ISO/IEC TR 27019:2013 — Information technology — Security techniques — Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry
This standard (a Technical Report) is intended to help organizations in “the energy industry” interpret and apply ISO/IEC 27002:2005 in order to secure their electronic process control systems.
Scope and purpose
The introduction to the draft standard states:
“At the focus of application of this document are the systems and networks for controlling and supervising the generation, transmission and distribution of electric power, gas and heat in combination with the control of facilitating processes. This includes control and automation systems, protection and safety systems and measurement systems, including their associated communications and telecontrol applications.”
Information security management presents fundamentally the same risk management challenges in all contexts, but the real-time nature of process control systems and the safety and environmental criticality make some of the challenges particularly extreme for organizations in the energy industry. The standard will therefore provide additional, more specific guidance on information security management than the generic advice provided by ISO/IEC 27002.
Structure and content
This standard was derived from the German standard DIN SPEC 27009:2012-04, which is itself based on ISO/IEC 27002:2005. It follows the structure of ’27002 closely, providing additional guidance where appropriate.
Note that ISO/IEC TR 27019 must be used in conjunction with ISO/IEC 27002 since it does not incorporate the content of ’27002. Other ISO27k standards are also recommended to fill-in the broader context e.g. ISO/IEC 27001 for an overarching Information Security Management System that encompasses process control as well as general commercial systems, networks and processes, plus ISO/IEC 27005 for information risk management practices.
Status of the standard
The standard was published in 2013 by fast-tracking DIN SPEC 27009:2012-04.
A revision project is under way to harmonize 27019 with the 2013 version of ISO/IEC 27001 and 27002, plus IEC TC 57 standards, IEC TC 65 standards (IEC 62443-2-1) and IEC SC45A standards (IEC 62645). Publication is expected by the middle of 2017.
The editors have proposed merging the project with IEC 62443-2-1 to avoid unnecessary duplication, leading to a dual-numbered standard.
Status: the revision is at FDIS stage. This will become a full International Standard. The scope will include the generation, storage, transmission and distribution of electric power, gas, oil and heat, but not nuclear power (an explicit exclusion). It will have a new, snappier title: “Information security controls for the energy utility industry”
The revision is on track for publication at the end of 2017.
The global energy industry has a strong safety culture since the devastating physical impacts caused by explosions, oil and chemical spills, radioactive releases etc. are readily apparent (Bhopal, Three-mile Island, Chernobyl, Exxon Valdiz, Gulf of Mexico, Fukoshima ... need we say more?). The industry also has a strong awareness of its environmental obligations both in terms of its own operations and the downstream impacts of some of its products. Furthermore, the industry has a strong culture of physical and information security due to the substantial risks arising from:
- Threats such as natural disasters and deliberate attacks (sabotage) from hackers, malware, social engineers, terrorists, insiders, pressure groups and foreign states, as well as more mundane threats from accidents, competitors, electro-mechanical failures, malware etc.;
- Vulnerabilities inherent in their systems and processes. Process control systems that are (in some manner) connected to, exposed to or accessible from the Internet and other networks are vulnerable to the full range of cyber-threats, including those resulting from design flaws and bugs in software especially if they are not well designed, managed and maintained (e.g. security patching is challenging on safety-critical systems); and
- Impacts, particularly limited availability and/or integrity of business- or safety-critical information leading to supply interruptions (power cuts), out-of-specification supplies (e.g. over/under-voltage supplies), safety incidents (e.g. the catastrophic release of vast amounts of energy) and environmental incidents (e.g. oil/gas/chemical leaks). Energy sector organizations, both public and private, are generally classed as part of the critical national infrastructures due to their obvious strategic significance.
With an extremely high level of automation, the energy industry relies heavily on electronic process control systems such as Programmable Logic Controllers (PLCs), IIoT (Industrial Internet of Things), Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition (SCADA), plus the associated networks and procedures, to monitor, direct and control its production activities in real time. Most of the safety-related operations, for example, in a modern plant depend heavily on networked computer systems with electronic monitoring and electrically-operated valves, switches and actuators, while manually-operated controls are often limited to specific backup or emergency override functions. Many of the monitored and controlled systems are located in physically stressful locations subject to extreme heat, pressure, corrosion and/or vibration, and some are distributed remotely, sometimes very remotely, making physical access, monitoring and access control quite costly.
In short, the industry cannot function normally and safely without its electronic process control systems and networks, while serious, widespread or extended incidents cause severe national if not international repercussions.
There are lingering concerns over the scope of this standard, and overlaps with other (non-ISO27k) standards groups. The primary DIN standard is not specific to the energy industry but covers ‘process control’ (SCADA/ICS) in a wider context. Other standards and regulations include: IEC 62443, IEC 62351, IEC 62443 and ISA99. This is a complex and dynamic area with limited international agreement (which I personally would argue implies the need for a strong good-practice standard!). Some national bodies (presumably under pressure from their energy industry contacts) appear to be resisting any possibility of additional regulation that might flow from the publication of a wide-scope security standard - in particular, they are concerned to exclude nuclear power which apparently is already covered adequately by IEC 62645 “Nuclear power plants - Instrumentation and control systems - Requirements for security programmes for computer-based systems”.