Safely move on from COVID-19

Understanding ISO 27019

Information Security Management Controls for Energy Utility Process Controls

What is ISO/IEC 27019:2017?

ISO/IEC 27019 is a set of guiding principles for information security management of the process control systems (PCS) used in the energy utility sector.

The main aim of the document is to increase the breadth of the ISO/IEC to the automation technology and PCS domain. This is to provide a specific and standardised Information Security Management System (ISMS) to protect the hardware and software technology systems responsible for monitoring and controlling the generation, transmission, storage, and distribution of oil, gas, electric power, and heat, among other energy utilities.

Information Controls for the Energy Utility Industry

The global energy industry has been responsible for some of the most cataclysmic disasters humankind has experienced.

Examples of destructive mishandling of energy resources include:

It comes as no surprise that there is a strong culture of safety controls in the energy utility industry. This ethos comes from the awareness of the long term effects of some operations and programs going wrong.

The energy utility industry is one of the biggest beneficiaries of automation. Most of the systems used rely heavily on electronic PCSs such as:

  • Industrial Internet of Things (IIoT)
  • Programmable Logic Controllers (PLC)
  • Supervisory Control and Data Acquisition (SCDA)
  • Industrial Control Systems (ICS)

Together with other associated procedures and networks, these are responsible for:

  • Real-time monitoring of the production activities
  • directing of the production activities
  • controlling of the production activities.

In short, failure or disruptions in the electronic process control systems used will cause the whole system to go down.

For instance, the failure of a monitor in a geothermal powerplant will lead to overheating, and at the very worst, a disastrous explosion.

While the ISO/IEC 27002 standards describe important guidelines to control the protection of information security assets, its scope does not dive deep enough into the protection of energy utility processes.

This is why the ISO/IEC 27019:2017 exists.

The history of ISO 27019

ISO and IEC first published ISO 27019 in 2013 as a Technical Report (TR), made by fast-tracking a DIN standard. In 2017, a second edition of the standard was published, making it a full International Standard in harmony with the 2013 version of ISO/IEC 27001 and ISO/IEC 27002. So, why is ISO 27019 so important?

What are the benefits of ISO 27019?

Without the energy industry, we wouldn’t have the level of technological advancement we do now. At the heart of the sector are the electronic process control systems and networks responsible for keeping the system functional, without which there would be massive and even catastrophic failures. Take, for instance, the electric grid. Due to limited large scale energy storage, the effective distribution of electric energy for domestic and industrial consumption depends on keeping a balance between the energy produced and the one consumed.

If the PCSs used were to fail, there would be no way to control the energy flow in real-time, and the result would be outages and overloads, resulting in interruptions in the distribution of power. If the electric infrastructure of any country were to go down, almost every other sector would follow suit due to how heavily reliant on automation technology, most of them are.

You get a clear idea of how important ISO/IEC 27019 when you take into consideration the threats, vulnerabilities, and impacts of threats on energy utilities

Threats Facing Energy Utilities

Some of the threats facing the energy resources include natural disasters and deliberate sabotages from social engineers, Advanced Persistent Threats (APTs), hackers, insiders, terrorists, foreign states and pressure groups. There are other more mundane threats such as those from electro-mechanical failures, competitors, accidents, malware, etc.

Vulnerabilities of the Energy Industry

There are some unavoidable vulnerabilities inherent in the processes and systems. An example of such weaknesses is the process control systems that are accessible from, connected to, or exposed to the internet and other networks. This makes them vulnerable to a manner of cyber threats, including those that result from software bugs and design flaws caused by poor design, management, or maintenance. These vulnerabilities are especially prevalent since performing a security patch for safety-critical systems could be challenging.

The Impact of Threats on Energy Resources

The consequences of the failure of energy utilities are well understood. Some of the most serious impacts include:

  • The lack of, or compromising of business and safely-critical information that would in turn cause interruptions in the supply of power,
  • Supply that is out of specification; such as under/over-voltage.
  • The release of a catastrophic or vast amount of energy and environmental incidents such as chemical and oil leaks.

The strategic significance of both public and private organisations in the energy utility industry has led to them being classified as part of critical national infrastructures. This is why all the organisations covered in the scope of ISO/IEC 27019 should take all measures possible to implement the standard to secure their process control systems used.

Relationship with other standards

ISO developed ISO/IEC 27019 to ensure it adheres to the language of ISO/IEC 27001 and ISO 27002. Establishing the standard in this way ensures that you can implement ISO 27001 and ISO 27002 internationally as an accepted guidance system for securing the PCSs used in the energy utility industry.

ISO 27019 and ISO 27002

ISO/IEC 27019 follows the structure of IEC 27002 closely, with additional guidance provided where necessary. During implementation, an organisation in the energy utility industry must use ISO/IEC 27019 together with ISO/IEC 27002 since the former does not incorporate the content of 27002.

ISO 27019 and ISO/IEC 27001

When implementing ISO 27019, organisations should also refer to ISO/IEC 27001 to fill in the broader context for your ISMS. Your system should include not only the process control but also other general commercial networks, systems used, and processes applicable to the energy utility industry.

Other ISO standards

You should also consider other standards, such as ISO/IEC 27005 when implementing ISO 27019 to cater to information risk management practices used by the energy utility industry.

Who can implement ISO 27019?

The following are the specific areas where the implementation of ISO/IEC 27019:2017 controls is critical to protect and ensure the security of critical energy infrastructure:

1. Central and distributed technology for the management, monitoring and automation of the operating processes and the information systems used such as parameterisation and programming that facilitate them.
2. Automation components and digital controllers such as Programmable Logic Controller (PLCs), together with actuator elements and digital sensors.
3. All other supporting information systems that are applied in process control such as those that supplement the visualisation of data and those that involved in the monitoring, controlling, historian logging, data archiving, documentation and reporting purposes.
4. The communication technologies applied in the domain of process control such as telemetry, networks, remote control technology and telecontrol applications.
5. Components of Advanced Metering Infrastructure (AMI) such as smart meters.

6. The measurement devices such as those used in emission values.
7. Digital protection and safety systems such as safety PLCs, protection relays, and emergency governor mechanisms.
8. Systems for the management of energy such as infrastructure for electric charging, Distributed Energy Resources (DER), industrial customer installations, residential buildings and even in private households.
9. Smart grid environment distributed components such as in private households, energy grids, industrial customer installations and residential buildings.
10. All firmware, applications and software installed on the systems mentioned above, including Outage Management Systems (OMS),
11. Distribution Management System (DMS), etc.
Any premises that house the systems and equipment mentioned above.
12. The remote maintenance systems for the systems mentioned above.

How to Implement ISO 27019

After conducting a security assessment and coming up with security risks and objectives and decisions on how to deal with the identified risk, the necessary control should be selected and implemented to ensure the risks are reduced to an acceptable level.

On top of the controls offered by a comprehensive ISMS, ISO 27019 provides additional sector-specific measures and assistance to aid in the process control used by the energy utility industry, concerning the particular requirements of the specific environments. If need be, an organisation could take further measures to fulfil individual requirements.

The controls that an organisation will decide on depends on:

  • The organisation’s risk management approach and their risk acceptance
  • Other relevant international and national laws, regulations and legal ordinances

Information security for energy utilities

Besides the measures and security guidelines presented in ISO/IEC 27002:2013, the process control systems for energy suppliers and energy utilities have additional requirements. Compared to other conventional ICT environments such as energy trading systems and office Information Technology, the energy utility sector has fundamental differences regarding the operation, development, maintenance, repair, and operating environment of PCSs.

Since some of the process control technologies described in ISO/IEC 27019:2017 describe integral components of some critical infrastructures, they are therefore essential in ensuring reliable and secure operation of such infrastructures.

When you take into consideration their function and design, you should regard the energy utility sector PCSs as information processing systems. Data on the status of the physical processes are monitored using sensors. This data is then processed and control outputs generated to regulated the actions using actuators. Although the process is automatic, operating personnel can manually intervene when needed.

Since information and information processing systems are an essential part of how the energy utilities operate, organisations must take the necessary protection measures to safeguard their information like other organisational units.

The energy utility process control environments are increasingly using hardware and software components. An example of this is programmable logic based on standard ICT technology. Numerous interconnections also form complex systems. It would help if you considered these new risks during a risk assessment and the necessary measures taken to rectify it.

How to Get Started With ISO 27019?

To get started with 27019, organisations in the energy utility industry should conduct a risk assessment of their systems used to know their threats, vulnerabilities and possible impacts of risks. Depending on the specific hardware and software automation technology used by the energy utility organisations, they should select the appropriate guidelines and controls to ensure the security of their systems.

The availability of information security software and tools makes it easy for organisations to benchmark their compliance with ISO 27019. With the help of such tools, those involved with the security management or process control used by the energy utility industry will have a clearer picture of how their policies and controls compared with the set ISMS requirements. Knowing the areas in need of improvement makes it possible to apply the relevant controls based on the ISO 27019 standards.

ISO 27019 certification

To attain ISO certification, an organisation should follow a specific procedure to ensure all they address risks as they relate to the particular business environments.

The first step to attaining certification is to identify the core business process, documenting it to the relevant members of the organisation. The documentation should indicate the procedures and the measure taken to protect the various information systems and automation technology.

The next step is to implement the procedures as described in the documentation, and ensuring all the employees are qualified to perform the tasks required of them. There should be an effective reporting system to cater for the testing, inspection, preventive actions, corrective actions, statistical techniques, management review meetings, monitoring of objective, etc.

The effectiveness of these processes should then be monitored using measurable data where possible. Energy utility organisations should also conduct the necessary review and system audit.

These audits ensure you implement all the controls and guidelines suggested by ISO 27019 properly. System audits should:

  • Identify and report the strengths and weaknesses of the management system
  • Take the necessary corrective or preventative measures

The final step for organisations in the energy utility industry wishing to gain ISO/IEC 27019 certification is to select an independent audit body dealing in external registration.

The management system documentation should then be submitted for review to ensure compliance with the applicable standards.

ISO 27019 requirements

To comply with ISO/IEC 2019, energy utility organisations need to identify their security requirements based on their automation technology. These requirements are mainly from:

  1. An organisation’s risk assessment results. They should take into consideration the general business objectives and strategies of an organisation. Risk events and sources, together with the likelihood of occurrence and the potential consequences of the occurrence of a given risk.
  2. Other requirements will result from bye-laws and legislation, contracts and regulations, and other sociocultural conditions an organisation is required to fulfil. Some particular examples include safeguarding a supply of energy that is reliable, secure and effective, and also the fulfilment of a deregulated energy market requirements.
  3. The specific business requirements, principles and objectives placed on the processing of information as developed by the business to support its operations.

Energy utility organisations should make sure that all the PCSs security requirements are properly analysed and covered in their information security policies. Some of the considerations in place include:

  • The restriction of energy flow
  • The danger of physical injury
  • The Effects on information privacy
  • Financial impacts