Series: Additional Controls in ISO/IEC 27019:2024 for Energy Utilities
- sujosutech
- 44 minutes ago
- 3 min read
Physical Controls – Part II
The second edition of the information security standard ISO/IEC 27019:2024 enhances the controls of ISO/IEC 27002:2022 by providing specific guidance for the energy utility industry. It also provides a set of 12 additional controls that aim to address the security needs of energy utilities. Two of those controls are organizational, four are physical and the remaining six are technological in nature.
In the previous article, we analyzed two physical controls of ISO/IEC 27019:2024. In this article, we will look at the implementation aspects of the remaining physical controls.
Control 7.17: ENR – Securing peripheral sites
This control aims to maintain the physical security of an organization’s peripheral sites that contain its control system equipment. Implementation of this control would help the organization prevent physical security breaches and protect the confidentiality, integrity and availability of its information systems within the peripheral sites.
Components of the control system infrastructure of energy utilities are usually distributed across peripheral sites. These may include solar farms, wind turbines, hydroelectric dams, natural gas pipelines, and coal or nuclear power plants that generate and transport energy. Such peripheral sites are often unoccupied. Appropriate controls should be implemented to protect them against the following:
Natural calamities like earthquakes, floods, volcanic eruptions, tornadoes etc.;
Environmental threats like wind, water, strong electromagnetic fields etc.; and
Human-induced threats like fire, explosions, vandalism etc.
If a peripheral site houses critical assets, appropriate physical security controls should be installed and monitored remotely (e.g., secure fencing, automatic alarm system etc.).
The contents and implementation of the following security policies and procedures may be impacted by this control:
Risk Management Policy – An organization should consider the potential impact of identified threats during the assessment of security risks related to peripheral sites, and preparation of risk treatment plans.
Physical Security Policy – This policy includes the rules for granting, controlling, monitoring, and removal of physical access to the peripheral sites. It identifies the sensitive assets and defines and restricts access to the same.
Disaster Recovery Policy – This policy ensures that peripheral sites are protected against service interruptions, including large scale disasters, by the development, implementation, and testing of disaster recovery / business continuity plans (DR/BCP).
Physical Access Control Procedure – This procedure defines the rules for accessing the peripheral sites that house critical equipment of the organization.
Physical Access Logs – The physical access logs of peripheral sites should be protected and retained for defined time-periods.
Control 7.18: ENR – Interconnected control and communication systems
This control aims to protect interconnected control systems and communication lines from security breaches. Implementation of this control would help the organization prevent security breaches and protect the confidentiality, integrity and availability of its information systems and networks.
Control systems and communication lines of an energy utility may be interconnected with those of external parties. In such cases, the responsibilities and interfaces with external parties should be clearly defined. This would allow the organization to disconnect and be isolated quickly in case of a security incident.
Energy utilities should continuously monitor the status of their interconnections. They should implement mechanisms for
isolating the connections between themselves and external parties in case of incidents; and
reconnecting isolated connections after taking appropriate corrective actions.
The contents and implementation of the following security policies and procedures may be impacted by this control:
Outsourcing and Supplier Policy – This policy sets out the conditions that are required to maintain the security of the organization’s information and systems when third parties are involved in their operation. This includes the criteria and conditions necessary for the suspension of system interconnections in case of security incidents.
Backup Policy – This helps the organization define fall-back measures in case of service interruptions, owing to disconnection and isolation of control and communication systems, when incidents occur.
Incident Management Procedure – This procedure defines the steps to be followed in case of security incidents, including disconnection and isolation of control and communication systems.
How Sujosu Technology Can Help
Sujosu Technology helps organizations design and implement systems that prioritize cyber security, data privacy and compliance. Our services include:
Risk Assessments: Identifying cyber security and privacy requirements and vulnerabilities in applications and infrastructure.
Countermeasures and Solutions: Providing tailored strategies to prevent, detect and recover from potential attacks.
Compliance Documentation: Helping you comply with the requirements of specific standards and regulations by compiling policies, procedures and other relevant manuals.
Training and Awareness: Equipping your team with the knowledge to address cyber security and privacy challenges effectively.
With Sujosu Technology’s expertise, your organization can build systems that are secure and resilient against security and privacy breaches. We can also help you achieve compliance with relevant standards and legislations. Besides, we organize webinars and publish insightful articles to create awareness on various aspects of cyber security and data privacy.
Partner with Sujosu Technology
Protect your data and ensure compliance with Sujosu Technology’s state-of-the-art cyber security and privacy services. Stay ahead of challenges and foster trust with your stakeholders.
Comments