
Series: Additional Controls in ISO/IEC 27019:2024 for Energy Utilities 

  • sujosutech
  • Aug 22
  • 3 min read

Physical Controls – Part I 

The second edition of the information security standard ISO/IEC 27019:2024 enhances the controls of ISO/IEC 27002:2022 by providing specific guidance for the energy utility industry. It also provides a set of 12 additional controls that aim to address the security needs of energy utilities. Two of those controls are organizational, four are physical and the remaining six are technological in nature. 



In the previous article, we looked at the additional organizational controls of ISO/IEC 27019:2024. In this article and the next, we will analyze the implementation aspects of the new physical controls.


Control 7.15: ENR – Securing control centres 

This control aims to maintain the physical security of an organization’s control centres that contain its control system servers, Human-Machine Interfaces (HMIs) and supporting systems. Implementation of this control would help the organization prevent physical security breaches and protect the confidentiality, integrity and availability of its information systems within the control centres. 


The control centres of energy utilities may refer to grid control centres or the control rooms of centralized or distributed power plants, or of generation or production units. Control centres should be located on solid ground that possesses sufficient load-bearing capacity. Appropriate controls should be implemented to protect them against the following: 

  • Natural calamities like earthquakes, tsunamis, floods, volcanic eruptions, tornadoes etc.; 

  • Environmental threats like wind, water, strong electromagnetic fields etc.; and  

  • Human-induced threats like fire, explosions, vandalism etc. 

There should be physical segregation between process control systems and other ICT systems when they are housed in a common location. Moreover, “segregation of duties” should be maintained when external parties operate either the control systems or the ICT systems. 



Control 7.16: ENR – Securing equipment rooms 

This control aims to maintain the physical security of an organization’s equipment rooms which house its control system facilities. Implementation of this control would help the organization prevent physical security breaches and protect the confidentiality, integrity and availability of its information systems within the equipment rooms. 


The control system facilities of energy utilities, which are located within equipment rooms, comprise the Energy Management System (EMS), Supervisory Control and Data Acquisition (SCADA), Distributed Control System (DCS), Programmable Logic Controllers (PLCs) etc. Control system equipment rooms should be unobtrusive so that attackers are unable to detect their existence. Appropriate controls should be implemented to protect them against the following: 

  • Natural calamities like earthquakes, floods, volcanic eruptions etc.; 

  • Environmental threats like wind, water, strong electromagnetic fields, power disruptions etc.; and  

  • Human-induced threats like fire, explosions, vandalism etc. 

Physical access to equipment rooms should be monitored and unauthorized access must be controlled. 


The contents and implementation of the following security policies and procedures may be impacted by the above controls: 

  • Risk Management Policy – An organization should consider the potential impact of identified threats during the assessment of security risks related to control centres and equipment rooms, and preparation of risk treatment plans. 

  • Physical Security Policy – This policy establishes the rules for granting, controlling, monitoring, and removal of physical access to the control centres and equipment rooms. It identifies the sensitive areas and defines and restricts access to the same. 

  • Disaster Recovery Policy – This policy ensures that control centres and equipment rooms are protected against service interruptions, including large-scale disasters, by the development, implementation, and testing of disaster recovery / business continuity plans (DR/BCP). 

  • Physical Access Control Procedure – The requirements of physical access and “segregation of duties” can influence access control decisions. For example, if maintenance staff needs access to process control system assets, it must be approved by the process-in-charge and such access should be revoked as soon as the maintenance work is completed. 

  • Procedure Addressing Segregation of Duties – This procedure defines a formal process for segregation of duties to avoid conflicts of interest and ensure security of process control systems of the organization. 

  • Physical Access Logs – The physical access logs of control centres and equipment rooms should be protected and retained for defined time-periods. 
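The access-control procedure and the access-log bullets above describe a review that can be automated: every granted badge entry into a process control area should be covered by an approval from the process-in-charge, and an approval whose maintenance work is complete should have its access revoked promptly. The following is an added example, not code from the article or from ISO/IEC 27019; it assumes a constructed approval register and a constructed badge-reader log with the field names shown, and it flags entries with no covering approval as well as approvals whose revocation is overdue.

```python
"""Review physical access records against maintenance approvals.

Added example (not the article's or the standard's own code). It assumes
two record sources, both constructed inline: an approval register kept by
the process-in-charge and a badge-reader log. Field names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Approval:
    person: str
    area: str
    approved_by: str                      # the process-in-charge
    start: datetime
    work_completed: Optional[datetime]    # None while the work is in progress
    revoked: Optional[datetime]           # None until the access is removed


@dataclass
class BadgeEvent:
    when: datetime
    person: str
    area: str
    result: str                           # "granted" or "denied"


def covered(ev: BadgeEvent, approvals: List[Approval]) -> bool:
    """True if some approval for the same person and area spans the event.

    An entry after the work was marked complete is not covered, even if the
    access-control system has not yet revoked the badge: the policy is that
    access ends with the work, so such an entry should be reviewed.
    """
    for a in approvals:
        if a.person != ev.person or a.area != ev.area:
            continue
        if ev.when < a.start:
            continue
        if a.work_completed is not None and ev.when > a.work_completed:
            continue
        return True
    return False


def unapproved_entries(events: List[BadgeEvent],
                       approvals: List[Approval]) -> List[BadgeEvent]:
    """Granted entries that no approval covers. Denied attempts are left to
    the access-control system's own alerting and are not repeated here."""
    return [ev for ev in events
            if ev.result == "granted" and not covered(ev, approvals)]


def overdue_revocations(approvals: List[Approval], now: datetime,
                        grace: timedelta = timedelta(hours=1)) -> List[Approval]:
    """Approvals whose work is complete but whose access was not revoked
    within the grace period (an assumed one-hour tolerance)."""
    return [a for a in approvals
            if a.work_completed is not None and a.revoked is None
            and now - a.work_completed > grace]


def review(events: List[BadgeEvent], approvals: List[Approval],
           now: datetime) -> dict:
    """Summarise both finding types in a plain, serialisable form."""
    return {
        "unapproved_entries": [(e.when.strftime("%H:%M"), e.person, e.area)
                               for e in unapproved_entries(events, approvals)],
        "overdue_revocations": [(a.person, a.area, a.approved_by)
                                for a in overdue_revocations(approvals, now)],
    }


# Constructed sample data for one day at a fictitious site.
D = datetime(2024, 9, 10)
APPROVALS = [
    # alice: work done and access revoked ten minutes later -> in order
    Approval("alice", "EquipmentRoom-2", "bob", D.replace(hour=8),
             D.replace(hour=12), D.replace(hour=12, minute=10)),
    # carol: work done at 11:00, access never revoked -> overdue by 14:00
    Approval("carol", "ControlCentre", "bob", D.replace(hour=9),
             D.replace(hour=11), None),
]
EVENTS = [
    BadgeEvent(D.replace(hour=8, minute=15), "alice", "EquipmentRoom-2", "granted"),
    BadgeEvent(D.replace(hour=9, minute=30), "carol", "ControlCentre", "granted"),
    BadgeEvent(D.replace(hour=11, minute=45), "carol", "ControlCentre", "granted"),  # after completion
    BadgeEvent(D.replace(hour=13), "dave", "ControlCentre", "granted"),               # no approval at all
    BadgeEvent(D.replace(hour=13, minute=5), "dave", "EquipmentRoom-2", "denied"),
]
NOW = D.replace(hour=14)

if __name__ == "__main__":
    for kind, items in review(EVENTS, APPROVALS, NOW).items():
        print(kind, items)
```

Running the block lists carol's 11:45 entry and dave's 13:00 entry as unapproved, and carol's approval as an overdue revocation. In practice the approval register would be exported from the change or work-order system and the badge log from the physical access control system, and the review would run daily within the retention period the policy defines.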


How Sujosu Technology Can Help 

Sujosu Technology helps organizations design and implement systems that prioritize cyber security, data privacy and compliance. Our services include: 

  • Risk Assessments: Identifying cyber security and privacy requirements and vulnerabilities in applications and infrastructure. 

  • Countermeasures and Solutions: Providing tailored strategies to prevent, detect and recover from potential attacks. 

  • Compliance Documentation: Helping you comply with the requirements of specific standards and regulations by compiling policies, procedures and other relevant manuals. 

  • Training and Awareness: Equipping your team with the knowledge to address cyber security and privacy challenges effectively. 


With Sujosu Technology’s expertise, your organization can build systems that are secure and resilient against security and privacy breaches. We can also help you achieve compliance with relevant standards and legislation. We also organize webinars and publish insightful articles to create awareness on various aspects of cyber security and data privacy. 


Partner with Sujosu Technology 

Protect your data and ensure compliance with Sujosu Technology’s state-of-the-art cyber security and privacy services. Stay ahead of challenges and foster trust with your stakeholders. 
