ISO/IEC 27019

ISO/IEC 27019:2017 – Information technology – Security techniques – Information security controls applied to the energy industry (2nd edition)

Introduction

Organizations in “the energy industry” (non-nuclear) can use this standard to secure their electronic process control systems and interpret the international standard ISO/IEC 27002.

Scope and objectives

As stated in the draft standard’s introduction:

This document focuses on the administration, control, and supervision of electric power generation, transmission, and distribution, as well as the control of facilitating processes. In this category are control and automation systems, protection and safety systems, and measurement systems, together with their telecontrol applications.

There are fundamentally the same risk management challenges across all contexts for information security management, but the real-time nature of process control systems and the safety and environmental criticality of organizations in the energy industry make some of the challenges especially severe. Additionally, the standard provides more detailed information security management guidance than that described in ISO/IEC 27002, designed for use in energy utility industries for the control and monitoring of production, transmission, storage, and distribution of electricity, gas and heat, as well as controlling associated processes.

The following are included:

– Automation, monitoring, and control technology, along with programming and parameterizing tools;
– Digital controls and automation components, including control and field devices, or Programmable Logic Controllers (PLCs), as well as digital sensors and actuators;
– Additional support systems, such as supplementary data visualization, and control, record-keeping, monitoring, reporting, as well as document management;
– Process control communication technology, such as telemetry, remote control applications, and networks;
– Advanced Metering Infrastructure (AMI) devices, such as smart meters;
– Measurement instruments, such as those for emissions;
– Digital protection and safety mechanisms, for example, protection relays, safety PLCs, and automatic emergency governors;
– Energy management solutions such as Distributed Energy Resources (DER) systems and electric charging infrastructures for homes and businesses;
– Intelligent distributed systems in grid environments, for example in energy grids, offices, homes, and industrial facilities;
– Software associated with the distribution process, e.g. DMS (Distribution Management System) and OMS (Outage Management System);
– A facility for housing all of the above, as well as remote maintenance systems.

Note: This standard specifically excludes process control for nuclear facilities from its scope. In its place, IEC 62645 states “Nuclear power plants – Instrumentation and control systems – Requirements for computer-based security programs”.

The structure and content

The German standard DIN SPEC 27009:2012-04, based on ISO/IEC 27002:2005, gave rise to this standard. In addition to closely following the structure of ‘27002, it provides additional guidance where necessary.

Note: Since ISO/IEC 27019 does not incorporate the content of ‘27002, it must be used in conjunction with ISO/IEC 27002. There are also other ISO27k standards that can be used to fill in the broader picture, for example, ISO/IEC 27001 for a comprehensive Information Security Management System that encompasses process control and commercial systems, networks and processes, along with ISO/IEC 27005 practices to manage risks associated with information.

The standard’s status

In 2013, the standard was published as a Technical Report by fast-tracking it into a DIN standard.

It was published in 2017 as an international standard that added the 2013 version of ISO/IEC 27001 and 27002 and the IEC TC 57 standards (IEC 62443-2-1) and the IEC SC45A standards (IEC 62645).

August 2019 saw the publication of a corrigendum to change a stray “should” with a “shall” in the annex.

Commentary

Due to the potential consequences of explosions, oil spills, radioactive releases, etc., the global energy industry has a strong safety culture. I think everyone knows the names (Bhopal, Three-Mile Island, Chernobyl, Exxon Valdez, Gulf of Mexico, Fukoshima, Alcatraz). In addition to the industry’s environmental obligations, some of its downstream products have an impact on the environment.

Additionally, the industry values physical and information security as a result of the risks posed by:

– Natural disasters and deliberate attacks (terrorism, insider threat, pressure groups, etc.) by hackers, APTs, infiltrators, terrorists, pressure groups, in addition to incidents, competition, electromechanical failures, malware, etc.;
– The vulnerability of their processes and systems. A system that is (in some way) interconnected or exposed to the Internet and other networks can be hacked if the system is not well designed, managed and maintained (such as patches that are difficult to apply to safety-critical systems); and
– Loss of availability of information deemed critical to the operation or safety of the company (power outages), insufficient supplies (such as overvoltage or undervoltage), harmful incidents (e.g. catastrophic releases of energy) and environmental disasters (i.e. oil, gas, and chemical leaks). Despite their obvious strategic significance, energy sector organizations, both public and private, are usually classified as part of the critical national infrastructures.

The energy industry is extremely automated, relying heavily on electronic control systems such as Programmable Logic Controllers, Industrial Internet of Things, Industrial Control Systems, as well as the associated networks and workflows to monitor, direct and control its production activities in real time. Modern plants, for instance, rely on computer networks with electronic monitoring and electrically-operated valves, switches, and actuators for nearly all safety-related operations, with manual controls serving primarily as backups or overrides. In some systems, monitored and controlled, extreme heat, pressure, corrosion and/or vibration are present, and some are remotely located or distributed, requiring physical access, monitoring and access control that is very costly.

With or without electronic control systems and networks, the industry cannot function efficiently and reliably, while serious, widespread, or extended incidents can have a major impact.

This standard is still deemed too vague as well as having overlap with other standards groups (non-ISO27k). Original DIN standards did not cover the energy industry but covered ‘process control’ (SCADA/ICS) in a broader sense. The following standards and regulations exist as well: IEC 62443, IEC 602351, and ISA99.