This is a blog post interview with Dr. Stephan Beirer, the expert on the ISO/IEC 27019 standard. He will give a training session during the CS3sthlm conference week. Below you will find an interview we did with him as he was preparing for the class. You will probably find several things in the interview that you didnt already knew about the standard!

Dr. Stephan Beirer - The Expert on the ISO/IEC 20719 standard

What is your day job, where are you working and what do you do?

I am a Principal Security Consultant and the Team Manager for ICS/OT Security at GAI NetConsult, a security consulting company based in Berlin / Germany.

GAI NetConsult has been working in the ICS/OT domain for more than 15 years. Together with my colleagues we do consulting and technical or organizational auditing in the OT and ICS domain, mostly for operators and asset owners from energy industry, industrial manufacturing and for critical infrastructure projects.

For how long have you worked in the field?

During my studies and my PhD, I worked as a freelance security consultant. In 2006, I joined GAI NetConsult; I have been working in the ICS / OT domain since then.

Are you involved in the standardization process? What areas are you working with?

Since 2010, I am involved in security standardization for ICS and OT systems. First in the security working group of the German utility organization BDEW, then also in the national standardization institutions DIN and DKE, the German mirror organisation to IEC. Since 2011, I have been working on the international level within ISO and IEC. In the working group responsible for information security management at ISO/IEC, I am the Editor of ISO/IEC 27019 and an expert for ICS and Smart Grid.

In your class, you will cover the ISO/IEC 27019 standard, which is somewhat unknown to many. What is the background for this standard?

ISO/IEC 27019 started as a German national project in 2010. It was initiated by several large and medium sized energy utilities and BDEW, the German utility association. The utilities felt that it was hard to integrate the OT / ICS domain within their security management organization, which was based on ISO/IEC 27001 within most companies. They decided to publish a standard to fill this gap and in 2013, the German version was translated and published as an international ISO/IEC document.

The aim of 27019 is to extend the contents of ISO/IEC 27002 to the domain of process control systems and automation technology, thus allowing energy utilities to implement a standardized and specific information security management system (ISMS) that extends from the business to the process control level.

Where you involved early on with the development of the ISO/IEC 27019 standard?

I was the project leader and editor for the German version at DIN and DKE from 2010 to 2012 and was then delegated from the German National Body to ISO/IEC to be the Editor of the International Standard.

There is a relatively new edition of the standard. Does the new version differ much in comparison with older ones?

The latest version from 2017 is now completely aligned with the current version of ISO/IEC 27001 and 27002, so it can be seamlessly used within an ISMS based on ISO/IEC 27001. Additionally we aligned with 27001 in such a way that is possible to have certifications based on ISO/IEC 27019 together with 27001. Furthermore, the scope of the standard has been extended to include the oil sector. We completely revised the technical content of all security controls and twelve new topics are covered now which were not included in the first revision from 2013, e.g. with regard to mobile devices, vulnerability management or technical reviews.  

Will utility companies start certification processes against the 27019 standard, or is it still against the 27001 only?

It is now possible to have a certification for ISO/IEC 27019. This automatically includes the ISO/IEC 27001 requirements, which 27019 refers to. In Germany, already all gas and electricity grid providers have to be certified against ISO/IEC 27001 together with ISO´/IEC 27002 and 27019 since January, very likely a similar regulation will come into force for large generation and gas storage plants.

Is there any requirement on prerequisites and prior deep knowledge of ISO/IEC 27000 before taking the class?

Absolutely not. After an introduction to the energy supply and the ICS systems used in the different energy domains, I will give an overview about the ISO/IEC 27000 series and the important content of ISO/IEC 27001, which is necessary to understand the application of 27019. Then we will concentrate on the 27019 controls for the various security management domains.

You will also talk about an interesting German and Austrian Whitepaper. What is the background of this document?

The Whitepaper „Requirements for Secure Control and Telecommunication Systems” is a best practice guideline, which defines security requirements for control systems used in the energy domain. It was developed by the German and Austrian utility associations BDEW and Oesterreichs Energie - therefore it is also called BDEW/OE-Whitepaper. The first version was published already in 2008 and it has become the de-facto standard in the German speaking regions, i.e. Germany, Austria and Switzerland for security requirement definitions for control systems in the energy domain.

In May 2018 a fully revised version 2.0 has been published, the English translation is available is here:

How does the BDEW/OE-Whitepaper relate to ISO/IEC 27019?

While ISO/IEC 27019 defines requirements and best-practice controls related to the security management in the utility organization, the BDEW/OE-Whitepaper covers the requirements for the technology used in the ICS/OT domain. It is focusing on security specification and requirement definition in procurement projects.

Together, ISO/IEC 27019 and the BDEW/OE-Whitepaper are the basis for secure operation within an energy utility.

How long have you been working with the BDEW/OE-Whitepaper?

With BDEW and Oesterreichs Energie, I have been the editor of the Whitepaper both for the initial version in 2008 and for the revision in 2018. I have used the Whitepaper very often over the last 10 years, especially in procurement and audit projects for grid control systems, substation automation and protection systems as well as for power and gas storage plant automation and virtual power plants and supporting OT systems. Oddly enough, sometimes I still have to discuss the same problematic topics with suppliers and integrators as ten years ago.

Is your class only theoretical, or will the participants also have any practical exercises?

We will have exercises to learn how to apply the lecture content with regard to the ISO/IEC 27019 controls and the BDEW/OE-Whitepaper requirements. I will give as many first hand experiences from my projects with 27019 and the Whitepaper as possible.

As an expert in the field of IT/information/cyber security, any advice you would like to share?

Our field is rapidly changing, thus is very important to have a regular exchange within the community. CS3STHLM is a perfect event for this.

Any last thoughts you would like to share with the readers?

I am happy that I have been invited to give a lecture at CS3STHLM. I am looking forward to meet IRL some old friends from the ICS security community and to make a lot of new ones in Stockholm! I heard rumours there might be a gathering of the European Chapter of BEER-ISAC also…