I worked on a big project while at BSI with a large ICS organization regarding their industrial control systems and ISO/IEC 27019:2017, Information technology - Security techniques - Information security controls for the energy utility industry.
ISO/IEC 27019:2017 provides guidance based on ISO/IEC 27002:2013 applied to process control systems used by the energy utility industry for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes. This includes in particular the following:
- central and distributed process control, monitoring and automation technology, as well as information systems used for their operation, such as programming and parameterization devices;
- smart grid systems, and all software, firmware and applications installed on the above-mentioned systems, e.g. DMS (Distribution Management System) or OMS (Outage Management System) applications;
- any premises housing the above-mentioned equipment and systems;
- remote maintenance systems for the above-mentioned systems.
PLCs (Programmable Logic Controllers) and SCADA (Supervisory Control and Data Acquisition) systems also talk over the cloud these days. The operator interfaces that enable monitoring and the issuing of process commands, such as controller setpoint changes, are handled through the SCADA supervisory computer system.
This is a sector that is listed in the DHS list of critical infrastructure.
John A. DiMaria; CSSBB, AMBCI, HISP, MHISP, CERP, Assurance Investigatory Fellow, Cloud Security Alliance