< Previous standard ^ Up a level ^ Next standard >
ISO/IEC 27019:2017 — Information technology — Security techniques — Information security controls for the energy utility industry (second edition)
“ISO/IEC 27019:2017 provides guidance based on ISO/IEC 27002:2013 applied to process control systems used by the energy utility industry for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes ...”
[Source: ISO/IEC 27019:2017]
This standard is intended to help organisations in “the energy industry” (excluding nuclear power) to interpret and apply ISO/IEC 27002 in order to secure their electronic process control systems - their Operational Technology as opposed to Information Technology.
Scope and purpose
Information security management presents fundamentally the same risk management challenges in all contexts, but the real-time nature of process control systems and the safety and environmental criticality make some of the challenges particularly extreme for organisations in the energy industry. The standard therefore provides additional, more specific guidance on information security management than the generic advice provided by ISO/IEC 27002:2013, tailored to the specific context of process control systems used by the energy utility industry for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes. This includes:
- Central and distributed process control, monitoring and automation technology, and operational systems such as programming and parameterization devices;
- Digital controllers and automation components such as control and field devices or Programmable Logic Controllers, including digital sensors and actuators;
- Other supporting systems e.g. supplementary data visualization, and controlling, monitoring, archiving, logging, reporting and documentation purposes;
- Communication technology used in process control e.g. networks, telemetry, telecontrol applications and remote control technology;
- Advanced Metering Infrastructure components e.g. smart meters;
- Measurement devices e.g. for emissions;
- Digital protection and safety systems e.g. protection relays, safety PLCs, emergency governor mechanisms;
- Energy management systems e.g. Distributed Energy Resources and electric charging infrastructures in homes and industrial situations;
- Distributed components of smart grid environments e.g. in energy grids, homes and industry;
- Associated software e.g. Distribution Management System and Outage Management System;
- Premises housing the above plus remote maintenance systems.
Note: the scope of ISO/IEC 27019 explicitly excludes process control in nuclear facilities. See instead IEC 62645 “Nuclear power plants - Instrumentation and control systems - Requirements for security programmes for computer-based systems”.
Structure and content
Note: ISO/IEC 27019 must be used in conjunction with ISO/IEC 27002 since it does not incorporate the content of ’27002. Other ISO27k standards are also recommended to fill-in the broader context e.g. ISO/IEC 27001 for an overarching Information Security Management System that encompasses process control/OT as well as general commercial systems, networks and processes, plus ISO/IEC 27005 concerning the management of information risk.
Status of the standard
The first edition was published as a Technical Report in 2013 by fast-tracking the German standard DIN SPEC 27009:2012-04 based on ISO/IEC 27002:2005.
The second edition was published in 2017 becoming a full International Standard harmonized with the 2013 version of ISO/IEC 27001 and 27002, plus IEC TC 57 standards, IEC TC 65 standards (IEC 62443-2-1) and IEC SC45A standards (IEC 62645).
A corrigendum to replace a stray “should” with a “shall” in the second edition annex was published to critical acclaim in 2019. Hurrah! Crisis averted!
The standard is now being revised to align with ISO/IEC 27002:2022. The third edition is entering Committee Draft stage, with publication due in 2025, perhaps sooner.
The global energy industry has a strong safety culture since the devastating physical impacts caused by explosions, oil and chemical spills, radioactive releases etc. are readily apparent (Bhopal, Three-mile Island, Chernobyl, Exxon Valdiz, Gulf of Mexico, Fukoshima ... need we say more?). The industry also has a strong awareness of its environmental obligations both in terms of its own operations, the upstream primary industries (e.g. mining) and the downstream impacts of some of its products. Furthermore, the industry has a strong culture of physical and information security due to the substantial risks arising from:
- Threats such as natural disasters and deliberate attacks (sabotage) from hackers, Advanced Persistent Threats, social engineers, terrorists, insiders, pressure groups and foreign states, as well as more mundane threats from accidents, competitors, electromechanical failures, malware etc.;
- Vulnerabilities inherent in their systems and processes. Process control systems that are (in some manner) connected to, exposed to or accessible from the Internet and other networks are vulnerable to the full range of cyber-threats, including those resulting from design flaws and bugs in software especially if they are not well designed, managed and maintained (e.g. security patching is challenging on safety-critical systems); and
- Impacts, particularly limited availability and/or integrity of business- or safety-critical information leading to supply interruptions (power cuts), out-of-specification supplies (e.g. over/under-voltage supplies), safety incidents (e.g. the catastrophic release of vast amounts of energy) and environmental incidents (e.g. oil/gas/chemical leaks). Energy sector organisations, both public and private, are generally classed as part of the critical national infrastructures due to their obvious strategic significance.
With an extremely high level of automation, the energy industry relies heavily on OT, principally electronic process control systems such as Programmable Logic Controllers, Industrial Internet of Things, Industrial Control Systems and Supervisory Control And Data Acquisition, plus the associated networks and procedures, to monitor, direct and control its production activities in real time. Most of the safety-related operations, for example, in a modern plant depend heavily on networked computer systems with electronic monitoring and electrically-operated valves, switches and actuators, while manually-operated controls are often limited to specific backup or emergency override functions. Many of the monitored and controlled systems are located in physically stressful locations subject to extreme heat, pressure, corrosion and/or vibration, and some are distributed remotely, sometimes very remotely, making physical access, monitoring and access control quite costly.
In short, the industry cannot function normally and safely without its electronic process control systems and networks, while serious, widespread or extended incidents cause severe national if not international repercussions.
There are lingering concerns over the scope of this standard, and overlaps with other (non-ISO27k) standards groups. The original DIN standard was not specific to the energy industry but covered ‘process control’ (SCADA/ICS) in a wider context. Other relevant standards and regulations include: IEC 62443, IEC 62351 and ISA99. This is a complex and dynamic area with limited international agreement (which I personally would argue implies the need for a strong good-practice standard!). Some national bodies, presumably under pressure from their energy industry contacts, resisted any additional regulation that might flow from the publication of a wide-scope security standard. From my perspective, their self-interest is holding everyone back ... but maybe I misunderstand their position.
< Previous standard ^ Up a level ^ Next standard >