Assigning IACS cybersecurity responsibility conformant with the UK Network and Information Systems Regulations 2018
Industrial plants constituting a society’s critical infrastructure, for example electricity generation and water supply, contain industrial automation and control systems (IACS). IACS increasingly contain many digital-electronic components whose behaviour is software-controlled. Amongst engineered artifacts, software, and thus software-controlled systems, are particularly susceptible to functional weaknesses (‘bugs’ and ‘vulnerabilities’). Such weaknesses can be exploited by nefarious parties (‘hackers’) to disrupt the critical operation of the plant, a phenomenon called cyber-insecurity; its contrary, cybersecurity, refers to the resistance of the plant to such exploitation. The UK Network and Information Systems Regulations 2018, SI 2018 No. 506 (NIS Regulations), address the cybersecurity of systems within the critical infrastructure, establishing response and reporting requirements for cybersecurity incidents. In January 2022, Her Majesty’s Government issued a call for comments on enhancing the NIS Regulations, following a 2020 review. We derive here detailed organisational reporting and response requirements based on a computer-scientific understanding of the engineering issues, in an environment which includes a central vulnerability-reporting organisation, as required under the NIS Regulations: either ICS-CERT, now part of US CISA (CISA, no date), or a cyber security incident response team (CSIRT).
Index words: IACS, ICS, cybersecurity, responsibility, safety, software, vulnerabilities, organisational responsibility, duties, mandate.