ISO/IEC TR 27019 — Information technology — Security techniques — Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy industry (DRAFT)
Scope and purpose
This standard (a Technical Report) is intended to help organizations in the energy industry interpret and apply ISO/IEC 27002 in order to secure their electronic process control systems.
The global energy industry or sector has a strong culture of safety since the devastating physical impacts caused by explosions, oil/chemical spills etc. are readily apparent (Bhopal, Three Mile Island, Chernobyl, Gulf of Mexico, Fukushima ... need we say more?). The industry also has a strong awareness of its environmental responsibilities both in terms of its own operations and the downstream impacts of some of its products. Furthermore, the industry has a strong culture of security (both physical and information security) due to the enormous capital value of the investments necessary to produce energy products efficiently and effectively, and due to its customers’ extreme reliance on its products. Energy sector organizations, whether governmental or commercial, are generally classed as part of the critical infrastructures of the countries in which they operate due to their obvious national significance.
The industry faces substantial information security risks as a consequence of:
Threats including natural disasters and deliberate attacks from hackers, malware, social engineers, terrorists, insiders, pressure groups and foreign states, as well as more mundane threats from accidents, competitors, mechanical failures etc.;
Vulnerabilities inherent in their systems and processes, particularly process control systems that are (in some manner) connected to, exposed to or accessible from the Internet and other networks; and
Impacts, particularly limited availability and/or integrity of critical information leading to supply interruptions (e.g. power cuts), out-of-specification supplies (e.g. over/under-voltage supplies) and safety issues (e.g. oil/gas/radiation leaks or explosions).
With an extremely high level of automation, the energy industry relies heavily on electronic process control systems such as Programmable Logic Controllers (PLCs), Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition (SCADA), plus the associated networks and procedures, to monitor, direct and control its production activities in real time. In a modern plant, for example, most safety-related operations depend first and foremost on networked computer systems with electronic monitoring and electrically-operated valves, switches and actuators, while manually-operated controls are often limited to specific backup/emergency functions. Many of the monitored and controlled systems are located in physically stressful locations subject to extreme heat, pressure, corrosion and/or vibration, and some are distributed remotely.
In short, the industry cannot function normally and safely without its electronic process control systems and networks, while serious, widespread or extended incidents cause severe national if not international repercussions.
The introduction to the draft standard states:
“At the focus of application of this document are the systems and networks for controlling and supervising the generation, transmission and distribution of electric power, gas and heat in combination with the control of facilitating processes. This includes control and automation systems, protection and safety systems and measurement systems, including their associated communications and telecontrol applications.”
Information security management presents fundamentally the same risk management challenges in all contexts, but the real-time nature of process control systems and the safety and environmental criticality make some of the challenges particularly extreme for organizations in the energy industry. The standard will therefore provide additional, more specific guidance on information security management than the generic advice provided by ISO/IEC 27002.
The donor text for this standard consists of an English translation of the existing German standard DIN SPEC 27009:2012-04, which is itself based on ISO/IEC 27002:2005. It follows the structure of ’27002 closely, providing additional guidance where appropriate.
Note that ISO/IEC TR 27019 must be used in conjunction with ISO/IEC 27002 since it does not incorporate the content of ’27002. Other ISO27k standards are also recommended to fill in the broader context, e.g. ISO/IEC 27001 for an overarching Information Security Management System that encompasses process control as well as general commercial systems, networks and processes, plus ISO/IEC 27005 for information security risk management practices.
Status of the standard
An existing, published German standard is being fast-tracked to become an ISO/IEC international standard. If things go to plan, ISO/IEC TR 27019 should be published soon.
The text is available to SC27 for approval.
The standard will need to be revised when the new, substantially revised version of ISO/IEC 27002 is released in 2013 (hopefully!).