By Jonny Keiller, Principal OT Security Consultant, Logiq
As an ISA/IEC 62443 specialist (the global series of standards for securing industrial automation and control systems) with experience across Control of Major Accident Hazards (COMAH) sites in multiple sectors, I’ve seen a clear shift in what “good” looks like for cyber security in industrial environments.
The message to leadership is now unmistakable: cyber security is no longer a technical add‑on. It is a board‑level responsibility directly tied to safety, business operations
This leadership-focused summary explains recent changes in cyber security expectations, why they are important, and how COMAH operators can respond. It highlights how the Health and Safety Executive’s Operational Guidance 86 (OG‑86) for Industrial Automation and Control Systems (IACS), together with the UK National Cyber Security Centre’s Cyber Assessment Framework (CAF Version 4), can help build a unified cyber security programme spanning both operational technology (OT) and IT environments.
It also highlights how aligning an industry recognised standard supports wider business objectives enabling growth and efficiency through the adoption of new technologies, while reducing safety, regulatory, and operational risks, and minimising long-term downtime.
COMAH sites operate in a world where a cyber incident can escalate into a safety event. Regulators increasingly look for visible, informed leadership and expect senior leaders to:
- Understand cyber risk in the same way they understand process safety
- Provide clear direction and resources
- Ensure cyber security is embedded into governance, not delegated solely to technical teams
- These expectations are set out clearly in OG‑86 and reinforced by NCSC CAF Version 4.
OG‑86: The Foundation for Safe Industrial Operation
OG‑86 is the HSE’s guidance for managing cyber risk in industrial systems. It reinforces a simple principle: loss of control caused by a cyber incident is a major accident hazard.
For leadership, OG‑86 provides clarity on:
- The need for structured, repeatable cyber security practices
- The requirement to treat OT cyber risk as part of overall safety management
- The expectation that organisations can demonstrate control, not just claim it
This aligns naturally with ISA/IEC 62443, which provides the recognised global standard for securing industrial systems.
ISA/IEC 62443 OT Series of Standards
ISA/IEC 62443 is a globally recognised, consensus-based family of standards for securing IACS. It covers the full lifecycle of OT cyber security, setting out what asset owners (operators), system integrators, and product suppliers should do to manage risk and implement proportionate controls.
In practice, it helps organisations move from high-level “good practice” statements to clear, auditable requirements (for example, defining zones and conduits, setting target security levels, and embedding security into design, change, and maintenance).
Naturally, this approach also aligns with established IT industry standards such as ISO 27001 and NIST. By mapping these frameworks together, organisations can build robust defence in depth capabilities, which is particularly important when considering remote access requirements and supply chain access.
For COMAH duty holders, this aligns well with OG‑86: OG‑86 describes the HSE’s expectations for managing cyber risk in IACS where loss of control could contribute to a major accident hazard, while ISA/IEC 62443 provides the structured management system and technical requirements to implement those expectations consistently and demonstrate evidence of control.
The Updated NCSC CAF (Version 4): What Leaders Need to Know
The CAF is the UK National Cyber Security Centre’s outcomes-based framework used to assess and improve cyber resilience (commonly used across essential services and critical infrastructure). Version 4 introduces updates that directly affect COMAH operators and strengthen the link between cyber security, safety and regulatory oversight.
Together, OG‑86, ISA/IEC 62443 and the NCSC Cyber Assessment Framework (CAF) form a coherent picture for COMAH operators: OG‑86 explains what the regulator expects for managing cyber risk in IACS, ISA/IEC 62443 provides a recognised way to implement those expectations in OT, and the CAF provides an outcomes-based lens for assessing and evidencing cyber resilience at organisational level.
Key leadership-level changes include:
Clearer expectations for OT environments: CAF Version 4 recognises that industrial systems have unique risks. Leadership should ensure visibility of OT assets, control over system changes, and resilience during incidents.
Stronger alignment with NIS regulation
The CAF now mirrors NIS requirements more closely, making it easier to build one programme that satisfies both cyber regulatory obligations and COMAH safety expectations.
Greater emphasis on supply chain assurance
Leadership is expected to ensure that integrators, vendors, and remote support providers meet defined security expectations, and that this is evidenced and governed.
Improved guidance on incident response
Boards should ensure that incident response plans include OT scenarios and are regularly exercised, not treated as a purely IT activity.
Enhanced governance and accountability
CAF Version 4 places responsibility for cyber risk firmly with senior leadership; evidence of oversight, decision-making, and appropriate resourcing will be expected.
What This Means for COMAH Operators
For COMAH operators, the practical “so what” is straightforward: OG‑86 and CAF Version 4 translate cyber risk into clear leadership expectations, and they provide a defensible way to organise, prioritise and evidence cyber security across both OT and IT.
- One joined-up programme: align OT and IT into a single coordinated model, reducing duplication, removing silos and improving decision-making.
- Safety-led risk management: treat OT cyber security as part of the safety management system, with controls governed and assured like other major accident hazard barriers.
- Clear, defensible assurance: use CAF Version 4 to assess maturity, identify gaps, prioritise investment and demonstrate “evidence of control” to regulators.
- Implementation anchored in ISA/IEC 62443: adopt a globally recognised OT standard to make the approach repeatable (e.g., segmentation, secure remote access, asset management and lifecycle security).
Summary: Key Takeaways for Leaders
The direction of travel is clear: regulators expect COMAH operators to treat OT cyber risk with the same discipline as other major accident hazards and to be able to demonstrate this in practice.
- Make cyber security a safety-led priority, owned and governed at senior level.
- Use OG‑86 and CAF Version 4 to set expectations and evidence assurance and use ISA/IEC 62443 to implement them consistently in OT.
- Bring OT and IT into one coherent programme (defence in depth), with clear roles, interfaces and decision rights.
- Prioritise governance and evidence: risk decisions, investment, supplier assurance and incident readiness should be visible and auditable.
- Reduce risk and disruption by standardising ways of working, rather than building site-by-site exceptions.
This is not just a documentation exercise. A joined-up OT/IT programme, anchored in recognised guidance and standards, reduces major accident risk, improves operational resilience and gives regulators confidence that cyber security is being managed as a core part of safe operation.
By embedding these principles, organisations are also better positioned to develop business growth without introducing unnecessary cyber security risks. This approach enables more accurate and justified investment decisions, as risk management and assurance activities are clearly aligned with both regulatory expectations and organisational strategy.
Ultimately, this leads to a more robust and sustainable growth trajectory, where investment paths are transparent and fully supported by evidence-based justifications.
How Logiq Can Help
Logiq supports COMAH organisations to turn OG‑86, CAF Version 4 and ISA/IEC 62443 into a practical, deliverable programme. Our teams combine industrial OT engineering experience with enterprise IT cyber security expertise, helping leadership align safety, operational priorities and regulatory assurance.
Typical support includes:
- OT cyber risk and maturity assessments mapped to CAF and ISA/IEC 62443, with clear remediation priorities
- Target operating model, governance and evidence packs to support regulatory conversations
- OT network architecture and segmentation (zones and conduits), secure remote access and supplier assurance design
Please get in touch to start a short discovery session to confirm scope, current maturity and the most effective first steps for your sites.
About Logiq:
Logiq is a NCSC-assured cyber security consultancy and secure solutions provider focused on safeguarding critical organisational data. Our clients are amongst the most demanding in the world and have some of the most stringent and complex security needs. We help to design and develop innovative solutions that enable them to focus on delivering their business securely.
