ISO/IEC 27019:2017 — Information technology — Security techniques — Information security controls for the energy utility industry (second edition)
This standard is intended to help organizations in “the energy industry” (non-nuclear) interpret and apply ISO/IEC 27002:2005 in order to secure their electronic process control systems.
Scope and purpose
The introduction to the draft standard states:
“At the focus of application of this document are the systems and networks for controlling and supervising the generation, transmission and distribution of electric power, gas and heat in combination with the control of facilitating processes. This includes control and automation systems, protection and safety systems and measurement systems, including their associated communications and telecontrol applications.”
Information security management presents fundamentally the same risk management challenges in all contexts, but the real-time nature of process control systems and the safety and environmental criticality make some of the challenges particularly extreme for organizations in the energy industry. The standard therefore provides additional, more specific guidance on information security management than the generic advice provided by ISO/IEC 27002, tailored to the specific context of process control systems used by the energy utility industry for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes. This includes:
- Central and distributed process control, monitoring and automation technology, and operational systems such as programming and parameterization devices;
- Digital controllers and automation components such as control and field devices or Programmable Logic Controllers (PLCs), including digital sensors and actuators;
- Other supporting systems, e.g. for supplementary data visualization, controlling, monitoring, archiving, logging, reporting and documentation purposes;
- Communication technology used in process control e.g. networks, telemetry, telecontrol applications and remote control technology;
- Advanced Metering Infrastructure (AMI) components e.g. smart meters;
- Measurement devices e.g. for emissions;
- Digital protection and safety systems e.g. protection relays, safety PLCs, emergency governor mechanisms;
- Energy management systems e.g. Distributed Energy Resources (DER) and electric charging infrastructures in homes and industrial situations;
- Distributed components of smart grid environments e.g. in energy grids, homes and industry;
- Associated software e.g. DMS (Distribution Management System) and OMS (Outage Management System);
- Premises housing the above plus remote maintenance systems.
Note: the scope of ISO/IEC 27019 specifically excludes process control in nuclear facilities. See instead IEC 62645 “Nuclear power plants - Instrumentation and control systems - Requirements for security programmes for computer-based systems”.
Structure and content
This standard was derived from the German standard DIN SPEC 27009:2012-04, which was based on ISO/IEC 27002:2005. It follows the structure of ’27002 closely, providing additional guidance where appropriate.
Note: ISO/IEC 27019 must be used in conjunction with ISO/IEC 27002 since it does not incorporate the content of ’27002. Other ISO27k standards are also recommended to fill in the broader context, e.g. ISO/IEC 27001 for an overarching Information Security Management System that encompasses process control as well as general commercial systems, networks and processes, plus ISO/IEC 27005 for information risk management practices.
Status of the standard
The standard was first published as a Technical Report in 2013 by fast-tracking a DIN standard. It was revised in October 2017, becoming a full International Standard harmonized with the 2013 versions of ISO/IEC 27001 and 27002, plus IEC TC 57 standards, IEC TC 65 standards (IEC 62443-2-1) and IEC SC45A standards (IEC 62645). The title was revised.
The global energy industry has a strong safety culture since the devastating physical impacts caused by explosions, oil and chemical spills, radioactive releases etc. are readily apparent (Bhopal, Three Mile Island, Chernobyl, Exxon Valdez, Gulf of Mexico, Fukushima ... need we say more?). The industry also has a strong awareness of its environmental obligations, both in terms of its own operations and the downstream impacts of some of its products. Furthermore, the industry has a strong culture of physical and information security due to the substantial risks arising from:
- Threats such as natural disasters and deliberate attacks (sabotage) from hackers, APT (Advanced Persistent Threats), social engineers, terrorists, insiders, pressure groups and foreign states, as well as more mundane threats from accidents, competitors, electro-mechanical failures, malware etc.;
- Vulnerabilities inherent in their systems and processes. Process control systems that are (in some manner) connected to, exposed to or accessible from the Internet and other networks are vulnerable to the full range of cyber-threats, including those resulting from design flaws and bugs in software, especially if the systems are not well designed, managed and maintained (e.g. security patching is challenging on safety-critical systems); and
- Impacts, particularly limited availability and/or integrity of business- or safety-critical information leading to supply interruptions (power cuts), out-of-specification supplies (e.g. over/under-voltage supplies), safety incidents (e.g. the catastrophic release of vast amounts of energy) and environmental incidents (e.g. oil/gas/chemical leaks). Energy sector organizations, both public and private, are generally classed as part of the critical national infrastructures due to their obvious strategic significance.
With an extremely high level of automation, the energy industry relies heavily on electronic process control systems such as Programmable Logic Controllers (PLCs), IIoT (Industrial Internet of Things), Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition (SCADA), plus the associated networks and procedures, to monitor, direct and control its production activities in real time. Most of the safety-related operations, for example, in a modern plant depend heavily on networked computer systems with electronic monitoring and electrically-operated valves, switches and actuators, while manually-operated controls are often limited to specific backup or emergency override functions. Many of the monitored and controlled systems are located in physically stressful locations subject to extreme heat, pressure, corrosion and/or vibration, and some are distributed remotely, sometimes very remotely, making physical access, monitoring and access control quite costly.
In short, the industry cannot function normally and safely without its electronic process control systems and networks, while serious, widespread or extended incidents cause severe national if not international repercussions.
There are lingering concerns over the scope of this standard, and overlaps with other (non-ISO27k) standards groups. The original DIN standard was not specific to the energy industry but covered ‘process control’ (SCADA/ICS) in a wider context. Other standards and regulations include: IEC 62443, IEC 62351 and ISA99. This is a complex and dynamic area with limited international agreement (which I personally would argue implies the need for a strong good-practice standard!). Some national bodies, presumably under pressure from their energy industry contacts, resisted any additional regulation that might flow from the publication of a wide-scope security standard.