
Guest blogger Stephan Beirer is a Senior Information Security Consultant and head of Industrial Control Systems Security at GAI NetConsult GmbH, Berlin/Germany. He is the project editor of TR 27019 at ISO/IEC JTC 1 SC 27 and a domain expert for process control systems security and smart grids at SC27, DIN and DKE.

ISO/IEC JTC1 SC27, the international standardisation body responsible for information security and home of the 2700x family of standards, recently published its ISO/IEC TR 27019 “Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry”. A sector-specific 27000 information security management guideline aimed at the control systems domain of energy utilities, TR 27019 is a translation of the German national DIN SPEC 27009 specification, adopted as an international Technical Report via the so-called Fast Track process of ISO and IEC.

Background

Control systems are essential for the safe, secure and reliable operation of our energy infrastructure, especially when it comes to future smart grid scenarios. Against this background, regular readers of the Digital Bond blog will understand the essential need for security standardisation in this area. To this end, the German 27009 project (launched in 2010) set out to devise a way to meet the energy sector’s specific security requirements, as these are not fully covered by other industrial security standards like ISA99 / IEC 62443 or the German VDI/VDE 2182. Examples of such gaps in standardisation include domain-specific operational procedures, organisational and regulatory processes, and operating environments that are specific to the energy sector.

The development of DIN SPEC 27009 was initiated by DKE 952.0.15, the German mirror committee to IEC TC 57/WG 15 with responsibility for the energy sector’s information security. Conducted in close collaboration with the mirror committee to ISO/IEC JTC 1/SC 27 within the German national standardisation organisation, DIN, the project also involved the German energy industry association BDEW to ensure adequate consideration of the actual, tangible needs of the affected utility industry.

When implementing an information security management system (ISMS) in the process control domain of energy utilities, the security controls defined in TR 27019 can be used in conjunction with ISO/IEC 27001. Since many utility organisations already employ an ISMS based on 27001 for their office IT, TR 27019 now facilitates implementation by offering these entities the chance to pursue an encompassing, standardised information security approach that extends from the business to the process control level. This unified approach was the overriding reason for the development of TR 27019.

Scope and contents of TR 27019

The scope of 27019 covers “…process control systems for controlling and monitoring the generation, transmission, storage and distribution of electric power, gas and heat in combination with the control of supporting processes”.

Examples include:

  • Central and distributed process control, monitoring and automation technology
  • Digital controllers and automation components, metering and measurement devices, protection and safety systems
  • Supporting IT systems used in the process control domain, e.g. for visualisation, data archiving, programming and parameterisation devices
  • Communications technology, e.g. networks, telemetry, telecontrol and remote control applications

As a domain-specific 2700x standard, TR 27019 builds directly on ISO/IEC 27002 and includes energy utility-specific recommendations on the implementation of existing 27002 controls as well as additional, sector-specific control objectives and security controls. All in all, the new standard features 42 energy utility-specific additions and recommendations. Examples of sector-specific contents include physical security controls for control centres, equipment rooms and peripheral sites like substations or distributed generation sites. In the area of communications and operations management, TR 27019 also covers controls for the treatment of potentially insecure legacy systems, the securing of process control data communications, and malware protection and patch management for critical systems.

The Smart Grid Information Security working group of the European Union’s M/490 standardisation mandate for Smart Grid considers TR 27019 a major milestone and an important step in closing several information security management gaps prevalent in the smart grid environment. Against this background, 27019 is expected to play a key role in defining the security requirements for smart grid and energy critical infrastructures in both European and national regulation.