
Series: Additional Controls in ISO/IEC 27019:2024 for Energy Utilities 

  • sujosutech
  • Sep 8
  • 3 min read

Technological Controls – Part III 

The second edition of the information security standard ISO/IEC 27019:2024 enhances the controls of ISO/IEC 27002:2022 by providing specific guidance for the energy utility industry. It also provides a set of 12 additional controls that aim to address the security needs of energy utilities. Two of those controls are organizational, four are physical and the remaining six are technological in nature. 



In this final article of the series, we look at the implementation aspects of the two remaining technological controls, ENR 8.39 (least functionality) and ENR 8.40 (emergency communication).


Control 8.39: ENR – Least functionality 

This control aims to reduce the risks originating from unnecessary functionalities of process control systems in energy utilities. Implementing it helps the organization protect the confidentiality, integrity and availability of its information systems by configuring process control systems securely, so that the attack surface exposed to an intruder is limited to what operations actually require. 

Energy utilities should allow only those functionalities of their process control systems that are essential for operations. All other functions, services, ports and protocols should be explicitly prohibited in the configuration baseline and disabled on the device, rather than merely left unused, and the running configuration should be checked against that baseline. 



The contents and implementation of the following security policies and procedures may be impacted by this control: 

  • Risk Management Policy – An organization should consider the risks arising from unnecessary functionalities of process control systems, and prepare appropriate risk treatment plans. 

  • Configuration Management Procedure – This defines the steps for secure configuration of process control systems. 
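One concrete form the configuration check can take, as an added example that is not part of the original article or of the standard: compare the services actually listening on a host (the output of `ss -tulnp` on Linux) against an explicit allow-list of the ports, transports and programs that are essential for that asset class, and report everything else. The `ss` output and the baseline below are constructed for this example; the port-to-program mapping is a hypothetical baseline, not a recommendation for any real system.

```python
"""Least-functionality baseline check for a process control host.

Parses `ss -tulnp` style output and compares it with an allow-list of the
listeners that are essential for operations. Anything not on the list is a
deviation; a listed port owned by an unexpected program is a deviation; a
listed port that is not listening at all is reported too, since it may
indicate an availability problem.

The sample output and the baseline are constructed for this example.
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `ss -tulnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*   users:(("snmpd",pid=812,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*   users:(("sshd",pid=640,fd=3))
tcp   LISTEN 0      10     0.0.0.0:23        0.0.0.0:*   users:(("telnetd",pid=700,fd=4))
tcp   LISTEN 0      64     0.0.0.0:502       0.0.0.0:*   users:(("modbusd",pid=900,fd=5))
tcp   LISTEN 0      5      0.0.0.0:8080      0.0.0.0:*   users:(("python3",pid=1010,fd=3))
tcp   LISTEN 0      128    [::]:22           [::]:*      users:(("sshd",pid=640,fd=4))
"""

# Hypothetical baseline for this asset class: (transport, port) -> program
# that is expected to own the socket. Everything else is prohibited.
BASELINE = {
    ("tcp", 502): "modbusd",   # Modbus/TCP towards the PLCs
    ("tcp", 22): "sshd",       # engineering access
    ("udp", 123): "chronyd",   # time sync; listed but absent in the sample
}


@dataclass(frozen=True)
class Listener:
    transport: str
    port: int
    address: str
    program: str


_PROC_RE = re.compile(r'\("([^"]+)"')


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tulnp` output into Listener records (header row skipped)."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue
        transport, local = fields[0], fields[4]
        address, _, port = local.rpartition(":")   # handles [::]:22 as well
        match = _PROC_RE.search(line)
        program = match.group(1) if match else "?"
        listeners.append(Listener(transport, int(port), address, program))
    return listeners


def check_baseline(listeners, baseline):
    """Return (unexpected, mismatched, missing) relative to the baseline."""
    seen = set()
    unexpected, mismatched = [], []
    for lst in listeners:
        key = (lst.transport, lst.port)
        seen.add(key)
        if key not in baseline:
            unexpected.append(lst)
        elif lst.program != baseline[key]:
            mismatched.append(lst)
    missing = [key for key in baseline if key not in seen]
    return unexpected, mismatched, missing


def audit(output: str, baseline) -> list[str]:
    """Produce one human-readable finding per deviation."""
    unexpected, mismatched, missing = check_baseline(parse_ss(output), baseline)
    findings = []
    for lst in unexpected:
        findings.append(f"PROHIBITED listener {lst.transport}/{lst.port} "
                        f"on {lst.address} owned by {lst.program}")
    for lst in mismatched:
        findings.append(f"UNEXPECTED program {lst.program} on "
                        f"{lst.transport}/{lst.port} (baseline: {baseline[(lst.transport, lst.port)]})")
    for transport, port in missing:
        findings.append(f"MISSING essential listener {transport}/{port} "
                        f"({baseline[(transport, port)]})")
    return findings


if __name__ == "__main__":
    # On a real Linux host, audit the live socket table instead of the sample.
    try:
        live = subprocess.run(["ss", "-tulnp"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        live = SAMPLE_SS_OUTPUT
    for finding in audit(live, BASELINE):
        print(finding)
```

Against the constructed sample this reports SNMP, telnet and an ad-hoc service on 8080 as prohibited listeners and the absent NTP listener as missing. The baseline is the artefact the Configuration Management Procedure should own, per asset class and version-controlled, so that a finding is a deviation from a documented decision rather than from one engineer's opinion. For PLCs and other devices without a shell, the same comparison is done from the network side with a scan run from an approved location during a maintenance window.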


Control 8.40: ENR – Emergency communication 

This control aims to ensure the availability of essential communication links in case of emergencies. Implementation of this control would help the organization prevent disruption to its critical operations by protecting, and ensuring the availability of, essential communication links and detecting potential breaches to its information systems and networks. 

In emergencies such as natural disasters or accidents, energy utilities must ensure that essential communication links are maintained with all critical systems and stakeholders, such as control systems, emergency staff and the external organizations responsible for handling, or recovering from, such incidents. Essential communication links may include voice and data transmission with emergency staff in central or peripheral locations, power stations, energy storage sites, distributed energy producers, fire service organizations, the disaster management authority and similar parties. 



The contents and implementation of the following security policies and procedures may be impacted by this control: 

  • Risk Management Policy – An organization should assess the risks of failure of communication links in case of disasters, and prepare appropriate risk treatment plans. 

  • Disaster Recovery Policy – This policy ensures that the critical systems of the organization are protected against service interruptions, including large scale disasters, by the development, implementation and testing of disaster recovery / business continuity plans (DR/BCP). 

  • Incident Management Procedure – This procedure defines the steps to be implemented in case of major incidents that may cause outage of critical services of the organization. 


How Sujosu Technology Can Help 

Sujosu Technology helps organizations design and implement systems that prioritize cyber security, data privacy and compliance. Our services include: 

  • Risk Assessments: Identifying cyber security and privacy requirements and vulnerabilities in applications and infrastructure. 

  • Countermeasures and Solutions: Providing tailored strategies to prevent, detect and recover from potential attacks. 

  • Compliance Documentation: Helping you comply with the requirements of specific standards and regulations by compiling policies, procedures and other relevant manuals. 

  • Training and Awareness: Equipping your team with the knowledge to address cyber security and privacy challenges effectively. 


With Sujosu Technology’s expertise, your organization can build systems that are secure and resilient against security and privacy breaches. We can also help you achieve compliance with relevant standards and legislation. We also organize webinars and publish articles to create awareness of various aspects of cyber security and data privacy. 


Partner with Sujosu Technology 

Protect your data and ensure compliance with Sujosu Technology’s state-of-the-art cyber security and privacy services. Stay ahead of challenges and foster trust with your stakeholders. 
