1、 Reference number ISO/IEC TR 27019:2013(E) ISO/IEC 2013TECHNICAL REPORT ISO/IEC TR 27019 First edition 2013-07-15Information technology Security techniques Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry Technologi
2、es de linformation Techniques de scurit Lignes directrices de management de la scurit de linformation fondes sur lISO/CEI 27002 pour les systmes de contrle des procds spcifiques lindustrie des oprateurs nergtiques ISO/IEC TR 27019:2013(E) COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2013 All rights reserved
3、. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at
4、 the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2013 All rights reservedISO/IEC TR 27019:2013(E) ISO
5、/IEC 2013 All rights reserved iiiContents Page Foreword vi Introduction . vii 1 Scope 1 2 Normative references 1 3 Terms and definitions . 2 4 Overview . 3 4.1 Structure of this guideline 3 4.2 Information security management systems for energy supply utilities 4 4.2.1 Objectives 4 4.2.2 Security co
6、nsiderations for process control systems used by the energy utilities 4 4.2.3 Information assets to be protected . 4 4.2.4 Establishment of information security management 5 4.2.5 Critical success factors 5 5 Security policy . 5 6 Organization of information security 6 6.1 Internal organization . 6
7、6.1.1 Management commitment to information security 6 6.1.2 Information security coordination . 6 6.1.3 Allocation of information security responsibilities . 6 6.1.4 Authorization process for information processing facilities 6 6.1.5 Confidentiality agreements 6 6.1.6 Contact with authorities 6 6.1.
8、7 Contact with special interest groups 7 6.1.8 Independent review of information security . 7 6.2 External parties 7 6.2.1 Identification of risks related to external parties . 7 6.2.2 Addressing security when dealing with customers 7 6.2.3 Addressing security in third-party agreements . 8 7 Asset m
9、anagement 8 7.1 Responsibility for assets 8 7.1.1 Inventory of assets 8 7.1.2 Ownership of assets . 9 7.1.3 Acceptable use of assets . 9 7.2 Information classification . 9 7.2.1 Classification guidelines 9 7.2.2 Information labelling and handling 9 8 Human resource security . 10 8.1 Prior to employm
10、ent 10 8.1.1 Roles and responsibilities 10 8.1.2 Screening . 10 8.1.3 Terms and conditions of employment 10 8.2 During employment . 10 8.3 Termination or change of employment . 11 9 Physical and environmental security 11 9.1 Secure areas 11 9.1.1 Physical security perimeter 11 9.1.2 Physical entry c
11、ontrols . 11 ISO/IEC TR 27019:2013(E) iv ISO/IEC 2013 All rights reserved9.1.3 Securing offices, rooms and facilities .11 9.1.4 Protecting against external and environmental threats 11 9.1.5 Working in secure areas .11 9.1.6 Public access, delivery and loading areas 11 9.1.7 Securing control centers
12、 11 9.1.8 Securing equipment rooms 12 9.1.9 Securing peripheral sites 13 9.2 Equipment security .14 9.2.1 Equipment siting and protection 14 9.2.2 Supporting utilities 14 9.2.3 Cabling security .14 9.2.4 Equipment maintenance .15 9.2.5 Security of equipment off-premises 15 9.2.6 Secure disposal or r
13、euse of equipment 15 9.2.7 Removal of property 15 9.3 Security in premises of 3 rdparties .15 9.3.1 Equipment sited on the premises of other energy utility organizations 15 9.3.2 Equipment sited on customers premises 16 9.3.3 Interconnected control and communication systems .16 10 Communications and
14、 operations management .16 10.1 Operational procedures and responsibilities .16 10.1.1 Documented operating procedures .16 10.1.2 Change management 17 10.1.3 Segregation of duties 17 10.1.4 Separation of development, test and operational facilities .17 10.2 Third party service delivery management .1
15、7 10.3 System planning and acceptance 17 10.4 Protection against malicious and mobile code 17 10.4.1 Controls against malicious code .17 10.4.2 Controls against mobile code 18 10.5 Back-up .18 10.6 Network security management .18 10.6.1 Network controls 18 10.6.2 Security of network services 18 10.6
16、.3 Securing process control data communication .18 10.7 Media handling .19 10.8 Exchange of information .19 10.9 Electronic commerce services .19 10.10 Monitoring 19 10.10.1 Audit logging 19 10.10.2 Monitoring system use 19 10.10.3 Protection of log information .19 10.10.4 Administrator and operator
17、 logs 19 10.10.5 Fault logging 19 10.10.6 Clock synchronization 20 10.11 Legacy systems .20 10.11.1 Treatment of legacy systems .20 10.12 Safety functions .20 10.12.1 Integrity and availability of safety functions .21 11 Access control .21 11.1 Business requirement for access control .21 11.1.1 Acce
18、ss control policy 21 11.2 User access management .21 11.3 User responsibilities .21 11.3.1 Password use .21 11.3.2 Unattended user equipment .22 11.3.3 Clear desk and clear screen policy 22 11.4 Network access control 22 ISO/IEC TR 27019:2013(E) ISO/IEC 2013 All rights reserved v11.4.1 Policy on use
19、 of network services . 22 11.4.2 User authentication for external connections 22 11.4.3 Equipment identification in networks . 22 11.4.4 Remote diagnostic and configuration port protection 22 11.4.5 Segregation in networks . 22 11.4.6 Network connection control . 23 11.4.7 Network routing control 23
20、 11.4.8 Logical coupling of external process control systems . 23 11.5 Operating system access control 23 11.5.1 Secure log-on procedures 23 11.5.2 User identification and authentication 23 11.5.3 Password management system . 23 11.5.4 Use of system utilities . 23 11.5.5 Session time-out 24 11.5.6 L
21、imitation of connection time 24 11.6 Application and information access control 24 11.7 Mobile computing and teleworking . 24 12 Information systems acquisition, development and maintenance 24 12.1 Security requirements of information systems 24 12.1.1 Security requirements analysis and specificatio
22、n . 24 12.2 Correct processing in applications . 24 12.3 Cryptographic controls . 24 12.4 Security of system files 24 12.4.1 Control of operational software . 24 12.4.2 Protection of system test data . 25 12.4.3 Access control to program source code 25 12.5 Security in development and support proces
23、ses 25 12.6 Technical vulnerability management 25 13 Information security incident management 25 13.1 Reporting information security events and weaknesses 25 13.2 Management of information security incidents and improvements 25 14 Business continuity management . 25 14.1 Information security aspects
24、 of business continuity management . 25 14.1.1 Including information security in the business continuity management process . 25 14.1.2 Business continuity and risk assessment 25 14.1.3 Developing and implementing continuity plans including information security 25 14.1.4 Business continuity planning
25、 framework . 26 14.1.5 Testing, maintaining and re-assessing business continuity plans . 26 14.2 Essential emergency services . 26 14.2.1 Emergency communication . 26 15 Compliance 27 15.1 Compliance with legal requirements . 27 15.1.1 Identification of applicable legislation 27 15.1.2 Intellectual
26、property rights (IPR) 27 15.1.3 Protection of organizational records . 27 15.1.4 Data protection and privacy of personal information 27 15.1.5 Prevention of misuse of information processing facilities . 27 15.1.6 Regulation of cryptographic controls . 27 15.2 Compliance with security policies and st
27、andards, and technical compliance . 27 15.3 Information systems audit considerations . 28 Annex A (Informative) Energy utility extended control set . 29 Annex B (Informative) Additional implementation guidance . 31 Bibliographic references . 37 ISO/IEC TR 27019:2013(E) vi ISO/IEC 2013 All rights res
28、ervedForeword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through t
29、echnical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take
30、 part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare I
31、nternational Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. In exceptional circumstances, when the joint
32、 technical committee has collected data of a different kind from that which is normally published as an International Standard (“state of the art“, for example), it may decide to publish a Technical Report. A Technical Report is entirely informative in nature and shall be subject to review every fiv
33、e years in the same manner as an International Standard. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC TR 27019 was prepared by DIN
34、 Deutsches Institut fr Normung e. V. (as DIN SPEC 27009:2012-04 4) and was adopted, under a special “fast-track procedure“, by Joint Technical Committee ISO/IEC JTC 1, Information technology, in parallel with its approval by the national bodies of ISO and IEC. ISO/IEC TR 27019:2013(E) ISO/IEC 2013 A
35、ll rights reserved viiIntroduction This Technical Report provides guiding principles based on ISO/IEC 27002 “Code of practice for information security management” for information security management applied to process control systems as used in the energy utility industry. The aim of this document i
36、s to extend the ISO/IEC 27000 standards to the domain of process control systems and automation technology, thus allowing the energy utility industry to implement a standardized information security management system (ISMS) in accordance with ISO/IEC 27001 that extends from the business to the proce
37、ss control level. At the focus of application of this document are the systems and networks for controlling and supervising the generation, transmission and distribution of electric power, gas and heat in combination with the control of facilitating processes. This includes control and automation sy
38、stems, protection and safety systems and measurement systems, including their associated communications and telecontrol applications. For purposes of simplification, these systems will be collectively referred to in the following as “process control systems”. In addition to the security objectives a
39、nd measures that are set forth in ISO/IEC 27002:2005, the process control systems used by energy utilities and energy suppliers are subject to further, special requirements. In comparison with conventional IT environments (e.g. office IT) there are fundamental and significant differences with respec
40、t to the development, operation, repair, maintenance and operating environment of process control systems. Furthermore, the process technology referred to in this document may represent integral components of critical infrastructures which means they are therefore essential for the secure and reliab
41、le operation of such infrastructures. These distinctions and characteristics need to be taken into due consideration by the management processes for process control systems and justify separate consideration within the ISO/IEC 27000 series of standards. In particular, the following fundamental diffe
42、rences exist compared with conventional IT systems: Security features In comparison with conventional IT systems, process control systems exhibit increased requirements with regard to their availability and integrity. In some operational environments failure of the process monitoring and control sys
43、tems cannot be tolerated. Also, the integrity of the data processed is frequently of crucial importance. Incorrect data can lead to incorrect control inputs, resulting in failure of protection or safety systems or trigger incorrect decisions by operating personnel, as a result of an erroneous repres
44、entation of current process conditions. These requirements therefore need to be taken into consideration during the system design stage as well as in normal operation. System architecture Besides the central IT installations within control centers for grid operation or conventional power plants ther
45、e are several systems which are typically distributed over larger areas, e.g.: process control and monitoring systems within substations and gas pressure regulating and metering stations; process control and monitoring systems for distributed generation, like wind-farms or photovoltaic generation un
46、its; digital metering and measurement devices. ISO/IEC TR 27019:2013(E) viii ISO/IEC 2013 All rights reservedOften, these remote systems cannot be physically protected at the same level as centrally located systems. Therefore, the system architecture needs to take these differences into consideratio
47、n and it may be necessary to provide additional safeguards at the interface between distributed and central systems. Also, the operating and management processes for distributed systems may vary in comparison with centralized IT architectures. It is for instance, not normal procedure to apply change
48、s to essential systems in critical substations or at other important sites via remote access, unless the corresponding field service personnel are present on-site. Furthermore, in many process control environments the architecture should allow for autonomous (local) operation of each distributed sit
49、e without network access to central installations. In case of outages it has to be possible to restart selected sites without an external energy source, e.g. for grid restoration (“black start capable” systems). Maintenance Process control systems are often designed for a service life of 20 or more years. If standard operating systems or software packages are used, special measures to handle outdated and no-longer supported software are needed. Frequent shutdowns of process control components, e.g. to install software pa
