Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP


General Information

Status: Published
Publication Date: 10-May-2020
Technical Committee:
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 06-May-2020
Due Date: 11-Jul-2020
Completion Date: 11-May-2020

Amendment
SIST EN 62351-3:2015/A2:2020
English language
13 pages
Standards Content (sample)

SLOVENIAN STANDARD
SIST EN 62351-3:2015/A2:2020
01-June-2020

Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP - Amendment A2

This Slovenian standard is identical to: EN 62351-3:2014/A2:2020

ICS:
29.240.30 Control equipment for electric power systems
35.240.50 IT applications in industry

SIST EN 62351-3:2015/A2:2020 en

2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.

EUROPEAN STANDARD EN 62351-3:2014/A2
May 2020
ICS 33.200
English Version

Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP
(IEC 62351-3:2014/A2:2020)

This amendment A2 modifies the European Standard EN 62351-3:2014; it was approved by CENELEC on 2020-04-02. CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this amendment the status of a national standard without any alteration.

Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CENELEC member.

This amendment exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

European Committee for Electrotechnical Standardization
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels

© 2020 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.

Ref. No. EN 62351-3:2014/A2:2020 E
EN 62351-3:2014/A2:2020 (E)
European foreword

The text of document 57/2149/FDIS, future IEC 62351-3/A2, prepared by IEC/TC 57 "Power systems management and associated information exchange" was submitted to the IEC-CENELEC parallel vote and approved by CENELEC as EN 62351-3:2014/A2:2020.

The following dates are fixed:

• latest date by which the document has to be implemented at national level by publication of an identical national standard or by endorsement (dop) 2021-01-02
• latest date by which the national standards conflicting with the document have to be withdrawn (dow) 2023-04-02

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.

This document has been prepared under a mandate given to CENELEC by the European Commission and the European Free Trade Association.

Endorsement notice

The text of the International Standard IEC 62351-3:2014/A2:2020 was approved by CENELEC as a European Standard without any modification.

In the official version, for Bibliography, the following notes have to be added for the standards indicated:

IEC 62351-7 NOTE Harmonized as EN 62351-7
IEC 62351-14 (footnote 1) NOTE Harmonized as EN IEC 62351-14 (footnote 2)

Footnote 1: To be published. Stage at the time of publication: IEC/PCC 62351-14:2020.
Footnote 2: To be published. Stage at the time of publication: prEN IEC 62351-14:2019.

Annex ZA
(normative)
Normative references to international publications with their corresponding European publications

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

NOTE 1 Where an International Publication has been modified by common modifications, indicated by (mod), the relevant EN/HD applies.

NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available here: www.cenelec.eu.

Add the following reference:

Publication | Year | Title | EN/HD | Year
IEC 62351-7 | - | Power systems management and associated information exchange - Data and communications security - Part 7: Network and System Management (NSM) data object models | EN 62351-7 | -

IEC 62351-3
Edition 1.0 2020-02
INTERNATIONAL STANDARD
AMENDMENT 2

Power systems management and associated information exchange – Data and communications security –
Part 3: Communication network and system security – Profiles including TCP/IP

INTERNATIONAL ELECTROTECHNICAL COMMISSION
ICS 33.200 ISBN 978-2-8322-7713-3

Warning! Make sure that you obtained this publication from an authorized distributor.

® Registered trademark of the International Electrotechnical Commission

IEC 62351-3:2014/AMD2:2020
© IEC 2020

FOREWORD

This amendment to International Standard IEC 62351-3 has been prepared by IEC technical committee 57: Power systems management and associated information exchange.

The text of this standard is based on the following documents:

FDIS | Report on voting
57/2149/FDIS | 57/2167/RVD

Full information on the voting for the approval of this standard can be found in the report on voting indicated in the above table.

This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.

A list of all parts in the IEC 62351 series, published under the general title Power systems management and associated information exchange – Data and communications security, can be found on the IEC website.

The committee has decided that the contents of this publication will remain unchanged until the stability date indicated on the IEC web site under "http://webstore.iec.ch" in the data related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
____________

INTRODUCTION to Amendment 2

This amendment to International Standard IEC 62351-3 and its Amendment 1 (2018) has been prepared in order to address the following issues:

– Support for TLS versions 1.1 and 1.0 is made optional instead of mandatory to address known weaknesses. This is aligned with the defined security warnings for TLS versions 1.1 and 1.0.
– Update of TLS version handling during renegotiation and resumption to avoid TLS version downgrade/upgrade within the same session.
– Updated explanatory text for session renegotiation to make the communication relations clearer.
– Deprecation of RSA1024 and SHA-1 algorithms. This underlines the desire to disallow them in the next edition.
– Inclusion of PICS section for mandatory and optional settings in TLS.
– Updated text for and enhancements of security events to better align with IEC 62351-14.
– Inclusion of general remarks for the security event handling.
– Update of references.

Moreover, explanatory text has been included to better describe certain options as well as an adjustment to the requirements for referencing standards.

2 Normative references

Add the following new document to the list of references:

IEC 62351-7, Power systems management and associated information exchange – Data and communications security – Part 7: Network and System Management (NSM) data object models

4 Security issues addressed by this standard

4.2 Security threats countered

Replace the existing text of the second paragraph of Subclause 4.2 as modified by Amendment 1 with the following new text:

TCP/IP and the security specifications in this part of IEC 62351 cover only the communication transport layers (OSI layers 4 and lower). Specifically, TLS protects the transported messages from OSI layer 5 and above in a transparent way. This part of IEC 62351 does not cover security functionality specific for the communication application layers (OSI layers 5 and above) or application-to-application security.

Add, after existing Subclause 4.3 as modified by Amendment 1, the following new Subclause 4.4:

4.4 Handling of security events

Throughout the document security events are defined as warnings and alarms. These security events are intended to support the error handling and thus to increase system resilience. Implementations should provide a mechanism for announcing security events.

It is recommended that the security warnings and alarms throughout the document are implemented by cyber security events as specified by IEC 62351-14 or by monitoring objects as specified by IEC 62351-7.

Note that warnings and alarms are used to indicate the severity of an event from a security point of view. The following notion is used:

– A warning is intended to raise awareness but to indicate that it may be safe to proceed.
– An alarm is an indication to not proceed.

In any case, it is expected that an operator’s security policy determines the final handling based on the operational environment.

5 Mandatory requirements

5.1 Deprecation of cipher suites

Replace the existing text of the second paragraph of Subclause 5.1 with the following new text:

If the communication connection is encrypted the following cipher suites may be used:

– TLS_RSA_WITH_NULL_SHA
– TLS_RSA_WITH_NULL_SHA256

Replace the existing text of the fourth paragraph of Subclause 5.1 as added by Amendment 1 with the following new text:

The support of SHA-1 is deprecated. Its use is limited to backward compatibility. SHA-256 shall be supported and is the preferred hash algorithm to be used.

Add, at the end of Subclause 5.1, the following new text:

The failure in finding a matching cipher suite during the TLS handshake shall raise a security event ("alarm: no matching TLS cipher suites").

5.2 Negotiation of versions

Replace the existing text of the first paragraph of Subclause 5.2 with the following new text:

TLS v1.2 as defined in RFC 5246 (sometimes referred to as SSL v3.3) is the default version that shall be supported. Higher versions may be supported.

NOTE 1 This document refers to features defined for TLS 1.2. Higher versions of TLS, like TLS 1.3, do not necessarily support all features listed in this document.

It is recommended that the TLS client initiating a TLS connection indicates the highest TLS version supported in the ClientHello message of the TLS handshake. The receiving TLS server may accept higher versions if functionally supported and allowed by the security policy of the operating environment.

To ensure backward compatibility implementations may optionally support TLS version 1.0 and 1.1 (sometimes referred to as SSL v3.1 and v3.2). The TLS handshake provides a built-in mechanism that shall be used to support version negotiation. The peer initiating a TLS connection shall always indicate the highest TLS version supported during the TLS handshake message. The application of TLS versions other than v1.2 is a matter of the local security policy.

Proposal of versions prior to TLS 1.0 shall result in no secure connection being established (see also RFC 6176).

NOTE 2 For TLS 1.0 and TLS 1.1 certain security issues are known. The optional support is

...
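
The version and cipher suite rules of Subclauses 5.1 and 5.2 above, sketched as an added example that is not part of the standard: a server-side check that turns a ClientHello's highest offered version and cipher suite list into an accept or reject decision plus security events. The LocalPolicy class, the negotiate function, the AES-GCM suite in the default policy, the simplified (3, 4) ordering for TLS 1.3 and every event text except "alarm: no matching TLS cipher suites" are assumptions made for illustration.

```python
from dataclasses import dataclass

# (major, minor) wire versions; the standard calls TLS 1.0/1.1/1.2 "SSL v3.1/v3.2/v3.3".
SSL3_0, TLS1_0, TLS1_1, TLS1_2, TLS1_3 = (3, 0), (3, 1), (3, 2), (3, 3), (3, 4)

@dataclass(frozen=True)
class LocalPolicy:
    """Hypothetical local security policy; field names are assumptions."""
    allow_legacy: bool = False          # optional TLS 1.0/1.1 support (5.2)
    highest_supported: tuple = TLS1_2   # TLS 1.2 is the mandatory default
    cipher_suites: tuple = ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",)  # assumed

def negotiate(client_max, client_suites, policy):
    """Return (version, suite, events); version is None when no connection is set up."""
    if client_max < TLS1_0:
        # 5.2: a proposal prior to TLS 1.0 results in no secure connection.
        return None, None, ["alarm: TLS version prior to 1.0 proposed"]  # constructed text
    events = []
    version = min(client_max, policy.highest_supported)
    if version < TLS1_2:
        if not policy.allow_legacy:
            # Constructed event text: local policy does not permit TLS 1.0/1.1.
            return None, None, ["alarm: TLS version not allowed by local policy"]
        # A warning: awareness is raised, but the handshake may proceed (4.4).
        events.append("warning: legacy TLS version negotiated")  # constructed text
    suite = next((s for s in policy.cipher_suites if s in client_suites), None)
    if suite is None:
        # 5.1: event text as given in the amendment; an alarm means do not proceed.
        return None, None, events + ["alarm: no matching TLS cipher suites"]
    return version, suite, events

def run_samples():
    """Evaluate constructed ClientHello summaries against a legacy-tolerant policy."""
    policy = LocalPolicy(allow_legacy=True)
    gcm = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    hellos = [(TLS1_3, [gcm]), (TLS1_1, [gcm]), (SSL3_0, [gcm]),
              (TLS1_2, ["TLS_RSA_WITH_NULL_SHA256"])]
    return [negotiate(v, s, policy) for v, s in hellos]

if __name__ == "__main__":
    for result in run_samples():
        print(result)
```
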
