What is ISO 27019?

ISO 27019 provides information security controls specifically for the energy utility industry. It extends ISO 27002 with guidance tailored to process control systems used in energy generation, transmission, and distribution.

Why Energy Sector Security Matters

The energy sector faces unique cybersecurity challenges:

• Critical Infrastructure - Power grids are national security assets
• OT/IT Convergence - Industrial systems connecting to networks
• Legacy Systems - Decades-old equipment still in operation
• Nation-State Threats - Targeted attacks on infrastructure
• Physical/Cyber Intersection - Cyber attacks causing physical damage

Key Terminology

Process Control Systems

• SCADA (Supervisory Control and Data Acquisition)
• DCS (Distributed Control Systems)
• PLCs (Programmable Logic Controllers)
• RTUs (Remote Terminal Units)
• IEDs (Intelligent Electronic Devices)

Energy Utility Types

• Generation - Power plants (fossil, nuclear, renewable)
• Transmission - High-voltage power lines
• Distribution - Local power delivery
• Smart Grid - Intelligent energy networks

ISO 27019 vs Other Standards

Scope of ISO 27019

Covers security for:

• Central and distributed process control
• Automation technology
• Communication networks
• Smart grid components
• Supporting IT systems

Does NOT cover:

• Nuclear facilities (separate regulations)
• Physical security alone
• Business IT systems (use ISO 27002)

Real-World Incidents

Ukraine Power Grid (2015/2016)

• Cyber attacks caused widespread blackouts
• Demonstrated vulnerability of energy sector
• Led to increased focus on ICS security

Colonial Pipeline (2021)

• Ransomware attack on fuel pipeline
• Showed interdependencies in energy infrastructure
• Highlighted need for OT security programs

Next Lesson: Understanding process control systems and their security needs.