The trade department has awarded a contract for a supplier to investigate the cyber posture of chemical facilities and then create guidance to help the sector address supply chain risks
Government has signed a six-figure deal for a supplier to probe the cyber set-up of chemical facilities that form part of the UK’s critical national infrastructure.
On 4 February the Department for Business and Trade entered into a short-term contract with PA Consulting. The engagement, which is valued at about £200,000 and runs until the end of March, will see the firm provided “targeted on-site cybersecurity maturity assessments for chemical CNI operators”
The consultancy will then be asked to “develop a framework and guidance for the sector to enable operators to complete their own supply-chain mapping” and address risks, according to the text of the contract.
Facilities in scope of the assessments will include those that, during the 2024/25 year, have not otherwise undergone an inspection by the Health and Safety Executive, under the terms of its OG-86 cyber standards for industrial networks and essential national services.
In place of these inspections, PA Consulting has been retained to provide “assessments [that] will review current cybersecurity practices, identify vulnerabilities, and evaluate the sites’ adherence to established cybersecurity standards”.
The tech firm will then be tasked with “utilising insights gained from the assessments to support and update the sector’s assurance model… [by] analysing aggregated data to identify common vulnerabilities, best practices, and trends that can inform sector-wide cybersecurity strategies”.
The engagement also addresses the creation of “supply chain maps… with areas for improvement in resilience identified”.
Related content
- Defra seeks trio of suppliers for £5m deal to test cyber defences
- Home Office offers £145k for top techie to oversee ‘700 IT platforms and 11 CNI systems’
- MPs to probe cyber defences of critical infrastructure
To enable facilities to create their own such maps, the deal covers the provision of a “mapping framework” that enables “a structured approach and template for chemical CNI operators to map their digital supply chains which incorporates the learning from the mapping and is detailed enough for operators to use in-house”.
This framework will then be supported via the supplier’s delivery of “two workshops to socialise this guidance with CNI operators and to build any feedback into a final guidance document with examples of best practice”.
The provider will also create “vulnerability assessment tools… to help operators assess and understand vulnerabilities within their mapped supply chains”, as well as a code of practice for suppliers of industrial control systems within the sector”.
The agreement will conclude with the creation of “a final report which details the work undertaken and references the appropriate standards and regulatory requirements used to develop the approach as well as proposing next steps”, the contract says.
“The report should be highlighting risks and suggested remediation measures… include a detailed document outlining best practices for contractual assurance that operators can integrate into their procurement processes and set of recommended contractual clauses focused on cybersecurity and supply-chain risk management.”
