Power systems management and associated information exchange - Data and communications security - Part 9: Cyber security key management for power system equipment

IEC 62351-9:2023 specifies cryptographic key management, primarily focused on the management of long-term keys, which are most often asymmetric key pairs, such as public-key certificates and corresponding private keys. As certificates form the base, this document builds a foundation for many IEC 62351 services (see also Annex A). Symmetric key management is also considered, but only with respect to session keys for group-based communication as applied in IEC 62351-6. The objective of this document is to define requirements and technologies to achieve interoperability of key management by specifying or limiting the key management options to be used.
This document assumes that an organization (or group of organizations) has defined a security policy to select the type of keys and cryptographic algorithms that will be utilized, which may have to align with other standards or regulatory requirements. This document therefore specifies only the management techniques for these selected key and cryptography infrastructures. This document assumes that the reader has a basic understanding of cryptography and key management principles.
The requirements for the management of pairwise symmetric (session) keys in the context of communication protocols are specified in the parts of IEC 62351 utilizing or specifying pairwise communication, such as:
• IEC 62351-3 for TLS by profiling the TLS options
• IEC 62351-4 for the application layer end-to-end security
• IEC TS 62351-5 for the application layer security mechanism for IEC 60870-5-101/104 and IEEE 1815 (DNP3)
The requirements for the management of symmetric group keys in the context of power system communication protocols are specified in IEC 62351-6 for the use of group security to protect GOOSE and SV communication. IEC 62351-9 utilizes GDOI, a group-based key management protocol already specified by the IETF, to manage the group security parameter and enhances this protocol to carry the security parameter for GOOSE, SV, and PTP.
This document also defines security events for specific conditions which could identify issues which might require error handling. However, the actions of the organization in response to these error conditions are beyond the scope of this document and are expected to be defined by the organization's security policy.
In the future, as public-key cryptography becomes endangered by the evolution of quantum computers, this document will also consider post-quantum cryptography to a certain extent. Note that at this time no specific measures are provided.
This second edition cancels and replaces the first edition published in 2017. This edition constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous edition:
a) Certificate components and verification of the certificate components have been added;
b) GDOI has been updated to include findings from interop tests;
c) GDOI operation considerations have been added;
d) GDOI support for PTP (IEEE 1588) has been added as specified by IEC/IEEE 61850-9-3 Power Profile;
e) Cyber security event logging has been added as well as the mapping to IEC 62351-14;
f) Annex B with background on utilized cryptographic algorithms and mechanisms has been added.

General Information

Status: Published
Publication Date: 27-Jul-2023
Current Stage: 6060 - Document made available - Publishing
Start Date: 28-Jul-2023
Completion Date: 28-Jul-2023

Standard
EN IEC 62351-9:2023 - BARVE
English language
147 pages

Standards Content (Sample)


SLOVENIAN STANDARD
01-October-2023
Power systems management and associated information exchange - Data and communications security - Part 9: Cyber security key management for power system equipment (IEC 62351-9:2023)
This Slovenian standard is identical to: EN IEC 62351-9:2023
ICS:
29.240.30 Control equipment for electric power systems
35.030 IT Security
35.240.50 IT applications in industry
2003-01. Slovenian Institute for Standardization. Reproduction of all or part of this standard is not permitted.

EUROPEAN STANDARD EN IEC 62351-9
July 2023
ICS 33.200
Supersedes EN 62351-9:2017
English Version
Power systems management and associated information exchange - Data and communications security - Part 9: Cyber security key management for power system equipment (IEC 62351-9:2023)
This European Standard was approved by CENELEC on 2023-07-11. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Türkiye and the United Kingdom.

European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2023 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN IEC 62351-9:2023 E

European foreword
The text of document 57/2579/FDIS, future edition 2 of IEC 62351-9, prepared by IEC/TC 57 "Power
systems management and associated information exchange" was submitted to the IEC-CENELEC
parallel vote and approved by CENELEC as EN IEC 62351-9:2023.
The following dates are fixed:
• latest date by which the document has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2024-04-11
• latest date by which the national standards conflicting with the document have to be withdrawn (dow): 2026-07-11
This document supersedes EN 62351-9:2017 and all of its amendments and corrigenda (if any).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
This document has been prepared under a standardization request addressed to CENELEC by the
European Commission. The Standing Committee of the EFTA States subsequently approves these
requests for its Member States.
Any feedback and questions on this document should be directed to the users’ national committee. A
complete listing of these bodies can be found on the CENELEC website.
Endorsement notice
The text of the International Standard IEC 62351-9:2023 was approved by CENELEC as a European
Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standard indicated:
ISO/IEC 19790:2012 NOTE Approved as EN ISO/IEC 19790:2020 (not modified)
IEC 62351-8 NOTE Approved as EN IEC 62351-8
ISO/IEC 19790 NOTE Approved as EN ISO/IEC 19790
IEC 62443-3-3 NOTE Approved as EN IEC 62443-3-3
IEC 62443-4-2 NOTE Approved as EN IEC 62443-4-2
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1  Where an International Publication has been modified by common modifications, indicated by (mod),
the relevant EN/HD applies.
NOTE 2  Up-to-date information on the latest versions of the European Standards listed in this annex is available
here: www.cencenelec.eu.
| Publication | Year | Title | EN/HD | Year |
|---|---|---|---|---|
| IEC/TS 62351-2 | - | Power systems management and associated information exchange - Data and communications security - Part 2: Glossary of terms | - | - |
| IEC 62351-3 | 2023 | Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP | - | - |
| IEC 62351-4 | - | Power systems management and associated information exchange - Data and communications security - Part 4: Profiles including MMS and derivatives | EN IEC 62351-4 | - |
| IEC 62351-5 | - | Power systems management and associated information exchange - Data and communications security - Part 5: Security for IEC 60870-5 and derivatives | EN IEC 62351-5 | - |
| IEC 62351-6 | - | Power systems management and associated information exchange - Data and communications security - Part 6: Security for IEC 61850 | EN IEC 62351-6 | - |
| IEC 62351-14 | — | Power systems management and associated information exchange - Data and communications security - Part 14: Cyber security event logging | - | - |
| ISO/IEC 9594-8 | 2020 | Information technology - Open systems interconnection - Part 8: The Directory: Public-key and attribute certificate frameworks | - | - |
| ISO/IEC 9594-11 | 2020 | Information technology - Open systems interconnection directory - Part 11: Protocol specifications for secure operations | - | - |
| ISO/IEC 9834-1 | 2012 | Information technology - Procedures for the operation of object identifier registration authorities: General procedures and top arcs of the international object identifier tree | - | - |
| IETF RFC 5272 | - | Certificate Management over CMS (CMC) | - | - |
| IETF RFC 5755 | - | An Internet Attribute Certificate Profile for Authorization | - | - |
| IETF RFC 5934 | - | Trust Anchor Management Protocol (TAMP) | - | - |
| IETF RFC 6407 | - | The Group Domain of Interpretation | - | - |
| IETF RFC 6960 | - | X.509 - Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP | - | - |
| IETF RFC 7030 | - | Enrolment over Secure Transport | - | - |
| IETF RFC 8052 | - | Group Domain of Interpretation (GDOI) Protocol Support for IEC 62351 Security | - | - |
| IETF RFC 8263 | - | Group Domain of Interpretation (GDOI) GROUPKEY-PUSH Acknowledgement Message | - | - |
| IETF RFC 8894 | - | Simple Certificate Enrolment Protocol | - | - |

Under preparation. Stage at the time of publication: IEC/ACDV 62351-14:2023.

IEC 62351-9
Edition 2.0 2023-06
INTERNATIONAL STANDARD
Power systems management and associated information exchange – Data and communications security – Part 9: Cyber security key management for power system equipment
INTERNATIONAL ELECTROTECHNICAL COMMISSION
ICS 33.200 ISBN 978-2-8322-6950-3

CONTENTS
FOREWORD
1 Scope
2 Normative references
3 Terms, definitions, and abbreviations
3.1 Terms and definitions
3.2 Abbreviations and acronyms
4 Security concepts applicable to power systems
4.1 General
4.2 Security objectives
4.2.1 Confidentiality
4.2.2 Data integrity
4.2.3 Authentication
4.2.4 Non-repudiation
4.3 Cryptographic algorithms and concepts
5 Key establishment and management techniques
5.1 General
5.2 Key management lifecycle
5.2.1 Key management in the life cycle of a device
5.2.2 Lifecycle of a cryptographic key
5.3 Cryptographic key usages
5.4 Key management system security policy
5.5 Key management design principles for power system operations
5.6 Establishment of symmetric keys
5.6.1 Overview
5.6.2 The Diffie-Hellman key agreement method
5.6.3 Key derivation function (KDF) method
5.6.4 Group key management
5.7 Trust supported by public-key infrastructures (PKI) and privilege management infrastructures (PMI)
5.7.1 General
5.7.2 Registration authorities (RA)
5.7.3 Certification authority (CA)
5.7.4 Public-key certificates
5.7.5 Attribute certificates
5.7.6 Public-key certificate and attribute certificate extensions
5.8 Certificate management of public-key certificates
5.8.1 Certificate management process
5.8.2 Initial certificate creation
5.8.3 Onboarding of an entity
5.8.4 Enrolment of an entity
5.8.5 Certificate signing request (CSR) processing
...
