products and/or systems, and any related services.
10.5 Where the organization is responsible for the design of the manufactured products and/or systems, and any related services, the organization’s board-level management shall, to the extent that is practicable, ensure that the design is secure-by-default.
10.6 Where the organization is only responsible for the manufacture of a product or system, or the support of any related services, and it becomes aware of a security vulnerability in the design, the organization’s board-level management shall require that the relevant design authority is informed of the vulnerability in a timely and security-minded manner.
11.1 Data and information security
11.1.1 The organization’s board-level management shall develop, record, implement and manage appropriate and proportionate policies, processes and procedures relating to security-minded data and information management which are based on an understanding of the security implications associated with the loss, compromise, unauthorized manipulation or change of data and/or information, as set out in Clause 4.
NOTE Principle 7 of the ICO’s Data sharing code of practice [12] provides information on fulfilling the requirements of the DPA in respect of personal data.
11.1.2 The policies, processes and procedures set out in 11.1.1 shall address the security risks (identified in accordance with the process in Clause 6) associated with the potential impact of:
a) the loss or disclosure of intellectual property and/or commercially sensitive data and/or information;
b) the loss or disclosure of personal data;
c) the corruption of, or loss of access or unauthorized changes to, metadata; and
d) the corruption of, or loss of access or unauthorized changes to, referential master data.
11.1.3 The policies, processes and procedures set out in 11.1.1 shall also include:
a) the security features required for the organization’s data and information architecture (see 11.2);
b) the security-minded approach to managing data and information to ensure its accuracy and authenticity and preserve its long-term utility (see 11.3); and
c) the security-minded approach to be implemented in relation to data and information that could be used to cause harm to assets, services and/or individuals in respect of:
1) data and/or information sharing (see 11.5); and
2) publication of data and/or information.
11.1.3 The policies, processes and procedures set out in 11.1.1 shall be applicable across the generic data and information lifecycle, shown in Figure 10, which comprises:
a) capture – the activity associated with the creation and initial storage of a data value or piece of information, including its metadata;
b) maintenance – the activities that serve to deliver the data and/or information ready for synthesis or usage in a form and manner that is appropriate for these purposes and include: validation and verification; cleansing; reformatting; enrichment; movement; integration from multiple systems; and updating of published data and/or information;
c) synthesis – the creation of derived data and/or information through the use of inductive logic using other data and/or information as inputs;
NOTE For example, use of expert opinion or judgement or automatic decision making to create the additional data and/or information.
d) usage – the application of data and/or information to activities, functions or tasks;
e) archival – the replication or placement of data and/or information in an archive where it is stored but where no maintenance, usage or publication occurs;
f) publication – the process of making the data and/or information available outside the organization; and
g) purging – the removal of every known copy of an individual data item or piece of information from an organization.
11.1.4 The policies, processes and procedures related to purging data and/or information shall include measures for the identification and secure removal of any potential unofficial copies or versions of the data and/or information, including those that have been shared with external parties.
11.1.5 The policies, processes and procedures set out in 11.1.1 shall be embedded within the non-security-related activities of the organization.

11.2 The organization’s data and information architecture
11.2.1 The organization’s board-level management shall ensure that any service using data and/or information that identifies individuals or groups:
a) is designed, built and operated using the NCSC guidance on digital service security [NR1]; and
b) is subject to regular vulnerability assessment and penetration testing, determined by the processes used for maintaining situational awareness.
NOTE 1 Individuals and other organizations should be able to trust the manufacturing organization to protect their privacy and identity if trust in any services delivered by the manufacturing organization is to be maintained.
NOTE 2 The frequency of vulnerability assessment and penetration testing can be determined by considering the nature of the system, its criticality to the smooth and safe operation of the organization and the sensitivity of the data and/or information it contains or processes. It is prudent for the frequency of the penetration testing to be at least annually, and more frequently if the system is subject to changes or software upgrades.
NOTE 3 Processes used for maintaining situational awareness include monitoring of security alerts, software patches, etc.
NOTE 4 Particular attention should be paid to known technical vulnerabilities including, for example, the OWASP top 10 web application vulnerabilities.7)
11.2.2 The organization’s board-level management shall identify and undertake an audit of the existing channels that are used in support of its products and/or systems to provide data and/or information.
NOTE Examples of such channels include websites, smartphone applications, SMS, telephone and face-to-face.
7) See: www.owasp.org [16].
11.2.3 The audit required in 11.2.2 shall:
a) collect information about the security measures employed by each channel to secure access to the organization’s data and/or information;
b) use the information collected in 11.2.3a) and a risk assessment based on the data and/or information being handled to establish whether the security of individual channels is consistent with best practice; and
c) where there is a shortfall in the security of a channel, put in place an action plan to either:
1) raise the security standard of the channel to an acceptable level; or
2) engineer out the current service through its replacement with a service providing secure connectivity between the organization’s digital assets and the service users’ digital devices.
11.2.4 Where appropriate, technical safeguards shall be included in the architecture to reduce the risk of inadvertent release of sensitive data and information.
NOTE 1 Safeguards might include:
a) the use of data loss prevention tools to monitor and enforce rules regarding email attachments and web uploads;
b) multi-step authorization of a release, similar to measures used in online banking to authorize new transactions; and
c) introduction of an independent checking step prior to the actual disclosure or release of the data and/or information.
NOTE 2 The technical safeguards included should be consistent with, and supported by, the policies, processes and procedures the organization has in place relating to people, physical, data and information and technological security.

11.3 Managing accuracy, authenticity and long-term utility of data and information
11.3.1 The organization’s board-level management shall take appropriate and proportionate measures to:
a) ensure the resilience of the data and information infrastructure and the availability of all of the organization’s data and information;
NOTE 1 Using the internet to share data and/or information does not provide any guarantee of its availability when it is required, or the timeliness of access. Performance of and access to internet-based systems can be affected by a range of technical and environmental factors outside of the control of the organization, for example:
1) degraded network performance due to high usage or system failures;
2) damage to network infrastructure, whether caused by human or natural causes, leading to loss of connectivity;
3) malware and denial of service attacks on network and server systems; and
4) failure of the platforms hosting the data and/or information, due to software or hardware faults, or human error.
NOTE 2 Where manufacturing systems are being designed and implemented that are reliant on remote processing of data and/or information, for example, use of cloud-based monitoring or control, consideration should be given to the impact of loss of availability or degraded performance of the remote processing.
b) maintain the quality of the organization’s data and information by ensuring that changing and emergent systems and data and information architecture are managed to:
1) ensure appropriate provenance for all data and information; and
NOTE This should include data streaming from IoT and other distributed technologies.
2) maintain the integrity of the data and information repositories across the lifecycle of individual data and information sets;
NOTE 1 It is good practice to ensure that an unmodified version of the shared data and information remains available in order to preserve its provenance.
NOTE 2 Loss of integrity of data and information, or disputes about its authenticity, could have significant financial and reputational impact on organizations. In these circumstances, inaccurate or incomplete records, or the inability to prove their authenticity, could impact on the outcome of warranty claims and any legal proceedings.
c) maintain the value and medium- to long-term usefulness of the organization’s data and information by:
1) maintaining the data and information;
2) monitoring and recording changes to:
i) the data and information capture, maintenance and usage; and
ii) the manufacturing environment, including processes, systems and sensors;
3) understanding and regularly assessing the effect of changes in the algorithms, logic or rules used in data synthesis.
container handling by Maersk, costing the business an estimated $200 – 300m in lost business.11)
NOTE 4 Where wireless technologies are used for the transport of data and/or information there are potential availability, reliability and resilience issues due to the ease with which radio signals can be jammed or be subject to interference. This should be taken into account where services are critical to the safe and secure operation of the organization.
c) safety – products, systems and related processes are designed, implemented, operated and maintained so as to prevent the creation of harmful states which might lead to injury or loss of life, or unintentional environmental damage, or damage to assets;
NOTE 1 The safety of individuals, including the organization’s personnel, should be of paramount concern when developing and implementing manufacturing systems and processes and in the design, manufacture and operation of the organization’s products and/or systems and any related services.
NOTE 2 The organization should also consider the relationship between safety and security of its products and/or systems, as security vulnerabilities might create hazards affecting the user(s), environment or other assets.
d) resilience – the ability of data, information, products, systems and any related services to transform, renew and recover in a timely way in response to adverse events;
NOTE The increasing dependence on complex interactions between different organizational components, data and information sets, services and systems can significantly detract from the overall resilience of an organization. The organization should have rehearsed the handling of incidents and have workable plans to enable business continuity and disaster recovery based on fall-back service provision, which is either predominantly manual or less IT and data intensive.
e) possession – products, systems and any related processes or services are designed, implemented, operated and maintained so as to prevent unauthorized control, manipulation or interference, and to ensure that data and/or information are used only in accordance with the terms of the compliance and contractual rights and obligations;
NOTE 1 Loss of possession could arise from a physical incident of natural or human origin that affects a data centre or control room, preventing the system operators from managing the system or online service. It could also arise due to interference with the operation of the system(s) through software bugs or crashes, hacking (external or internal), malware or denial of service attacks.
NOTE 2 Loss of possession, whatever the cause, is especially critical for safety- and/or security-critical systems.
NOTE 3 Loss of possession can also cause economic and/or reputational damage to the data owner and data controller.
NOTE 4 Limiting the risk of inappropriate use of shared data and/or information is described in Clause 9.
f) authenticity – ensuring that the data and information input to, and output from, products, systems and any related processes or services, and the state of the products and/or systems and any related processes, services, data and/or information, are genuine;
NOTE Authenticity issues arise if it is not possible to establish that data and/or information is what it portrays itself to be, for example, that data originated from a specific device, from the particular location where that device is sited, and at a specific point in time. As such, authenticity is heavily dependent on the ability of the data and/or information source to assert its identity and for this to be reliably captured in any associated metadata.
g) utility – ensuring that data, information and systems remain usable and useful across the lifecycle of the data and/or information and any associated asset, individual or organization; and
NOTE 1 Changes to systems, including sensors and processing, asset configuration, referential master data, etc. should be tracked and managed through formal change control mechanisms to reduce the risk of divergence between the real, physical world and that which is captured in the data and/or information. For example, changes to a system’s sensors might introduce metrology artefacts such as changes in baseline readings, or increases in granularity, which make it more complex to compare readings taken before and after the change.
11) Interim report from Maersk CEO: http://investor.maersk.com/releasedetail.cfm?ReleaseID=1037421 [25].
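The authenticity goal in f) above, and the provenance and integrity requirements in 11.3.1 b), both come down to one mechanism: each record must carry metadata asserting which device produced it, where that device is sited and when, and that assertion must be bound to the content in a way the receiving system can verify. The following is an added illustration, not code from PAS 1085 or from any product it describes. It assumes a per-device MAC key provisioned out of band and a registry on the receiving side that knows each device’s key and site (a real deployment would hold the key in a hardware element on the device and in an HSM or key vault on the receiving side); device names, sites and readings are constructed. Each record is also chained to the digest of the previous record, so a deleted, reordered or inserted record is detectable, which is what keeps an unmodified sequence available as the provenance reference that 11.3.1 b) NOTE 1 asks for.

```python
"""Signed, chained sensor records: source identity (device, site, time) is
carried in metadata and bound to the content by a per-device HMAC; records
chain to the previous record's digest so the sequence itself is verifiable.
Added illustration; not part of PAS 1085. Keys, devices, sites and readings
are constructed for the example."""
import copy
import hashlib
import hmac
import json

# Constructed registry held by the receiving system (assumption: keys were
# provisioned out of band; the site is where the asset register says the
# device is installed).
DEVICE_REGISTRY = {
    "press-07": {"key": bytes.fromhex("11" * 32), "site": "Plant A"},
    "oven-02":  {"key": bytes.fromhex("22" * 32), "site": "Plant A"},
}
GENESIS = "0" * 64   # "previous digest" of the first record in a chain


def canonical(obj):
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def digest(obj):
    return hashlib.sha256(canonical(obj)).hexdigest()


def sign_record(device_id, key, site, ts, payload, prev):
    """Device side: metadata asserts identity, location and time; the MAC
    covers metadata, payload and the link to the previous record."""
    body = {"device": device_id, "site": site, "ts": ts, "payload": payload, "prev": prev}
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


def verify_chain(records, registry):
    """Receiving side. Checks, per record: the claimed device is known; the MAC
    verifies under that device's key (content and identity genuine); the
    claimed site matches where the device is sited; the chain link matches
    the previous record; timestamps increase. Returns (ok, reason)."""
    prev, last_ts = GENESIS, float("-inf")
    for i, rec in enumerate(records):
        entry = registry.get(rec.get("device"))
        if entry is None:
            return False, f"record {i}: unknown device {rec.get('device')!r}"
        body = {k: v for k, v in rec.items() if k != "mac"}
        want = hmac.new(entry["key"], canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, rec.get("mac", "")):
            return False, f"record {i}: MAC mismatch; content or identity not genuine"
        if rec["site"] != entry["site"]:
            return False, f"record {i}: claims site {rec['site']!r}, device is sited at {entry['site']!r}"
        if rec["prev"] != prev:
            return False, f"record {i}: chain broken; record missing, reordered or inserted"
        if rec["ts"] <= last_ts:
            return False, f"record {i}: timestamp does not increase"
        prev, last_ts = digest(rec), rec["ts"]
    return True, "ok"


def make_chain(readings):
    """readings: list of (device_id, ts, payload). Each device signs with its
    own key; the chain links records in capture order."""
    chain, prev = [], GENESIS
    for device_id, ts, payload in readings:
        entry = DEVICE_REGISTRY[device_id]
        rec = sign_record(device_id, entry["key"], entry["site"], ts, payload, prev)
        chain.append(rec)
        prev = digest(rec)
    return chain


# Constructed readings (Unix timestamps, 30 s apart).
SAMPLE_READINGS = [
    ("press-07", 1700000000, {"force_kn": 412.5}),
    ("oven-02",  1700000030, {"temp_c": 218.0}),
    ("press-07", 1700000060, {"force_kn": 410.9}),
]


def demo_results():
    """Verify a genuine chain and five ways it can stop being genuine."""
    good = make_chain(SAMPLE_READINGS)
    results = {"genuine": verify_chain(good, DEVICE_REGISTRY)[0]}
    altered = copy.deepcopy(good)
    altered[1]["payload"]["temp_c"] = 999.0                      # reading changed in transit
    results["altered_reading"] = verify_chain(altered, DEVICE_REGISTRY)[0]
    results["dropped_record"] = verify_chain([good[0], good[2]], DEVICE_REGISTRY)[0]
    results["reordered"] = verify_chain([good[1], good[0], good[2]], DEVICE_REGISTRY)[0]
    # Correctly signed by press-07 but claiming a site it is not installed at.
    relocated = sign_record("press-07", DEVICE_REGISTRY["press-07"]["key"], "Plant B",
                            1700000090, {"force_kn": 1.0}, digest(good[-1]))
    results["wrong_site"] = verify_chain(good + [relocated], DEVICE_REGISTRY)[0]
    # A device the registry has never heard of, signing with its own key.
    rogue = sign_record("press-99", bytes(32), "Plant A", 1700000090, {"force_kn": 1.0}, digest(good[-1]))
    results["unknown_device"] = verify_chain(good + [rogue], DEVICE_REGISTRY)[0]
    return results
```

The site check matters as much as the MAC: a compromised but correctly keyed device can sign anything it likes, so the receiving system has to compare the asserted location against an independent asset register rather than trusting the record’s own metadata.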
11.4.3 When considering the reuse of existing technology and digital assets, the organization’s board-level management shall seek appropriate professional advice about the ability of the systems and software to deliver the level of cyber security required.
NOTE 1 Where an operating system or application is close to, or has passed, the end of its support life, or there is a significant shortfall in the installation of software patches, it is likely to have a number of significant security vulnerabilities that could result in a security breach or incident.
NOTE 2 Depending on the nature of the advice required and the technology or digital assets involved, sources of security advice might include the organization’s own internal security personnel, specialist security consultants and government security advisers (e.g. CPNI and NCSC).
11.4.4 Prior to the implementation of any product, system or service based on IoT or other distributed technologies, the organization’s board-level management shall:
a) commission the production of a detailed security architecture for the proposed implementation;
b) determine the extent to which the architecture meets the security requirements of the organization and its stakeholders, taking into account personnel, physical and technological aspects; and
c) assess any security risks against the collective risk appetite of the organization and the benefits which it is anticipated can be gained.
NOTE The requirements set out in 11.4.4 apply to both the organization’s systems and to its manufactured products and/or systems, and any related services.

11.5 Managed sharing of data and information
11.5.1 Prior to the sharing and/or publication of a new, or modified, data and/or information set about the organization, its assets, and its manufactured products or systems, and any related services, the organization’s board-level management shall require the application of the data and information security triage process shown in Figure 12 to identify the need for a security-minded approach to be applied.
NOTE A modified data set is one where the scope of the data has changed significantly or additional data elements (fields rather than records) are included.
11.5.2 In order to identify whether there are any personal data in the data set that the triage process is being applied to, the personal data test shown in Figure 13 shall be applied.
NOTE 1 Figure 12 is based on the ICO’s guidance on ‘Determining what is personal data’ [26] which contains an explanation of the individual questions and a number of examples.
NOTE 2 The implementation of GDPR [2] could impact the approach outlined. Some overarching guidance is available in the ICO guidance document ‘Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now’ [27].
11.6 Security, privacy impact and/or data and information aggregation assessment
11.6.1 Where identified as being required by the data and information security triage process, the organization’s board-level management shall require the preparation of a security, privacy impact and/or data and information aggregation assessment by a suitably qualified and experienced person.
11.6.2 Each security, privacy impact and/or data and information aggregation assessment shall record:
a) the composition of the data and/or information set or layer;
b) who has access to the data and/or information being shared, disclosed or published;
c) whether the relevant asset, data, information, product or system owners are to be consulted before the data and/or information is shared, disclosed or published;
NOTE This applies to the organization’s own data and information and to any data and/or information collected from, stored or processed for customers or end users.
d) whether the data and/or information set includes any sensitive data and/or information, or sensitive personal data;
e) the justification for sharing, disclosing or publishing the data and/or information, in particular:
1) the objective of publishing or sharing it;
2) the potential benefits and how they are captured;
3) the risks to assets and the organization if it is not shared, disclosed or published;
4) demonstration that the proposed sharing is proportionate to the objective and the potential benefits; and
5) whether or not the objective could be achieved, or the benefits delivered, without sharing, disclosing or publishing it;
f) the authority to share or publish the data and/or information, in particular:
1) whether the organization is the data controller and/or has the right, legal authority and power to do so;
2) whether there are any legal obligations to share, disclose or publish (e.g. legislation or a court order); and
3) whether it was provided in confidence to the organization.
NOTE More detailed guidance on legal and data protection aspects of data sharing is given in the ICO’s Data Sharing Code of Practice [12].
11.6.3 Where there is uncertainty as to whether the data and/or information set contains sensitive data and/or information, or whether there are security or privacy issues arising from data and/or information aggregation, the data owner shall seek advice from appropriate security advisers.
NOTE Sources of advice can include suitably qualified and experienced persons within the organization and/or specialist security advisers outside the organization.
11.6.4 Each security, privacy impact and/or data and information aggregation assessment shall, by following the risk management process in accordance with Clause 6:
a) identify any data protection issues;
NOTE Data protection is a complex area, with detailed interpretation required of what constitutes personal data. Data and information should be carefully analysed before being made available to ensure compliance with the relevant legislation.
b) identify the security risks associated with sharing or publishing the contents of a specified data and/or information set;
c) identify and assess potential appropriate and proportionate risk mitigation measures to manage any unacceptable risks and any data protection issues; and
NOTE 1 Risk mitigation measures that might be appropriate to adopt across a wide range of data and information sets include:
a) removing a sub-set of the data and/or information from the published data and/or information set where only that sub-set creates a risk;
b) removing outliers, i.e. a small number of records that make it easier to identify assets, groups or individuals;
c) reducing the precision of the data and/or information where the precision of location or timing increases the risk;
d) providing the data and/or information in summary form to reduce the level of detail available where the granularity increases the risk;
e) releasing statistical data and/or information rather than underlying data and/or information;
f) anonymization of data and/or information sets;
g) modifying key variables to prevent re-identification;
h) publishing the data and/or information set without the metadata, or removing the sensitive fields, where the metadata creates a risk;
i) reducing the level of detail and/or removing some layers of mapped data and/or information as a user zooms in to view a locality where the granularity increases the risk; and
j) monitoring access by requiring user registration/login to access specific data and/or information sets.
NOTE 2 Where the contents of a specified data and/or information set contain sensitive personal data, additional controls might be required.
NOTE 3 Where a data and/or information set is manipulated to reduce the risk of identification or re-identification, processing should be independently verified to ensure the effectiveness of the approach used.
d) list any residual risks and remaining data protection issues.
11.6.5 A data and information aggregation assessment shall, in addition:
a) take proportionate steps to identify any data and/or information sets that have already been shared or published, whether intentionally or unintentionally, that, when aggregated with the specified data, allow a third-party to draw inferences from the disclosed material or create unplanned associations, including those which:
1) identify a specific individual(s) or group(s);
2) reveal sensitive personal data;
3) establish a pattern-of-life for a specific individual(s) or group(s);
4) identify a sensitive asset;
5) reveal sensitive information about an asset;
6) establish a pattern-of-use for specific asset(s) or group(s) of assets; or
7) compromise the safety or security of an asset, individual(s), group(s) or service; and
b) provide clear examples of how these inferences could be drawn.
11.6.6 Where potential harm is identified, sharing, publication or further/additional disclosure shall be prohibited until appropriate and proportionate measures are implemented to remove the sensitivity or reduce the associated risks to a level that is acceptable to the organization.
11.6.7 Access to any part of the security, privacy impact and/or data and information aggregation assessments which details sensitive information shall be managed on a strict need-to-know basis, with the information contained within it subject to appropriate security measures with regard to its creation, storage, distribution and use.

11.7 Data and information sharing agreements
NOTE The information in this clause does not constitute legal advice. Users of this PAS should take appropriate legal advice regarding data and information sharing.
11.7.1 A data and information sharing agreement (DISA) shall be put in place prior to sharing or processing of any sensitive or potentially sensitive data and/or information regarding manufacturing-related systems and the manufactured products and/or systems, and any related services.
NOTE The term ‘process data’ should be interpreted as encompassing the various aspects of data processing covered by the UK Data Protection Act [1] and the General Data Protection Regulation (GDPR) [2], i.e. the creation or collection, processing, storage, retrieval and deletion of data and/or information.
11.7.2 A DISA shall detail, as a minimum:
a) the purpose, or purposes, of the sharing;
b) the potential recipients, or types of recipient, and the circumstances in which they have access;
c) the type of data and/or information to be shared;
d) the quality of the data and/or information to be shared, in particular its authenticity, coverage, accuracy, relevance and usability;
e) the requirements in relation to:
1) where relevant, data protection;
2) permitted and prohibited rights of use of the data;
3) obligations to notify the data owner and/or data controller in the event of a security incident or compromise, or any complaints regarding the quality of the data and/or information;
NOTE The obligations should reference the relevant security incident management policies, processes and procedures (see 7.3).
f) data and/or information maintenance, including responding to notification of requests for erasure or correction;
g) data and information security, including the handling of security incidents and investigations undertaken by data protection authorities;
h) the arrangements for retention and/or purging of shared data and/or information;
i) where applicable, i.e. when handling personal data, the procedures dealing with data subjects’ rights, including access requests, queries and complaints;
a) monitoring and auditing of the implementation of the sharing agreement; and
b) sanctions for failure to comply with the
11.7.4 The organization’s board-level management shall require the periodic review of all DISAs, to confirm that:
a) there is still a legitimate purpose for the continued sharing of data and/or information;
b) the recipients of the data and/or information still need access to it, and where they do not, that access has been withdrawn;
c) the data and information quality and maintenance are to the agreed standards; and
d) the data security arrangements remain appropriate and proportionate, and that any complaints have been satisfactorily resolved.
NOTE The frequency of the periodic reviews should be determined by the nature and sensitivity of the data and/or information that is being shared, and the impact on the organization in the event that the shared data and/or information were compromised or misused. The frequency might therefore vary between different data and information sets. The organization’s board-level management might also wish to take into account the behaviour of the recipient parties with whom that data and/or information has been shared. For example, if there have been a number of security incidents, the organization’s board-level management might decide to increase the frequency of reviews.
agreement and/or a security incident caused by
an individual member of staff.
NOTE 1 The information in this clause does not constitute legal advice. Users of this PAS should take appropriate legal advice where any of the legislation or regulations in Clause 12 applies to data and/or information under their control.
NOTE 2 The legislation listed in Clause 12 is set out in alphabetical order and is not intended to be exhaustive.

12.1 Computer Misuse Act 1990 [7]
The organization's board-level management shall require the application of a security-minded approach in the specification, design, operation and maintenance of manufacturing-related systems and the systems providing services to or in support of manufactured items, so as to ensure that personnel, professional advisors, contractors, suppliers and system users do not inadvertently commit offences when fulfilling their contracted duties.
NOTE Offences can arise where an individual accesses data and/or information for which they lack the requisite privileges or authorization. The access might include viewing, printing, moving data and/or information or altering files or database records.

12.2 Control of Major Accident Hazards (COMAH) Regulations 2015 [8]
The organization's board-level management shall require adoption of a security-minded approach in its disclosure of information that shall be publicly available regarding the hazardous substances it employs in its manufacturing processes and, where there might be security concerns, shall discuss these with the relevant public authorities prior to publishing the information.
NOTE The Control of Major Accident Hazards Regulations 2015 (COMAH) [8] aim to prevent major accidents involving dangerous substances and to mitigate the effects on people and the environment of those that do occur. Depending on the location of an organization's site(s) in the UK it might be required to provide specific details about the hazardous substances it uses to the Health and Safety Executive (HSE), the Environment Agency (EA), the Natural Resources Body for Wales (NRW) or the Scottish Environment Protection Agency; where COMAH applies to nuclear licensed sites the Regulations are enforced by the Office for Nuclear Regulation (ONR) and the relevant environment regulator. The Regulations require that some of the submitted information is made publicly available and searchable.

12.3 Data Protection Act 1998 [1]
The organization's board-level management shall require application of a security-minded approach to the handling, storage and use of personal data.
NOTE 1 The Data Protection Act 1998 [1] regulates the use of personal data and may apply to asset information, whether held in electronic or paper form, where it includes any set of information relating to individuals. The need for identification and protection of personal data is addressed in 11.6.
NOTE 2 The provisions of the Data Protection Act 1998 [1] will be affected by the introduction of the GDPR (Regulation (EU) 2016/679) [2], which repeals Directive 95/46/EC.

12.4 Environmental Information Regulations 2004 [4]
Where a manufacturing organization shares data and/or information with an organization that falls within the scope of the Environmental Information Regulations 2004 [4], it shall, on a risk-based, security-minded basis, consider what sensitive information might be released, as part of the public authority's publication scheme and on request, and where necessary agree with the public authority what sensitive information needs to be protected and how the protection is to be applied, for example by providing it in confidence or by identifying specific exemptions that apply to it.
NOTE 1 The Environmental Information Regulations [4] provide public access to information about the environment held by public authorities by:
a) obliging public authorities to proactively publish certain information about their activities in accordance with their publication scheme, and
b) entitling members of the public to request information from public authorities.
The Regulations cover any recorded information held by the public authority that falls within the definition of "environmental information" and can also apply to environmental information that another person or organization holds on behalf of the public authority. They typically cover information about land development, pollution levels, energy production, and waste management, and include financial information where it relates to the costs of redeveloping land and constructing a new built asset, e.g. a new manufacturing facility.
NOTE 2 There is a risk that sensitive information disclosed to a public authority might be released to a competitor or a potentially hostile third-party. A manufacturing organization that wishes to protect sensitive information such as intellectual property, commercially sensitive information, etc. should be aware that there are a number of specific exemptions regarding disclosure of information as part of a publication scheme or in response to an environmental information request.

12.5 Freedom of Information Act 2000 [5] and Freedom of Information (Scotland) Act 2002 [6]
Where a manufacturing organization shares data and/or information with an organization that is covered by the Freedom of Information legislation it shall, on a risk-based, security-minded basis, consider what sensitive information might be released as part of the public authority's publication scheme and on request, and where necessary agree with the public authority what sensitive information needs to be protected and how the protection shall be applied, for example by providing it in confidence or by identifying specific exemptions that apply to it.
NOTE 1 The Freedom of Information Acts [5 and 6] provide public access to information held by public authorities, by:
a) obliging public authorities to proactively publish certain information about their activities in accordance with their publication scheme, and
b) entitling members of the public to request information from public authorities.
The Freedom of Information Act 2000 [5] covers any recorded information that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland; the Freedom of Information (Scotland) Act 2002 [6] covers recorded information held by Scottish public authorities.
NOTE 2 There is a risk that sensitive information disclosed to a public authority might be released to a competitor or a potentially hostile third-party. A manufacturing organization that wishes to protect sensitive information such as intellectual property, commercially sensitive information, etc. should be aware that there are a number of specific exemptions regarding disclosure of information as part of a publication scheme or in response to a freedom of information request. Areas covered by exemptions that the public authority might apply include:
a) health and safety;
b) environmental information;
c) personal information;
d) information provided in confidence;
e) legal professional privilege; and
f) commercial interests.
This is a complex legal area and a manufacturing organization should seek appropriate legal advice before sharing sensitive information with the public authority.

12.6 General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) [2]
Organizations shall apply a security-minded approach to the handling, processing, storage and use of personal data and special categories of personal data (i.e. sensitive personal data) that are shared, published or processed as part of their business or manufacturing operations.
NOTE The government has confirmed that the UK's decision to leave the EU does not affect the commencement of the GDPR, which applies in the UK from 25 May 2018.

12.7 Government Security Classifications
Where applicable, the organization's board-level management shall require application of and compliance with the Government Security Classifications policy [29] with regards to:
a) all data and information that it collects, stores, processes, generates or shares in order to own, procure, operate or maintain its manufacturing assets, including information received from, or exchanged with, external parties both within and outside its supply chain; and
b) any inventory of sensitive manufactured items or systems and their sensitive raw materials, components, sub-systems, drawings, schematics, bills of materials, or supply chain details.
NOTE 1 Compliance with this policy might require specific security measures to be imposed regarding the access to, storage and processing of data and information, particularly where there are significant volumes of official and/or sensitive data or where some of the data and/or information requires specific controls and security measures.
NOTE 2 Government Security Classifications apply to all data and information that the government collects, stores, processes, generates or shares to deliver services and conduct business, including information received from, or exchanged with, external partners.
NOTE 3 Where central government information is not processed or stored, it is considered to be good security practice to apply BS 10010 to all data and information that the organization collects, stores, processes, generates or shares to design and manufacture items or systems, deliver services and conduct business.

12.8 Official Secrets Act 1989 [9]
Where official data and/or information is held in paper or electronic form, or sensitive manufactured items, systems and any related services are delivered, the organization's board-level management shall require application of protective measures in accordance with the UK Government guidance on physical and information security 12).
NOTE The Official Secrets Act [9] applies to the protection of official information and to sensitive manufactured items, systems and any related services. Where the data and/or information is, or the manufactured items, systems and any related services are, covered by the Official Secrets Act [9], additional protective measures might be required in accordance with the Government's guidance on physical and information security.

12.9 Re-use of Public Sector Information Regulations 2005 [10]
The organization's board-level management shall require application of a security-minded approach when responding to requests for information from public sector bodies, as such information might be made available for re-use, and the extent to which the data is exempt from re-use should be ascertained prior to disclosing it.
NOTE Organizations should carefully consider the security implications of making data available that might be re-used. Whilst individual items might not pose a threat, aggregation of data, including correlation of data supplied to different public bodies, could reveal sensitive commercial or technical information and manufacturing capabilities. Where security considerations might be applicable, the organization should identify the extent to which the information is or might be available for re-use and determine what, if any, measures can be legitimately used to reduce the risk of disclosing sensitive information.

12.10 Sensitive information in planning applications
Where a planning application relating to the design or extension of manufacturing facilities contains sensitive information, the organization's board-level management shall apply a security-minded approach to the handling of the application using the principles set out in PAS 1192-5 and the government's published guidance on sensitive information in planning applications 13). The manufacturing organization shall work with its construction professional advisers and the planning authority to limit the information available on the open planning register, with sensitive information being subject to special handling arrangements.
NOTE Manufacturing organizations should be aware that a planning application could contain sensitive information such as:
a) data and/or information relating to a sensitive manufacturing process which reveals intellectual property related to the process;
b) data and/or information relating to the capacity of the manufacturing plant or its systems; and
c) descriptions of rooms or room layouts which might assist a malicious party in conducting hostile reconnaissance, for example to identify the location of sensitive assets.
The organization should be aware that if such information is available on an open planning register it might be accessed by organizations seeking competitive intelligence or potentially hostile parties seeking sensitive information regarding the manufacturing organization, its facilities and manufacturing assets.

12) See www.gov.uk/government/publications/government-security-classifications [29].
13) Further information can be found at: http://planningguidance.planningportal.gov.uk/blog/guidance/crown-development/sensitive-information-in-planning-applications/ [28].
Bibliography

BS 10010:2017, Information classification, marking and handling – Specification
BS ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements
PAS 183:2017, Smart cities – Guide to establishing a decision-making framework for sharing data and information services
PAS 754:2014, Software Trustworthiness – Governance and management – Specification
PAS 1192-5:2015, Specification for security-minded building information modelling, digital built environments and smart asset management

Other publications and websites
[1] GREAT BRITAIN. Data Protection Act 1998. London: The Stationery Office.
[2] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Available from: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN [viewed April 2018].
[3] GREAT BRITAIN. Trade Union and Labour Relations (Consolidation) Act 1992. London: The Stationery Office.
[4] GREAT BRITAIN. Environmental Information Regulations 2004. London: The Stationery Office.
[5] GREAT BRITAIN. Freedom of Information Act 2000. London: The Stationery Office.
[8] GREAT BRITAIN. Control of Major Accident Hazards Regulations 2015. London: The Stationery Office.
[9] GREAT BRITAIN. Official Secrets Act 1989. London: The Stationery Office.
[10] GREAT BRITAIN. Re-use of Public Sector Information Regulations 2005. London: The Stationery Office.
[11] DIRECTIVE (EU) 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning measures for a high common level of security of network and information systems across the Union (NIS Directive). Available from: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L1148&from=EN [viewed April 2018].
[12] INFORMATION COMMISSIONER'S OFFICE. Data sharing code of practice. ICO: Cheshire, 2011. Available from: https://ico.org.uk/media/for-organisations/documents/1068/data_sharing_code_of_practice.pdf [viewed April 2018].
[13] CHARTERED INSTITUTE OF INTERNAL AUDITORS. Risk appetite and internal audit. London. Available from: https://www.iia.org.uk/resources/risk-management/risk-appetite/ [viewed April 2018].
[14] ENGINEERING COUNCIL. Available from: www.engc.org.uk/security [viewed April 2018].
[15] INDUSTRIAL CONTROL SYSTEMS. ICS CP/PE (Cyber-to-Physical or Process Effects) case study paper – German Steel Mill Cyber Attack. December 2014. Available from: https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf [viewed April 2018].
[16] OPEN WEB APPLICATION SECURITY PROJECT (OWASP). Available from: www.owasp.org [viewed April 2018].
[17] US SENATE REPORT. Available from: www.commerce.senate.gov/public/_cache/files/24d3c229-4f2f-405d-b8db-a3a67f183883/23E30AA955B5C00FE57CFD709621592C.2014-0325-target-kill-chain-analysis.pdf [viewed April 2018].
[18] GREAT BRITAIN. DEF STAN 05-138. Cyber security for defence suppliers. Available from: www.gov.uk/government/publications/cyber-security-for-defence-suppliers-def-stan-05-138 [viewed April 2018].
[28] Sensitive information in planning applications. Available from: http://planningguidance.planningportal.gov.uk/blog/guidance/crown-development/sensitive-information-in-planning-applications/ [viewed April 2018].
[29] Government security classifications. Available from: www.gov.uk/government/publications/government-security-classifications [viewed April 2018].