iTeh Standards logo
EURUSD
Your shopping cart is empty.
SIST

SIST EN 62351-3:2015

(Main)

Power systems management nd associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP

Power systems management nd associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP

Specifies how to provide confidentiality, tamper detection, and message level authentication for SCADA and telecontrol protocols that make use of TCP/IP as a message transport layer.   This publication is of core relevance for Smart Grid.

Energiemanagementsysteme und zugehöriger Datenaustausch - IT-Sicherheit für Daten und Kommunikation - Teil 3: Sicherheit von Kommunikationsnetzen und Systemen - Profile einschließlich TCP/IP

Gestion des systèmes de puissance et échanges d’informations associés - Sécurité des communications et des données - Partie 3: Sécurité des réseaux et des systèmes de communication - Profils comprenant TCP/IP

L'IEC 62351-3:2014 spécifie comment garantir la confidentialité, la protection de l'intégrité et l'authentification des niveaux des messages pour les protocoles SCADA (système de commande, de surveillance et d'acquisition de données, Supervisory Control And Data Acquisition) et de téléconduite qui utilisent les protocoles TCP/IP comme couche transport des messages lorsque la cybersécurité est exigée. Bien qu'il existe de nombreuses solutions permettant de sécuriser les protocoles TCP/IP, le domaine d'application de la présente partie est de sécuriser la communication entre des entités, à l'une ou l'autre extrémité de la connexion TCP/IP, dans les limites des entités communicantes. La présente partie de l'IEC 62351 présente les exigences de sécurité des protocoles de la gestion des systèmes de puissance de l'IEC.

Upravljanje elektroenergetskega sistema in pripadajoča izmenjava informacij - Varnost podatkov in komunikacij - 3. del: Varnost komunikacijskih omrežij in sistemov - Profili za TCP/IP (IEC 62351-3:2014)

Standard določa, kako zagotoviti zaupnost, odkrivati nedovoljeno poseganje in preverjati pristnost na ravni sporočil za SCADA in protokole za daljinsko vodenje, ki za sporočilno transportno plast uporabljajo TCP/IP.
Ta objava je bistvena za pametna omrežja.

General Information

Status
Published
Publication Date
02-Mar-2015
ICS
29.240.30 - Control equipment for electric power systems
35.240.50 - IT applications in industry
Technical Committee
PSE - Power systems management
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
16-Jan-2015
Due Date
23-Mar-2015
Completion Date
03-Mar-2015
Mandate
M/490 - Standardisation mandate to the European Standardisation Organisations (ESOs) to support European Smart Grid deployment
Ref Project
EN 62351-3:2014 - Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP

Relations

Amended By
SIST EN 62351-3:2015/A2:2020 - Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP
Effective Date
01-Jun-2020
Amended By
SIST EN 62351-3:2015/A1:2018 - Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP
Effective Date
01-Nov-2018
Revised
SIST EN IEC 62351-3:2023 - Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP (IEC 62351-3:2023)
Effective Date
31-Aug-2021

Overview

EN 62351-3:2014 (IEC 62351-3) defines how to secure TCP/IP-based communications used in power system management and telecontrol. Its primary objective is to provide confidentiality, tamper detection (integrity) and message-level authentication for SCADA and telecontrol protocols that use TCP/IP as the transport layer. This part of the IEC 62351 series is of core relevance to the Smart Grid and to any utility implementing secure TCP/IP communications between end points.

Key topics and technical requirements

EN 62351-3 focuses on constraints and profiles for applying Transport Layer Security (TLS) in the power systems environment. Important technical topics include:

  • TLS usage and profiles (based on RFC 5246 TLS 1.2) tailored for telecontrol and SCADA.
  • Deprecation and selection of cipher suites to avoid weak algorithms.
  • Version negotiation and safe fall-back behavior for TLS sessions.
  • Session management: rules for session resumption and session renegotiation.
  • Message Authentication Code (MAC) requirements for integrity protection.
  • Certificate support and X.509 handling:
    • Multiple Certification Authorities (CAs)
    • Certificate size and exchange considerations
    • Public-key certificate validation and revocation handling
  • Co-existence rules for secure and non-secure protocol traffic on the same network.
  • Optional security measures and guidance on when to apply them.
  • Conformance language to assist product and protocol validation.

The standard explicitly focuses on end-to-end protection between communicating entities; intermediate “bump‑in‑the‑wire” devices are out of scope.

Applications and who uses it

EN 62351-3 is intended for:

  • Protocol designers and standards authors who need a normative TLS profile for IEC protocols.
  • Product developers implementing secure SCADA, telecontrol, and Smart Grid communications.
  • Security architects in utilities and grid operators specifying how TCP/IP transport must be protected.
  • Project managers and regulators assessing compliance for secure power systems operations.

Typical applications include secure IEC protocol deployments over TCP/IP, protecting telemetry, control commands, and meter data exchanges in distribution and transmission networks.

Related standards and references

  • IEC 62351 series (Parts 1, 2, 9…)
  • RFC 5246 (TLS 1.2), RFC 5280 (X.509), RFC 4492 (ECC cipher suites)
  • ISO/IEC 9594-8 (Directory / public-key frameworks)

EN 62351-3:2014 is a practical, interoperable specification for applying TLS in the power systems domain-key for Smart Grid security, SCADA protection, and TCP/IP-based telecontrol.

SIST EN 62351-3:2015SIST EN 62351-3:2015
PreviousNext
Standard
SIST EN 62351-3:2015
English language
17 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Frequently Asked Questions

SIST EN 62351-3:2015 is a standard published by the Slovenian Institute for Standardization (SIST). Its full title is "Power systems management nd associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP". This standard covers: Specifies how to provide confidentiality, tamper detection, and message level authentication for SCADA and telecontrol protocols that make use of TCP/IP as a message transport layer. This publication is of core relevance for Smart Grid</a>.

Specifies how to provide confidentiality, tamper detection, and message level authentication for SCADA and telecontrol protocols that make use of TCP/IP as a message transport layer. This publication is of core relevance for Smart Grid</a>.

SIST EN 62351-3:2015 is classified under the following ICS (International Classification for Standards) categories: 29.240.30 - Control equipment for electric power systems; 35.240.50 - IT applications in industry. The ICS classification helps identify the subject area and facilitates finding related standards.

SIST EN 62351-3:2015 has the following relationships with other standards: It is inter standard links to SIST EN 62351-3:2015/A2:2020, SIST EN 62351-3:2015/A1:2018, SIST EN IEC 62351-3:2023. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

SIST EN 62351-3:2015 is associated with the following European legislation: Standardization Mandates: M/490. When a standard is cited in the Official Journal of the European Union, products manufactured in conformity with it benefit from a presumption of conformity with the essential requirements of the corresponding EU directive or regulation.

You can purchase SIST EN 62351-3:2015 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of SIST standards.

Standards Content (Sample)


SLOVENSKI STANDARD
01-april-2015
8SUDYOMDQMHHOHNWURHQHUJHWVNHJDVLVWHPDLQSULSDGDMRþDL]PHQMDYDLQIRUPDFLM
9DUQRVWSRGDWNRYLQNRPXQLNDFLMGHO9DUQRVWNRPXQLNDFLMVNLKRPUHåLMLQ
VLVWHPRY3URILOL]D7&3,3 ,(&
Power systems management nd associated information exchange - Data and
communications security - Part 3: Communication network and system security - Profiles
including TCP/IP
Ta slovenski standard je istoveten z: EN 62351-3:2014
ICS:
29.240.30 Krmilna oprema za Control equipment for electric
elektroenergetske sisteme power systems
35.240.50 Uporabniške rešitve IT v IT applications in industry
industriji
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD EN 62351-3
NORME EUROPÉENNE
EUROPÄISCHE NORM
December 2014
ICS 33.200
English Version
Power systems management and associated information
exchange - Data and communications security - Part 3:
Communication network and system security - Profiles including
TCP/IP
(IEC 62351-3:2014)
Gestion des systèmes de puissance et échanges Management von Systemen der Energietechnik und
d'informations associés - Sécurité des communications et zugehöriger Datenaustausch - Daten- und
des données - Partie 3: Sécurité des réseaux et des Kommunikationssicherheit - Teil 3: Sicherheit von
systèmes de communication - Profils comprenant TCP/IP Kommunikationsnetzen und Systemen - Profile
(CEI 62351-3:2014) einschließlich TCP/IP
(IEC 62351-3:2014)
This European Standard was approved by CENELEC on 2014-12-02. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.

European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2014 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN 62351-3:2014 E
Foreword
The text of document 57/1498/FDIS, future edition 1 of IEC 62351-3, prepared by IEC/TC 57 "Power
systems management and associated information exchange" was submitted to the IEC-CENELEC
parallel vote and approved by CENELEC as EN 62351-3:2014.
The following dates are fixed:
(dop) 2015-09-02
• latest date by which the document has to be implemented at
national level by publication of an identical national
standard or by endorsement
(dow) 2017-12-02
• latest date by which the national standards conflicting with
the document have to be withdrawn

Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC [and/or CEN] shall not be held responsible for identifying any or all such
patent rights.
Endorsement notice
The text of the International Standard IEC 62351-3:2014 was approved by CENELEC as a European
Standard without any modification.

- 3 - EN 62351-3:2014
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
NOTE 1 When an International Publication has been modified by common modifications, indicated by (mod),
the relevant EN/HD applies.
NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is
available here: www.cenelec.eu.

Publication Year Title EN/HD Year
IEC/TS 62351-1 2007 Power systems management and associated - -
information exchange - Data and
communications security -
Part 1: Communication network and system
security - Introduction to security issues
IEC/TS 62351-2 2008 Power systems management and associated - -
information exchange - Data and
communications security -
Part 2: Glossary of terms
1)
IEC/TS 62351-9 -  Power systems management and associated - -
information exchange - Data and
communications security -
Part 9: Key management
ISO/IEC 9594-8 -  Information technology - Open Systems - -
Interconnection - The Directory -
Part 8: Public-key and attribute certificate
frameworks
RFC 4492 2006 Elliptic Curve Cryptography (ECC) Cipher - -
Suites for Transport Layer Security (TLS)
RFC 5246 2008 The Transport Layer Security (TLS) Protocol - -
Version 1.2
RFC 5280 2008 Internet X.509 Public Key Infrastructure - -
Certificate and Certificate Revocation List
(CRL) Profile
RFC 5746 2010 Transport Layer Security (TLS) Renegotiation - -
Indication Extension
2)
RFC 6066 2011 Transport Layer Security (TLS) Extensions: - -
Extension Definitions
RFC 6176 2011 Prohibiting Secure Sockets Layer (SSL) - -
Version 2.0
1)
At draft stage.
2)
Supersedes RFC 4366:2006, Transport Layer Security (TLS) Extensions.

IEC 62351-3 ®
Edition 1.0 2014-10
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
Power systems management and associated information exchange – Data and

communications security –
Part 3: Communication network and system security – Profiles including TCP/IP

Gestion des systèmes de puissance et échanges d'informations associés –

Sécurité des communications et des données –

Partie 3: Sécurité des réseaux et des systèmes de communication – Profils

comprenant TCP/IP
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
PRICE CODE
INTERNATIONALE
CODE PRIX N
ICS 33.200 ISBN 978-2-8322-1900-3

– 2 – IEC 62351-3:2014 © IEC 2014

CONTENTS
FOREWORD . 3
1 Scope . 5
1.1 Scope . 5
1.2 Intended Audience . 5
2 Normative references . 5
3 Terms, definitions and abbreviations . 6
3.1 Terms, definitions and abbreviations . 6
3.2 Additional abbreviations . 6
4 Security issues addressed by this standard . 6
4.1 Operational requirements affecting the use of TLS in the telecontrol
environment . 6
4.2 Security threats countered . 7
4.3 Attack methods countered . 7
5 Mandatory requirements . 7
5.1 Deprecation of cipher suites . 7
5.2 Negotiation of versions . 8
5.3 Session resumption . 8
5.4 Session renegotiation . 8
5.5 Message Authentication Code . 9
5.6 Certificate support . 9
5.6.1 Multiple Certification Authorities (CAs) . 9
5.6.2 Certificate size . 10
5.6.3 Certificate exchange . 10
5.6.4 Public-key certificate validation . 10
5.7 Co-existence with non-secure protocol traffic . 12
6 Optional security measure support. 12
7 Referencing standard requirements . 12
8 Conformance . 13
Bibliography . 14

IEC 62351-3:2014 © IEC 2014 – 3 –
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
POWER SYSTEMS MANAGEMENT AND ASSOCIATED INFORMATION
EXCHANGE – DATA AND COMMUNICATIONS SECURITY –

Part 3: Communication network and system security –
Profiles including TCP/IP
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 62351-3 has been prepared by IEC technical committee 57: Power
systems management and associated information exchange.
This standard cancels and replaces IEC TS 62351-3:2007.
The text of this standard is based on the following documents:
FDIS Report on voting
57/1498/FDIS 57/1515/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.

– 4 – IEC 62351-3:2014 © IEC 2014

This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
A list of all parts in the IEC 62351 series, published under the general title Power systems
management and associated information exchange – Data and communications security, can
be found on the IEC website.
The committee has decided that the contents of this publication will remain unchanged until
the stability date indicated on the IEC web site under "http://webstore.iec.ch" in the data
related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
IEC 62351-3:2014 © IEC 2014 – 5 –
POWER SYSTEMS MANAGEMENT AND ASSOCIATED INFORMATION
EXCHANGE – DATA AND COMMUNICATIONS SECURITY –

Part 3: Communication network and system security –
Profiles including TCP/IP
1 Scope
1.1 Scope
This part of IEC 62351 specifies how to provide confidentiality, integrity protection, and
message level authentication for SCADA and telecontrol protocols that make use of TCP/IP
as a message transport layer when cyber-security is required.
Although there are many possible solutions to secure TCP/IP, the particular scope of this part
is to provide security between communicating entities at either end of a TCP/IP connection
within the end communicating entities. The use and specification of intervening external
security devices (e.g. “bump-in-the-wire”) are considered out-of-scope.
This part of IEC 62351 specifies how to secure TCP/IP-based protocols through constraints
on the specification of the messages, procedures, and algorithms of Transport Layer Security
(TLS) (defined in RFC 5246) so that they are applicable to the telecontrol environment of the
IEC. TLS is applied to protect the TCP communication. It is intended that this standard be
referenced as a normative part of other IEC standards that have the need for providing
security for their TCP/IP-based protocol. However, it is up to the individual protocol security
initiatives to decide if this standard is to be referenced.
This part of IEC 62351 reflects the security requirements of the IEC power systems
management protocols. Should other standards bring forward new requirements, this standard
may need to be revised.
1.2 Intended Audience
The initial audience for this specification is intended to be experts developing or making use
of IEC protocols in the field of power systems management and associated information
exchange. For the measures described in this specification to take effect, they must be
accepted and referenced by the specifications for the protocols themselves, where the
protocols make use of TCP/IP security. This document is written to enable that process.
The subsequent audience for this specification is intended to be the developers of products
that implement these protocols.
Portions of this specification may also be of use to managers and executives in order to
understand the purpose and requirements of the work.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and
are indispensable for its application. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any
amendments) applies.
IEC TS 62351-1:2007, Power systems management and associated information exchange –
Data and communications security – Part 1: Communication network and system security –
Introduction to security issues
IEC TS 62351-2:2008, Power systems management and associated information exchange –
Data and communications security – Part 2: Glossary of terms

– 6 – IEC 62351-3:2014 © IEC 2014

IEC TS 62351-9, Power systems management and associated information exchange – Data
and communications security – Part 9: Key Management
ISO/IEC 9594-8, Information technology – Open Systems Interconnection – The Directory:
Public-key and attribute certificate frameworks
RFC 4492:2006, Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer
Security (TLS)
RFC 5246:2008, The TLS Protocol Version 1.2
RFC 5280:2008, Internet X.509 Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile
RFC 5746:2010, Transport Layer Security (TLS) Renegotiation Indication Extension
RFC 6066:2006, Transport Layer Security Extensions
RFC 6176:2011, Prohibiting Secure Sockets Layer (SSL) Version 2.0
3 Terms, definitions and abbreviations
3.1 Terms, definitions and abbreviations
For the purposes of this document, the terms, definitions and abbreviations given in IEC
TS 62351-2, Glossary, apply .
3.2 Additional abbreviations
CRL Certificate Revocation List
DER Distinguished Encoding Rules
ECDSA Elliptic Curve Digital Signature Algorithm
ECGDSA Elliptic Curve German Digital Signature Algorithm (see ISO/IEC 15946-2)
OCSP Online Certificate Status Protocol (see RFC 6960)
PIXIT Protocol Implementation eXtra Information for Testing
4 Security issues addressed by this standard
4.1 Operational requirements affecting the use of TLS in the telecontrol environment
The IEC telecontrol environment has different operational requirements from many
Information Technology (IT) applications that make use of TLS in order to provide security
protection. The most differentiating, in terms of security, is the duration of the TCP/IP
connection for which security needs to be maintained.
Many IT protocols have short duration connections, which allow the encryption algorithms to
be renegotiated at connection re-establishment. However, the connections within a telecontrol
environment tend to have longer durations, often “permanent”. It is the longevity of the
connections in the field of power systems management and associated information exchange
that give rise to the need for special consideration. In this regard, in order to provide
protection for the “permanent” connections, a mechanism for updating the session key is
specified within this standard, based upon the TLS features of session resumption and
session re-negotiation while also considering the relationship with certificate revocation state
information.
Another issue addressed within this standard is how to achieve interoperability between
different implementations. TLS allows for a wide variety of cipher suites to be supported and
___________
Under consideration.
This is typically referred
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

Loading comments...

記事のタイトル:SIST EN 62351-3:2015 - 電力システム管理と関連情報交換 - データおよび通信のセキュリティ - パート3:TCP/IPを含む通信ネットワークおよびシステムのセキュリティ - プロファイル 記事の内容:この記事は、SCADAおよびテレコントロールプロトコルにおいて、メッセージトランスポート層としてTCP/IPを使用する際に、機密性、改ざん検出、およびメッセージレベルの認証を提供する方法について規定されています。この規格はスマートグリッドシステムにとって重要です。

記事のタイトル: SIST EN 62351-3:2015 - 電力システム管理と関連情報の交換 - データと通信のセキュリティー - 第3部: 通信ネットワークとシステムのセキュリティー - TCP/IPを含むプロファイル 記事の内容: この規格は、TCP/IPをメッセージトランスポート層として使用するSCADAおよびテレコントロールプロトコルの機密性、改ざん検知、メッセージレベルの認証の提供方法について指定しています。 この出版物はスマートグリッドにとって重要なものです。

The article discusses the importance of the SIST EN 62351-3:2015 standard in ensuring data and communication security in power systems management. This standard focuses on safeguarding SCADA and telecontrol protocols that use TCP/IP as a message transport layer. It provides guidelines for maintaining confidentiality, detecting tampering, and ensuring message level authentication. This standard is particularly relevant for the Smart Grid.

제목: SIST EN 62351-3:2015 - 전력 시스템 관리 및 관련된 정보 교환 - 데이터 및 통신 보안 - 제 3부: 통신 네트워크 및 시스템 보안 - TCP/IP를 포함한 프로파일 내용: 이 문서는 메시지 전송 계층으로 TCP/IP를 사용하는 SCADA 및 텔레컨트롤 프로토콜의 기밀성, 조작 감지 및 메시지 수준 인증을 제공하는 방법에 대해 명시합니다. 이 출판물은 스마트 그리드에 핵심적인 영향을 미칩니다.

기사 제목: SIST EN 62351-3:2015 - 전력 시스템 관리 및 관련 정보 교환 - 데이터 및 통신 보안 - 파트 3: 통신 네트워크 및 시스템 보안 - TCP/IP를 포함한 프로필 기사 내용: 이 기사는 SCADA 및 원격 제어 프로토콜에서 TCP/IP를 메시지 전송 계층으로 사용하는 경우 기밀성, 침입 탐지 및 메시지 수준 인증을 제공하는 방법에 대해 명시하고 있습니다. 이 퍼블리케이션은 스마트 그리드에 중요합니다.

The article is about a technical specification called SIST EN 62351-3:2015. This specification focuses on providing security measures such as confidentiality, tamper detection, and message level authentication for protocols used in SCADA and telecontrol systems that use TCP/IP as a message transport layer. The specification is important for Smart Grid systems.

This May Also Interest You

SIST
SIST EN IEC 62351-9:2023(Main)
Power systems management and associated information exchange - Data and communications security - Part 9: Cyber security key management for power system equipment (IEC 62351-9:2023)
EN IEC 62351-9:2023

IEC 62351-9:2023 specifies cryptographic key management, primarily focused on the management of long-term keys, which are most often asymmetric key pairs, such as public-key certificates and corresponding private keys. As certificates build the base this document builds a foundation for many IEC 62351 services (see also Annex A). Symmetric key management is also considered but only with respect to session keys for group-based communication as applied in IEC 62351-6. The objective of this document is to define requirements and technologies to achieve interoperability of key management by specifying or limiting key management options to be used.
This document assumes that an organization (or group of organizations) has defined a security policy to select the type of keys and cryptographic algorithms that will be utilized, which may have to align with other standards or regulatory requirements. This document therefore specifies only the management techniques for these selected key and cryptography infrastructures. This document assumes that the reader has a basic understanding of cryptography and key management principles.
The requirements for the management of pairwise symmetric (session) keys in the context of communication protocols is specified in the parts of IEC 62351 utilizing or specifying pairwise communication such as:
• IEC 62351-3 for TLS by profiling the TLS options
• IEC 62351-4 for the application layer end-to-end security
• IEC TS 62351-5 for the application layer security mechanism for IEC 60870-5-101/104 and IEEE 1815 (DNP3)
The requirements for the management of symmetric group keys in the context of power system communication protocols is specified in IEC 62351-6 for utilizing group security to protect GOOSE and SV communication. IEC 62351-9 utilizes GDOI as already IETF specified group-based key management protocol to manage the group security parameter and enhances this protocol to carry the security parameter for GOOSE, SV, and PTP.
This document also defines security events for specific conditions which could identify issues which might require error handling. However, the actions of the organisation in response to these error conditions are beyond the scope of this document and are expected to be defined by the organizations security policy.
In the future, as public-key cryptography becomes endangered by the evolution of quantum computers, this document will also consider post-quantum cryptography to a certain extent. Note that at this time being no specific measures are provided.
This second edition cancels and replaces the first edition published in 2017. This edition constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous edition:
a) Certificate components and verification of the certificate components have been added;
b) GDOI has been updated to include findings from interop tests;
c) GDOI operation considerations have been added;
d) GDOI support for PTP (IEEE 1588) support has been added as specified by IEC/IEEE 61850-9-3 Power Profile;
e) Cyber security event logging has been added as well as the mapping to IEC 62351-14;
f) Annex B with background on utilized cryptographic algorithms and mechanisms has been added.

  • Standard
    147 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN IEC 62351-3:2023(Main)
Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP (IEC 62351-3:2023)
EN IEC 62351-3:2023

IEC 62351-3:2023 specifies how to provide confidentiality, integrity protection, and message level authentication for protocols that make use of TCP/IP as a message transport layer and utilize Transport Layer Security when cyber-security is required. This may relate to SCADA and telecontrol protocols, but also to additional protocols if they meet the requirements in this document.
IEC 62351-3 specifies how to secure TCP/IP-based protocols through constraints on the specification of the messages, procedures, and algorithms of Transport Layer Security (TLS) (TLSv1.2 defined in RFC 5246, TLSv1.3 defined in RFC 8446). In the specific clauses, there will be subclauses to note the differences and commonalities in the application depending on the target TLS version. The use and specification of intervening external security devices (e.g., "bump-in-the-wire") are considered out-of-scope.
In contrast to previous editions of this document, this edition is self-contained in terms of completely defining a profile of TLS. Hence, it can be applied directly, without the need to specify further TLS parameters, except the port number, over which the communication will be performed. Therefore, this part can be directly utilized from a referencing standard and can be combined with further security measures on other layers. Providing the profiling of TLS without the need for further specifying TLS parameters allows declaring conformity to the described functionality without the need to involve further IEC 62351 documents.
This document is intended to be referenced as a normative part of other IEC standards that have the need for providing security for their TCP/IP-based protocol exchanges under similar boundary conditions. However, it is up to the individual protocol security initiatives to decide if this document is to be referenced.
The document also defines security events for specific conditions, which support error handling, security audit trails, intrusion detection, and conformance testing. Any action of an organization in response to events to an error condition described in this document are beyond the scope of this document and are expected to be defined by the organization’s security policy.
This document reflects the security requirements of the IEC power systems management protocols. Should other standards bring forward new requirements, this document may need to be revised.
This second edition cancels and replaces the first edition published in 2014, Amendment 1:2018 and Amendment 2:2020. This edition constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous edition:
a) Inclusion of the TLSv1.2 related parameter required in IEC 62351-3 Ed.1.2 to be specified by the referencing standard. This comprises the following parameter:
• Mandatory TLSv1.2 cipher suites to be supported.
• Specification of session resumption parameters.
• Specification of session renegotiation parameters.
• Revocation handling using CRL and OCSP.
• Handling of security events.
b) Inclusion of a TLSv1.3 profile to be applicable for the power system domain in a similar way as for TLSv1.2 session.

  • Standard
    52 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    52 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN IEC 62351-5:2023(Main)
Power systems management and associated information exchange - Data and communications security - Part 5: Security for IEC 60870-5 and derivatives (IEC 62351-5:2023)
EN IEC 62351-5:2023

This part of IEC 62351 defines the application authentication mechanism (A-profile) specifying messages, procedures and algorithms for securing the operation of all protocols based on or derived from IEC 60870-5: Telecontrol Equipment and Systems - Transmission Protocols.
This Standard applies to at least those protocols listed in Table 1.
[Table 1]
The initial audience for this International Standard is intended to be the members of the working groups developing the protocols listed in Table 1.
For the measures described in this standard to take effect, they must be accepted and referenced by the specifications for the protocols themselves. This document is written to enable that process. The working groups in charge of take this standard to the specific protocols listed in Table 1 may choose not to do so.
The subsequent audience for this specification is intended to be the developers of products that implement these protocols.
Portions of this standard may also be of use to managers and executives in order to understand the purpose and requirements of the work.
This document is organized working from the general to the specific, as follows:
- Clauses 2 through 4 provide background terms, definitions, and references.
- Clause 5 describes the problems this specification is intended to address.
- Clause 6 describes the mechanism generically without reference to a specific protocol.
- Clauses 7 and 8 describe the mechanism more precisely and are the primary normative part of this specification.
- Clause 9 define the interoperability requirements for this authentication mechanism.
- Clause 10 describes the requirements for other standards referencing this specification
Unless specifically labelled as informative or optional, all clauses of this specification are normative.

  • Standard
    126 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN IEC 62351-6:2021(Main)
Power systems management and associated information exchange - Data and communications security - Part 6: Security for IEC 61850
EN IEC 62351-6:2020

IEC 62351-6:2020 specifies messages, procedures, and algorithms for securing the operation of all protocols based on or derived from the IEC 61850 series. This document applies to at least those protocols listed below:
IEC 61850-8-1 Communication networks and systems for power utility automation – Part 8-1: Specific communication service mapping (SCSM) – Mappings to MMS (ISO/IEC 9506-1 and ISO/IEC 9506-2) and to ISO/IEC 8802-3
IEC 61850-8-2 Communication networks and systems for power utility automation – Part 8-2: Specific communication service mapping (SCSM) – Mapping to Extensible Messaging Presence Protocol (XMPP)
IEC 61850-9-2 Communication networks and systems for power utility automation – Part 9-2: Specific communication service mapping (SCSM) – Sampled values over ISO/IEC 8802-3
IEC 61850-6 Communication networks and systems for power utility automation – Part 6: Configuration description language for communication in power utility automation systems related to IEDs
The initial audience for this document is intended to be the members of the working groups developing or making use of the protocols listed in Table 1. For the measures described in this specification to take effect, they must be accepted and referenced by the specifications for the protocols themselves. This document is written to enable that process.
The subsequent audience for this document is intended to be the developers of products that implement these protocols.
Portions of this document may also be of use to managers and executives in order to understand the purpose and requirements of the work.

  • Standard
    37 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN IEC 62351-4:2019/A1:2020(Amendment)
Power systems management and associated information exchange - Data and communications security - Part 4: Profiles including MMS and derivatives
EN IEC 62351-4:2018/A1:2020
  • Amendment
    44 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN IEC 62351-8:2020(Main)
Power systems management and associated information exchange - Data and communications security - Part 8: Role-based access control for power system management
EN IEC 62351-8:2020

IEC 62351-8: 2020 is to facilitate role-based access control (RBAC) for power system management. RBAC assigns human users, automated systems, and software applications (collectively called "subjects" in this document) to specified "roles", and restricts their access to only those resources, which the security policies identify as necessary for their roles.
As electric power systems become more automated and cyber security concerns become more prominent, it is becoming increasingly critical to ensure that access to data (read, write, control, etc.) is restricted. As in many aspects of security, RBAC is not just a technology; it is a way of running a business. RBAC is not a new concept; in fact, it is used by many operating systems to control access to system resources. Specifically, RBAC provides an alternative to the all-or-nothing super-user model in which all subjects have access to all data, including control commands.
RBAC is a primary method to meet the security principle of least privilege, which states that no subject should be authorized more permissions than necessary for performing that subject’s task. With RBAC, authorization is separated from authentication. RBAC enables an organization to subdivide super-user capabilities and package them into special user accounts termed roles for assignment to specific individuals according to their associated duties. This subdivision enables security policies to determine who or what systems are permitted access to which data in other systems. RBAC provides thus a means of reallocating system controls as defined by the organization policy. In particular, RBAC can protect sensitive system operations from inadvertent (or deliberate) actions by unauthorized users. Clearly RBAC is not confined to human users though; it applies equally well to automated systems and software applications, i.e., software parts operating independent of user interactions.
The following interactions are in scope:
– local (direct wired) access to the object by a human user; by a local and automated computer agent, or built-in HMI or panel;
– remote (via dial-up or wireless media) access to the object by a human user;
– remote (via dial-up or wireless media) access to the object by a remote automated computer agent, e.g. another object at another substation, a distributed energy resource at an end-user’s facility, or a control centre application.
While this document defines a set of mandatory roles to be supported, the exchange format for defined specific or custom roles is also in scope of this document.
Out of scope for this document are all topics which are not directly related to the definition of roles and access tokens for local and remote access, especially administrative or organizational tasks.

  • Standard
    77 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN 62351-3:2015/A2:2020(Amendment)
Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP
EN 62351-3:2014/A2:2020
  • Amendment
    13 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN IEC 62351-4:2019(Main)
Power systems management and associated information exchange - Data and communications security - Part 4: Profiles including MMS and derivatives
EN IEC 62351-4:2018

1.1 General
This part of IEC 62351 extends the scope of IEC TS 62351-4:2007 [1]1 by specifying a compatibility mode that provides interoperation with implementation based on IEC TS 62351- 4:2007 and by specifying extended capabilities referred to as native mode.
This part of IEC 62351 specifies security requirements both at the transport layer and at the application layer. While IEC TS 62351-4:2007 primarily provided some limited support at the application layer for authentication during handshake for the Manufacturing Message Specification (MMS) based applications, this document also provides support for extended integrity and authentication both for the handshake phase and for the data transfer phase. It provides for shared key management and data transfer encryption at the application layer and it provides security end-to-end (E2E) with zero or more intermediate entities. While IEC TS 62351-4:2007 only provides support for systems based on the MMS, i.e. systems using an Open Systems Interworking (OSI) protocol stack, this document also provides support for application protocols using other protocol stacks, e.g. an Internet protocol suite (see 4.1).
This support is extended to protect application protocols using XML encoding. This extended security at the application layer is referred to as E2E-security.
In addition to E2E security, this part of IEC 62351 also provides mapping to environmental protocols carrying the security related information. Only OSI and XMPP environments are currently considered.
It is intended that this part of IEC 62351 be referenced as a normative part of standards that have a need for using application protocols, e.g., MMS, in a secure manner. It is anticipated that there are implementations, in particular Inter-Control Centre Communications Protocol (ICCP) implementations that are dependent on the IEC TS 62351- 4:2007 specifications of the T-profile and the A-security-profile. The specifications from IEC TS 62351-4:2007 are therefore included in this part of IEC 62351. Implementations supporting these specifications will interwork with implementation based on IEC TS 62351-4:2007.
NOTE The A-security-profile is in the strict sense not a profile, but the term is here kept for historical reasons.
This document represents a set of mandatory and optional security specifications to be implemented to protect application protocols.
The initial audience for this document is the members of the working groups developing or making use of protocols. For the measures described in this part of IEC 62351 to take effect, they shall be accepted and referenced by the specifications for the protocols themselves.
The subsequent audience for this document is the developers of products that implement these protocols and the end user that want to specify requirements for its own environment.
Portions of this document may also be of use to managers and executives in order to understand the purpose and requirements of the work.

  • Standard
    113 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN 62351-3:2015/A1:2018(Amendment)
Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP
EN 62351-3:2014/A1:2018

This part of IEC 62351 specifies how to provide confidentiality, integrity protection, and message level authentication for SCADA and telecontrol protocols that make use of TCP/IP as a message transport layer when cyber-security is required.
Although there are many possible solutions to secure TCP/IP, the particular scope of this part is to provide security between communicating entities at either end of a TCP/IP connection within the end communicating entities. The use and specification of intervening external security devices (e.g. “bump-in-the-wire”) are considered out-of-scope.
This part of IEC 62351 specifies how to secure TCP/IP-based protocols through constraints on the specification of the messages, procedures, and algorithms of Transport Layer Security (TLS) (defined in RFC 5246) so that they are applicable to the telecontrol environment of the IEC. TLS is applied to protect the TCP communication. It is intended that this standard be referenced as a normative part of other IEC standards that have the need for providing security for their TCP/IP-based protocol. However, it is up to the individual protocol security initiatives to decide if this standard is to be referenced.
This part of IEC 62351 reflects the security requirements of the IEC power systems management protocols. Should other standards bring forward new requirements, this standard may need to be revised.

  • Amendment
    11 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN 62351-7:2018(Main)
Power systems management and associated information exchange - Data and communications security - Part 7: Network and System management (NSM) data object models
EN 62351-7:2017

IEC 62351-7:2017 defines network and system management (NSM) data object models that are specific to power system operations. These NSM data objects will be used to monitor the health of networks and systems, to detect possible security intrusions, and to manage the performance and reliability of the information infrastructure. The goal is to define a set of abstract objects that will allow the remote monitoring of the health and condition of IEDs (Intelligent Electronic Devices), RTUs (Remote Terminal Units), DERs (Distributed Energy Resources) systems and other systems that are important to power system operations. This new edition constitutes a technical revision and includes the following significant technical changes with respect to IEC TS 62351-7 (2010): NSM object data model reviewed and enriched; UML model adopted for NSM objects description; SNMP protocol MIBs translation included as Code Components.
The Code Components included in this IEC standard are also available as electronic machine
readable file at: http://www.iec.ch/tc57/supportdocuments/IEC_62351-7.MIBS.light.zip.

  • Standard
    237 pages
    English language
    sale 10% off
    e-Library read for
    1 day