How can ISO 27001 and ISO 22301 help with critical infrastructure protection?

The European Council Directive 2008/114/EC of December 8, 2008, is a European Directive for the identification and designation of critical European infrastructures and the assessment of the need to improve their protection. It states:

Critical infrastructure means an asset, system or part thereof … which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions.

Obviously, this definition would also be applicable to any country in the world. Let’s see how to approach it.

Critical infrastructure in the EU and the US

According to the European Network and Information Security Agency (ENISA), typical sectors where we can find critical infrastructures are the following:

  • Energy
  • ICT
  • Water
  • Food
  • Health
  • Financial
  • Public and legal order
  • Civil admin.
  • Transport
  • Chemical and nuclear
  • Space and research

These sectors are considered critical, and most countries have regulations for their protection. In Europe there is a global European Directive (which is mentioned above), but each Member State defines its own regulation. In the United States, the global leader in the protection of critical infrastructure, there is the Presidential Policy Directive on Critical Infrastructure Security and Resilience (PDD 63) and the U.S. Policy on Counterterrorism (PDD 39). Most recently, the U.S. National Institute of Standards and Technology (NIST) developed the Framework for Improving Critical Infrastructure Cybersecurity.

By the way, Industrial Control Systems (ICS) are a fundamental part of the critical infrastructure, and include the following types:

  • Supervisory Control and Data Acquisition (SCADA)
  • Programmable Logic Controllers (PLC)
  • Distributed Control Systems (DCS)

These are, basically, the control systems used to operate the infrastructure.

Critical infrastructures = IT + OT

Critical infrastructures are composed of two different worlds – IT and OT – which, of late, appear to be merging. In the world of IT (Information Technology) we have computers, software, network devices, etc. In the world of OT (Operational Technology) we have physical systems, sensors, machines, etc. How are they integrated? Let me explain this using an easy example: The entity that manages the water (distribution, water purification, etc.) in a country can be considered part of the critical infrastructure, because water is an essential resource for the life of all citizens. This entity has a SCADA composed of systems to open/close water gates, sensors to monitor water levels, machines for the purification of water, etc. All of these elements are related to the OT, because we need to control physical devices, processes, and events in the organization.

If we connect the systems related to OT (sensors, physical devices, etc.) to an information system, we can manage information received by sensors, visualize it in a graphical user interface, and maybe even connect remotely to a physical device to manage it.

Figure: Scope of OT and IT

Critical infrastructure issues – Malware as an example of a big problem

The convergence of OT and IT is very positive for the industrial sector, but there is also a dark side – you have likely heard about the malware Stuxnet, which caused significant problems for the nuclear power plant in Iran. This malware was developed specifically to attack SCADA systems, and the number of systems affected by it globally is put at 90,000.

The difference with respect to typical malware (like a virus that infects your computer) is that this specific kind of malware, related to critical infrastructures, can affect people’s lives. How long could you live without water, electricity, hospitals, public transport, communications (telephone, internet), etc.?

So, as you can see, the world of IT can add threats to the world of OT. And they could be serious. So, what can we do?

ISO 27001 and ISO 22301 – How can they help?

Today, everything is connected – take, for example, the IoT (Internet of Things). But, in the industrial world (where critical infrastructure belongs), we are facing new threats that are typically found in the world of IT. The good news is that we have tools to manage threats related to IT, such as ISO 27001 (an international standard for information security).

But, how can we identify such threats? Well, the main point of ISO 27001 is risk management. If you would like to learn more about risk management according to ISO 27001, the articles ISO 27001 risk assessment & treatment ‑ 6 basic steps and How to write ISO 27001 risk assessment methodology can help you. Identifying the threats will help you define controls to implement in order to manage related risks.

As for threats that are not related to IT (security), but affect critical infrastructure, there is another international standard that helps: ISO 22301. This standard was developed for the management of business continuity, including identifying critical processes, establishing their impact, managing risks, and developing formal procedures for business recovery in a disaster. Critical infrastructures are very complex, and composed of industrial activities, industrial processes, people, etc. ISO 22301 could help their recovery in a disaster scenario. The articles How to implement business impact analysis (BIA) according to ISO 22301 and Business continuity plan: How to structure it according to ISO 22301 can help to start an ISO 22301 implementation.

Benefits of using ISO 27001 and ISO 22301 for the management of critical infrastructures

Critical infrastructures suffer from problems that are typically found in the IT world, but these could be avoided by using the risk management of ISO 27001. Critical infrastructures are also subject to problems in a disaster scenario, so ISO 22301 could be used for their recovery. Implementation of these standards provides an organization with many benefits, which could also be applied to critical infrastructure.

Both ISO 27001 and ISO 22301 have many benefits, and have many common points, so it is recommended that they be implemented together in critical infrastructure composed of IT and OT. Additionally, by implementing ISO 27001, you get much closer to meeting the EU GDPR (EU General Data Protection Regulation) requirements – see the article Does ISO 27001 implementation satisfy EU GDPR requirements?

For the integration of both standards, this free webinar may also be interesting for you: ISO 27001 & ISO 22301: Why is it better to implement them together?

So, what if you implement both standards together? Taking advantage of their common points, obtaining benefits from two international standards – without a doubt, it is the best choice to manage and improve critical infrastructures.

See this free white paper on How to implement NIST cybersecurity framework using ISO 27001 to learn how to integrate ISO standards with US regulations.

Antonio Jose Segovia
Antonio Jose Segovia is an IT Engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.