ISO/IEC 27019:2017 — ISMS for Energy Utilities

Code of practice for information security controls applied to the energy utility industry

ISO/IEC 27019:2017 provides interpretation and implementation guidance for information security controls applied to energy utility organizations — including electricity, gas, oil, and heat suppliers, as well as associated market participants, network operators, and service providers. It extends the control set defined in ISO/IEC 27002 to address the unique operational technology (OT) environments, regulatory frameworks, and business processes specific to the energy utility sector.

Energy utilities operate at the intersection of traditional IT and industrial control systems. ISO/IEC 27019 bridges this gap by tailoring Annex A controls to ICS/SCADA environments, smart grid architectures, and regulatory compliance obligations such as NERC CIP and the EU Network Code on Cybersecurity.

1. Scope and Sector-Specific Context

The standard applies to any organization that generates, transmits, distributes, or trades energy, as well as those providing supporting services such as metering, demand response, and market operations. It recognizes that energy utilities face a unique threat landscape, where cyberattacks can have direct physical consequences — from blackouts to equipment destruction and environmental hazards.

| Sector | Examples | Key Security Concerns |
| --- | --- | --- |
| Electricity | Generation plants, transmission grids, distribution networks, smart meters | SCADA compromise, grid instability, cascade failures, demand-side manipulation |
| Gas | Pipelines, storage facilities, distribution networks, LNG terminals | Pipeline pressure manipulation, gas quality tampering, leak detection bypass |
| Oil | Refineries, pipeline networks, storage depots, distribution terminals | Process control disruption, spill prevention override, supply chain integrity |
| Heat | District heating plants, distribution networks, substations | Temperature control tampering, grid balancing disruption |

The standard addresses the tension between IT and OT security paradigms. While IT security prioritizes confidentiality (e.g., protecting customer data), OT security prioritizes availability and safety — a control that shuts down a server for patching might be acceptable in IT but catastrophic in a power generation environment. ISO/IEC 27019 provides the framework for making these trade-off decisions explicitly and defensibly.

A control that is perfectly reasonable in an office IT environment — such as automatic password rotation every 30 days — can cause an emergency shutdown in an ICS environment if the password change disrupts an automated process or locks out a critical service account. ISO/IEC 27019 helps organizations identify these conflicts before they cause incidents.

2. Key Control Areas for Energy Utilities

ISO/IEC 27019:2017 extends and interprets ISO/IEC 27002 controls across the following critical domains:

2.1 ICS/SCADA Security

Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems are at the heart of energy utility operations. The standard provides specific guidance on network segmentation between IT and OT networks, secure remote access for vendors and operators, patch management in environments where downtime is not an option, and intrusion detection tailored to industrial protocols such as IEC 60870-5-104, IEC 61850, DNP3, and Modbus.

2.2 Smart Grid Security

The transition to smart grids introduces bidirectional communication, distributed energy resources (DER), advanced metering infrastructure (AMI), and new attack surfaces. ISO/IEC 27019 advises on securing the communication channels between smart meters and head-end systems, protecting customer consumption data, and ensuring the integrity of pricing and demand-response signals.
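The integrity of pricing and demand-response signals mentioned above can be illustrated with a head-end that authenticates each signal and a meter that checks the tag, freshness and sequence number before acting on it. This is an added example, not code from ISO/IEC 27019 or from any AMI vendor; the message layout, the pre-shared key, the 5-minute freshness window and the sample signals are all assumptions constructed for illustration (a production AMI would typically use per-device keys provisioned from an HSM and a standardized meter protocol).

```python
"""Integrity and replay protection for demand-response (DR) price signals.

Constructed example: message format, key and sample values are assumptions
for illustration, not the protocol of any real AMI head-end.
"""
import hashlib
import hmac
import json

# Per-meter pre-shared key, assumed to be provisioned out of band.
# Constructed value for this example only.
METER_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

MAX_SKEW_SECONDS = 300  # assumed freshness window: reject signals older than 5 minutes


def canonical_bytes(payload: dict) -> bytes:
    """Serialize deterministically so sender and receiver MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_signal(key: bytes, meter_id: str, seq: int, issued_at: int,
                price_cents_kwh: int, dr_event: str) -> dict:
    """Head-end side: build a DR signal and attach an HMAC-SHA256 tag."""
    payload = {
        "meter_id": meter_id,
        "seq": seq,
        "issued_at": issued_at,
        "price_cents_kwh": price_cents_kwh,
        "dr_event": dr_event,
    }
    tag = hmac.new(key, canonical_bytes(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class MeterReceiver:
    """Meter side: verify tag, meter binding, freshness and monotonic sequence."""

    def __init__(self, key: bytes, meter_id: str):
        self.key = key
        self.meter_id = meter_id
        self.last_seq = -1  # highest sequence number accepted so far

    def verify(self, signal: dict, now: int) -> tuple:
        """Return (accepted, reason); the signal is acted on only when accepted."""
        payload = signal.get("payload", {})
        tag = signal.get("tag", "")
        expected = hmac.new(self.key, canonical_bytes(payload),
                            hashlib.sha256).hexdigest()
        # constant-time comparison so tag checking does not leak timing
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"
        if payload.get("meter_id") != self.meter_id:
            return False, "wrong meter"
        if abs(now - payload.get("issued_at", 0)) > MAX_SKEW_SECONDS:
            return False, "stale"
        if payload.get("seq", -1) <= self.last_seq:
            return False, "replay"
        self.last_seq = payload["seq"]
        return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    meter = MeterReceiver(METER_KEY, "MTR-0001")
    signal = sign_signal(METER_KEY, "MTR-0001", 1, now, 25, "peak")
    print(meter.verify(signal, now))          # accepted
    print(meter.verify(signal, now))          # same seq again: replay
    forged = {"payload": dict(signal["payload"], price_cents_kwh=1),
              "tag": signal["tag"]}
    print(meter.verify(forged, now))          # price altered: bad tag
```

The sequence counter and freshness window matter as much as the tag: without them a captured signal that was valid yesterday (for example, a low-price event) could be replayed to shift load at a time the grid operator did not intend.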

2.3 Supply Chain and Third-Party Security

Energy utilities increasingly rely on third-party vendors for equipment, software, and operational services. The standard emphasizes vendor risk assessment, security requirements in procurement contracts, hardware and software supply chain integrity, and secure decommissioning of retired equipment — particularly critical when meters, RTUs (Remote Terminal Units), and other field devices are involved.

| Control Domain | Utility-Specific Adaptation | Implementation Example |
| --- | --- | --- |
| Access Control | Role-based access for control room operators, engineering workstations, field technicians | Dual-factor authentication for SCADA access, physical key for substation panel access |
| Cryptography | Encryption for smart meter communications, secure key management for field devices | Hardware security modules (HSM) for certificate signing in AMI head-end systems |
| Physical Security | Protection of substations, control centers, and remote facilities | Tamper-proof enclosures for RTUs, video surveillance, intrusion detection at substations |
| Incident Response | Grid-specific incident scenarios, coordination with grid operators and regulators | Tabletop exercises simulating black-start scenarios and coordinated cyber-physical attacks |

3. Engineering Design Insights

Security architects designing ISMS implementations for energy utilities should consider these field-tested design principles:

  • Defense-in-depth for OT environments: Implement multiple layers of security — physical security at substations, network segmentation with industrial firewalls, host-based security on engineering workstations, and application-level security for control applications. The ISA/IEC 62443 framework provides complementary zone and conduit models that align well with ISO/IEC 27019.
  • Safety-first control selection: In energy utilities, every security control should be evaluated for its potential impact on operational safety. A control that could cause a safety system to malfunction must be rejected regardless of its security benefit. This requires close collaboration between security teams, control engineers, and safety specialists.
  • Regulatory compliance integration: Energy utilities face overlapping regulatory regimes. ISO/IEC 27019 helps harmonize compliance across NERC CIP (North America), the EU Network Code on Cybersecurity (Europe), and national-level regulations. Build a unified control framework that satisfies multiple regulatory requirements simultaneously.
  • Resilience and black-start capability: Security controls must not impair the utility’s ability to recover from a total blackout. Black-start generators, communication systems, and control capabilities must remain operational even when primary security systems are compromised. Test these scenarios regularly.

One of the most effective engineering practices is the implementation of a “security gateway” architecture between IT and OT networks. Using unidirectional gateways (data diodes) or tightly controlled firewalls with deep packet inspection (DPI) for industrial protocols, organizations can achieve robust segmentation without introducing latency or single points of failure that could affect grid stability.
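Both the protocol-aware intrusion detection described in section 2.1 and the DPI security gateway described above come down to the same mechanism: parse the industrial protocol far enough to know what the request does, then decide per source zone whether that operation is permitted. The block below shows that for Modbus/TCP, the simplest of the protocols listed (the same structure applies to DNP3 or IEC 60870-5-104, with a more involved parser). It is an added example, not code from the standard or from any gateway product; the zone-to-subnet map, the per-zone function-code allow-lists and the sample frames are constructed assumptions for illustration.

```python
"""Zone-aware deep packet inspection for Modbus/TCP at an IT/OT gateway.

Constructed example: zone map, conduit policy and sample frames are
assumptions for illustration, not any real gateway's configuration.
"""
import struct
from dataclasses import dataclass

# Public Modbus function codes (Modbus Application Protocol specification)
READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}      # coils, inputs, registers
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}     # single/multiple coils, registers

# Assumed zone model: source subnet prefix -> zone name
ZONE_OF_PREFIX = {
    "10.10.": "corporate-it",
    "10.20.": "engineering",
    "10.30.": "control",
}

# Assumed conduit policy: function codes each zone may send into the control zone
ALLOWED_BY_ZONE = {
    "corporate-it": READ_FUNCTIONS,                      # dashboards poll, never write
    "engineering": READ_FUNCTIONS | WRITE_FUNCTIONS,
    "control": READ_FUNCTIONS | WRITE_FUNCTIONS,
}


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(raw: bytes) -> ModbusFrame:
    """Parse the MBAP header plus function code; raise ValueError if malformed."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", raw[:8])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    # MBAP length counts unit id + PDU, i.e. everything after the first 6 bytes
    if length != len(raw) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusFrame(tid, pid, length, uid, fc, raw[8:])


def zone_for(ip: str) -> str:
    """Map a source address to its zone; anything unmapped is 'unknown'."""
    for prefix, zone in ZONE_OF_PREFIX.items():
        if ip.startswith(prefix):
            return zone
    return "unknown"


def inspect(src_ip: str, raw: bytes) -> tuple:
    """Return ('allow'|'deny', reason) for one frame entering the control zone."""
    try:
        frame = parse_modbus_tcp(raw)
    except ValueError as exc:
        return "deny", f"malformed: {exc}"
    zone = zone_for(src_ip)
    allowed = ALLOWED_BY_ZONE.get(zone, set())
    if frame.function_code in allowed:
        return "allow", f"{zone} fc=0x{frame.function_code:02x}"
    # writes from IT, unknown zones and diagnostic/vendor codes all land here
    return "deny", f"{zone} fc=0x{frame.function_code:02x} not permitted"


# Constructed sample frames (transaction id, protocol 0, length, unit 1, PDU)
READ_HOLDING = bytes.fromhex("00010000000601030000000a")   # read 10 holding regs
WRITE_SINGLE = bytes.fromhex("000200000006010600100001")   # write register 0x10

if __name__ == "__main__":
    print(inspect("10.10.5.7", READ_HOLDING))   # IT zone reading: allow
    print(inspect("10.10.5.7", WRITE_SINGLE))   # IT zone writing: deny
    print(inspect("10.20.1.2", WRITE_SINGLE))   # engineering writing: allow
    print(inspect("10.20.1.2", READ_HOLDING[:7]))  # truncated frame: deny
```

A deny decision is also the natural alert trigger for the intrusion detection side: a write function code arriving from the corporate zone, or a frame whose MBAP length disagrees with its size, is exactly the kind of event a utility SOC wants logged with source, unit id and function code.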

4. Frequently Asked Questions

Q: How does ISO/IEC 27019 relate to IEC 62443?
A: ISO/IEC 27019 provides management-level ISMS guidance for the energy utility sector, while IEC 62443 (formerly ISA-99) provides detailed technical and procedural security requirements for industrial automation and control systems. They are complementary: ISO/IEC 27019 addresses the “what” and “why” from a management system perspective, and IEC 62443 addresses the “how” at the technical implementation level.
Q: Is ISO/IEC 27019 certifiable on its own?
A: No. ISO/IEC 27019 is a sector-specific implementation guideline, not a certifiable standard. Organizations seeking certification should pursue ISO/IEC 27001 certification with the scope and control implementation informed by ISO/IEC 27019.
Q: Does ISO/IEC 27019 cover nuclear power plants?
A: Nuclear power plants have additional, more stringent security requirements typically governed by national nuclear regulatory bodies and standards such as IAEA NSS 17. ISO/IEC 27019 covers conventional energy utilities but may not fully address the unique safety-security interface requirements of nuclear facilities.
Q: How often should an energy utility review its ISMS controls?
A: Given the rapidly evolving threat landscape targeting critical infrastructure, the standard recommends continuous monitoring with formal reviews at least annually, plus triggered reviews following significant changes such as new asset acquisitions, regulatory updates, or major security incidents.
