IEC TS 62351-100-3:2020

IEC TS 62351-100-3
Edition 1.0 2020-01
TECHNICAL
SPECIFICATION
colour
inside
Power systems management and associated information exchange – Data and
communications security –
Part 100-3: Conformance test cases for IEC 62351-3, the secure communication
extension for profiles including TCP/IP
IEC TS 62351-100-3:2020-01(en)
---------------------- Page: 1 ----------------------
THIS PUBLICATION IS COPYRIGHT PROTECTED
Copyright © 2020 IEC, Geneva, Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form

or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from

either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC

copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or

The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes

The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the

IEC publications search - webstore.iec.ch/advsearchform Electropedia - www.electropedia.org

The advanced search enables to find IEC publications by a The world's leading online dictionary on electrotechnology,

variety of criteria (reference number, text, technical containing more than 22 000 terminological entries in English

committee,…). It also gives information on projects, replaced and French, with equivalent terms in 16 additional languages.

and withdrawn publications. Also known as the International Electrotechnical Vocabulary

Stay up to date on all new IEC publications. Just Published IEC Glossary - std.iec.ch/glossary

details all new publications released. Available online and 67 000 electrotechnical terminology entries in English and

once a month by email. French extracted from the Terms and Definitions clause of

IEC Customer Service Centre - webstore.iec.ch/csc collected from earlier publications of IEC TC 37, 77, 86 and

Warning! Make sure that you obtained this publication from an authorized distributor.

FOREWORD ........................................................................................................................... 3

INTRODUCTION ..................................................................................................................... 5

1 Scope .............................................................................................................................. 6

2 Normative references ...................................................................................................... 6

3 Terms, definitions and abbreviated terms ........................................................................ 7

3.1 Terms and definitions .............................................................................................. 7

3.2 Abbreviated terms ................................................................................................... 8

4 General ........................................................................................................................... 8

4.1 Normatives covered by this document ..................................................................... 8

4.2 Conformance testing structure ................................................................................ 9

4.2.1 General ........................................................................................................... 9

4.2.2 Conformance testing addressed per station type ............................................. 9

4.2.3 Normal procedure tests and resiliency tests ..................................................... 9

4.3 Conformance testing requirements ........................................................................ 10

4.3.1 Testing within the context of an application .................................................... 10

4.3.2 Requirements for the device under test.......................................................... 10

4.3.3 Requirements for the test facility ................................................................... 10

4.3.4 Test logging ................................................................................................... 11

5 Verification of Configuration parameters ........................................................................ 12

5.1 General ................................................................................................................. 12

5.2 Configuration parameters ...................................................................................... 12

6 Verification of IEC 62351-3 requirements....................................................................... 14

6.1 General ................................................................................................................. 14

6.2 Normal procedure test cases ................................................................................ 14

6.3 Resiliency test cases ............................................................................................ 17

7 Tests Results Chart ....................................................................................................... 22

7.1 Verification of Configuration Parameters ............................................................... 22

7.2 Verification of IEC 62351-3 requirements .............................................................. 23

Table 1 – Configuration Parameters ...................................................................................... 12

Table 2 – IEC 62351-3 requirements: Normal procedure tests .............................................. 14

Table 3 – IEC 62351-3 requirements: Resiliency tests .......................................................... 17

Table 4 – Test results chart: Verification of configuration parameters ................................... 22

Table 5 – Test results chart: Verification of IEC 62351-3 requirements ................................. 23

1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising

all national electrotechnical committees (IEC National Committees). The object of IEC is to promote

international co-operation on all questions concerning standardization in the electrical and electronic fields. To

this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,

Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC

Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested

in the subject dealt with may participate in this preparatory work. International, governmental and non-

governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely

with the International Organization for Standardization (ISO) in accordance with conditions determined by

2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international

consensus of opinion on the relevant subjects since each technical committee has representation from all

3) IEC Publications have the form of recommendations for international use and are accepted by IEC National

Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC

Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any

4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications

transparently to the maximum extent possible in their national and regional publications. Any divergence

between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in

5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity

assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any

6) All users should ensure that they have the latest edition of this publication.

7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and

members of its technical committees and IEC National Committees for any personal injury, property damage or

other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and

expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC

8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is

9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of

patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

The main task of IEC technical committees is to prepare International Standards. In

exceptional circumstances, a technical committee may propose the publication of a technical

• the required support cannot be obtained for the publication of an International Standard,

• the subject is still under technical development or where, for any other reason, there is the

future but no immediate possibility of an agreement on an International Standard.

Technical specifications are subject to review within three years of publication to decide

IEC TS 62351-100-3, which is a technical specification, has been prepared by IEC technical

Full information on the voting for the approval of this technical specification can be found in

This document has been drafted in accordance with the ISO/IEC Directives, Part 2.

This document is to be read in conjunction with IEC 62351-3:2014, IEC 62351-3/AMD1:2018

A list of all parts in the IEC 62351 series, published under the general title Power systems

management and associated information exchange – Data and communications security, can

The committee has decided that the contents of this document will remain unchanged until the

stability date indicated on the IEC website under "http://webstore.iec.ch" in the data related to

IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates

understanding of its contents. Users should therefore print this document using a

This technical specification describes test cases for conformance testing of telecontrol

equipment or systems integrating the IEC 62351-3 security extension for profiles including

This part of IEC 62351, which is a technical specification, describes test cases of data and

communication security for telecontrol equipment, Substation Automation Systems [SAS] and

The goal of this document is to enable interoperability by providing a standard method of

testing protocol implementations to verify that a device fulfils the requirement of IEC 62351-3.

Note that conformity to IEC 62351-3 does not guarantee interoperability between devices

using different implementations. It is expected that using this specification during testing will

minimize the risk of non-interoperability. A basic condition for this interoperability is a passed

The scope of this document is the specification of common available procedures and

definitions for conformance and/or interoperability testing to ensure conformity to

IEC 62351-3. The conformance test cases defined here are focused to verify the conformant

integration of the underlying authentication/encryption protocol (TLS), as specified in

This document is not intended to test the underlying authentication/encryption protocol

required by IEC 62351-3 to be implemented over TCP/IP (TLS). The conformance testing of

the authentication/encryption protocol over TCP/IP is outside the scope of this document.

This document deals with data and communication security conformance testing; therefore,

other requirements, such as safety or EMC are not covered. These requirements are covered

by other standards (if applicable) and the proof of compliance for these topics is done

The following documents are referred to in the text in such a way that some or all of their

content constitutes requirements of this document. For dated references, only the edition

cited applies. For undated references, the latest edition of the referenced document (including

IEC TS 62351-2:2008, Power systems management and associated information exchange -

IEC 62351-3:2014, Power systems management and associated information exchange – Data

and communications security – Part 3: Communication network and system security – Profiles

The base standard always takes precedence. In case of ambiguity between this technical specification and the

base standards (IEC 62351-3), this part of IEC 62351 needs to be clarified or amended.

When testing, negative behavior is not described in the base standard, the behavior described in this document

prevails and should be observed. The conformance statement produced after testing indicates any lack of

For the purposes of this document, the terms and definitions given in IEC TS 62351-2 and the

ISO and IEC maintain terminological databases for use in standardization at the following

Note 1 to entry: In some specifications, a device is commonly called "controlling station" or "master" or "master

ability of two or more telecontrol devices from the same vendor, or different vendors, to

calculated value used by a receiving station to authenticate and check the integrity of an

set of test cases to verify that the device fulfils the requirements of IEC 62351-3 in the

document which describes complete functionalities and system specific information

system specific information contained in the PIXIT document regarding the capabilities of the

set of test cases to verify that the device fulfils the requirements of IEC 62351-3 in reacting to

Note 1 to entry: In some specifications, a server is commonly called "controlled station" or "outstation" or "slave".

all tools and instruments which simulate and verify the communication traffic, inputs and/or

party initiating a conformance test of a device that is executed by a test facility

supplier-independent organization which is able to provide appropriate test equipment and

Refer to IEC 62351-2 for a list of applicable abbreviated terms. The abbreviations listed below

are included here because they are specific to IEC 62351-3 and they may be useful for

In addition to the test cases described in this document there are further test cases necessary

for TLS base protocol RFC as well as test cases depending on the content provided in the

certificates. An example may be the RBAC extension specified in IEC 62351-8 or certificate

IEC 62351-3 defines the requirements related to the authentication/encryption protocol,

• Clause 5: Verification of configuration parameters. This clause contains the parameters

specified by the standards referencing IEC 62351-3 (see IEC 62351-3:2014/AMD1:2018,

• Clause 6: Verification of IEC 62351-3 requirements. The goal of this clause is to verify that

• Clause 7: Test result chart. This clause contains the results of the test cases listed in

Clause 6 for each supported value of the configuration parameters listed in Clause 5.

The test cases are organized in tables. They are numbered, their numbering syntax is:

In the column ‘Reference’ each test case has a direct reference to IEC 62351-3 where the

clause under test is defined. PICS or PIXIT could be found in the “Reference” column for

some test cases whenever the execution of the test case shall take into account specific

Test cases are mandatory depending on the description in the column ‘Required’. The

M = Mandatory test case. The test is referencing to a clause that is mandatory in

PIXIT = Mandatory test case if the functionality is enabled in the PICS or PIXIT by marking

The test cases in Clause 6 to verify the requirements defined in IEC 62351-3 are addressed

IEC 62351-3 specifies how each station (client and server) shall execute the procedures in

normal conditions (expected behavior) and also how it shall behave when unexpected or fault

events occur during their execution (negative behaviors). So, for each procedure in Clause 6

the test cases are also divided in two sections: the normal procedures test cases addressing

the expected behaviors and the resiliency test cases addressing unexpected or fault events.

Normal Procedure tests and Resiliency tests shall be performed according to the parameters

values supported by the DUT as defined in Clause 6, declared in the PICS and in the PIXIT of

All the tests defined in this technical specification shall be executed for client stations and

The test cases listed in this document shall be executed within the context of an application.

The DUT claiming conformance to IEC 62351-3 shall execute an application protocol defined

c) Instruction manuals detailing the installation and operation of the device or assistance for

d) The DUT is able to operate as a client or server station according to the PID (depending

e) The DUT must be fully configured according to the PID and shall be able to execute all the

f) The functionality described in the PID related to data points such as parameter loading,

read procedure, command transmission, etc. is implemented with a representative sub-set

g) Verification of the data points shall be possible in a human readable way or format, and

completeness. Also, the software and hardware versions of the DUT shall be verified.

• Conformance testing shall be customized for the DUT based on the capabilities identified

in the PID (=PICS+PIXIT). Upon this customization, the test facility shall communicate

• The test cases listed in Clauses 5 and 6 shall be performed with no errors detected during

• The test cases in Clause 6 should be performed in the order listed and the steps in each

test case shall be followed, which means that the DUT is able to function as described in

• For each test case listed in Clauses 5 and 6 the test results need to be marked in the

appropriate column of the test result chart in Clause 7. Each test case can either pass

(Passed), or fail (Failed), or be not applicable (NA) when the configuration value is not

supported by the device, or the test case cannot be performed (Empty). Ideally, there

All test cases listed in Clause 7 should be verified automatically by a testing software or

verified manually by review of the test history log after execution of the test procedures. The

simulator is preferably flexible in adding or changing test cases in order to be adaptable to

changes in the protocol standard and the PID provided with the DUT. In all cases, the test

In operational use, the device may show communication and/or behavior errors, which forces

the supplier to reproduce the complete conformance test (for example for verification

The test focuses only on the protocol elements and functions as described in the PID; the test

During the execution of conformance testing the following information should be logged by the

• communication events (first handshake, session renegotiation, session resumption);

• certificate check results (e.g. valid, expired, revoked, invalid key length, invalid signature);

• The security events raised by the DUT (defined in IEC 62351-3) whenever a negative

If the specific test logging defined herein and IEC 62351-3 is not supported by the DUT, the

DUT shall provide the means by which the tester can verify the proper execution of the test

The scope of this clause is to verify the configuration of all the parameters that affect security extension procedures and protocol behavior so that

the whole or part of conformance testing shall be executed (and the tests result chart in Clause 7 shall be filled accordingly) for each value of these

parameters as indicated in 5.2. Basically, the DUT must be tested to verify that the whole functionality and behavior are correct according to the

All conformance tests listed in Clause 6 shall be performed for each station type supported.

5.2.2 TCP IP Port to be All conformance tests listed in Clause 6 shall be performed for the value of this parameter. IEC 62351-3:2014, Clause 7 M

All conformance tests listed in Clause 6 shall be performed for each value (mandatory and optional)

5.2.4 TLS Cipher Suites Set of cipher suites supported in TLS protocol. IEC 62351-3:2014, Clause 7 M

All conformance tests listed in Clause 6 shall be performed at least for the minimum mandatory value