EN 62351-11:2017
Power systems management and associated information exchange – Data and communications security - Part 11: Security for XML documents
IEC 62351-11:2016 specifies schema, procedures, and algorithms for securing XML documents that are used within the scope of the IEC as well as documents in other domains. This part is intended to be referenced by standards if secure exchanges are required, unless there is an agreement between parties in order to use other recognized secure exchange mechanisms. This part of IEC 62351 utilizes well-known W3C standards for XML document security and provides profiling of these standards and additional extensions.
Energiemanagementsysteme und zugehöriger Datenaustausch - IT-Sicherheit für Daten und Kommunikation - Teil 11: Sicherheit für XML-Dateien
Gestion des systèmes de puissance et échanges d'informations associés - Sécurité des communications et des données - Partie 11: Sécurité des documents XML
IEC 62351-11:2016 specifies a schema, procedures and algorithms for securing XML documents that are used within the scope of the IEC as well as documents used in other domains. This part is intended to be referenced by standards if secure exchanges are required, unless there is an agreement between the parties to use other recognized secure exchange mechanisms. This part of IEC 62351 relies on recognized W3C standards for XML document security and provides profiling of these standards as well as additional extensions.
Upravljanje elektroenergetskega sistema in pripadajoča izmenjava informacij - Varnost podatkov in komunikacij - 11. del: Varnost datotek XML
This part of IEC 62351 specifies schema, procedures, and algorithms for securing XML documents that are used within the scope of the IEC as well as XML documents used in other domains (e.g. IEEE, proprietary, etc.). This part is intended to be referenced by standards when secure exchanges are required, unless there is an agreement between parties to use other recognized secure exchange mechanisms.
This part of IEC 62351 utilizes well-known W3C standards for XML document security and provides profiling of these standards and additional extensions. The IEC 62351-11 extensions provide the following:
• Header: the header contains information relevant to the creation of the secured document, such as the date and time when IEC 62351-11 was created.
• A choice of encapsulating the original XML document in an encrypted (Encrypted) or non-encrypted (nonEncrypted) format. If encryption is chosen, a mechanism is provided to express the information required to actually perform encryption in an interoperable manner (EncryptionInfo).
• AccessControl: a mechanism to express access control information regarding information contained in the original XML document.
• Body: contains the original XML document that is being encapsulated.
• Signature: a signature that can be used for the purposes of authentication and tamper detection.
The measures described in this document take effect when they are accepted and referenced by the specifications themselves. This document is written to enable that process.
Consequently, this part of IEC 62351 is intended for developers of products that implement these specifications.
Parts of this part of IEC 62351 may also help managers and executives understand the purpose and requirements of the work.
Standards Content (Sample)
SLOVENIAN STANDARD
01-April-2017
Upravljanje elektroenergetskega sistema in pripadajoča izmenjava informacij -
Varnost podatkov in komunikacij - 11. del: Varnost datotek XML
Power systems management and associated information exchange - Data and
communications security - Part 11: Security for XML files
This Slovenian standard is identical to: EN 62351-11:2017
ICS:
29.240.30 Control equipment for electric power systems
35.240.50 IT applications in industry
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.
EUROPEAN STANDARD EN 62351-11
NORME EUROPÉENNE
EUROPÄISCHE NORM
February 2017
ICS 33.200
English Version
Power systems management and associated information
exchange - Data and communications security - Part 11:
Security for XML documents
(IEC 62351-11:2016)
Gestion des systèmes de puissance et échanges d'informations associés - Sécurité des communications et des données - Partie 11: Sécurité des documents XML
(IEC 62351-11:2016)
Energiemanagementsysteme und zugehöriger Datenaustausch - IT-Sicherheit für Daten und Kommunikation - Teil 11: Sicherheit für XML-Dateien
(IEC 62351-11:2016)
This European Standard was approved by CENELEC on 2016-11-02. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden,
Switzerland, Turkey and the United Kingdom.
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2017 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN 62351-11:2017 E
European foreword
The text of document 57/1753/FDIS, future edition 1 of IEC 62351-11, prepared by IEC/TC 57 "Power
systems management and associated information exchange" was submitted to the IEC-CENELEC
parallel vote and approved by CENELEC as EN 62351-11:2017.
The following dates are fixed:
• latest date by which the document has to be implemented at national level by publication of an identical national standard or by endorsement: (dop) 2017-08-10
• latest date by which the national standards conflicting with the document have to be withdrawn: (dow) 2020-02-10
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC [and/or CEN] shall not be held responsible for identifying any or all such
patent rights.
Endorsement notice
The text of the International Standard IEC 62351-11:2016 was approved by CENELEC as a European
Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standards indicated:
IEC 61850-6 NOTE Harmonized as EN 61850-6.
IEC 61970-552 NOTE Harmonized as EN 61970-552.
IEC 62351-1 NOTE Harmonized as EN 62351-1.
IEC 62351-3 NOTE Harmonized as EN 62351-3.
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
NOTE 1 When an International Publication has been modified by common modifications, indicated by (mod), the relevant
EN/HD applies.
NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available here:
www.cenelec.eu.
Publication | Year | Title | EN/HD | Year
IEC 62351-9 | - | Power systems management and associated information exchange - Data and communications security - Part 9: Cyber security key management for power system equipment | - | -
IEC/TS 62351-2 | - | Power systems management and associated information exchange - Data and communications security - Part 2: Glossary of terms | - | -
IEC/TS 62351-8 | - | Power systems management and associated information exchange - Data and communications security - Part 8: Role-based access control | - | -
IETF RFC 6931 | - | Additional XML Security Uniform Resource Identifiers (URIs) | - | -
W3C Recommended Canonical XML 1.0 | - | - | -
W3C Required Canonical XML 1.0 | - | - | -
W3C XML 1.1 | - | Signature Syntax and Processing - Version 1.1 | - | -
W3C XML Signature | - | XML Signature Syntax and Processing | - | -
IEC 62351-11 ®
Edition 1.0 2016-09
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
Power systems management and associated information exchange – Data and
communications security –
Part 11: Security for XML documents
Gestion des systèmes de puissance et échanges d’informations associés –
Sécurité des communications et des données –
Partie 11: Sécurité des documents XML
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
INTERNATIONALE
ICS 33.200 ISBN 978-2-8322-3636-9
CONTENTS
FOREWORD
1 Scope
2 Normative references
3 Terms and definitions
4 Security issues addressed by this document
4.1 General
4.2 Security threats countered
4.3 Attack methods countered
5 XML Documents
6 XML document encapsulation
6.1 General
6.2 HeaderType
6.3 Information
6.3.1 General
6.3.2 Nonce
6.3.3 AccessControl
6.3.4 Body
6.4 Encrypted element
6.4.1 General
6.4.2 EncryptionMethod
6.4.3 CipherData
6.4.4 KeyInfo
6.5 SignatureType
6.5.1 General
6.5.2 SignedInfoType
6.6 Supporting XSD Types
6.6.1 General
6.6.2 NameSeqType
6.7 Security algorithm selection
7 Example files (informative)
7.1 Non-encrypted example
7.2 Encrypted example
8 IANA list of signature, digest, and encryption methods (informative)
Bibliography
Figure 1 – Overview of IEC 62351-11 structure
Figure 2 – Data in transition example
Figure 3 – Secure encapsulation for XML documents
Figure 4 – General IEC 62351-11 XSD layout
Figure 5 – XSD ComplexType definition of HeaderType
Figure 6 – XSD ComplexType definition of information
Figure 7 – XSD Complex Type Definition of AccessControl
Figure 8 – XSD Complex Type definition of AccessControlType
Figure 9 – XSD Complex Type Definition of ACLRestrictionType
Figure 10 – XSD Complex Type definition of EntityType
Figure 11 – Example of AccessControl and XPATH
Figure 12 – Example of an IEC 62351-11 Body with a CIM document
Figure 13 – Structure of the IEC 62351-11 Encrypted element
Figure 14 – Structure of EncryptionMethodType
Figure 15 – Structure of CipherDataType
Figure 16 – EncryptedData element definition
Figure 17 – W3C SignatureType definition
Figure 18 – SignedInfotype XML structure
Figure 19 – SignatureMethodType structure
Figure 20 – ReferenceType structure
Figure 21 – KeyInfoType Structure
Figure 22 – Definition of NameSeqType
Table 1 – Definitions of general structure for an IEC 62351-11 document
Table 2 – Definition of HeaderType Element
Table 3 – Definition of information element
Table 4 – Definition of Contractual and ACL Element
Table 5 – Definition of ACLRestrictionType Element
Table 6 – Definition of Enumerated Values for ACLType
Table 7 – Definition of Enumerated Values for Constraint
Table 8 – Definition of EntityType Element
INTERNATIONAL ELECTROTECHNICAL COMMISSION
_____________
POWER SYSTEMS MANAGEMENT AND
ASSOCIATED INFO
...