Power systems management and associated information exchange - Data and communication security - Part 100-4: Cybersecurity conformance testing for IEC 62351-4

IEC TS 62351-100-4:2023, which is a technical specification, describes test procedures for interoperability conformance testing of data and communication security for power system automation and protection systems which implement MMS, IEC 61850-8-1 (MMS), IEC 61850-8-2 (XMPP) or any other protocol implementing IEC 62351-4:2018/AMD1:2020. The tests described in this document cover only E2E security testing and do not evaluate A-security profile implementation. Thus, citing conformance to this document does not imply that any particular security level has been achieved by the corresponding product, or by the system in which it is used.
The goal of this document is to enable interoperability by providing a standard method of testing protocol implementations, but it does not guarantee the full interoperability of devices. It is expected that using this document during testing will minimize the risk of non interoperability. Additional testing and assurance measures will be required to verify that a particular implementation of IEC 62351-4:2018/AMD1:2020 has correctly implemented all the security functions and that they can be assured to be present in the delivered products. This topic is covered in other IEC standards, for example IEC 62443.
The scope of this document is to specify available common procedures and definitions for conformance and/or interoperability testing of IEC 62351-4:2018/AMD1:2020.
This document deals mainly with cyber security conformance testing; therefore, other requirements, such as safety or EMC are not covered. These requirements are covered by other standards (if applicable) and the proof of compliance for these topics is done according to these standards.
T-profile testing is to be performed prior to E2E security profile testing. T-profile testing is described in IEC 62351-100-3 in the context of IEC 61850-8-1. T-profile testing for IEC 61850-8-2 is to be described in the corresponding IEC 61850-8-2 test specification.

General Information

Status
Published
Publication Date
26-Nov-2023
Current Stage
PPUB - Publication issued
Start Date
20-Jul-2023
Completion Date
27-Nov-2023
Ref Project

Buy Standard

Technical specification
IEC TS 62351-100-4:2023 - Power systems management and associated information exchange - Data and communication security - Part 100-4: Cybersecurity conformance testing for IEC 62351-4 Released:27. 11. 2023
English language
109 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)


IEC TS 62351-100-4 ®
Edition 1.0 2023-11
TECHNICAL
SPECIFICATION
colour
inside
Power systems management and associated information exchange – Data and
communication security –
Part 100-4: Cybersecurity conformance testing for IEC 62351-4

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.

IEC Secretariat Tel.: +41 22 919 02 11
3, rue de Varembé info@iec.ch
CH-1211 Geneva 20 www.iec.ch
Switzerland
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigendum or an amendment might have been published.

IEC publications search - webstore.iec.ch/advsearchform IEC Products & Services Portal - products.iec.ch
The advanced search enables to find IEC publications by a Discover our powerful search engine and read freely all the
variety of criteria (reference number, text, technical publications previews. With a subscription you will always have
committee, …). It also gives information on projects, replaced access to up to date content tailored to your needs.
and withdrawn publications.
Electropedia - www.electropedia.org
IEC Just Published - webstore.iec.ch/justpublished
The world's leading online dictionary on electrotechnology,
Stay up to date on all new IEC publications. Just Published
containing more than 22 300 terminological entries in English
details all new publications released. Available online and once
and French, with equivalent terms in 19 additional languages.
a month by email.
Also known as the International Electrotechnical Vocabulary

(IEV) online.
IEC Customer Service Centre - webstore.iec.ch/csc

If you wish to give us your feedback on this publication or need
further assistance, please contact the Customer Service
Centre: sales@iec.ch.
IEC TS 62351-100-4 ®
Edition 1.0 2023-11
TECHNICAL
SPECIFICATION
colour
inside
Power systems management and associated information exchange – Data and

communication security –
Part 100-4: Cybersecurity conformance testing for IEC 62351-4

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS 33.200  ISBN 978-2-8322-7903-8

– 2 – IEC TS 62351-100-4:2023 © IEC 2023
CONTENTS
FOREWORD . 6
INTRODUCTION . 8
1 Scope . 9
2 Normative references . 9
3 Terms, definitions, and abbreviated terms . 10
3.1 Terms and definitions. 10
3.2 Abbreviated terms . 11
4 Application structure and information flow. 11
4.1 Overview . 11
4.2 Application entity structure . 12
4.3 Relationship to test structure . 13
5 General . 14
5.1 General guidelines . 14
5.2 Test methodology . 14
5.2.1 General . 14
5.2.2 Normal procedure tests and resiliency tests . 14
5.2.3 SubClass descriptions . 14
5.3 Conformance testing requirements . 15
5.3.1 Testing within the context of an application. 15
5.3.2 Requirements for the device under test . 15
5.3.3 Requirements for the test facility . 15
5.3.4 Test Validation . 16
5.4 PICS . 16
5.5 PIXIT . 17
5.6 Tests cases . 18
6 E2E conformity testing in an OSI environment . 22
6.1 Conformance tables for E2E OSI-security profile . 22
6.2 E2E Test Procedures for OSI environment . 25
6.2.1 Association Management . 25
6.2.2 Clear Data Transfer . 29
6.2.3 Encrypted Data Transfer . 31
6.2.4 Rekey . 34
7 E2E conformity testing in the XMPP environment . 38
7.1 Conformance tables for E2E-XMPP security profile . 38
7.2 E2E Test Procedures for XMPP environment . 41
7.2.1 Association Management . 41
7.2.2 Clear Data Transfer . 44
7.2.3 Encrypted Data Transfer . 45
7.2.4 Rekey . 46
8 E2E Resiliency test procedures . 49
8.1 General . 49
8.2 Association Management Resiliency Testing . 50
8.3 Clear Data Transfer Resiliency . 59
8.4 Encrypted Data Transfer Resiliency . 64
9 E2E security subclass (SecPDU) . 68
9.1 E2E Handshake request subclass . 68

9.2 E2E handshake accept subclass . 71
9.3 E2E Application reject subclass . 74
9.4 E2E Handshake reject subclass . 76
9.5 E2E Handshake security abort subclass . 78
9.6 E2E Data transfer security abort subclass . 80
9.7 E2E Abort by protected protocol subclass . 82
9.8 E2E Clear data transfer subclass . 84
9.9 E2E Encrypted data transfer subclass . 88
9.10 E2E Association release request subclass . 92
9.11 E2E Association release response subclass . 94
10 OSI subclass (EnvPDU) . 96
10.1 OSI association request subclass . 96
10.2 OSI association response subclass . 98
10.3 OSI abort subclass . 100
10.4 OSI clear data transfer subclass . 103
10.5 OSI encrypted data transfer subclass. 103
10.6 OSI release request subclass . 104
10.7 OSI release response subclass . 104
11 XMPP subclass (EnvPDU) . 105
11.1 XMPP IQ stanza subclass . 105
11.2 XMPP message stanza subclass . 108
11.3 XMPP error subclass . 109

Figure 1 – Application entity structure and information flow . 12
Figure 2 – Relationships between APDUs . 12
Figure 3 – Structure for test specifications . 13

Table 1 – PIXIT for Base Profile . 17
Table 2 – PIXIT for Secure Communication. 18
Table 3 – IEC 62351-4:2018/AMD1:2020 E2E Compliancy Testing (IEC 61850-8-1 and
ICCP) . 19
Table 4 – IEC 62351-4:2018/AMD1:2020 E2E Compliancy Testing (IEC 61850-8-2) . 21
Table 5 – Base Profile – E2E Security . 23
Table 6 – Protocol Handshake – E2E Security . 23
Table 7 – IEC 61850 Application Association – E2E Security . 23
Table 8 – OSI EnvPDU Supported – E2E Security . 23
Table 9 – OSI EnvPDU Subclass Supported – E2E Security . 23
Table 10 – E2E SecPDU Subclass Supported . 24
Table 11 – OSI Mode of encryption – E2E Security . 24
Table 12 – Cryptographic algorithms – E2E Security . 24
Table 13 – ASN.1 Objects – E2E Security . 25
Table 14 – Verification of Client handshake request procedure in OSI environment . 26
Table 15 – Verification of Server handshake request procedure in OSI environment . 27
Table 16 – Handshake request resiliency procedure in OSI environment – Client . 28
Table 17 – Handshake request resiliency procedure in OSI environment – Server . 29

– 4 – IEC TS 62351-100-4:2023 © IEC 2023
Table 18 – Verification of requirements for OSI environment security – Clear Data
transfer . 30
Table 19 – Clear Data Transfer resiliency procedure in OSI environment – Client . 30
Table 20 – Clear Data Transfer resiliency procedure in OSI environment – Server . 31
Table 21 – Verification of requirements for OSI environment security – Encrypted data

transfer . 32
Table 22 – Resiliency testing for client – Encrypted data transfer . 33
Table 23 – Resiliency testing for server – Encrypted data transfer .
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.