IEC TS 60870-5-7:2013
(Main)Telecontrol equipment and systems - Part 5-7: Transmission protocols - Security extensions to IEC 60870-5-101 and IEC 60870-5-104 protocols (applying IEC 62351)
Telecontrol equipment and systems - Part 5-7: Transmission protocols - Security extensions to IEC 60870-5-101 and IEC 60870-5-104 protocols (applying IEC 62351)
IEC/TS 60870-5-7:2013(E) describes messages and data formats for implementing IEC/TS 62351-5 for secure authentication as an extension to IEC 60870-5-101 and IEC 60870-5-104. The purpose of this base standard is to permit the receiver of any IEC 60870-5-101/104 Application Protocol Data Unit (APDU) to verify that the APDU was transmitted by an authorized user and that the APDU was not modified in transit. It provides methods to authenticate not only the device which originated the APDU but also the individual human user if that capability is supported by the rest of the telecontrol system. This specification is also intended to be used, together with the definitions of IEC/TS 62351-3, in conjunction with the IEC 60870-5-104 companion standard.
General Information
Buy Standard
Standards Content (Sample)
IEC/TS 60870-5-7 ®
Edition 1.0 2013-07
TECHNICAL
SPECIFICATION
colour
inside
Telecontrol equipment and systems –
Part 5-7: Transmission protocols – Security extensions to IEC 60870-5-101 and
IEC 60870-5-104 protocols (applying IEC 62351)
IEC/TS 60870-5-7:2013(E)
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.
IEC Central Office Tel.: +41 22 919 02 11
3, rue de Varembé Fax: +41 22 919 03 00
CH-1211 Geneva 20 info@iec.ch
Switzerland www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.
About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.
Useful links:
IEC publications search - www.iec.ch/searchpub Electropedia - www.electropedia.org
The advanced search enables you to find IEC publications The world's leading online dictionary of electronic and
by a variety of criteria (reference number, text, technical electrical terms containing more than 30 000 terms and
committee,…). definitions in English and French, with equivalent terms in
It also gives information on projects, replaced and additional languages. Also known as the International
withdrawn publications. Electrotechnical Vocabulary (IEV) on-line.
IEC Just Published - webstore.iec.ch/justpublished Customer Service Centre - webstore.iec.ch/csc
Stay up to date on all new IEC publications. Just Published If you wish to give us your feedback on this publication
details all new publications released. Available on-line and or need further assistance, please contact the
also once a month by email. Customer Service Centre: csc@iec.ch.
IEC/TS 60870-5-7 ®
Edition 1.0 2013-07
TECHNICAL
SPECIFICATION
colour
inside
Telecontrol equipment and systems –
Part 5-7: Transmission protocols – Security extensions to IEC 60870-5-101 and
IEC 60870-5-104 protocols (applying IEC 62351)
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
PRICE CODE
X
ICS 33.200 ISBN 978-2-8322-0919-6
– 2 – TS 60870-5-7 © IEC:2013(E)
CONTENTS
FOREWORD . 5
1 Scope . 7
2 Normative references . 7
3 Terms, definitions and abbreviations . 8
3.1 Terms and definitions . 8
3.2 Abbreviated terms . 9
4 Selected options . 9
4.1 Overview of clause . 9
4.2 MAC algorithms . 9
4.3 Encryption algorithms . 9
4.4 Maximum error count . 9
4.5 Use of aggressive mode . 9
5 Operations considered critical . 9
6 Addressing information . 10
7 Implementation of messages . 10
7.1 Overview of clause . 10
7.2 Data definitions . 10
7.2.1 Causes of transmission . 10
7.2.2 Type identifiers . 10
7.2.3 Security statistics . 11
7.2.4 Variable length data . 11
7.2.5 Information object address . 12
7.2.6 Transmitting extended ASDUs using segmentation . 12
7.3 Application Service Data Units . 16
7.3.1 TYPE IDENT 81: S_CH_NA_1 Authentication challenge . 16
7.3.2 TYPE IDENT 82: S_RP_NA_1 Authentication Reply . 17
7.3.3 TYPE IDENT 83: S_AR_NA_1 Aggressive mode authentication
request . 18
7.3.4 TYPE IDENT 84: S_KR_NA_1 Session key status request. 19
7.3.5 TYPE IDENT 85: S_KS_NA_1 Session key status . 20
7.3.6 TYPE IDENT 86: S_KC_NA_1 Session key change . 21
7.3.7 TYPE IDENT 87: S_ER_NA_1 Authentication error . 22
7.3.8 TYPE IDENT 88: S_UC_NA_1 User certificate . 23
7.3.9 TYPE IDENT 90: S_US_NA_1 User status change . 24
7.3.10 TYPE IDENT 91: S_UQ_NA_1 Update key change request . 25
7.3.11 TYPE IDENT 92: S_UR_NA_1 Update key change reply . 26
7.3.12 TYPE IDENT 93: S_UK_NA_1 Update key change − symmetric . 27
7.3.13 TYPE IDENT 94: S_UA_NA_1 Update key change − asymmetric . 28
7.3.14 TYPE IDENT 95: S_UC_NA_1 Update key change confirmation . 29
7.3.15 TYPE IDENT 41: S_IT_TC_1 Integrated totals containing time-
tagged security statistics . 30
8 Implementation of procedures. 31
8.1 Overview of clause . 31
8.2 Initialization of aggressive mode. 31
8.3 Refreshing challenge data . 34
8.4 Co-existence with non-secure implementations . 34
TS 60870-5-7 © IEC:2013(E) – 3 –
9 Implementation of IEC/TS 62351-3 using IEC 60870-5-104 . 34
9.1 Overview of clause . 34
9.2 Deprecation of non-encrypting cipher suites . 34
9.3 Mandatory cipher suite . 34
9.4 Recommended cipher suites . 34
9.5 Negotiation of versions . 35
9.6 Cipher renegotiation . 35
9.7 Message authentication code . 35
9.8 Certificate support . 35
9.8.1 Overview of clause . 35
9.8.2 Multiple Certificate Authorities (CAs) . 36
9.8.3 Certificate size . 36
9.8.4 Certificate exchange . 36
9.8.5 Certificate comparison . 36
9.9 Co-existence with non-secure protocol traffic . 37
9.10 Use with redundant channels . 37
10 Protocol Implementation Conformance Statement. 38
10.1 Overview of clause . 38
10.2 Required algorithms . 38
10.3 MAC algorithms . 38
10.4 Key wrap algorithms . 38
10.5 Use of error messages . 38
10.6 Update key change methods . 38
10.7 User status change . 39
10.8 Configurable parameters . 39
10.9 Configurable statistic thresholds and statistic information object addresses . 40
10.10 Critical functions . 40
Bibliography . 44
Figure 1 – ASDU segmentation control . 12
Figure 2 – Segmenting extended ASDUs . 12
Figure 3 – Illustration of ASDU segment reception state machine . 15
Figure 4 – ASDU: S_CH_NA_1 Authentication challenge . 16
Figure 5 – ASDU: S_RP_NA_1 Authentication Reply . 17
Figure 6 – ASDU: S_AR_NA_1 Aggressive Mode Authentication Request . 18
Figure 7 – ASDU: S_KR_NA_1 Session key status request . 19
Figure 8 – ASDU: S_KS_NA_1 Session key status . 20
Figure 9 – ASDU: S_KC_NA_1 Session key change . 21
Figure 10 – ASDU: S_ER_NA_1 Authentication error . 22
Figure 11 – ASDU: S_UC_NA_1 User certificate . 23
Figure 12 – ASDU: S_US_NA_1 User status change . 24
Figure 13 – ASDU: S_UQ_NA_1 Update key change request . 25
Figure 14 – ASDU: S_UR_NA_1 Update key change reply . 26
Figure 15 – ASDU: S_UK_NA_1 Update key change – symmetric . 27
Figure 16 – ASDU: S_UA_NA_1 Update key change – asymmetric . 28
Figure 17 – ASDU: S_UC_NA_1 Update key change confirmation . 29
– 4 – TS 60870-5-7 © IEC:2013(E)
Figure 18 – ASDU: S_IT_TC_1 Integrated totals containing time-tagged security
statistics . 30
Figure 19 – Example of successful initialization of challenge data . 33
Table 1 – Additional cause of transmission . 10
Table 2 – Additional type identifiers . 10
Table 3 – Maximum lengths of variable length data . 11
Table 4 – ASDU segment reception state machine . 14
Table 5 – Recommended cipher suite combinations . 35
TS 60870-5-7 © IEC:2013(E) – 5 –
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
TELECONTROL EQUIPMENT AND SYSTEMS –
Part 5-7: Transmission protocols – Security extensions to
IEC 60870-5-101 and IEC 60870-5-104 protoc
...
IEC/TS 60870-5-7 ®
Edition 1.0 2013-07
TECHNICAL
SPECIFICATION
colour
inside
Telecontrol equipment and systems –
Part 5-7: Transmission protocols – Security extensions to IEC 60870-5-101 and
IEC 60870-5-104 protocols (applying IEC 62351)
IEC/TS 60870-5-7:2013(E)
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.
IEC Central Office Tel.: +41 22 919 02 11
3, rue de Varembé Fax: +41 22 919 03 00
CH-1211 Geneva 20 info@iec.ch
Switzerland www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.
About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.
Useful links:
IEC publications search - www.iec.ch/searchpub Electropedia - www.electropedia.org
The advanced search enables you to find IEC publications The world's leading online dictionary of electronic and
by a variety of criteria (reference number, text, technical electrical terms containing more than 30 000 terms and
committee,…). definitions in English and French, with equivalent terms in
It also gives information on projects, replaced and additional languages. Also known as the International
withdrawn publications. Electrotechnical Vocabulary (IEV) on-line.
IEC Just Published - webstore.iec.ch/justpublished Customer Service Centre - webstore.iec.ch/csc
Stay up to date on all new IEC publications. Just Published If you wish to give us your feedback on this publication
details all new publications released. Available on-line and or need further assistance, please contact the
also once a month by email. Customer Service Centre: csc@iec.ch.
IEC/TS 60870-5-7 ®
Edition 1.0 2013-07
TECHNICAL
SPECIFICATION
colour
inside
Telecontrol equipment and systems –
Part 5-7: Transmission protocols – Security extensions to IEC 60870-5-101 and
IEC 60870-5-104 protocols (applying IEC 62351)
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
PRICE CODE
X
ICS 33.200 ISBN 978-2-8322-0919-6
– 2 – TS 60870-5-7 © IEC:2013(E)
CONTENTS
FOREWORD . 5
1 Scope . 7
2 Normative references . 7
3 Terms, definitions and abbreviations . 8
3.1 Terms and definitions . 8
3.2 Abbreviated terms . 9
4 Selected options . 9
4.1 Overview of clause . 9
4.2 MAC algorithms . 9
4.3 Encryption algorithms . 9
4.4 Maximum error count . 9
4.5 Use of aggressive mode . 9
5 Operations considered critical . 9
6 Addressing information . 10
7 Implementation of messages . 10
7.1 Overview of clause . 10
7.2 Data definitions . 10
7.2.1 Causes of transmission . 10
7.2.2 Type identifiers . 10
7.2.3 Security statistics . 11
7.2.4 Variable length data . 11
7.2.5 Information object address . 12
7.2.6 Transmitting extended ASDUs using segmentation . 12
7.3 Application Service Data Units . 16
7.3.1 TYPE IDENT 81: S_CH_NA_1 Authentication challenge . 16
7.3.2 TYPE IDENT 82: S_RP_NA_1 Authentication Reply . 17
7.3.3 TYPE IDENT 83: S_AR_NA_1 Aggressive mode authentication
request . 18
7.3.4 TYPE IDENT 84: S_KR_NA_1 Session key status request. 19
7.3.5 TYPE IDENT 85: S_KS_NA_1 Session key status . 20
7.3.6 TYPE IDENT 86: S_KC_NA_1 Session key change . 21
7.3.7 TYPE IDENT 87: S_ER_NA_1 Authentication error . 22
7.3.8 TYPE IDENT 88: S_UC_NA_1 User certificate . 23
7.3.9 TYPE IDENT 90: S_US_NA_1 User status change . 24
7.3.10 TYPE IDENT 91: S_UQ_NA_1 Update key change request . 25
7.3.11 TYPE IDENT 92: S_UR_NA_1 Update key change reply . 26
7.3.12 TYPE IDENT 93: S_UK_NA_1 Update key change − symmetric . 27
7.3.13 TYPE IDENT 94: S_UA_NA_1 Update key change − asymmetric . 28
7.3.14 TYPE IDENT 95: S_UC_NA_1 Update key change confirmation . 29
7.3.15 TYPE IDENT 41: S_IT_TC_1 Integrated totals containing time-
tagged security statistics . 30
8 Implementation of procedures. 31
8.1 Overview of clause . 31
8.2 Initialization of aggressive mode. 31
8.3 Refreshing challenge data . 34
8.4 Co-existence with non-secure implementations . 34
TS 60870-5-7 © IEC:2013(E) – 3 –
9 Implementation of IEC/TS 62351-3 using IEC 60870-5-104 . 34
9.1 Overview of clause . 34
9.2 Deprecation of non-encrypting cipher suites . 34
9.3 Mandatory cipher suite . 34
9.4 Recommended cipher suites . 34
9.5 Negotiation of versions . 35
9.6 Cipher renegotiation . 35
9.7 Message authentication code . 35
9.8 Certificate support . 35
9.8.1 Overview of clause . 35
9.8.2 Multiple Certificate Authorities (CAs) . 36
9.8.3 Certificate size . 36
9.8.4 Certificate exchange . 36
9.8.5 Certificate comparison . 36
9.9 Co-existence with non-secure protocol traffic . 37
9.10 Use with redundant channels . 37
10 Protocol Implementation Conformance Statement. 38
10.1 Overview of clause . 38
10.2 Required algorithms . 38
10.3 MAC algorithms . 38
10.4 Key wrap algorithms . 38
10.5 Use of error messages . 38
10.6 Update key change methods . 38
10.7 User status change . 39
10.8 Configurable parameters . 39
10.9 Configurable statistic thresholds and statistic information object addresses . 40
10.10 Critical functions . 40
Bibliography . 44
Figure 1 – ASDU segmentation control . 12
Figure 2 – Segmenting extended ASDUs . 12
Figure 3 – Illustration of ASDU segment reception state machine . 15
Figure 4 – ASDU: S_CH_NA_1 Authentication challenge . 16
Figure 5 – ASDU: S_RP_NA_1 Authentication Reply . 17
Figure 6 – ASDU: S_AR_NA_1 Aggressive Mode Authentication Request . 18
Figure 7 – ASDU: S_KR_NA_1 Session key status request . 19
Figure 8 – ASDU: S_KS_NA_1 Session key status . 20
Figure 9 – ASDU: S_KC_NA_1 Session key change . 21
Figure 10 – ASDU: S_ER_NA_1 Authentication error . 22
Figure 11 – ASDU: S_UC_NA_1 User certificate . 23
Figure 12 – ASDU: S_US_NA_1 User status change . 24
Figure 13 – ASDU: S_UQ_NA_1 Update key change request . 25
Figure 14 – ASDU: S_UR_NA_1 Update key change reply . 26
Figure 15 – ASDU: S_UK_NA_1 Update key change – symmetric . 27
Figure 16 – ASDU: S_UA_NA_1 Update key change – asymmetric . 28
Figure 17 – ASDU: S_UC_NA_1 Update key change confirmation . 29
– 4 – TS 60870-5-7 © IEC:2013(E)
Figure 18 – ASDU: S_IT_TC_1 Integrated totals containing time-tagged security
statistics . 30
Figure 19 – Example of successful initialization of challenge data . 33
Table 1 – Additional cause of transmission . 10
Table 2 – Additional type identifiers . 10
Table 3 – Maximum lengths of variable length data . 11
Table 4 – ASDU segment reception state machine . 14
Table 5 – Recommended cipher suite combinations . 35
TS 60870-5-7 © IEC:2013(E) – 5 –
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
TELECONTROL EQUIPMENT AND SYSTEMS –
Part 5-7: Transmission protocols – Security extensions to
IEC 60870-5-101 and IEC 60870-5-104 protoc
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.