Power systems management nd associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP

Specifies how to provide confidentiality, tamper detection, and message level authentication for SCADA and telecontrol protocols that make use of TCP/IP as a message transport layer.
This publication is of core relevance for Smart Grid.

Datenmodelle, Schnittstellen und Informationsaustausch für Planung und Betrieb von Energieversorgungsunternehmen - Daten- und Kommunikationssicherheit - Teil 3: Sicherheit von Kommunikationsnetzen und Systemen - Profile einschließlich TCP/IP

Gestion des systèmes de puissance et échanges d’informations associés - Sécurité des communications et des données - Partie 3: Sécurité des réseaux et des systèmes de communication - Profils comprenant TCP/IP

L'IEC 62351-3:2014 spécifie comment garantir la confidentialité, la protection de l'intégrité et l'authentification des niveaux des messages pour les protocoles SCADA (système de commande, de surveillance et d'acquisition de données, Supervisory Control And Data Acquisition) et de téléconduite qui utilisent les protocoles TCP/IP comme couche transport des messages lorsque la cybersécurité est exigée. Bien qu'il existe de nombreuses solutions permettant de sécuriser les protocoles TCP/IP, le domaine d'application de la présente partie est de sécuriser la communication entre des entités, à l'une ou l'autre extrémité de la connexion TCP/IP, dans les limites des entités communicantes. La présente partie de l'IEC 62351 présente les exigences de sécurité des protocoles de la gestion des systèmes de puissance de l'IEC.

Upravljanje elektroenergetskega sistema in pripadajoča izmenjava informacij - Varnost podatkov in komunikacij - 3. del: Varnost komunikacijskih omrežij in sistemov - Profili za TCP/IP (IEC 62351-3:2014)

Standard določa, kako zagotoviti zaupnost, odkrivati nedovoljeno poseganje in preverjati pristnost na ravni sporočil za SCADA in protokole za daljinsko vodenje, ki za sporočilno transportno plast uporabljajo TCP/IP.
Ta objava je bistvena za pametna omrežja.

General Information

Status
Published
Publication Date
02-Mar-2015
Technical Committee
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
16-Jan-2015
Due Date
23-Mar-2015
Completion Date
03-Mar-2015

RELATIONS

Buy Standard

Standard
SIST EN 62351-3:2015
English language
17 pages
sale 10% off
Preview
sale 10% off
Preview

e-Library read for
1 day

Standards Content (sample)

SLOVENSKI STANDARD
SIST EN 62351-3:2015
01-april-2015
8SUDYOMDQMHHOHNWURHQHUJHWVNHJDVLVWHPDLQSULSDGDMRþDL]PHQMDYDLQIRUPDFLM
9DUQRVWSRGDWNRYLQNRPXQLNDFLMGHO9DUQRVWNRPXQLNDFLMVNLKRPUHåLMLQ
VLVWHPRY3URILOL]D7&3,3 ,(&
Power systems management nd associated information exchange - Data and

communications security - Part 3: Communication network and system security - Profiles

including TCP/IP
Ta slovenski standard je istoveten z: EN 62351-3:2014
ICS:
29.240.30 Krmilna oprema za Control equipment for electric
elektroenergetske sisteme power systems
35.240.50 Uporabniške rešitve IT v IT applications in industry
industriji
SIST EN 62351-3:2015 en

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST EN 62351-3:2015
---------------------- Page: 2 ----------------------
SIST EN 62351-3:2015
EUROPEAN STANDARD EN 62351-3
NORME EUROPÉENNE
EUROPÄISCHE NORM
December 2014
ICS 33.200
English Version
Power systems management and associated information
exchange - Data and communications security - Part 3:
Communication network and system security - Profiles including
TCP/IP
(IEC 62351-3:2014)

Gestion des systèmes de puissance et échanges Management von Systemen der Energietechnik und

d'informations associés - Sécurité des communications et zugehöriger Datenaustausch - Daten- und

des données - Partie 3: Sécurité des réseaux et des Kommunikationssicherheit - Teil 3: Sicherheit von

systèmes de communication - Profils comprenant TCP/IP Kommunikationsnetzen und Systemen - Profile

(CEI 62351-3:2014) einschließlich TCP/IP
(IEC 62351-3:2014)

This European Standard was approved by CENELEC on 2014-12-02. CENELEC members are bound to comply with the CEN/CENELEC

Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.

Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC

Management Centre or to any CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation

under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the

same status as the official versions.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,

Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,

Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland,

Turkey and the United Kingdom.
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels

© 2014 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.

Ref. No. EN 62351-3:2014 E
---------------------- Page: 3 ----------------------
SIST EN 62351-3:2015
EN 62351-3:2014 - 2 -
Foreword

The text of document 57/1498/FDIS, future edition 1 of IEC 62351-3, prepared by IEC/TC 57 "Power

systems management and associated information exchange" was submitted to the IEC-CENELEC

parallel vote and approved by CENELEC as EN 62351-3:2014.
The following dates are fixed:
(dop) 2015-09-02
• latest date by which the document has to be implemented at
national level by publication of an identical national
standard or by endorsement
(dow) 2017-12-02
• latest date by which the national standards conflicting with
the document have to be withdrawn

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. CENELEC [and/or CEN] shall not be held responsible for identifying any or all such

patent rights.
Endorsement notice

The text of the International Standard IEC 62351-3:2014 was approved by CENELEC as a European

Standard without any modification.
---------------------- Page: 4 ----------------------
SIST EN 62351-3:2015
- 3 - EN 62351-3:2014
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications

The following documents, in whole or in part, are normatively referenced in this document and are

indispensable for its application. For dated references, only the edition cited applies. For undated

references, the latest edition of the referenced document (including any amendments) applies.

NOTE 1 When an International Publication has been modified by common modifications, indicated by (mod),

the relevant EN/HD applies.

NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is

available here: www.cenelec.eu.
Publication Year Title EN/HD Year
IEC/TS 62351-1 2007 Power systems management and associated - -
information exchange - Data and
communications security -
Part 1: Communication network and system
security - Introduction to security issues
IEC/TS 62351-2 2008 Power systems management and associated - -
information exchange - Data and
communications security -
Part 2: Glossary of terms
IEC/TS 62351-9 - Power systems management and associated - -
information exchange - Data and
communications security -
Part 9: Key management
ISO/IEC 9594-8 - Information technology - Open Systems - -
Interconnection - The Directory -
Part 8: Public-key and attribute certificate
frameworks
RFC 4492 2006 Elliptic Curve Cryptography (ECC) Cipher - -
Suites for Transport Layer Security (TLS)
RFC 5246 2008 The Transport Layer Security (TLS) Protocol - -
Version 1.2
RFC 5280 2008 Internet X.509 Public Key Infrastructure - -
Certificate and Certificate Revocation List
(CRL) Profile
RFC 5746 2010 Transport Layer Security (TLS) Renegotiation - -
Indication Extension
RFC 6066 2011 Transport Layer Security (TLS) Extensions: - -
Extension Definitions
RFC 6176 2011 Prohibiting Secure Sockets Layer (SSL) - -
Version 2.0
At draft stage.
Supersedes RFC 4366:2006, Transport Layer Security (TLS) Extensions.
---------------------- Page: 5 ----------------------
SIST EN 62351-3:2015
---------------------- Page: 6 ----------------------
SIST EN 62351-3:2015
IEC 62351-3
Edition 1.0 2014-10
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
Power systems management and associated information exchange – Data and
communications security –
Part 3: Communication network and system security – Profiles including TCP/IP
Gestion des systèmes de puissance et échanges d'informations associés –
Sécurité des communications et des données –
Partie 3: Sécurité des réseaux et des systèmes de communication – Profils
comprenant TCP/IP
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
PRICE CODE
INTERNATIONALE
CODE PRIX N
ICS 33.200 ISBN 978-2-8322-1900-3

Warning! Make sure that you obtained this publication from an authorized distributor.

Attention! Veuillez vous assurer que vous avez obtenu cette publication via un distributeur agréé.

® Registered trademark of the International Electrotechnical Commission
Marque déposée de la Commission Electrotechnique Internationale
---------------------- Page: 7 ----------------------
SIST EN 62351-3:2015
– 2 – IEC 62351-3:2014 © IEC 2014
CONTENTS

FOREWORD ........................................................................................................................... 3

1 Scope .............................................................................................................................. 5

1.1 Scope ..................................................................................................................... 5

1.2 Intended Audience .................................................................................................. 5

2 Normative references ...................................................................................................... 5

3 Terms, definitions and abbreviations ............................................................................... 6

3.1 Terms, definitions and abbreviations ....................................................................... 6

3.2 Additional abbreviations .......................................................................................... 6

4 Security issues addressed by this standard ..................................................................... 6

4.1 Operational requirements affecting the use of TLS in the telecontrol

environment ............................................................................................................ 6

4.2 Security threats countered ...................................................................................... 7

4.3 Attack methods countered ....................................................................................... 7

5 Mandatory requirements .................................................................................................. 7

5.1 Deprecation of cipher suites .................................................................................... 7

5.2 Negotiation of versions ........................................................................................... 8

5.3 Session resumption ................................................................................................ 8

5.4 Session renegotiation ............................................................................................. 8

5.5 Message Authentication Code ................................................................................. 9

5.6 Certificate support .................................................................................................. 9

5.6.1 Multiple Certification Authorities (CAs) ............................................................. 9

5.6.2 Certificate size ............................................................................................... 10

5.6.3 Certificate exchange ...................................................................................... 10

5.6.4 Public-key certificate validation ...................................................................... 10

5.7 Co-existence with non-secure protocol traffic ........................................................ 12

6 Optional security measure support................................................................................. 12

7 Referencing standard requirements ............................................................................... 12

8 Conformance ................................................................................................................. 13

Bibliography .......................................................................................................................... 14

---------------------- Page: 8 ----------------------
SIST EN 62351-3:2015
IEC 62351-3:2014 © IEC 2014 – 3 –
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
POWER SYSTEMS MANAGEMENT AND ASSOCIATED INFORMATION
EXCHANGE – DATA AND COMMUNICATIONS SECURITY –
Part 3: Communication network and system security –
Profiles including TCP/IP
FOREWORD

1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising

all national electrotechnical committees (IEC National Committees). The object of IEC is to promote

international co-operation on all questions concerning standardization in the electrical and electronic fields. To

this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,

Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC

Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested

in the subject dealt with may participate in this preparatory work. International, governmental and non-

governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely

with the International Organization for Standardization (ISO) in accordance with conditions determined by

agreement between the two organizations.

2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international

consensus of opinion on the relevant subjects since each technical committee has representation from all

interested IEC National Committees.

3) IEC Publications have the form of recommendations for international use and are accepted by IEC National

Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC

Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any

misinterpretation by any end user.

4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications

transparently to the maximum extent possible in their national and regional publications. Any divergence

between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in

the latter.

5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity

assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any

services carried out by independent certification bodies.

6) All users should ensure that they have the latest edition of this publication.

7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and

members of its technical committees and IEC National Committees for any personal injury, property damage or

other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and

expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC

Publications.

8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is

indispensable for the correct application of this publication.

9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of

patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

International Standard IEC 62351-3 has been prepared by IEC technical committee 57: Power

systems management and associated information exchange.
This standard cancels and replaces IEC TS 62351-3:2007.
The text of this standard is based on the following documents:
FDIS Report on voting
57/1498/FDIS 57/1515/RVD

Full information on the voting for the approval of this standard can be found in the report on

voting indicated in the above table.
---------------------- Page: 9 ----------------------
SIST EN 62351-3:2015
– 4 – IEC 62351-3:2014 © IEC 2014

This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.

A list of all parts in the IEC 62351 series, published under the general title Power systems

management and associated information exchange – Data and communications security, can

be found on the IEC website.

The committee has decided that the contents of this publication will remain unchanged until

the stability date indicated on the IEC web site under "http://webstore.iec.ch" in the data

related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
---------------------- Page: 10 ----------------------
SIST EN 62351-3:2015
IEC 62351-3:2014 © IEC 2014 – 5 –
POWER SYSTEMS MANAGEMENT AND ASSOCIATED INFORMATION
EXCHANGE – DATA AND COMMUNICATIONS SECURITY –
Part 3: Communication network and system security –
Profiles including TCP/IP
1 Scope
1.1 Scope

This part of IEC 62351 specifies how to provide confidentiality, integrity protection, and

message level authentication for SCADA and telecontrol protocols that make use of TCP/IP

as a message transport layer when cyber-security is required.

Although there are many possible solutions to secure TCP/IP, the particular scope of this part

is to provide security between communicating entities at either end of a TCP/IP connection

within the end communicating entities. The use and specification of intervening external

security devices (e.g. “bump-in-the-wire”) are considered out-of-scope.

This part of IEC 62351 specifies how to secure TCP/IP-based protocols through constraints

on the specification of the messages, procedures, and algorithms of Transport Layer Security

(TLS) (defined in RFC 5246) so that they are applicable to the telecontrol environment of the

IEC. TLS is applied to protect the TCP communication. It is intended that this standard be

referenced as a normative part of other IEC standards that have the need for providing

security for their TCP/IP-based protocol. However, it is up to the individual protocol security

initiatives to decide if this standard is to be referenced.

This part of IEC 62351 reflects the security requirements of the IEC power systems

management protocols. Should other standards bring forward new requirements, this standard

may need to be revised.
1.2 Intended Audience

The initial audience for this specification is intended to be experts developing or making use

of IEC protocols in the field of power systems management and associated information

exchange. For the measures described in this specification to take effect, they must be

accepted and referenced by the specifications for the protocols themselves, where the

protocols make use of TCP/IP security. This document is written to enable that process.

The subsequent audience for this specification is intended to be the developers of products

that implement these protocols.

Portions of this specification may also be of use to managers and executives in order to

understand the purpose and requirements of the work.
2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and

are indispensable for its application. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any
amendments) applies.

IEC TS 62351-1:2007, Power systems management and associated information exchange –

Data and communications security – Part 1: Communication network and system security –

Introduction to security issues

IEC TS 62351-2:2008, Power systems management and associated information exchange –

Data and communications security – Part 2: Glossary of terms
---------------------- Page: 11 ----------------------
SIST EN 62351-3:2015
– 6 – IEC 62351-3:2014 © IEC 2014

IEC TS 62351-9, Power systems management and associated information exchange – Data

and communications security – Part 9: Key Management

ISO/IEC 9594-8, Information technology – Open Systems Interconnection – The Directory:

Public-key and attribute certificate frameworks

RFC 4492:2006, Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer

Security (TLS)
RFC 5246:2008, The TLS Protocol Version 1.2

RFC 5280:2008, Internet X.509 Public Key Infrastructure Certificate and Certificate

Revocation List (CRL) Profile
RFC 5746:2010, Transport Layer Security (TLS) Renegotiation Indication Extension
RFC 6066:2006, Transport Layer Security Extensions
RFC 6176:2011, Prohibiting Secure Sockets Layer (SSL) Version 2.0
3 Terms, definitions and abbreviations
3.1 Terms, definitions and abbreviations

For the purposes of this document, the terms, definitions and abbreviations given in IEC

TS 62351-2, Glossary, apply .
3.2 Additional abbreviations
CRL Certificate Revocation List
DER Distinguished Encoding Rules
ECDSA Elliptic Curve Digital Signature Algorithm
ECGDSA Elliptic Curve German Digital Signature Algorithm (see ISO/IEC 15946-2)
OCSP Online Certificate Status Protocol (see RFC 6960)
PIXIT Protocol Implementation eXtra Information for Testing
4 Security issues addressed by this standard

4.1 Operational requirements affecting the use of TLS in the telecontrol environment

The IEC telecontrol environment has different operational requirements from many

Information Technology (IT) applications that make use of TLS in order to provide security

protection. The most differentiating, in terms of security, is the duration of the TCP/IP

connection for which security needs to be maintained.

Many IT protocols have short duration connections, which allow the encryption algorithms to

be renegotiated at connection re-establishment. However, the connections within a telecontrol

environment tend to have longer durations, often “permanent”. It is the longevity of the

connections in the field of power systems management and associated information exchange

that give rise to the need for special consideration. In this regard, in order to provide

protection for the “permanent” connections, a mechanism for updating the session key is

specified within this standard, based upon the TLS features of session resumption and

session re-negotiation while also considering the relationship with certificate revocation state

information.

Another issue addressed within this standard is how to achieve interoperability between

different implementations. TLS allows for a wide variety of cipher suites to be supported and

___________
Under consideration.
This is typically referred
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.