EN IEC 62351-4:2018
(Main)Power systems management and associated information exchange - Data and communications security - Part 4: Profiles including MMS and derivatives
Power systems management and associated information exchange - Data and communications security - Part 4: Profiles including MMS and derivatives
1.1 General This part of IEC 62351 extends the scope of IEC TS 62351-4:2007 [1]1 by specifying a compatibility mode that provides interoperation with implementation based on IEC TS 62351- 4:2007 and by specifying extended capabilities referred to as native mode. This part of IEC 62351 specifies security requirements both at the transport layer and at the application layer. While IEC TS 62351-4:2007 primarily provided some limited support at the application layer for authentication during handshake for the Manufacturing Message Specification (MMS) based applications, this document also provides support for extended integrity and authentication both for the handshake phase and for the data transfer phase. It provides for shared key management and data transfer encryption at the application layer and it provides security end-to-end (E2E) with zero or more intermediate entities. While IEC TS 62351-4:2007 only provides support for systems based on the MMS, i.e. systems using an Open Systems Interworking (OSI) protocol stack, this document also provides support for application protocols using other protocol stacks, e.g. an Internet protocol suite (see 4.1). This support is extended to protect application protocols using XML encoding. This extended security at the application layer is referred to as E2E-security. In addition to E2E security, this part of IEC 62351 also provides mapping to environmental protocols carrying the security related information. Only OSI and XMPP environments are currently considered. It is intended that this part of IEC 62351 be referenced as a normative part of standards that have a need for using application protocols, e.g., MMS, in a secure manner. It is anticipated that there are implementations, in particular Inter-Control Centre Communications Protocol (ICCP) implementations that are dependent on the IEC TS 62351- 4:2007 specifications of the T-profile and the A-security-profile. The specifications from IEC TS 62351-4:2007 are therefore included in this part of IEC 62351. Implementations supporting these specifications will interwork with implementation based on IEC TS 62351-4:2007. NOTE The A-security-profile is in the strict sense not a profile, but the term is here kept for historical reasons. This document represents a set of mandatory and optional security specifications to be implemented to protect application protocols. The initial audience for this document is the members of the working groups developing or making use of protocols. For the measures described in this part of IEC 62351 to take effect, they shall be accepted and referenced by the specifications for the protocols themselves. The subsequent audience for this document is the developers of products that implement these protocols and the end user that want to specify requirements for its own environment. Portions of this document may also be of use to managers and executives in order to understand the purpose and requirements of the work.
Energiemanagementsysteme und zugehöriger Datenaustausch - IT-Sicherheit für Daten und Kommunikation - Teil 4: Profile einschließlich MMS und Ableitungen
Gestion des systèmes de puissance et échanges d'informations associés - Sécurité des communications et des données - Partie 4 : Profils comprenant MMS
IEC 62351:2018 spécifie les exigences de sécurité concernant à la fois la couche transport et la couche application. Alors que l’IEC TS 62351-4:2007 apportait principalement une aide limitée concernant la couche application pour l’authentification lors de l’établissement de liaison des applications fondées sur la messagerie MMS (manufacturing message specification), le présent document fournit également une assistance quant à l’extension de l’intégrité et l’authentification lors des phases d’établissement de liaison et de transfert de données. Il pourvoit à la gestion essentielle partagée et au chiffrement de transfert de données pour la couche application et assure la sécurité bout-à-bout (E2E - end-to-end) avec zéro entité intermédiaire ou plus. Alors que l’IEC TS 62351-4:2007 apporte une assistance uniquement pour les systèmes fondés sur la MMS, c’est-à-dire les systèmes utilisant une pile de protocoles OSI (open systems interworking - interconnexion de systèmes ouverts), le présent document fournit également une assistance quant aux protocoles d’application utilisant d’autres piles de protocoles, par exemple une suite de protocoles Internet (voir 4.1). Cette assistance est étendue afin d’assurer la protection des protocoles d’application utilisant le codage XML. Cette sécurité étendue au niveau de la couche application est appelée sécurité E2E. En plus de la sécurité E2E, la présente partie de l’IEC 62351 présente également la mise en correspondance avec les protocoles environnementaux comportant les informations concernant la sécurité. Seuls les environnements OSI et XMPP sont actuellement pris en considération.
Upravljanje elektroenergetskega sistema in pripadajoča izmenjava informacij - Varnost podatkov in komunikacij - 4. del: Profili, vključno z MMS in izpeljankami
Ta del standarda IEC 62351 razširja področje uporabe standarda IEC TS 62351-4:2007 [1]1, saj določa način združljivosti, ki zagotavlja interoperabilnost z izvajanjem na podlagi standarda IEC TS 62351-4:2007 in določa razširjene zmogljivosti, imenovane nativni način.
Ta del standarda IEC 62351 določa varnostne zahteve tako na transportni kot na aplikacijski plasti. Medtem ko je IEC TS 62351-4:2007 primarno zagotovil omejeno podporo na aplikacijski plasti za preverjanje pristnosti med rokovanjem z aplikacijami na osnovi MMS (Manufacturing Message Specification), pa ta dokument zagotavlja tudi podporo za razširjeno integriteto in preverjanje pristnosti tako za fazo rokovanja kot za fazo prenosa podatkov. Zagotavlja upravljanje s ključem v skupni rabi, šifriranje prenosa podatkov na aplikacijski plasti in celostno varnost (E2E) z nič ali več vmesnimi enotami. Medtem ko IEC TS 62351-4:2007 zagotavlja podporo samo za sisteme na osnovi MMS, tj. sisteme, ki uporabljajo sklad protokolov OSI (Open Systems Interworking), pa ta dokument zagotavlja tudi podporo za aplikacijske protokole, ki uporabljajo druge sklade protokolov, npr. zbirko internetnih protokolov (glej 4.1)
Ta podpora je razširjena za zaščito aplikacijskih protokolov s kodiranjem XML. Ta razširjena varnost na aplikacijski plasti se imenuje E2E-varnost.
Poleg E2E-varnosti zagotavlja ta del standarda IEC 62351 tudi preslikavo v okoljske protokole, ki vsebujejo informacije v zvezi z varnostjo. Trenutno so obravnavana samo okolja OSI in XMPP.
Ta del standarda IEC 62351 naj bi bil normativni del standardov, v katerih je zahtevana varna uporaba aplikacijskih protokolov, npr. MMS.
Predvidoma obstajajo izvedbe, zlasti izvedbe komunikacijskega protokola ICCP (Inter-Control Centre Communications Protocol), ki so odvisne od specifikacij T-profila in A-varnostnega profila iz standarda IEC TS 62351- 4:2007. Specifikacije iz standarda IEC TS 62351-4:2007 so zato vključene v ta del standarda IEC 62351. Izvedbe, ki podpirajo te specifikacije, se bodo lahko povezovale z izvedbami na podlagi standarda IEC TS 62351-4:2007.
OPOMBA: A-varnostni profil v strogem pomenu besede ni profil, ampak je izraz, ohranjen zaradi zgodovinskih razlogov.
Ta dokument predstavlja niz obveznih in neobveznih varnostnih specifikacij, ki jih je treba uporabiti za zaščito aplikacijskih protokolov.
Namembni uporabniki tega dokumenta so člani delovnih skupin, ki razvijajo ali uporabljajo protokole. Ukrepi, opisani v tem delu standarda IEC 62351, stopijo v veljavo, ko so sprejeti in sklicevani v samih specifikacijah protokolov.
Drugi uporabniki tega dokumenta so lahko tudi razvijalci izdelkov, ki uvajajo te protokole, in končni uporabnik, ki želi določiti zahteve za lastno okolje.
Deli tega dokumenta lahko pomagajo tudi direktorjem in vodjem pri razumevanju namena in zahtev dela.
General Information
Relations
Standards Content (Sample)
SLOVENSKI STANDARD
01-marec-2019
8SUDYOMDQMHHOHNWURHQHUJHWVNHJDVLVWHPDLQSULSDGDMRþDL]PHQMDYDLQIRUPDFLM
9DUQRVWSRGDWNRYLQNRPXQLNDFLMGHO3URILOLYNOMXþQR]006LQL]SHOMDQNDPL
Power systems management and associated information exchange - Data and
communications security - Part 4: Profiles including MMS and derivatives
Energiemanagementsysteme und zugehöriger Datenaustausch - IT-Sicherheit für Daten
und Kommunikation - Teil 4: Profile einschließlich MMS und Ableitungen
Gestion des systèmes de puissance et échanges d'informations associés - Sécurité des
communications et des données - Partie 4 : Profils comprenant MMS
Ta slovenski standard je istoveten z: EN IEC 62351-4:2018
ICS:
29.240.30 Krmilna oprema za Control equipment for electric
elektroenergetske sisteme power systems
35.240.50 Uporabniške rešitve IT v IT applications in industry
industriji
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
EUROPEAN STANDARD EN IEC 62351-4
NORME EUROPÉENNE
EUROPÄISCHE NORM
December 2018
ICS 33.200
English Version
Power systems management and associated information
exchange - Data and communications security - Part 4: Profiles
including MMS and derivatives
(IEC 62351-4:2018)
Gestion des systèmes de puissance et échanges Energiemanagementsysteme und zugehöriger
d'informations associés - Sécurité des communications et Datenaustausch - IT-Sicherheit für Daten und
des données - Partie 4 : Profils comprenant MMS Kommunikation - Teil 4: Profile einschließlich MMS und
(IEC 62351-4:2018) Ableitungen
(IEC 62351-4:2018)
This European Standard was approved by CENELEC on 2018-12-20. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden,
Switzerland, Turkey and the United Kingdom.
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2018 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN IEC 62351-4:2018 E
European foreword
The text of document 57/2032/FDIS, future edition 1 of IEC 62351-4, prepared by IEC/TC 57 "Power
systems management and associated information exchange" was submitted to the IEC-CENELEC
parallel vote and approved by CENELEC as EN IEC 62351-4:2018.
The following dates are fixed:
• latest date by which the document has to be implemented at national (dop) 2019-09-20
level by publication of an identical national standard or by endorsement
• latest date by which the national standards conflicting with the (dow) 2021-12-20
document have to be withdrawn
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
Endorsement notice
The text of the International Standard IEC 62351-4:2018 was approved by CENELEC as a European
Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standards
indicated:
IEC 60870-6-503:2014 NOTE Harmonized as EN 60870-6-503:2014 (not modified)
IEC 60870-6-702:2014 NOTE Harmonized as EN 60870-6-702:2014 (not modified)
IEC 60870-6-802:2014 NOTE Harmonized as EN 60870-6-802:2014 (not modified)
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1 Where an International Publication has been modified by common modifications, indicated by (mod), the relevant
EN/HD applies.
NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available here:
www.cenelec.eu.
Publication Year Title EN/HD Year
IEC/TS 62351-1 - Power systems management and associated - -
information exchange - Data and communications
security - Part 1: Communication network and
system security - Introduction to security issues
IEC/TS 62351-2 - Power systems management and associated - -
information exchange - Data and communications
security - Part 2: Glossary of terms
IEC 62351-3 2014 Power systems management and associated EN 62351-3 2014
information exchange - Data and communications
security - Part 3: Communication network and
system security - Profiles including TCP/IP
+A1 2018 +A1 2018
IEC/TS 62351-8 2011 Power systems management and associated - -
information exchange - Data and communications
security - Part 8: Role-based access control
IEC 62351-9 2017 Power systems management and associated EN 62351-9 2017
information exchange - Data and communications
security - Part 9: Cyber security key management for
power system equipment
ISO/IEC 8073 1997 Information technology - Open Systems - -
Interconnection - Protocol for providing the
connection-mode transport service
ISO/IEC 8823-1 1994 Information technology - Open Systems - -
Interconnection - Connection-oriented presentation
protocol: Protocol specification
ISO/IEC 8824-1 - Information technology - Abstract Syntax Notation - -
One (ASN.1): Specification of basic notation
ISO/IEC 8825-1 - Information technology - ASN.1 encoding rules: - -
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER)
ISO/IEC 8825-4 - Information technology - ASN.1 encoding rules: XML - -
Encoding Rules (XER)
ISO 8601 2004 Data elements and interchange formats - - -
Information interchange - Representation of dates
and times
ISO 9506-2 2003 Industrial automation systems - Manufacturing - -
Message Specification - Part 2: Protocol
specification
ISO/IEC 9594-8 - Information technology - Open Systems - -
Interconnection - The Directory - Part 8: Public-key
and attribute certificate frameworks
ITU-T - Information technology - Open Systems - -
Recommendation Interconnection - Connection-oriented protocol for
X.227 the Association Control Service Element: Protocol
specification
+ A1 - - -
IETF RFC 1006 1987 ISO Transport Service on top of the TCP, Version: 3 - -
IETF RFC 2104 1997 HMAC: Keyed-Hashing for Message Authentication - -
IETF RFC 3526 2003 More Modular Exponential (MODP) Diffie-Hellman - -
groups for Internet Key Exchange (IKE)
IETF RFC 5114 2003 Additional Diffie-Hellman Groups for Use with IETF - -
Standards
IETF RFC 5246 2008 The Transport Layer Security (TLS) Protocol Version - -
1.2
IETF RFC 5480 2009 Elliptic Curve Cryptography Subject Public Key - -
Information
IETF RFC 5639 2010 Elliptic Curve Cryptography (ECC) Brainpool - -
Standard Curves and Curve Generation
IETF RFC 5869 2010 HMAC-based Extract-and-Expand Key Derivation - -
Function
IETF RFC 6120 2011 Extensible Messaging and Presence Protocol - -
(XMPP): Core
IETF RFC 6122 2011 Extensible Messaging and Presence Protocol - -
(XMPP): Address Format
IEC 62351-4 ®
Edition 1.0 2018-11
INTERNATIONAL
STANDARD
colour
inside
Power systems management and associated information exchange – Data and
communications security –
Part 4: Profiles including MMS and derivatives
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS 33.200 ISBN 978-2-8322-6262-7
– 2 – IEC 62351-4:2018 © IEC 2018
CONTENTS
FOREWORD . 8
1 Scope . 10
1.1 General . 10
1.2 Code components . 11
2 Normative references . 11
3 Terms, definitions and abbreviated terms . 12
3.1 General . 12
3.2 Terms and definitions . 13
3.3 Abbreviated terms . 16
4 Security issues addressed by this part of IEC 62351 . 17
4.1 Communications reference models . 17
4.2 Security for application and transport profiles . 18
4.3 Compatibility and native modes. 19
4.4 Security threats countered . 19
4.4.1 General . 19
4.4.2 Threats countered in compatibility mode . 20
4.4.3 Threats countered in native mode . 20
4.5 Attack methods countered . 20
4.5.1 General . 20
4.5.2 Attacks countered in compatibility mode . 20
4.5.3 Attacks countered in native mode . 20
4.6 Logging . 21
5 Specific requirements . 21
5.1 Specific requirements for ICCP/IEC 60870-6-x communication stack . 21
5.2 Specific requirements for IEC 61850 . 22
6 Transport Security . 22
6.1 General . 22
6.2 Application of transport layer security (TLS) . 22
6.2.1 General . 22
6.2.2 The TLS cipher suite concept . 23
6.2.3 TLS session resumption . 23
6.2.4 TLS session renegotiation . 23
6.2.5 Supported number of trust anchors . 23
6.2.6 Public-key certificate size . 23
6.2.7 Evaluation period for revocation state of public-key certificates . 23
6.2.8 Public-key certificate validation . 24
6.2.9 Security events handling . 24
6.3 T-security in an OSI operational environment . 24
6.3.1 General . 24
6.3.2 TCP ports . 24
6.3.3 Disabling of TLS . 25
6.3.4 TLS cipher suites support . 25
6.4 T-security in an XMPP operational environment . 26
7 Application layer security overview (informative) .
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.