Series: Additional Controls in ISO/IEC 27019:2024 for Energy Utilities 

Technological Controls – Part I 

The second edition of the information security standard ISO/IEC 27019:2024 enhances the controls of ISO/IEC 27002:2022 by providing specific guidance for the energy utility industry. It also provides a set of 12 additional controls that aim to address the security needs of energy utilities. Two of those controls are organizational, four are physical and the remaining six are technological in nature. 

In the previous articles, we looked at the additional organizational and physical controls of ISO/IEC 27019:2024. We will now analyze the implementation aspects of the new technological controls. 

Control 8.35: ENR – Treatment of legacy systems 

This control aims to manage the security risks that can arise from the use of legacy systems. Implementation of this control would help the organization prevent security breaches and protect the confidentiality, integrity and availability of its information systems. 

Energy utilities may have several legacy systems like mainframe computers, proprietary metering systems and older SCADA/DCS systems that handle critical functions like grid management and customer billing. The legacy systems usually lack basic security features. The vulnerabilities within these systems should be carefully identified so that appropriate controls can be implemented. These can include segregation of networks and enforcement of access control at the network, system and application levels. Equipment used for the maintenance and configuration of legacy systems should be secured. 

The contents and implementation of the following security policies and procedures may be impacted by this control: 

• Risk Management Policy – An organization should consider the risks arising from the use of legacy systems, and prepare appropriate risk treatment plans. 

• Technical Vulnerability Management Policy – This policy establishes rules and principles for identifying and managing vulnerabilities within the legacy systems of energy utilities. 

• Access Control Procedure – The requirements of access to legacy systems can influence access control decisions. For example, if maintenance staff needs access to legacy systems, it must be approved by appropriate personnel and such access should be revoked as soon as the maintenance work is completed. In case of remote access, proper network isolation must be ensured. 

  
  

Control 8.36: ENR – Integrity and availability of safety functions 

This control aims to protect the safety functions of energy utilities against failure, interference and manipulation. Implementation of this control would help the organization prevent security breaches and protect the confidentiality, integrity and availability of its information systems. 

Safety functions for energy utilities include worker protection (personal protective equipment, training, risk assessments etc.), operational safety (equipment maintenance, hazard identification etc.), network safety (fault monitoring, grid stability etc.), and emergency management (response plans, weather monitoring etc.) to prevent accidents, ensure compliance and protect infrastructure and the public. The integrity and availability of the information, assets and functions, which are required to ensure safety in energy utilities, should be protected according to applicable safety standards. Dedicated communication systems should be used for the transmission of safety-related data. Besides, all changes to the configuration of safety systems should be properly logged. 

The contents and implementation of the following security policies and procedures may be impacted by this control: 

• Risk Management Policy – An organization should assess the risks to its safety functions, and prepare appropriate risk treatment plans. 

• Change Management Procedure – The rules for effecting changes to critical safety systems and their safety-related configuration data are defined in this procedure. 

• Configuration Logs – The changes to the configuration of safety systems should be logged. The logs should be protected and retained for defined time-periods. 

  
  

How Sujosu Technology Can Help 

Sujosu Technology helps organizations design and implement systems that prioritize cyber security, data privacy and compliance. Our services include: 

• Risk Assessments: Identifying cyber security and privacy requirements and vulnerabilities in applications and infrastructure. 

• Countermeasures and Solutions: Providing tailored strategies to prevent, detect and recover from potential attacks. 

• Compliance Documentation: Helping you comply with the requirements of specific standards and regulations by compiling policies, procedures and other relevant manuals. 

• Training and Awareness: Equipping your team with the knowledge to address cyber security and privacy challenges effectively. 

  
  

With Sujosu Technology’s expertise, your organization can build systems that are secure and resilient against security and privacy breaches. We can also help you achieve compliance with relevant standards and legislations. Besides, we organize webinars and publish insightful articles to create awareness on various aspects of cyber security and data privacy. 

Partner with Sujosu Technology 

Protect your data and ensure compliance with Sujosu Technology’s state-of-the-art cyber security and privacy services. Stay ahead of challenges and foster trust with your stakeholders.