Cyber security for the energy sector – an introduction to ISO/IEC 27019 and the BDEW/OE Whitepaper

Generation, storage, transport and distribution of electricity and gas are the most critical of all critical infrastructure processes supporting our daily life. As in every modern industry domain, energy supply is heavily dependent on industrial control systems (ICS) and on the security of these systems. While many energy utilities implement an information security management system (ISMS) based on the ISO/IEC 27000 standard family, they often struggle to include the ICS and OT domain when they try to harmonize security management across their entire business scope. To fill this gap, ISO/IEC 27019 "Information security controls for the energy utility industry" was developed. ISO/IEC 27019 is a sector-specific control set for the process control system domain of the energy sector, based on ISO/IEC 27001 and ISO/IEC 27002.

To supplement the generic controls of ISO/IEC 27019 with detailed technical security specifications for ICS, the German and Austrian energy operator associations BDEW and Oesterreichs Energie have published the BDEW/OE Whitepaper. The Whitepaper can be used during system procurement and defines security requirements for control and automation systems in the energy domain and for their telecommunication infrastructure.

The workshop gives an introduction to the contents and practical application of ISO/IEC 27019 and the BDEW/OE Whitepaper.

The following topics will be covered:

  • Industrial control systems in the energy sector
  • Introduction to the ISO/IEC 27000 series
  • Overview of ISO/IEC 27019
  • Practical application of ISO/IEC 27019
  • ISO/IEC 27019 and European cyber security regulation
  • The BDEW/OE Whitepaper, a security procurement guideline for energy ICS

The workshop will include a lecture, discussions and exercises.