ISO IEC 27019:2017 download free

05-23-2021

ISO/IEC 27019:2017. Information technology — Security techniques — Information security controls for the energy utility industry.
c) Energy providers require information security in order to safeguard their business interests, meet customers’ needs and comply with the legal regulations.
0.3 Information security requirements
It is essential that energy utility organizations identify their security requirements. There are three main sources of security requirements:
a) The results of an organization’s risk assessment, taking into account the organization’s general business strategies and objectives. Through a risk assessment, risk sources and events are identified; potential consequences and the likelihood of the occurrence of the risks are assessed.
b) The requirements which result from legislation and bye-laws, regulations and contracts which have to be fulfilled by an organization, and sociocultural requirements. Particular examples include safeguarding a reliable, effective and secure energy supply as well as the reliable fulfilment of the requirements of a deregulated energy market, in particular the reliable and secure transfer of data with external parties.
c) The specific principles, objectives and business requirements placed on information processing, which were developed by the organization for supporting its business operations.
NOTE It is important that the energy utility organization ensures that the security requirements of process control systems are analysed and adequately covered in policies for information security. The analysis of the information security requirements and objectives includes the consideration of all relevant criteria for a secure energy supply and delivery, e.g.
— impairment of the security of energy supply;
— restriction of energy flow;
— affected share of population;
— danger of physical injury;
— effects on other critical infrastructures;
— effects on information privacy;
— financial impacts.
The necessary security measures or controls are determined by the methodical assessment of security risks. It is necessary that the cost of controls be balanced against the economic losses that can be incurred due to security issues. The results of the risk assessment facilitate:
— the definition of adequate management actions and priorities for the management of information security risks; and
— the implementation of the controls chosen to protect against these risks.
The risk assessment should be repeated periodically in order to take into account all changes which can affect the results assessed.
Requirements for the risk assessment and control selection are given in ISO/IEC 27001:2013.
0.4 Selecting controls
Once the security requirements and risks have been identified and decisions taken on how to deal with the risks, appropriate controls are then selected and implemented in order to ensure that the risks are reduced to an acceptable level.
In addition to the controls provided by a comprehensive information security management system, this document provides additional assistance and sector-specific measures for the process control systems used by the energy utility sector, taking into consideration the special requirements in these environments. If necessary, further measures can be developed to fulfil particular requirements.
If mobile devices are used on process control networks, energy utilities should include the following in their mobile device security policies:
a) define and assign roles allowed to perform tasks that require access to process control systems via a mobile device;
b) identify the actions that these devices are allowed to perform, the times during which those actions are allowed, and explicitly state emergency exceptions;
c) specify what changes may be made to the device, who is allowed to make those changes, and how those changes may be made;
d) specify locations and communications networks which these devices are allowed to use for access, e.g. home, office, remote office, or service vehicles;
e) define any processes required for managing security mechanisms such as key management, access control, configuration management, and identity management;
f) state how each device may be connected to the process control network, e.g. through a gateway, DMZ, VPN tunnelling;
g) separate the use in process control and other networks (e.g. business networks);
h) specify types of data that may be transferred and explicitly disallow all other types of data transfers.
6.2.2 Teleworking
Additional implementation guidance for ISO/IEC 27002:2013, 6.2.2:
Remote access to process control systems performed by the energy utility organization’s personnel, by vendors or other external parties should be subject to multiple security measures including:
a) multi-factor authentication;
b) adoption of techniques that prohibit anything other than an indirect connection to the target system or network;
c) minimizing the functions the remote party can execute, e.g. remote control, remote configuration and programming of process control systems;
d) verification of the security status of the remote access system (e.g. up-to-date patch level and anti-malware status, absence of known blacklisted programmes) and protection against the transmission of malware from the remote access system (see 12.2.1);
e) enforcing a list of allowed access locations and/or systems;
f) ensuring that remote access is monitored and supervised and that changes and modifications to critical assets are traceable;
g) ensuring that only known and approved tools are used for remote access and remote maintenance.
7 Human resource security
7.1 Prior to employment
7.1.1 Screening
9.2 User access management
9.2.1 User registration and de-registration
Additional implementation guidance for ISO/IEC 27002:2013, 9.2.1:
The use of unique user identifiers is not always feasible in energy utility process control systems, e.g. for accessing the operating system or firmware of embedded systems like controllers/PLCs or for maintenance processes in distributed systems. The resulting risk should be considered and appropriate risk-mitigating countermeasures implemented.
The use of individual and group user accounts should be consistent with applicable logging requirements (see 12.4.1).
9.2.2 User access provisioning
No additional information specific to the energy utility sector for ISO/IEC 27002:2013, 9.2.2.
9.2.3 Management of privileged access rights
No additional information specific to the energy utility sector for ISO/IEC 27002:2013, 9.2.3.
9.2.4 Management of secret authentication information of users
No additional information specific to the energy utility sector for ISO/IEC 27002:2013, 9.2.4.
9.2.5 Review of user access rights
No additional information specific to the energy utility sector for ISO/IEC 27002:2013, 9.2.5.
9.2.6 Removal or adjustment of access rights
No additional information specific to the energy utility sector for ISO/IEC 27002:2013, 9.2.6.
9.3 User responsibilities
9.3.1 Use of secret authentication information
Additional implementation guidance for ISO/IEC 27002:2013, 9.3.1:
In the process control domain it is not always possible to ensure the use of secure secret authentication information, e.g.:
— legacy systems often do not allow for individual passwords and/or passwords with the necessary strength;
— it is frequently impossible to connect systems operated at decentralized plants, such as substations or distributed generation and production units, to central directory services, which means that local accounts need to be used. This makes it practically impossible to change secret authentication information for these accounts regularly.
It should therefore be clearly indicated to the user when the general secret authentication information policy applies and when exceptions are allowed, e.g. where different passwords are to be used or where it is not possible to use any passwords at all (legacy systems).
Especially in situations where shared secret authentication information is used for system access, the following should be considered:
— the shared secret authentication information should be as secure as possible;
Energy utility organizations should consider the continuity of the general energy supply as one of the key elements of business continuity management, while ensuring the safety of the general public and the security of assets. For this reason, disaster recovery concepts and procedures for relevant emergency and crisis scenarios affecting critical process control systems, e.g. outages, failures and malfunctions, should be considered to ensure the availability of these process control systems.
When required, energy utility organizations should ensure redundancy for communications with remote facilities, taking into account factors such as weather conditions.
Additional other information for ISO/IEC 27002:2013, 17.2.1:
ISO/IEC 27031 provides guidance for information and communication technology readiness for business continuity.
17.2.2 ENR – Emergency communication
Additional control to ISO/IEC 27002:2013, 17.2:
If major disturbances, natural disasters, accidents or any other emergencies occur, or if there is a risk of occurrence thereof, energy utility organizations should ensure that essential communication links are maintained with their own emergency staff and/or the emergency staff of other utilities, with essential control systems and with external emergency organizations necessary for the protection and handling of, or recovery from, such incidents.
Implementation guidance
Essential communication links can include voice and data transmission, for example with the following:
— operating and emergency staff in central or peripheral locations;
— internal and external crisis management;
— power stations;
— gas and oil production, and heat generation;
— energy storage sites;
— distributed energy producers;
— transmission and distribution system operators;
— meteorological organizations;
— flood prevention organizations;
— fire service organizations;
— disaster-relief organizations;
— security authorities;
— telecommunication service providers;
— medical institutions;
— other national or local organizations that handle essential public services.
Furthermore, emergency communications can include data links with the following:
— emergency control systems and related subcomponents.
