Power systems management and associated information exchange - Data and communications security - Part 5: Security for IEC 60870-5 and derivatives

IEC/TS 62351-5:2009(E) specifies messages, procedures and algorithms for securing the operation of all protocols based on or derived from the standard IEC 60870-5: Telecontrol equipment and systems - Part 5: Transmission protocols. It more specifically applies to IEC 60870-5-101, IEC 60870-5-102, IEC 60870-5-103, IEC 60870-5-104.
This publication is of core relevance for Smart Grid.

General Information

Status
Published
Publication Date
17-Aug-2009
Current Stage
DELPUB - Deleted Publication
Completion Date
29-Apr-2013
Ref Project

Relations

Buy Standard

Technical specification
IEC TS 62351-5:2009 - Power systems management and associated information exchange - Data and communications security - Part 5: Security for IEC 60870-5 and derivatives Released:8/18/2009 Isbn:9782889106813
English language
59 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)


IEC/TS 62351-5 ®
Edition 1.0 2009-08
TECHNICAL
SPECIFICATION
Power systems management and associated information exchange – Data and
communications security –
Part 5: Security for IEC 60870-5 and derivatives

IEC/TS 62351-5:2009(E)
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by
any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or
IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.

Droits de reproduction réservés. Sauf indication contraire, aucune partie de cette publication ne peut être reproduite
ni utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie
et les microfilms, sans l'accord écrit de la CEI ou du Comité national de la CEI du pays du demandeur.
Si vous avez des questions sur le copyright de la CEI ou si vous désirez obtenir des droits supplémentaires sur cette
publication, utilisez les coordonnées ci-après ou contactez le Comité national de la CEI de votre pays de résidence.

IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Email: inmail@iec.ch
Web: www.iec.ch
About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.
ƒ Catalogue of IEC publications: www.iec.ch/searchpub
The IEC on-line Catalogue enables you to search by a variety of criteria (reference number, text, technical committee,…).
It also gives information on projects, withdrawn and replaced publications.
ƒ IEC Just Published: www.iec.ch/online_news/justpub
Stay up to date on all new IEC publications. Just Published details twice a month all new publications released. Available
on-line and also by email.
ƒ Electropedia: www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing more than 20 000 terms and definitions
in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical
Vocabulary online.
ƒ Customer Service Centre: www.iec.ch/webstore/custserv
If you wish to give us your feedback on this publication or need further assistance, please visit the Customer Service
Centre FAQ or contact us:
Email: csc@iec.ch
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
IEC/TS 62351-5 ®
Edition 1.0 2009-08
TECHNICAL
SPECIFICATION
Power systems management and associated information exchange – Data and
communications security –
Part 5: Security for IEC 60870-5 and derivatives

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
PRICE CODE
XA
ICS 33.200 ISBN 978-2-88910-681-3
– 2 – TS 62351-5 © IEC:2009(E)
CONTENTS
FOREWORD.6
1 Scope and object.8
1.1 Scope.8
1.2 Intended audience and use .8
1.3 Items outside of scope .8
1.4 Use with other standards.8
1.5 Document organization and approach.9
1.6 Compliance .9
2 Normative references .9
3 Terms and definitions .10
4 Abbreviated terms .11
5 Problem description.11
5.1 Overview of clause .11
5.2 Specific threats addressed .11
5.3 Design issues.11
5.3.1 Overview of subclause.11
5.3.2 Asymmetric communications.11
5.3.3 Message-oriented.12
5.3.4 Poor sequence numbers or no sequence numbers.12
5.3.5 Limited processing power .12
5.3.6 Limited bandwidth.12
5.3.7 No access to authentication server .12
5.3.8 Limited frame length .13
5.3.9 Limited checksum.13
5.3.10 Radio systems.13
5.3.11 Dial-up systems.13
5.3.12 Variety of protocols affected .13
5.3.13 Differing data link layers .14
5.3.14 Long upgrade intervals .14
5.3.15 Remote sites .14
5.3.16 Multiple users .14
5.3.17 Unreliable media .14
5.4 General principles .14
5.4.1 Overview of subclause.14
5.4.2 Authentication only .14
5.4.3 Application layer only .15
5.4.4 Generic definition mapped onto different protocols .15
5.4.5 Bi-directional .15
5.4.6 Challenge-response.15
5.4.7 Pre-shared keys as default option.15
5.4.8 Backwards tolerance .15
5.4.9 Upgradeable.16
5.4.10 Perfect forward secrecy.16
5.4.11 Multiple users .16
6 Theory of operation (informative).16

TS 62351-5 © IEC:2009(E) – 3 –
6.1 Overview of clause .16
6.2 Narrative description .16
6.2.1 Basic concepts .16
6.2.2 Initiating the challenge.17
6.2.3 Replying to the challenge .17
6.2.4 Authenticating .17
6.2.5 Authentication failure.18
6.2.6 Aggressive mode.18
6.2.7 Changing keys.18
6.3 Example message sequences .19
6.3.1 Overview of subclause.19
6.3.2 Challenge of a critical ASDU .20
6.3.3 Aggressive mode.21
6.3.4 Initializing and changing session keys .22
6.4 State machine overview .23
7 Formal specification .25
7.1 Overview of clause .25
7.2 Message definitions.25
7.2.1 Distinction between messages and ASDUs.25
7.2.2 Challenge message .25
7.2.3 Reply message.27
7.2.4 Aggressive mode request .29
7.2.5 Key status request message.31
7.2.6 Key status message .31
7.2.7 Session key change message.34
7.2.8 Error message.36
7.3 Formal procedures .38
7.3.1 Overview of subclause.38
7.3.2 Challenger procedures .38
7.3.3 Responder procedures .48
7.3.4 Controlling station procedures .48
7.3.5 Controlled station procedures .53
8 Interoperability requirements .53
8.1 Overview of clause .53
8.2 Minimum requirements .53
8.2.1 Overview of subclause.53
8.2.2 HMAC algorithms .53
8.2.3 Key wrap algorithms .54
8.2.4 Fixed values .54
8.2.5 Configurable values.54
8.3 Options .55
8.3.1 Overview of subclause.55
8.3.2 HMAC algorithms .55
8.3.3 Encryption algorithms .55
8.3.4 Configurable values.56
9 Special applications.56
9.1 Overview of clause .56
9.2 Use with TCP/IP .56
9.3 Use with redundant channels.56

– 4 – TS 62351-5 © IEC:2009(E)
9.4 Use with external link encryptors .56
10 Requirements for referencing this specification.57
10.1 Overview of clause .57
10.2 Selected options.57
10.3 Operations considered critical .
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.