HFL Consulting

What are you looking for?

Events Form

  • We reserve the right to accept or decline any application.


As business advances technologically, new threats and vulnerabilities develop; one such threat is of a cyber-attack. Although the term cyber- attack creates a vision of state sponsored attacks, or the theft of personal information, the subject is relevant to Industrial Automation and Control Systems (IACS) used in high hazard industries.

The UK’s Health and Safety Executive (HSE) is in the process of inspecting sites with high hazard potential, after performing initial trial inspections.  Early indications are that while organisations do manage cybersecurity, this is generally from the perspective of data / financial protection; sites are therefore weak at applying cybersecurity principles to the control of major accidents. Operators of sites regulated under COMAH have a legal requirement to demonstrate that risks are managed to As Low and Reasonably Practicable (ALARP), and therefore improvement in Cybersecurity will be required throughout the industry.

An easy misconception would be to assume that this work is for IT and computer specialists, however such assumptions could not be further from the truth.  While appropriate (i.e. functional) protection against Cyber-attacks requires computer specialists, protection also needs to be sufficient (i.e. proportionate) to the risk.  Good cybersecurity performance is, therefore, based on effective Cybersecurity Management Systems which bring together the skills of the computer specialists and risk specialists to;

  • Identify vulnerabilities and assess the risks from the perspective of Major Accident potential.
  • Identify existing countermeasures and ensure that they are both appropriate and proportionate.
  • Maintain the counter measures and assure effectiveness through audit, monitoring and review processes.

The approach that the HSE are expecting to see is set out within operational guidance OG86 Edition 2, Appendix 1, Figure 1.

As specialists in the field of COMAH, Risk Assessment and Risk Management, HFL Consulting are well positioned to assist the industry with understanding how to manage cybersecurity in a proportionate manner for sites with major accident potential. Our services include;

  • GAP analysis and Audits of Cybersecurity Management Systems
  • Development of Cybersecurity Management Systems
  • Assisting in the definition of IACS boundaries which are linked to Major Accident Potential
  • Cybersecurity Risk Assessments
  • Assistance in proportionality considerations for ALARP demonstrations