ISO/IEC TR 27019:2013

TECHNICAL ISO/IEC
REPORT TR
27019
First edition
2013-07-15


Information technology — Security
techniques — Information security
management guidelines based on
ISO/IEC 27002 for process control
systems specific to the energy utility
industry
Technologies de l'information — Techniques de sécurité — Lignes
directrices de management de la sécurité de l'information fondées sur
l'ISO/CEI 27002 pour les systèmes de contrôle des procédés
spécifiques à l'industrie des opérateurs énergétiques




Reference number
ISO/IEC TR 27019:2013(E)
©
ISO/IEC 2013

---------------------- Page: 1 ----------------------
ISO/IEC TR 27019:2013(E)

COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any
means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission.
Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2013 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC TR 27019:2013(E)
Contents Page
Foreword . vi
Introduction . vii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 2
4 Overview . 3
4.1 Structure of this guideline . 3
4.2 Information security management systems for energy supply utilities . 4
4.2.1 Objectives . 4
4.2.2 Security considerations for process control systems used by the energy utilities . 4
4.2.3 Information assets to be protected . 4
4.2.4 Establishment of information security management . 5
4.2.5 Critical success factors . 5
5 Security policy . 5
6 Organization of information security . 6
6.1 Internal organization . 6
6.1.1 Management commitment to information security . 6
6.1.2 Information security coordination . 6
6.1.3 Allocation of information security responsibilities . 6
6.1.4 Authorization process for information processing facilities . 6
6.1.5 Confidentiality agreements . 6
6.1.6 Contact with authorities . 6
6.1.7 Contact with special interest groups . 7
6.1.8 Independent review of information security . 7
6.2 External parties . 7
6.2.1 Identification of risks related to external parties . 7
6.2.2 Addressing security when dealing with customers . 7
6.2.3 Addressing security in third-party agreements . 8
7 Asset management . 8
7.1 Responsibility for assets . 8
7.1.1 Inventory of assets . 8
7.1.2 Ownership of assets . 9
7.1.3 Acceptable use of assets . 9
7.2 Information classification . 9
7.2.1 Classification guidelines . 9
7.2.2 Information labelling and handling . 9
8 Human resource security . 10
8.1 Prior to employment . 10
8.1.1 Roles and responsibilities . 10
8.1.2 Screening . 10
8.1.3 Terms and conditions of employment . 10
8.2 During employment . 10
8.3 Termination or change of employment . 11
9 Physical and environmental security . 11
9.1 Secure areas . 11
9.1.1 Physical security perimeter . 11
9.1.2 Physical entry controls . 11
© ISO/IEC 2013 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC TR 27019:2013(E)
9.1.3 Securing offices, rooms and facilities .11
9.1.4 Protecting against external and environmental threats .11
9.1.5 Working in secure areas .11
9.1.6 Public access, delivery and loading areas .11
9.1.7 Securing control centers .11
9.1.8 Securing equipment rooms .12
9.1.9 Securing peripheral sites .13
9.2 Equipment security .14
9.2.1 Equipment siting and protection .14
9.2.2 Supporting utilities .14
9.2.3 Cabling security .14
9.2.4 Equipment maintenance .15
9.2.5 Security of equipment off-premises .15
9.2.6 Secure disposal or reuse of equipment .15
9.2.7 Removal of property .15
rd
9.3 Security in premises of 3 parties .15
9.3.1 Equipment sited on the premises of other energy utility organizations .15
9.3.2 Equipment sited on customer’s premises .16
9.3.3 Interconnected control and communication systems .16
10 Communications and operations management .16
10.1 Operational procedures and responsibilities .16
10.1.1 Documented operating procedures .16
10.1.2 Change management .17
10.1.3 Segregation of duties .17
10.1.4 Separation of development, test and operational facilities .17
10.2 Third party service delivery management .17
10.3 System planning and acceptance .17
10.4 Protection against malicious and mobile code .17
10.4.1 Controls against malicious code .17
10.4.2 Controls against mobile code .18
10.5 Back-up .18
10.6 Network security management .18
10.6.1 Network controls .18
10.6.2 Security of network services .18
10.6.3 Securing process control data communication .18
10.7 Media handling .19
10.8 Exchange of information .19
10.9 Electronic commerce services .19
10.10 Monitoring .19
10.10.1 Audit logging .19
10.10.2 Monitoring system use .19
10.10.3 Protection of log information .19
10.10.4 Administrator and operator logs .19
10.10.5 Fault logging .19
10.10.6 Clock synchronization .20
10.11 Legacy systems .20
10.11.1 Treatment of legacy systems .20
10.12 Safety functions .20
10.12.1 Integrity and availability of safety functions .21
11 Access control .21
11.1 Business requirement for access control .21
11.1.1 Access control policy .21
11.2 User access management .21
11.3 User responsibilities .21
11.3.1 Password use .21
11.3.2 Unattended user equipment .22
11.3.3 Clear desk and clear screen policy .22
11.4 Network access control .22
iv © ISO/IEC 2013 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC TR 27019:2013(E)
11.4.1 Policy on use of network services . 22
11.4.2 User authentication for external connections . 22
11.4.3 Equipment identification in networks . 22
11.4.4 Remote diagnostic and configuration port protection . 22
11.4.5 Segregation in networks . 22
11.4.6 Network connection control . 23
11.4.7 Network routing control . 23
11.4.8 Logical coupling of external process control systems . 23
11.5 Operating system access control . 23
11.5.1 Secure log-on procedures . 23
11.5.2 User identification and authentication . 23
11.5.3 Password management system . 23
11.5.4 Use of system utilities . 23
11.5.5 Session time-out . 24
11.5.6 Limitation of connection time . 24
11.6 Application and information access control . 24
11.7 Mobile computing and teleworking . 24
12 Information systems acquisition, development and maintenance . 24
12.1 Security requirements of information systems . 24
12.1.1 Security requirements analysis and specification . 24
12.2 Correct processing in applications . 24
12.3 Cryptographic controls . 24
12.4 Security of system files . 24
12.4.1 Control of operational software . 24
12.4.2 Protection of system test data . 25
12.4.3 Access control to program source code .  25
12.5 Security in development and support processes . 25
12.6 Technical vulnerability management . 25
13 Information security incident management . 25
13.1 Reporting information security events and weaknesses . 25
13.2 Management of information security incidents and improvements . 25
14 Business continuity management . 25
14.1 Information security aspects of business continuity management . 25
14.1.1 Including information security in the business continuity management process . 25
14.1.2 Business continuity and risk assessment . 25
14.1.3 Developing and implementing continuity plans including information security . 25
14.1.4 Business continuity planning framework . 26
14.1.5 Testing, maintaining and re-assessing business continuity plans . 26
14.2 Essential emergency services . 26
14.2.1 Emergency communication . 26
15 Compliance . 27
15.1 Compliance with legal requirements . 27
15.1.1 Identification of applicable legislation . 27
15.1.2 Intellectual property rights (IPR) . 27
15.1.3 Protection of organizational records . 27
15.1.4 Data protection and privacy of personal information . 27
15.1.5 Prevention of misuse of information processing facilities . 27
15.1.6 Regulation of cryptographic controls . 27
15.2 Compliance with security policies and standards, and technical compliance . 27
15.3 Information systems audit considerations . 28
Annex A (Informative) Energy utility extended control set . 29
Annex B (Informative) Additional implementation guidance . 31
Bibliographic references . 37

© ISO/IEC 2013 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/IEC TR 27019:2013(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
In exceptional circumstances, when the joint technical committee has collected data of a different kind from
that which is normally published as an International Standard ("state of the art", for example), it may decide to
publish a Technical Report. A Technical Report is entirely informative in nature and shall be subject to review
every five years in the same manner as an International Standard.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC TR 27019 was prepared by DIN Deutsches Institut für Normung e. V. (as DIN SPEC 27009:2012-04
[4]) and was adopted, under a special "fast-track procedure", by Joint Technical Committee ISO/IEC JTC 1,
Information technology, in parallel with its approval by the national bodies of ISO and IEC.
vi © ISO/IEC 2013 – All rights reserved

---------------------- Page: 6 ----------------------
ISO/IEC TR 27019:2013(E)
Introduction
This Technical Report provides guiding principles based on ISO/IEC 27002 “Code of practice for information
security management” for information security management applied to process control systems as used in the
energy utility industry. The aim of this document is to extend the ISO/IEC 27000 standards to the domain of
process control systems and automation technology, thus allowing the energy utility industry to implement a
standardized information security management system (ISMS) in accordance with ISO/IEC 27001 that
extends from the business to the process control level.
At the focus of application of this document are the systems and networks for controlling and supervising the
generation, transmission and distribution of electric power, gas and heat in combination with the control of
facilitating processes. This includes control and automation systems, protection and safety systems and
measurement systems, including their associated communications and telecontrol applications. For purposes
of simplification, these systems will be collectively referred to in the following as “process control systems”.
In addition to the security objectives and measures that are set forth in ISO/IEC 27002:2005, the process
control systems used by energy utilities and energy suppliers are subject to further, special requirements. In
comparison with conventional IT environments (e.g. office IT) there are fundamental and significant
differences with respect to the development, operation, repair, maintenance and operating environment of
process control systems. Furthermore, the process technology referred to in this document may represent
integral components of critical infrastructures which means they are therefore essential for the secure and
reliable operation of such infrastructures. These distinctions and characteristics need to be taken into due
consideration by the management processes for process control systems and justify separate consideration
within the ISO/IEC 27000 series of standards.
In particular, the following fundamental differences exist compared with conventional IT systems:
Security features
In comparison with conventional IT systems, process control systems exhibit increased requirements with
regard to their availability and integrity. In some operational environments failure of the process monitoring
and control systems cannot be tolerated. Also, the integrity of the data processed is frequently of crucial
importance. Incorrect data can lead to incorrect control inputs, resulting in failure of protection or safety
systems or trigger incorrect decisions by operating personnel, as a result of an erroneous representation of
current process conditions. These requirements therefore need to be taken into consideration during the
system design stage as well as in normal operation.
System architecture
Besides the central IT installations within control centers for grid operation or conventional power plants there
are several systems which are typically distribu
...