IEC 62351-9:2017
(Main)Power systems management and associated information exchange - Data and communications security - Part 9: Cyber security key management for power system equipment
Power systems management and associated information exchange - Data and communications security - Part 9: Cyber security key management for power system equipment
IEC 62351-9:2017 specifies cryptographic key management, namely how to generate, distribute, revoke, and handle public-key certificates and cryptographic keys to protect digital data and its communication. Included in the scope is the handling of asymmetric keys (e.g. private keys and public-key certificates), as well as symmetric keys for groups (GDOI). This document assumes that other standards have already chosen the type of keys and cryptography that will be utilized, since the cryptography algorithms and key materials chosen will be typically mandated by an organization’s own local security policies and by the need to be compliant with other international standards. This document therefore specifies only the management techniques for these selected key and cryptography infrastructures. The objective is to define requirements and technologies to achieve interoperability of key management. The purpose of this document is to guarantee interoperability among different vendors by specifying or limiting key management options to be used. This document assumes that the reader understands cryptography and PKI principles.
Gestion des systèmes de puissance et échanges d'informations associés – Sécurité des communications et des données – Partie 9: Gestion de clé de cybersécurité des équipements de système de puissance
IEC 62351-9:2017 porte sur la gestion de clé cryptographique, c'est-à-dire sur la manière de générer, distribuer, révoquer et manipuler les certificats de clé publique et les clés cryptographiques pour protéger les données numériques et leurs communications. La manipulation des clés asymétriques (les clés privées et les certificats de clé publique, par exemple) et les clés symétriques pour les groupes (GDOI) font également partie du domaine d'application de la présente norme.
La présente partie de l'IEC 62351 part du principe que d'autres normes ont déjà choisi le type de clés et la cryptographie qui seront utilisés, dans la mesure où les algorithmes de cryptographie et les supports de clé choisis sont en principe liés aux politiques de sécurité locales propres à une organisation et à la nécessité de satisfaire aux autres normes internationales. Le présent document spécifie donc uniquement les techniques de gestion de ces infrastructures de clé et de cryptographie sélectionnées. Il s'agit de définir les exigences et les technologies permettant d'assurer l'interopérabilité de la gestion de clé.
La présente partie de l'IEC 62351 a pour objet de garantir l'interopérabilité entre les différents fournisseurs en spécifiant ou limitant les options de gestion de clé à utiliser. Le présent document part du principe que le lecteur comprend les principes de cryptographie et d'infrastructure à clés publiques.
General Information
Relations
Buy Standard
Standards Content (Sample)
IEC 62351-9 ®
Edition 1.0 2017-05
INTERNATIONAL
STANDARD
colour
inside
Power systems management and associated information exchange – Data and
communications security –
Part 9: Cyber security key management for power system equipment
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.
IEC Central Office Tel.: +41 22 919 02 11
3, rue de Varembé Fax: +41 22 919 03 00
CH-1211 Geneva 20 info@iec.ch
Switzerland www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.
About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.
IEC Catalogue - webstore.iec.ch/catalogue Electropedia - www.electropedia.org
The stand-alone application for consulting the entire The world's leading online dictionary of electronic and
bibliographical information on IEC International Standards, electrical terms containing 20 000 terms and definitions in
Technical Specifications, Technical Reports and other English and French, with equivalent terms in 16 additional
documents. Available for PC, Mac OS, Android Tablets and languages. Also known as the International Electrotechnical
iPad. Vocabulary (IEV) online.
IEC publications search - www.iec.ch/searchpub IEC Glossary - std.iec.ch/glossary
The advanced search enables to find IEC publications by a 65 000 electrotechnical terminology entries in English and
variety of criteria (reference number, text, technical French extracted from the Terms and Definitions clause of
committee,…). It also gives information on projects, replaced IEC publications issued since 2002. Some entries have been
and withdrawn publications. collected from earlier publications of IEC TC 37, 77, 86 and
CISPR.
IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published IEC Customer Service Centre - webstore.iec.ch/csc
details all new publications released. Available online and If you wish to give us your feedback on this publication or
also once a month by email. need further assistance, please contact the Customer Service
Centre: csc@iec.ch.
IEC 62351-9 ®
Edition 1.0 2017-05
INTERNATIONAL
STANDARD
colour
inside
Power systems management and associated information exchange – Data and
communications security –
Part 9: Cyber security key management for power system equipment
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS 33.200 ISBN 978-2-8322-4220-9
– 2 – IEC 62351-9:2017 © IEC 2017
CONTENTS
FOREWORD . 6
1 Scope . 8
2 Normative references . 8
3 Terms and definitions . 9
4 Abbreviations and acronyms . 14
5 Cryptographic applications for power system implementations . 15
5.1 Cryptography, cryptographic keys, and security objectives . 15
5.2 Types of cryptography . 16
5.3 Uses of cryptography . 16
5.3.1 Goals of cyber security . 16
5.3.2 Confidentiality . 17
5.3.3 Data integrity . 17
5.3.4 Authentication. 18
5.3.5 Non-repudiation . 18
5.3.6 Trust . 18
6 Key management concepts and methods in power system operations . 19
6.1 Key management system security policy . 19
6.2 Key management design principles for power system operations . 19
6.3 Use of Transport Layer Security (TLS) . 19
6.4 Cryptographic key usages . 19
6.5 Trust using a public-key infrastructure (PKI). 20
6.5.1 Registration authorities (RA) . 20
6.5.2 Certification authority (CA) . 20
6.5.3 Public-key certificates . 20
6.5.4 Attribute certificates . 21
6.5.5 Public-key certificate and attribute certificate extensions . 21
6.6 Trust via non-PKI self-signed certificates . 22
6.7 Authorization and validation lists . 22
6.7.1 General . 22
6.7.2 AVLs in non-constrained environments . 23
6.7.3 AVLs in constrained environments . 23
6.7.4 Use of self-signed public-key certificates in AVLs . 23
6.8 Trust via pre-shared keys. 23
6.9 Session keys . 24
6.10 Protocols used in trust establishment . 24
6.10.1 Certification request . 24
6.10.2 Trust Anchor Management Protocol (TAMP) . 24
6.10.3 Simple Certificate Enrolment Protocol (SCEP) . 24
6.10.4 Internet X.509 PKI Certificate Management Protocol (CMP) . 24
6.10.5 Certificate Management over CMS (CMC) . 25
6.10.6 Enrolment over Secure Transport (EST) . 25
6.10.7 Summary view on the different protocols . 25
6.11 Group keys . 26
6.11.1 Purpose of group keys . 26
6.11.2 Group Domain of Interpretation (GDOI) . 26
6.12 Key management lifecycle . 31
6.12.1 Key management in the life cycle of an entity . 31
6.12.2 Cryptographic key lifecycle . 32
6.13 Certificate management processes . 34
6.13.1 Certificate management process . 34
6.13.2 Initial certificate creation . 34
6.13.3 Enrolment of an entity . 34
6.13.4 Certificate signing request (CSR) process . 36
6.13.5 Certificate revocation lists (CRLs) . 37
6.13.6 Online certificate status protocol (OCSP) . 38
6.13.7 Server-based certificate validation protocol (SCVP) . 41
6.13.8 Short-lived certificates . 41
6.13.9 Certificate renewal . 42
6.14 Alternative process for asymmetric keys generated outside the entity . 43
6.15 Key distribution for symmetric keys with different time frames . 44
7 General key management requirements . 44
7.1 Asymmetric and symmetric key management requirements . 44
7.2 Required cryptographic materials . 44
7.3 Public-Key certificates requirements . 45
7.4 Cryptographic key protection. 45
7.5 Use of existing security key management infrastructure . 45
7.6 Use of object identifiers . 45
8 Asymmetric key management . 45
8.1 Certificate generation and installation . 45
8.1.1 Private and public key generation and installation. 45
8.1.2 Private and public key renewal . 46
8.1.3 Random Number Generation . 46
8.1.4 Certificate policy . 46
8.1.5 Entity registration for identity establishment . 46
8.1.6 Entity configuration . 47
8.1.7 Entity enrolment . 47
8.1.8 Trust anchor information update . 48
8.2 Public-key certificate revocation . 49
8.3 Certificate validity . 49
8.3.1 Validity of certificates . 49
8.3.2 Certificate revocation . 50
8.3.3 Certificate revocation status checking . 50
8.3.4 Handling of authorization and validation lists (AVLs) . 50
8.4 Certificate expiration and renewal . 55
8.5 Secured Time Synchronization . 55
9 Symmetric key management . 56
9.1 Group based key management (GDOI) . 56
9.1.1 GDOI requirements . 56
9.1.2 Internet Key Exchange Version 1 (IKEv1) . 56
9.1.3 Phase 1 IKEv1 main mode exchange type 2 . 57
9.1.4 Phase 1/2 ISAKMP informational exchange type 5 . 60
9.1.5 Phase 2 GDOI GROUPKEY-PULL exchange type 32 . 62
9.1.6 GROUPKEY-PULL group key download exchange . 70
10 Connections to the IEC 62351 parts and other IEC documents . 71
– 4 – IEC 62351-9:2017 © IEC 2017
Annex A (normative) Protocol Implementation Conformance Statement (PICS) . 73
Annex B (informative) Random Number Generation (RNG) .
...
IEC 62351-9 ®
Edition 1.0 2017-05
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
colour
inside
Power systems management and associated information exchange – Data and
communications security –
Part 9: Cyber security key management for power system equipment
Gestion des systèmes de puissance et échanges d’informations associés –
Sécurité des communications et des données –
Partie 9: Gestion de clé de cybersécurité des équipements de système de
puissance
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.
Droits de reproduction réservés. Sauf indication contraire, aucune partie de cette publication ne peut être reproduite
ni utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie
et les microfilms, sans l'accord écrit de l'IEC ou du Comité national de l'IEC du pays du demandeur. Si vous avez des
questions sur le copyright de l'IEC ou si vous désirez obtenir des droits supplémentaires sur cette publication, utilisez
les coordonnées ci-après ou contactez le Comité national de l'IEC de votre pays de résidence.
IEC Central Office Tel.: +41 22 919 02 11
3, rue de Varembé Fax: +41 22 919 03 00
CH-1211 Geneva 20 info@iec.ch
Switzerland www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.
About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.
IEC Catalogue - webstore.iec.ch/catalogue Electropedia - www.electropedia.org
The stand-alone application for consulting the entire The world's leading online dictionary of electronic and
bibliographical information on IEC International Standards, electrical terms containing 20 000 terms and definitions in
Technical Specifications, Technical Reports and other English and French, with equivalent terms in 16 additional
documents. Available for PC, Mac OS, Android Tablets and languages. Also known as the International Electrotechnical
iPad. Vocabulary (IEV) online.
IEC publications search - www.iec.ch/searchpub IEC Glossary - std.iec.ch/glossary
The advanced search enables to find IEC publications by a 65 000 electrotechnical terminology entries in English and
variety of criteria (reference number, text, technical French extracted from the Terms and Definitions clause of
committee,…). It also gives information on projects, replaced IEC publications issued since 2002. Some entries have been
and withdrawn publications. collected from earlier publications of IEC TC 37, 77, 86 and
CISPR.
IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published IEC Customer Service Centre - webstore.iec.ch/csc
details all new publications released. Available online and If you wish to give us your feedback on this publication or
also once a month by email. need further assistance, please contact the Customer Service
Centre: csc@iec.ch.
A propos de l'IEC
La Commission Electrotechnique Internationale (IEC) est la première organisation mondiale qui élabore et publie des
Normes internationales pour tout ce qui a trait à l'électricité, à l'électronique et aux technologies apparentées.
A propos des publications IEC
Le contenu technique des publications IEC est constamment revu. Veuillez vous assurer que vous possédez l’édition la
plus récente, un corrigendum ou amendement peut avoir été publié.
Catalogue IEC - webstore.iec.ch/catalogue Electropedia - www.electropedia.org
Application autonome pour consulter tous les renseignements
Le premier dictionnaire en ligne de termes électroniques et
bibliographiques sur les Normes internationales,
électriques. Il contient 20 000 termes et définitions en anglais
Spécifications techniques, Rapports techniques et autres
et en français, ainsi que les termes équivalents dans 16
documents de l'IEC. Disponible pour PC, Mac OS, tablettes
langues additionnelles. Egalement appelé Vocabulaire
Android et iPad.
Electrotechnique International (IEV) en ligne.
Recherche de publications IEC - www.iec.ch/searchpub
Glossaire IEC - std.iec.ch/glossary
La recherche avancée permet de trouver des publications IEC 65 000 entrées terminologiques électrotechniques, en anglais
en utilisant différents critères (numéro de référence, texte, et en français, extraites des articles Termes et Définitions des
comité d’études,…). Elle donne aussi des informations sur les publications IEC parues depuis 2002. Plus certaines entrées
projets et les publications remplacées ou retirées. antérieures extraites des publications des CE 37, 77, 86 et
CISPR de l'IEC.
IEC Just Published - webstore.iec.ch/justpublished
Service Clients - webstore.iec.ch/csc
Restez informé sur les nouvelles publications IEC. Just
Published détaille les nouvelles publications parues. Si vous désirez nous donner des commentaires sur cette
Disponible en ligne et aussi une fois par mois par email. publication ou si vous avez des questions contactez-nous:
csc@iec.ch.
IEC 62351-9 ®
Edition 1.0 2017-05
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
colour
inside
Power systems management and associated information exchange – Data and
communications security –
Part 9: Cyber security key management for power system equipment
Gestion des systèmes de puissance et échanges d’informations associés –
Sécurité des communications et des données –
Partie 9: Gestion de clé de cybersécurité des équipements de système de
puissance
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
INTERNATIONALE
ICS 33.200 ISBN 978-2-8322-5199-7
– 2 – IEC 62351-9:2017 © IEC 2017
CONTENTS
CONTENTS . 2
FOREWORD . 6
1 Scope . 8
2 Normative references . 8
3 Terms and definitions . 9
4 Abbreviations and acronyms . 15
5 Cryptographic applications for power system implementations . 16
5.1 Cryptography, cryptographic keys, and security objectives . 16
5.2 Types of cryptography . 16
5.3 Uses of cryptography . 17
5.3.1 Goals of cyber security . 17
5.3.2 Confidentiality . 18
5.3.3 Data integrity . 18
5.3.4 Authentication. 18
5.3.5 Non-repudiation . 18
5.3.6 Trust . 18
6 Key management concepts and methods in power system operations . 19
6.1 Key management system security policy . 19
6.2 Key management design principles for power system operations . 19
6.3 Use of Transport Layer Security (TLS) . 20
6.4 Cryptographic key usages . 20
6.5 Trust using a public-key infrastructure (PKI). 20
6.5.1 Registration authorities (RA) . 20
6.5.2 Certification authority (CA) . 20
6.5.3 Public-key certificates . 21
6.5.4 Attribute certificates . 21
6.5.5 Public-key certificate and attribute certificate extensions . 22
6.6 Trust via non-PKI self-signed certificates . 22
6.7 Authorization and validation lists . 23
6.7.1 General . 23
6.7.2 AVLs in non-constrained environments . 23
6.7.3 AVLs in constrained environments . 23
6.7.4 Use of self-signed public-key certificates in AVLs . 24
6.8 Trust via pre-shared keys. 24
6.9 Session keys . 24
6.10 Protocols used in trust establishment . 24
6.10.1 Certification request . 24
6.10.2 Trust Anchor Management Protocol (TAMP) . 25
6.10.3 Simple Certificate Enrolment Protocol (SCEP) . 25
6.10.4 Internet X.509 PKI Certificate Management Protocol (CMP) . 25
6.10.5 Certificate Management over CMS (CMC) . 25
6.10.6 Enrolment over Secure Transport (EST) . 25
6.10.7 Summary view on the different protocols . 26
6.11 Group keys . 26
6.11.1 Purpose of group keys . 26
6.11.2 Group Domain of Interpretation (GDOI) . 27
6.12 Key management lifecycle . 31
6.12.1 Key management in the life cycle of an entity . 31
6.12.2 Cryptographic key lifecycle . 32
6.13 Certificate management processes . 34
6.13.1 Certificate management process . 34
6.13.2 Initial certificate creation . 34
6.13.3 Enrolment of an entity . 34
6.13.4 Certificate signing request (CSR) process . 36
6.13.5 Certificate revocation lists (CRLs) . 37
6.13.6 Online certificate status protocol (OCSP) . 38
6.13.7 Server-based certificate validation protocol (SCVP) . 41
6.13.8 Short-lived certificates . 41
6.13.9 Certificate renewal . 42
6.14 Alternative process for asymmetric keys generated outside the entity . 43
6.15 Key distribution for symmetric keys with different time frames . 44
7 General key management requirements . 44
7.1 Asymmetric and symmetric key management requirements . 44
7.2 Required cryptographic materials . 44
7.3 Public-Key certificates requirements . 45
7.4 Cryptographic key protection. 45
7.5 Use of existing security key management infrastructure . 45
7.6 Use of object identifiers .
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.