ISO/IEC 27019 is a set of guiding principles for information security management of the process control systems (PCS) used in the energy utility sector.
The main aim of the document is to increase the breadth of the ISO/IEC to the automation technology and PCS domain. This is to provide a specific and standardised Information Security Management System (ISMS) to protect the hardware and software technology systems responsible for monitoring and controlling the generation, transmission, storage, and distribution of oil, gas, electric power, and heat, among other energy utilities.
The global energy industry has been responsible for some of the most cataclysmic disasters humankind has experienced.
Examples of destructive mishandling of energy resources include:
It comes as no surprise that there is a strong culture of safety controls in the energy utility industry. This ethos comes from the awareness of the long term effects of some operations and programs going wrong.
The energy utility industry is one of the biggest beneficiaries of automation. Most of the systems used rely heavily on electronic PCSs such as:
Together with other associated procedures and networks, these are responsible for:
In short, failure or disruptions in the electronic process control systems used will cause the whole system to go down.
For instance, the failure of a monitor in a geothermal powerplant will lead to overheating, and at the very worst, a disastrous explosion.
While the ISO/IEC 27002 standards describe important guidelines to control the protection of information security assets, its scope does not dive deep enough into the protection of energy utility processes.
This is why the ISO/IEC 27019:2017 exists.
ISO and IEC first published ISO 27019 in 2013 as a Technical Report (TR), made by fast-tracking a DIN standard. In 2017, a second edition of the standard was published, making it a full International Standard in harmony with the 2013 version of ISO 27001 and ISO 27002. So, why is ISO 27019 so important?
Without the energy industry, we wouldn’t have the level of technological advancement we do now. At the heart of the sector are the electronic process control systems and networks responsible for keeping the system functional, without which there would be massive and even catastrophic failures. Take, for instance, the electric grid. Because large-scale energy storage is limited, the effective distribution of electric energy for domestic and industrial consumption depends on keeping a balance between the energy produced and the energy consumed.
If the PCSs used were to fail, there would be no way to control the energy flow in real time, and the result would be outages and overloads, interrupting the distribution of power. If the electric infrastructure of any country were to go down, almost every other sector would follow suit, because most of them rely so heavily on automation technology.
You get a clear idea of how important ISO/IEC 27019 is when you take into consideration the threats to energy utilities, their vulnerabilities, and the impact of those threats.
Threats Facing Energy Utilities
Some of the threats facing energy resources include natural disasters and deliberate sabotage by social engineers, Advanced Persistent Threats (APTs), hackers, insiders, terrorists, foreign states and pressure groups. There are other, more mundane threats such as electro-mechanical failures, competitors, accidents, malware, etc.
Vulnerabilities of the Energy Industry
There are some unavoidable vulnerabilities inherent in the processes and systems. An example of such weaknesses is process control systems that are accessible from, connected to, or exposed to the internet and other networks. This makes them vulnerable to all manner of cyber threats, including those that result from software bugs and design flaws caused by poor design, management, or maintenance. These vulnerabilities are especially prevalent because applying a security patch to a safety-critical system can be challenging.
The Impact of Threats on Energy Resources
The consequences of the failure of energy utilities are well understood. Some of the most serious impacts include:
The strategic significance of both public and private organisations in the energy utility industry has led to them being classified as part of critical national infrastructure. This is why all the organisations covered by the scope of ISO/IEC 27019 should take every possible measure to implement the standard and secure the process control systems they use.
ISO developed ISO/IEC 27019 to ensure it adheres to the language of ISO/IEC 27001 and ISO 27002. Establishing the standard in this way ensures that you can implement ISO 27001 and ISO 27002 internationally as an accepted guidance system for securing the PCSs used in the energy utility industry.
ISO/IEC 27019 follows the structure of ISO/IEC 27002 closely, with additional guidance provided where necessary. During implementation, an organisation in the energy utility industry must use ISO/IEC 27019 together with ISO/IEC 27002, since the former does not incorporate the content of 27002.
When implementing ISO 27019, organisations should also refer to ISO/IEC 27001 to fill in the broader context for their ISMS. The system should include not only the process control systems but also the other general commercial networks, systems, and processes applicable to the energy utility industry.
You should also consider other standards, such as ISO/IEC 27005 when implementing ISO 27019 to cater to information risk management practices used by the energy utility industry.
The following are the specific areas where the implementation of ISO/IEC 27019:2017 controls is critical to protect and ensure the security of critical energy infrastructure:
After conducting a security assessment, identifying the security risks and objectives, and deciding how to deal with the identified risks, the necessary controls should be selected and implemented to ensure the risks are reduced to an acceptable level.
On top of the controls offered by a comprehensive ISMS, ISO 27019 provides additional sector-specific measures and assistance for the process control systems used by the energy utility industry, addressing the particular requirements of those environments. If need be, an organisation can take further measures to fulfil individual requirements.
The controls that an organisation decides on depend on:
Besides the measures and security guidelines presented in ISO/IEC 27002:2013, the process control systems for energy suppliers and energy utilities have additional requirements. Compared to other conventional ICT environments such as energy trading systems and office Information Technology, the energy utility sector has fundamental differences regarding the operation, development, maintenance, repair, and operating environment of PCSs.
Since some of the process control technologies described in ISO/IEC 27019:2017 are integral components of critical infrastructures, they are essential to ensuring the reliable and secure operation of such infrastructures.
When you take into consideration their function and design, you should regard energy utility sector PCSs as information processing systems. Data on the status of the physical processes is monitored using sensors. This data is then processed and control outputs are generated to regulate the actions of actuators. Although the process is automatic, operating personnel can manually intervene when needed.
Since information and information processing systems are an essential part of how the energy utilities operate, organisations must take the necessary protection measures to safeguard their information like other organisational units.
Energy utility process control environments are increasingly built from hardware and software components based on standard ICT technology, programmable logic being one example. Numerous interconnections between these components also form complex systems. The new risks this introduces should be considered during a risk assessment and the necessary measures taken to address them.
To get started with 27019, organisations in the energy utility industry should conduct a risk assessment of the systems they use to identify their threats, vulnerabilities and the possible impacts of those risks. Depending on the specific hardware and software automation technology the organisation uses, it should select the appropriate guidelines and controls to ensure the security of its systems.
The availability of information security software and tools makes it easy for organisations to benchmark their compliance with ISO 27019. With the help of such tools, those involved with security management or the process control systems used by the energy utility industry will have a clearer picture of how their policies and controls compare with the set ISMS requirements. Knowing the areas in need of improvement makes it possible to apply the relevant controls based on the ISO 27019 standard.
To attain ISO certification, an organisation should follow a specific procedure to ensure it addresses all risks as they relate to its particular business environment.
The first step to attaining certification is to identify the core business processes and document them for the relevant members of the organisation. The documentation should indicate the procedures and the measures taken to protect the various information systems and automation technology.
The next step is to implement the procedures as described in the documentation and ensure all employees are qualified to perform the tasks required of them. There should be an effective reporting system to cater for testing, inspection, preventive actions, corrective actions, statistical techniques, management review meetings, monitoring of objectives, etc.
The effectiveness of these processes should then be monitored using measurable data where possible. Energy utility organisations should also conduct the necessary review and system audit.
These audits ensure that all the controls and guidelines suggested by ISO 27019 are implemented properly. System audits should:
The final step for organisations in the energy utility industry wishing to gain ISO/IEC 27019 certification is to select an independent audit body dealing in external registration.
The management system documentation should then be submitted for review to ensure compliance with the applicable standards.
To comply with ISO/IEC 27019, energy utility organisations need to identify their security requirements based on their automation technology. These requirements mainly come from:
Energy utility organisations should make sure that all PCS security requirements are properly analysed and covered in their information security policies. Some of the considerations include: