EN IEC 62351-3:2023
(Main)Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP
Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP
IEC 62351-3:2023 specifies how to provide confidentiality, integrity protection, and message level authentication for protocols that make use of TCP/IP as a message transport layer and utilize Transport Layer Security when cyber-security is required. This may relate to SCADA and telecontrol protocols, but also to additional protocols if they meet the requirements in this document. IEC 62351-3 specifies how to secure TCP/IP-based protocols through constraints on the specification of the messages, procedures, and algorithms of Transport Layer Security (TLS) (TLSv1.2 defined in RFC 5246, TLSv1.3 defined in RFC 8446). In the specific clauses, there will be subclauses to note the differences and commonalities in the application depending on the target TLS version. The use and specification of intervening external security devices (e.g., "bump-in-the-wire") are considered out-of-scope. In contrast to previous editions of this document, this edition is self-contained in terms of completely defining a profile of TLS. Hence, it can be applied directly, without the need to specify further TLS parameters, except the port number, over which the communication will be performed. Therefore, this part can be directly utilized from a referencing standard and can be combined with further security measures on other layers. Providing the profiling of TLS without the need for further specifying TLS parameters allows declaring conformity to the described functionality without the need to involve further IEC 62351 documents. This document is intended to be referenced as a normative part of other IEC standards that have the need for providing security for their TCP/IP-based protocol exchanges under similar boundary conditions. However, it is up to the individual protocol security initiatives to decide if this document is to be referenced. The document also defines security events for specific conditions, which support error handling, security audit trails, intrusion detection, and conformance testing. Any action of an organization in response to events to an error condition described in this document are beyond the scope of this document and are expected to be defined by the organization’s security policy. This document reflects the security requirements of the IEC power systems management protocols. Should other standards bring forward new requirements, this document may need to be revised. This second edition cancels and replaces the first edition published in 2014, Amendment 1:2018 and Amendment 2:2020. This edition constitutes a technical revision. This edition includes the following significant technical changes with respect to the previous edition: a) Inclusion of the TLSv1.2 related parameter required in IEC 62351-3 Ed.1.2 to be specified by the referencing standard. This comprises the following parameter: • Mandatory TLSv1.2 cipher suites to be supported. • Specification of session resumption parameters. • Specification of session renegotiation parameters. • Revocation handling using CRL and OCSP. • Handling of security events. b) Inclusion of a TLSv1.3 profile to be applicable for the power system domain in a similar way as for TLSv1.2 session.
Energiemanagementsysteme und zugehöriger Datenaustausch - IT-Sicherheit für Daten und Kommunikation - Teil 3: Sicherheit von Kommunikationsnetzen und Systemen - Profile einschließlich TCP/IP
Gestion des systèmes de puissance et échanges d'informations associés - Sécurité des communications et des données - Partie 3: Sécurité des réseaux et des systèmes de communication - Profils comprenant TCP/IP
IEC 62351-3:2023 spécifie comment assurer la confidentialité, la protection de l’intégrité et l’authentification des niveaux des messages pour les protocoles qui utilisent les protocoles TCP/IP comme couche transport des messages et utilisent la sécurité de la couche transport lorsque la cybersécurité est exigée. Ceci peut concerner les protocoles SCADA/téléconduite, protection, automation et contrôles. L’IEC 62351-3 spécifie une méthode permettant de sécuriser les protocoles TCP/IP par l’intermédiaire de contraintes sur la spécification des messages, procédures et algorithmes de sécurité de la couche transport (TLS) (version 1.2 de TLS définie dans la RFC 5246 et version 1.3 définie dans la RFC 8446). Des articles spécifiques contiennent des paragraphes indiquant les différences et les points communs d’application en fonction de la version TLS cible. L’utilisation et la spécification des dispositifs de sécurité externe concernés (par exemple "bump-in-the-wire") sont considérées comme ne relevant pas du domaine d’application du présent document. Contrairement aux précédentes éditions du présent document, la présente édition est autosuffisante, car elle définit entièrement un profil de TLS. De ce fait, elle peut être appliquée directement, sans nécessiter de spécifier de paramètres TLS supplémentaires, à l’exception du numéro du port par lequel la communication est effectuée. Par conséquent, la présente partie peut être directement utilisée à partir d’une norme de référence et peut être combinée avec des mesures de sécurité supplémentaires sur d’autres couches. La définition du profil de TLS sans nécessiter de spécifier de paramètres TLS supplémentaires permet de déclarer la conformité à la fonctionnalité décrite sans nécessiter de recourir à d’autres documents IEC 62351. Le présent document est destiné à être référencé comme partie normative des autres normes IEC qui traitent de la nécessité d’assurer la sécurité de leurs échanges protocolaires basés sur TCP/IP dans des conditions limites similaires. Cependant, il revient aux initiatives individuelles en matière de sécurité des protocoles de décider si le présent document est à référencer. Le présent document définit également des événements de sécurité pour des conditions spécifiques, qui prennent en charge la gestion des erreurs, les pistes d’audit de sécurité, la détection d’intrusion et les essais de conformité. Toute action d’un organisme en réponse à des événements dus à une condition d’erreur décrite dans le présent document ne relève pas du domaine d’application du présent document et est susceptible d’être définie par la politique de sécurité de l’organisme. Le présent document présente les exigences de sécurité des protocoles de gestion des systèmes de puissance de l’IEC. Une révision du présent document pourrait s’avérer nécessaire en cas d’ajout de nouvelles exigences dans d’autres normes. Cette seconde édition annule et remplace la première édition parue en 2014, l’Amendement 1:2018 et l’Amendement 2:2020. Cette édition constitue une révision technique. Cette édition inclut les modifications techniques majeures suivantes par rapport à l’édition précédente: a) inclusion du paramètre lié à la TLSv1.2 exigé dans l’IEC 62351-3 Éd.1.2 à spécifier par la norme de référence. Ce paramètre comprend les éléments suivants: • les suites chiffrées TLSv1.2 obligatoires à prendre en charge; • la spécification des paramètres de reprise de session; • la spécification des paramètres de renégociation de session; • la gestion des révocations à l’aide de la CRL et du protocole OCSP; • la ges
Upravljanje elektroenergetskega sistema in pripadajoča izmenjava informacij - Varnost podatkov in komunikacij - 3. del: Varnost komunikacijskih omrežij in sistemov - Profili za TCP/IP (IEC 62351-3:2023)
Standard IEC 62351-3:2023 določa, kako zagotoviti zaupnost, zaščito celovitosti in preverjati pristnost na ravni sporočil za protokole, ki za sporočilno transportno plast uporabljajo TCP/IP, ter zagotoviti varnost na transportni plasti, ko je zahtevana kibernetska varnost. To se lahko nanaša na protokole sistema nadzora in pridobivanja podatkov ter protokole za daljinsko vodenje, pa tudi na dodatne protokole, če izpolnjujejo zahteve v tem dokumentu.
Standard IEC 62351-3 določa, kako zaščititi protokole, ki temeljijo na TCP/IP, z omejitvami na specifikacijo sporočil, postopkov in algoritmov varnosti na transportni plasti (TLS) (TLSv1.2 opredeljen v RFC 5246, TLSv1.3 opredeljen v RFC 8446 ). Posebne točke bodo vsebovale podtočke z razlikami in skupnimi značilnostmi v aplikaciji glede na ciljno različico varnosti na transportni plasti. Uporaba in specifikacija vmesnih zunanjih varnostnih naprav (npr. »bump-in-the-wire«) se štejeta izven področja uporabe.
V nasprotju s prejšnjimi izdajami tega dokumenta je ta izdaja samozadostna v smislu popolne opredelitve profila varnosti na transportni plasti. Zato ga je mogoče uporabiti neposredno, brez potrebe po določanju nadaljnjih parametrov varnosti na transportni plasti, razen številke vrat, prek katerih se bo komunikacija izvajala. Tako je ta del mogoče neposredno uporabiti iz referenčnega standarda in ga je mogoče kombinirati z nadaljnjimi varnostnimi ukrepi na drugih plasteh. Zagotavljanje profiliranja varnosti na transportni plasti brez potrebe po nadaljnjem določanju parametrov varnosti na transportni plasti omogoča izjavo o skladnosti z opisano funkcionalnostjo brez potrebe po vključitvi nadaljnjih dokumentov IEC 62351.
Ta dokument naj bi bil normativni del drugih standardov IEC, ki morajo zagotoviti varnost za svoje izmenjave protokolov na osnovi TCP/IP pod podobnimi mejnimi pogoji. Vendar pa se o tem, ali naj se sklicuje na ta dokument, odločijo posamezne varnostne pobude protokola.
Dokument določa tudi varnostne dogodke za posebne pogoje, ki podpirajo obravnavanje napak, varnostne revizijske sledi, odkrivanje vdorov in preskušanje skladnosti. Kakršno koli dejanje organizacije kot odgovor na dogodke zaradi stanja napake, opisanega v tem dokumentu, ne spada v področje uporabe tega dokumenta in pričakuje se, da bo določeno z varnostno politiko organizacije.
Ta dokument odraža varnostne zahteve protokolov za upravljanje elektroenergetskega sistema IEC. Če bodo drugi standardi uvedli nove zahteve, bo morda treba ta dokument revidirati.
Druga izdaja razveljavlja in nadomešča prvo izdajo, objavljeno leta 2014, dopolnilo 1 iz leta 2018 in dopolnilo 2 iz leta 2020. Ta izdaja je tehnično popravljena izdaja.
Ta izdaja v primerjavi s prejšnjo vključuje naslednje pomembne tehnične spremembe:
a) Vključitev s TLSv1.2 povezanega parametra, zahtevanega v standardu IEC 62351-3, izdaja1.2, je treba določiti z referenčnim standardom. To vključuje naslednji parameter:
• Podprti morajo biti obvezni paketi šifre TLSv1.2.
• Specifikacija parametrov za nadaljevanje seje.
• Specifikacija parametrov za vnovično pogajanje za vzpostavitev seje.
• Obravnavanje ukinitve s CRL in OCSP.
• Obravnavanje varnostnih dogodkov.
b) Vključitev profila TLSv1.3, ki se uporablja za domeno elektroenergetskega sistema na podoben način kot za sejo TLSv1.2.
General Information
Relations
Standards Content (Sample)
SLOVENSKI STANDARD
01-oktober-2023
Upravljanje elektroenergetskega sistema in pripadajoča izmenjava informacij -
Varnost podatkov in komunikacij - 3. del: Varnost komunikacijskih omrežij in
sistemov - Profili za TCP/IP
Power systems management and associated information exchange - Data and
communications security - Part 3: Communication network and system security - Profiles
including TCP/IP
Datenmodelle, Schnittstellen und Informationsaustausch für Planung und Betrieb von
Energieversorgungsunternehmen - Daten- und Kommunikationssicherheit - Teil 3:
Sicherheit von Kommunikationsnetzen und Systemen - Profile einschließlich TCP/IP
Gestion des systèmes de puissance et échanges d'informations associés - Sécurité des
communications et des données - Partie 3: Sécurité des réseaux et des systèmes de
communication - Profils comprenant TCP/IP
Ta slovenski standard je istoveten z: EN IEC 62351-3:2023
ICS:
29.240.30 Krmilna oprema za Control equipment for electric
elektroenergetske sisteme power systems
35.240.50 Uporabniške rešitve IT v IT applications in industry
industriji
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
EUROPEAN STANDARD EN IEC 62351-3
NORME EUROPÉENNE
EUROPÄISCHE NORM July 2023
ICS 33.200 Supersedes EN 62351-3:2014; EN 62351-
3:2014/A1:2018; EN 62351-3:2014/A2:2020
English Version
Power systems management and associated information
exchange - Data and communications security - Part 3:
Communication network and system security - Profiles including
TCP/IP
(IEC 62351-3:2023)
Gestion des systèmes de puissance et échanges Datenmodelle, Schnittstellen und Informationsaustausch für
d'informations associés - Sécurité des communications et Planung und Betrieb von Energieversorgungsunternehmen
des données - Partie 3: Sécurité des réseaux et des - Daten- und Kommunikationssicherheit - Teil 3: Sicherheit
systèmes de communication - Profils comprenant TCP/IP von Kommunikationsnetzen und Systemen - Profile
(IEC 62351-3:2023) einschließlich TCP/IP
(IEC 62351-3:2023)
This European Standard was approved by CENELEC on 2023-07-11. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Türkiye and the United Kingdom.
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2023 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN IEC 62351-3:2023 E
European foreword
The text of document 57/2578/FDIS, future edition 2 of IEC 62351-3, prepared by IEC/TC 57 "Power
systems management and associated information exchange" was submitted to the IEC-CENELEC
parallel vote and approved by CENELEC as EN IEC 62351-3:2023.
The following dates are fixed:
• latest date by which the document has to be implemented at national (dop) 2024-04-11
level by publication of an identical national standard or by endorsement
• latest date by which the national standards conflicting with the (dow) 2026-07-11
document have to be withdrawn
This document supersedes EN 62351-3:2014 and all of its amendments and corrigenda (if any).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
This document has been prepared under a Standardization Request given to CENELEC by the
European Commission and the European Free Trade Association.
Any feedback and questions on this document should be directed to the users’ national committee. A
complete listing of these bodies can be found on the CENELEC website.
Endorsement notice
The text of the International Standard IEC 62351-3:2023 was approved by CENELEC as a European
Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standard indicated:
IEC 62351-4:2018 NOTE Approved as EN IEC 62351-4:2018 (not modified)
IEC 62351-4:2018/A1:2020 NOTE Approved as EN IEC 62351-4:2018/A1:2020 (not modified)
IEC 62351-5 NOTE Approved as EN IEC 62351-5
IEC 62351-6:2020 NOTE Approved as EN IEC 62351-6:2020 (not modified)
IEC 62351-7 NOTE Approved as EN 62351-7
IEC 62351-8:2020 NOTE Approved as EN IEC 62351-8:2020 (not modified)
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1 Where an International Publication has been modified by common modifications, indicated by (mod),
the relevant EN/HD applies.
NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available
here: www.cencenelec.eu.
Publication Year Title EN/HD Year
IEC/TS 62351-1 2007 Power systems management and associated - -
information exchange - Data and communications
security - Part 1: Communication network and system
security - Introduction to security issues
IEC/TS 62351-2 2008 Power systems management and associated - -
information exchange - Data and communications
security - Part 2: Glossary of terms
IEC 62351-9 - Power systems management and associated - -
information exchange - Data and communications
security - Part 9: Cyber security key management for
power system equipment
ISO/IEC 9594-8 2020 Information technology - Open systems - -
interconnection - Part 8: The Directory: Public-key and
attribute certificate frameworks
RFC 5246 2008 The Transport Layer Security (TLS) Protocol - -
Version 1.2
RFC 5280 2008 Internet X.509 Public Key Infrastructure Certificate - -
and Certificate Revocation List (CRL) Profile
RFC 5288 2008 AES Galois Counter Mode (GCM) Cipher Suites for - -
TLS
RFC 5289 2008 TLS Elliptic Curve Cipher Suites with SHA-256/384 - -
and AES Galois Counter Mode (GCM)
RFC 5746 2010 Transport Layer Security (TLS) Renegotiation - -
Indication Extension
RFC 6066 2011 Transport Layer Security (TLS) Extensions: Extension - -
Definitions
RFC 6176 2011 Prohibiting Secure Sockets Layer (SSL) Version 2.0 - -
RFC 8422 2018 ECC Cipher Suites for TLSv1.2 and earlier - -
RFC 8446 2018 The TLS Protocol Version 1.3 - -
RFC 9150 2021 TLS 1.3 Authentication and Integrity only Cipher - -
Suites
IEC 62351-3 ®
Edition 2.0 2023-06
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
colour
inside
Power systems management and associated information exchange – Data and
communications security –
Part 3: Communication network and system security – Profiles including TCP/IP
Gestion des systèmes de puissance et échanges d’informations associés –
Sécurité des communications et des données –
Partie 3: Sécurité des réseaux et des systèmes de communication – Profils
comprenant TCP/IP
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
INTERNATIONALE
ICS 33.200 ISBN 978-2-8322-6935-0
– 2 – IEC 62351-3:2023 © IEC 2023
CONTENTS
FOREWORD . 5
INTRODUCTION . 7
1 Scope . 8
1.1 Scope . 8
1.2 Intended audience . 8
2 Normative references . 9
3 Terms, definitions and abbreviated terms . 9
3.1 Terms and definitions . 9
3.2 Abbreviated terms . 10
4 Security issues addressed by this document . 10
4.1 General . 10
4.2 Security threats countered . 11
4.3 Attack methods countered . 11
4.4 Handling of security events . 12
5 Overview of differences in TLS versions . 12
5.1 General . 12
5.2 Main differences between TLSv1.2 and TLSv1.3 . 12
5.3 Cipher suite naming . 13
5.4 Backward compatibility . 14
5.5 Extensions . 14
6 Generic requirements . 15
6.1 General . 15
6.2 Signalling of supported TLS versions . 15
6.3 Usage of non-encrypting cipher suites . 16
6.4 Certificate support . 17
6.4.1 Support of multiple trust anchors . 17
6.4.2 Certificate size . 17
6.4.3 Certificate exchange . 17
6.4.4 Public-key certificate validation . 18
6.5 Co-existence with non-secure protocol traffic . 21
7 Requirements specific to TLSv1.2. 21
7.1 General . 21
7.2 Supported cipher suites . 21
7.3 Disallowed cipher suites . 22
7.4 Key exchange . 22
7.4.1 General . 22
7.4.2 Key exchange mechanisms . 22
7.4.3 Cryptographic algorithms . 22
7.4.4 Session resumption . 24
7.4.5 Session renegotiation . 25
7.5 Support of extensions . 26
7.5.1 General . 26
7.5.2 TLS session renegotiation extension . 26
7.5.3 Signalling of client supported CA certificates via Trusted CA . 27
7.5.4 Signalling of supported signature algorithms . 27
7.5.5 Stapling of OCSP response messages . 28
...
SLOVENSKI STANDARD
01-oktober-2023
Upravljanje elektroenergetskega sistema in pripadajoča izmenjava informacij -
Varnost podatkov in komunikacij - 3. del: Varnost komunikacijskih omrežij in
sistemov - Profili za TCP/IP (IEC 62351-3:2023)
Power systems management and associated information exchange - Data and
communications security - Part 3: Communication network and system security - Profiles
including TCP/IP (IEC 62351-3:2023)
Datenmodelle, Schnittstellen und Informationsaustausch für Planung und Betrieb von
Energieversorgungsunternehmen - Daten- und Kommunikationssicherheit - Teil 3:
Sicherheit von Kommunikationsnetzen und Systemen - Profile einschließlich TCP/IP
(IEC 62351-3:2023)
Gestion des systèmes de puissance et échanges d'informations associés - Sécurité des
communications et des données - Partie 3: Sécurité des réseaux et des systèmes de
communication - Profils comprenant TCP/IP (IEC 62351-3:2023)
Ta slovenski standard je istoveten z: EN IEC 62351-3:2023
ICS:
29.240.30 Krmilna oprema za Control equipment for electric
elektroenergetske sisteme power systems
35.240.50 Uporabniške rešitve IT v IT applications in industry
industriji
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
EUROPEAN STANDARD EN IEC 62351-3
NORME EUROPÉENNE
EUROPÄISCHE NORM July 2023
ICS 33.200 Supersedes EN 62351-3:2014; EN 62351-
3:2014/A1:2018; EN 62351-3:2014/A2:2020
English Version
Power systems management and associated information
exchange - Data and communications security - Part 3:
Communication network and system security - Profiles including
TCP/IP
(IEC 62351-3:2023)
Gestion des systèmes de puissance et échanges Datenmodelle, Schnittstellen und Informationsaustausch für
d'informations associés - Sécurité des communications et Planung und Betrieb von Energieversorgungsunternehmen
des données - Partie 3: Sécurité des réseaux et des - Daten- und Kommunikationssicherheit - Teil 3: Sicherheit
systèmes de communication - Profils comprenant TCP/IP von Kommunikationsnetzen und Systemen - Profile
(IEC 62351-3:2023) einschließlich TCP/IP
(IEC 62351-3:2023)
This European Standard was approved by CENELEC on 2023-07-11. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Türkiye and the United Kingdom.
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2023 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN IEC 62351-3:2023 E
European foreword
The text of document 57/2578/FDIS, future edition 2 of IEC 62351-3, prepared by IEC/TC 57 "Power
systems management and associated information exchange" was submitted to the IEC-CENELEC
parallel vote and approved by CENELEC as EN IEC 62351-3:2023.
The following dates are fixed:
• latest date by which the document has to be implemented at national (dop) 2024-04-11
level by publication of an identical national standard or by endorsement
• latest date by which the national standards conflicting with the (dow) 2026-07-11
document have to be withdrawn
This document supersedes EN 62351-3:2014 and all of its amendments and corrigenda (if any).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
This document has been prepared under a Standardization Request given to CENELEC by the
European Commission and the European Free Trade Association.
Any feedback and questions on this document should be directed to the users’ national committee. A
complete listing of these bodies can be found on the CENELEC website.
Endorsement notice
The text of the International Standard IEC 62351-3:2023 was approved by CENELEC as a European
Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standard indicated:
IEC 62351-4:2018 NOTE Approved as EN IEC 62351-4:2018 (not modified)
IEC 62351-4:2018/A1:2020 NOTE Approved as EN IEC 62351-4:2018/A1:2020 (not modified)
IEC 62351-5 NOTE Approved as EN IEC 62351-5
IEC 62351-6:2020 NOTE Approved as EN IEC 62351-6:2020 (not modified)
IEC 62351-7 NOTE Approved as EN 62351-7
IEC 62351-8:2020 NOTE Approved as EN IEC 62351-8:2020 (not modified)
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1 Where an International Publication has been modified by common modifications, indicated by (mod),
the relevant EN/HD applies.
NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available
here: www.cencenelec.eu.
Publication Year Title EN/HD Year
IEC/TS 62351-1 2007 Power systems management and associated - -
information exchange - Data and communications
security - Part 1: Communication network and system
security - Introduction to security issues
IEC/TS 62351-2 2008 Power systems management and associated - -
information exchange - Data and communications
security - Part 2: Glossary of terms
IEC 62351-9 - Power systems management and associated - -
information exchange - Data and communications
security - Part 9: Cyber security key management for
power system equipment
ISO/IEC 9594-8 2020 Information technology - Open systems - -
interconnection - Part 8: The Directory: Public-key and
attribute certificate frameworks
RFC 5246 2008 The Transport Layer Security (TLS) Protocol - -
Version 1.2
RFC 5280 2008 Internet X.509 Public Key Infrastructure Certificate - -
and Certificate Revocation List (CRL) Profile
RFC 5288 2008 AES Galois Counter Mode (GCM) Cipher Suites for - -
TLS
RFC 5289 2008 TLS Elliptic Curve Cipher Suites with SHA-256/384 - -
and AES Galois Counter Mode (GCM)
RFC 5746 2010 Transport Layer Security (TLS) Renegotiation - -
Indication Extension
RFC 6066 2011 Transport Layer Security (TLS) Extensions: Extension - -
Definitions
RFC 6176 2011 Prohibiting Secure Sockets Layer (SSL) Version 2.0 - -
RFC 8422 2018 ECC Cipher Suites for TLSv1.2 and earlier - -
RFC 8446 2018 The TLS Protocol Version 1.3 - -
RFC 9150 2021 TLS 1.3 Authentication and Integrity only Cipher - -
Suites
IEC 62351-3 ®
Edition 2.0 2023-06
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
colour
inside
Power systems management and associated information exchange – Data and
communications security –
Part 3: Communication network and system security – Profiles including TCP/IP
Gestion des systèmes de puissance et échanges d’informations associés –
Sécurité des communications et des données –
Partie 3: Sécurité des réseaux et des systèmes de communication – Profils
comprenant TCP/IP
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
INTERNATIONALE
ICS 33.200 ISBN 978-2-8322-6935-0
– 2 – IEC 62351-3:2023 © IEC 2023
CONTENTS
FOREWORD . 5
INTRODUCTION . 7
1 Scope . 8
1.1 Scope . 8
1.2 Intended audience . 8
2 Normative references . 9
3 Terms, definitions and abbreviated terms . 9
3.1 Terms and definitions . 9
3.2 Abbreviated terms . 10
4 Security issues addressed by this document . 10
4.1 General . 10
4.2 Security threats countered . 11
4.3 Attack methods countered . 11
4.4 Handling of security events . 12
5 Overview of differences in TLS versions . 12
5.1 General . 12
5.2 Main differences between TLSv1.2 and TLSv1.3 . 12
5.3 Cipher suite naming . 13
5.4 Backward compatibility . 14
5.5 Extensions . 14
6 Generic requirements . 15
6.1 General . 15
6.2 Signalling of supported TLS versions . 15
6.3 Usage of non-encrypting cipher suites . 16
6.4 Certificate support . 17
6.4.1 Support of multiple trust anchors . 17
6.4.2 Certificate size . 17
6.4.3 Certificate exchange . 17
6.4.4 Public-key certificate validation . 18
6.5 Co-existence with non-secure protocol traffic . 21
7 Requirements specific to TLSv1.2. 21
7.1 General . 21
7.2 Supported cipher suites . 21
7.3 Disallowed cipher suites . 22
7.4 Key exchange . 22
7.4.1 General . 22
7.4.2 Key exchange mechanisms . 22
7.4.3 Cryptographic algorithms . 22
7.4.4 Session resumption . 24
7.4.5 Session renegotiation . 25
7.5 Support of extensions . 26
7.5.1 General . 26
7.5.2 TLS session renegotiation extension . 26
7.5.3 Signalling of client supported CA certificates via Trusted CA . 27
7.5.4 Signalling of supported signature algorithms . 27
7.5.5 Stapling of OCSP response messages .
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.