Power systems management and associated information exchange - Data and communications security - Part 5: Security for IEC 60870-5 and derivatives (IEC 62351-5:2023)

This part of IEC 62351 defines the application authentication mechanism (A-profile) specifying messages, procedures and algorithms for securing the operation of all protocols based on or derived from IEC 60870-5: Telecontrol Equipment and Systems - Transmission Protocols.
This Standard applies to at least those protocols listed in Table 1.
[Table 1]
The initial audience for this International Standard is intended to be the members of the working groups developing the protocols listed in Table 1.
For the measures described in this standard to take effect, they must be accepted and referenced by the specifications for the protocols themselves. This document is written to enable that process. The working groups in charge of take this standard to the specific protocols listed in Table 1 may choose not to do so.
The subsequent audience for this specification is intended to be the developers of products that implement these protocols.
Portions of this standard may also be of use to managers and executives in order to understand the purpose and requirements of the work.
This document is organized working from the general to the specific, as follows:
- Clauses 2 through 4 provide background terms, definitions, and references.
- Clause 5 describes the problems this specification is intended to address.
- Clause 6 describes the mechanism generically without reference to a specific protocol.
- Clauses 7 and 8 describe the mechanism more precisely and are the primary normative part of this specification.
- Clause 9 define the interoperability requirements for this authentication mechanism.
- Clause 10 describes the requirements for other standards referencing this specification
Unless specifically labelled as informative or optional, all clauses of this specification are normative.

Energiemanagementsysteme und zugehöriger Datenaustausch – IT-Sicherheit für Daten und Kommunikation – Teil 5: Sicherheit für IEC 60870-5 und Derivate (IEC 62351-5:2023)

Gestion des systèmes de puissance et échanges d’informations associées - Sécurité des communications et des données - Partie 5: Aspects de sécurité pour l’IEC 60870-5 et ses dérivés (IEC 62351-5:2023)

IEC 62351-5:2023 définit le mécanisme de communication sécurisée du profil d'application (profil A) qui spécifie les messages, les procédures et les algorithmes pour sécuriser le fonctionnement de tous les protocoles fondés sur ou dérivés de l’IEC 60870-5, Matériels et systèmes de téléconduite – Protocoles de transmission.
Pour que les mesures décrites dans le présent document entrent en application, elles doivent être acceptées et référencées par les spécifications des protocoles eux-mêmes. Le présent document est rédigé dans le but de permettre ce processus.
Il est prévu que les lecteurs suivants du présent document soient les personnes chargées d’élaborer les produits qui mettent en œuvre ces protocoles.
Certaines parties du présent document peuvent également être utiles aux gestionnaires et aux cadres dirigeants pour comprendre le but et les exigences du travail.
Ce document est organisé du plus général au plus spécifique, comme suit:
• les Articles 2 à 4 fournissent des termes, des définitions et des références de contexte;
• l’Article 5 décrit les problèmes que la présente spécification est destinée à traiter;
• l’Article 6 décrit le mécanisme de manière générale, sans référence à un protocole spécifique;
• les Articles 7 et 8 décrivent le mécanisme plus précisément. Ils constituent la partie normative principale de la présente spécification;
• l’Article 9 définit les exigences d’interopérabilité pour ce mécanisme de communication sécurisée y compris la relation entre cette norme et la CEI 62351-3 pour la sécurité de la couche transport;
• l’Article 10 décrit les exigences des autres normes qui font référence au présent document.
Il est attendu que les actions d’une organisation en réponse aux événements et conditions d’erreurs décrits dans le présent document soient définies par la politique de sécurité de l’organisme. Elles ne relèvent pas du domaine d’application du présent document.
Cette Norme internationale annule et remplace l'IEC TS 62351-5 parue en 2013. Elle constitue une révision technique. Les modifications principales présentées dans la présente Norme internationale sont les suivantes:
a) le mécanisme de communication sécurisée est réalisé par une association poste de conduite/poste téléconduit;
b) la gestion des Utilisateurs, qui sert à ajouter, modifier ou supprimer un Utilisateur, a été supprimée;
c) la méthode symétrique, qui sert à modifier la Clé de Mise à Jour, a été supprimée;
d) la méthode asymétrique, qui sert à modifier la Clé de Mise à Jour, a été révisée;
e) la procédure et les concepts de Stimulation/Réponse ont été supprimés;
f) le concept de Mode Agressif a été remplacé par le mécanisme d’échange de messages de Données Sécurisées;
g) un chiffrement authentifié des données d’application a été ajouté;
h) la liste des algorithmes de sécurité admis a été mise à jour;
i) les règles de calcul des numéros de séquence des messages ont été mises à jour;
j) la surveillance et l’enregistrement des événements ont été ajoutés.

Upravljanje elektroenergetskega sistema in pripadajoča izmenjava informacij - Varnost podatkov in komunikacij - 5. del: Varnost za IEC 60870-5 in izpeljanke (IEC 62351-5:2023)

Ta del standarda IEC 62351 opredeljuje mehanizem za ugotavljanje pristnosti uporabe (profil A), ki določa sporočila, postopke in algoritme za zavarovanje delovanja vseh protokolov, ki temeljijo na standardu IEC 60870-5 ali iz njega izhajajo: Oprema in sistemi na daljinsko vodenje – Protokoli prenosa.
Ta standard se uporablja vsaj za protokole, navedene v preglednici 1.
[Preglednica 1]
Namembni uporabniki tega mednarodnega standarda so člani delovnih skupin, ki razvijajo protokole, navedene v preglednici 1.
Ukrepi, opisani v tem standardu, stopijo v veljavo, ko so sprejeti in sklicevani v samih specifikacijah protokolov. Ta dokument je napisan, da se omogoči ta postopek. Delovne skupine, odgovorne za razvoj tega standarda za posebne protokole iz preglednice 1, se lahko odločijo, da tega ne bodo storile.
Posledično je ta specifikacija namenjena razvijalcem proizvodov, ki izvajajo te protokole.
Deli tega standarda lahko pomagajo tudi direktorjem in vodjem pri razumevanju namena in zahtev dela.
Ta dokument je organiziran od splošnega do posebnega, kot sledi:
– V točkah od 2 do 4 so navedeni osnovni izrazi, opredelitve in sklicevanja.
– V točki 5 so opisani problemi, ki naj bi jih ta specifikacija obravnavala.
– V točki 6 je mehanizem opisan na splošno brez sklicevanja na poseben protokol.
– Točki 7 in 8 natančneje opisujeta mehanizem in predstavljata glavni normativni del te specifikacije.
– Točka 9 opredeljuje zahteve za interoperabilnost tega mehanizma za ugotavljanje pristnosti.
– Točka 10 opisuje zahteve za druge standarde, ki se sklicujejo na to specifikacijo.
Če niso posebej označeni kot informativni ali neobvezni, so vsi členi te specifikacije normativni.

General Information

Status
Published
Publication Date
12-Mar-2023
Technical Committee
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
01-Mar-2023
Due Date
06-May-2023
Completion Date
13-Mar-2023

Buy Standard

Standard
EN IEC 62351-5:2023 - BARVE
English language
126 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)

SLOVENSKI STANDARD
SIST EN IEC 62351-5:2023
01-april-2023
Upravljanje elektroenergetskega sistema in pripadajoča izmenjava informacij -
Varnost podatkov in komunikacij - 5. del: Varnost za IEC 60870-5 in izpeljanke (IEC
62351-5:2023)
Power systems management and associated information exchange - Data and
communications security - Part 5: Security for IEC 60870-5 and derivatives (IEC 62351-
5:2023)
Energiemanagementsysteme und zugehöriger Datenaustausch – IT-Sicherheit für Daten
und Kommunikation – Teil 5: Sicherheit für IEC 60870-5 und Derivate (IEC 62351-
5:2023)
Gestion des systèmes de puissance et échanges d’informations associées - Sécurité des
communications et des données - Partie 5: Aspects de sécurité pour l’IEC 60870-5 et
ses dérivés (IEC 62351-5:2023)
Ta slovenski standard je istoveten z: EN IEC 62351-5:2023
ICS:
29.240.30 Krmilna oprema za Control equipment for electric
elektroenergetske sisteme power systems
35.240.50 Uporabniške rešitve IT v IT applications in industry
industriji
SIST EN IEC 62351-5:2023 en
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST EN IEC 62351-5:2023

---------------------- Page: 2 ----------------------
SIST EN IEC 62351-5:2023


EUROPEAN STANDARD EN IEC 62351-5

NORME EUROPÉENNE

EUROPÄISCHE NORM February 2023
ICS 33.200

English Version
Power systems management and associated information
exchange - Data and communications security - Part 5: Security
for IEC 60870-5 and derivatives
(IEC 62351-5:2023)
Gestion des systèmes de puissance et échanges Energiemanagementsysteme und zugehöriger
d'informations associées - Sécurité des communications et Datenaustausch - IT-Sicherheit für Daten und
des données - Partie 5: Aspects de sécurité pour l'IEC Kommunikation - Teil 5: Sicherheit für IEC 60870-5 und
60870-5 et ses dérivés Derivate
(IEC 62351-5:2023) (IEC 62351-5:2023)
This European Standard was approved by CENELEC on 2023-02-17. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Türkiye and the United Kingdom.


European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2023 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
 Ref. No. EN IEC 62351-5:2023 E

---------------------- Page: 3 ----------------------
SIST EN IEC 62351-5:2023
EN IEC 62351-5:2023 (E)
European foreword
The text of document 57/2516/FDIS, future edition 1 of IEC 62351-5, prepared by IEC/TC 57 "Power
systems management and associated information exchange" was submitted to the IEC-CENELEC
parallel vote and approved by CENELEC as EN IEC 62351-5:2023.
The following dates are fixed:
• latest date by which the document has to be implemented at national (dop) 2023-08-17
level by publication of an identical national standard or by endorsement
• latest date by which the national standards conflicting with the (dow) 2026-02-17
document have to be withdrawn

Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national committee. A
complete listing of these bodies can be found on the CENELEC website.
Endorsement notice
The text of the International Standard IEC 62351-5:2023 was approved by CENELEC as a European
Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standard indicated:
IEC 60870-5-101:2003 NOTE Approved as EN 60870-5-101:2003 (not modified)
IEC 60870-5-102 NOTE Approved as EN 60870-5-102
IEC 60870-5-103 NOTE Approved as EN 60870-5-103
IEC 60870-5-104 NOTE Approved as EN 60870-5-104
2

---------------------- Page: 4 ----------------------
SIST EN IEC 62351-5:2023
EN IEC 62351-5:2023 (E)
Annex A
(normative)

Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1 Where an International Publication has been modified by common modifications, indicated by (mod), the
relevant EN/HD applies.
NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available
here: www.cenelec.eu.
Publication Year Title EN/HD Year
IEC 60870-5 series Telecontrol equipment and systems – EN 60870-5 series
Part 5: Transmission protocols
IEC/TS 62351-1 - Power systems management and - -
associated information exchange - Data
and communications security - Part 1:
Communication network and system
security - Introduction to security issues
IEC/TS 62351-2 - Power systems management and - -
associated information exchange - Data
and communications security - Part 2:
Glossary of terms
IEC 62351-3 - Power systems management and EN 62351-3 -
associated information exchange - Data
and communications security - Part 3:
Communication network and system
security - Profiles including TCP/IP
IEC 62351-7 - Power systems management and EN 62351-7 -
associated information exchange - Data
and communications security - Part 7:
Network and System Management (NSM)
data object models
IEC 62351-8 - Power systems management and EN IEC 62351-8 -
associated information exchange - Data
and communications security - Part 8:
Role-based access control for power
system management
1
IEC 62351-14 - Power systems management and - -
associated information exchange - Data
and communications security - Part 14:
Cyber security event logging

1
Under preparation. Stage at the time of publication: IEC ACDV 62351-14:2021.
3

---------------------- Page: 5 ----------------------
SIST EN IEC 62351-5:2023
EN IEC 62351-5:2023 (E)
IETF RFC 2104 - HMAC: Keyed-Hashing for Message - -
Authentication
IETF RFC 3394 - Advanced Encryption Standard (AES) Key - -
Wrap Algorithm
IETF RFC 5116 - An Interface and Algorithms for - -
Authenticated Encryption
IETF RFC 5869 - HMAC-based Extract-and-Expand Key - -
Derivation Function
IETF RFC 7693 - The BLAKE2 Cryptographic Hash and - -
Message Authentication Code (MAC)
IETF RFC 7748 - Elliptic Curves for Security - -
SEC2-V2 - Standards for Efficient Cryptography - -
SEC2: Recommended Elliptic Curve
Domain parameters - Version 2.0

4

---------------------- Page: 6 ----------------------
SIST EN IEC 62351-5:2023




IEC 62351-5

®


Edition 1.0 2023-01




INTERNATIONAL



STANDARD




NORME


INTERNATIONALE
colour

inside










Power systems management and associated information exchange – Data and

communications security –

Part 5: Security for IEC 60870-5 and derivatives



Gestion des systèmes de puissance et échanges d’informations associés –

Sécurité des communications et des données –


Partie 5: Aspects de sécurité pour l’IEC 60870-5 et ses dérivés













INTERNATIONAL

ELECTROTECHNICAL

COMMISSION


COMMISSION

ELECTROTECHNIQUE


INTERNATIONALE




ICS 33.200 ISBN 978-2-8322-6017-3




Warning! Make sure that you obtained this publication from an authorized distributor.

Attention! Veuillez vous assurer que vous avez obtenu cette publication via un distributeur agréé.

® Registered trademark of the International Electrotechnical Commission
Marque déposée de la Commission Electrotechnique Internationale

---------------------- Page: 7 ----------------------
SIST EN IEC 62351-5:2023
– 2 – IEC 62351-5:2023 © IEC 2023
CONTENTS
FOREWORD . 6
1 Scope . 8
2 Normative references . 9
3 Terms and definitions . 10
4 Abbreviated terms . 11
5 Problem description . 12
5.1 Overview of clause . 12
5.2 Specific threats addressed . 12
5.3 Design issues . 12
5.3.1 Overview of subclause . 12
5.3.2 Asymmetric communications . 12
5.3.3 Message-oriented . 12
5.3.4 Poor sequence numbers or no sequence numbers . 13
5.3.5 Limited processing power . 13
5.3.6 Limited bandwidth . 13
5.3.7 No access to authentication server . 13
5.3.8 Limited frame length . 13
5.3.9 Limited checksum . 14
5.3.10 Radio systems . 14
5.3.11 Dial-up systems . 14
5.3.12 Variety of protocols affected . 14
5.3.13 Differing data link layers . 14
5.3.14 Long upgrade intervals . 15
5.3.15 Remote sites . 15
5.3.16 Unreliable media . 15
5.4 General principles . 15
5.4.1 Overview of subclause . 15
5.4.2 Application layer only . 15
5.4.3 Generic definition mapped onto different protocols . 15
5.4.4 Bi-directional . 15
5.4.5 Management of cryptographic keys . 15
5.4.6 Backwards tolerance . 16
5.4.7 Upgradeable . 16
5.4.8 Multiple connections . 16
6 Theory of operation . 16
6.1 Overview of clause . 16
6.2 The secure communication . 16
6.2.1 Basic concepts . 16
6.2.2 Association ID . 17
6.2.3 Authenticating . 18
6.2.4 Central Authority . 18
6.2.5 Role Based Access Control (RBAC) . 18
6.2.6 Cryptographic keys . 18
6.2.7 Security statistics . 22
6.2.8 Security events . 22
7 Functional requirements . 22

---------------------- Page: 8 ----------------------
SIST EN IEC 62351-5:2023
IEC 62351-5:2023 © IEC 2023 – 3 –
7.1 Overview of clause . 22
7.2 Procedures Overview . 22
7.3 State machine overview . 23
7.4 Timers and counters . 25
7.5 Security statistics and events . 25
7.5.1 General . 25
7.5.2 Special security thresholds . 29
7.5.3 Security statistics reporting . 29
7.5.4 Security events monitoring and logging . 29
8 Formal procedures . 30
8.1 Overview of subclause . 30
8.2 Distinction between messages and ASDUs . 30
8.2.1 General . 30
8.2.2 Messages datatypes and notations . 30
8.3 Station Association procedure . 30
8.3.1 General . 30
8.3.2 Public key certificates . 31
8.3.3 Configuration of authorized remote stations . 33
8.3.4 Pre-requisites to initiate the Station Association procedure . 33
8.3.5 Messages definition . 33
8.3.6 Controlling station state machine . 42
8.3.7 Controlled station state machine . 52
8.3.8 Verification of remote station’s certificate . 61
8.3.9 Verification of certificates during normal operations . 61
8.3.10 Update Keys derivation . 62
8.3.11 Controlling station directives for Station Association and Update Keys
management . 63
8.3.12 Controlled station directives for Station Association and Update Keys
management . 63
8.3.13 Initializing and updating Stations Association and Update Keys . 65
8.4 Session Key Change procedure . 66
8.4.1 General . 66
8.4.2 Messages definition . 67
8.4.3 Controlling station state machine . 76
8.4.4 Controlled station state machine . 85
8.4.5 Controlling station directives for Session Keys management. 93
8.4.6 Controlled station directives for Session Keys management . 93
8.4.7 Initializing and changing Session Keys . 94
8.5 Secure Data Exchange . 95
8.5.1 General . 95
8.5.2 Messages definition . 96
8.5.3 Controlling station state machine . 100
8.5.4 Controlled station state machine . 105
8.5.5 Controlling station directives for Secure Data Exchange . 109
8.5.6 Controlled station directives for Secure Data Exchange . 109
8.5.7 Example of Secure Data exchange during Station Association . 110
8.5.8 Example of Secure Data Exchange during Session Key Change . 111
9 Interoperability requirements . 113
9.1 Overview of clause . 113

---------------------- Page: 9 ----------------------
SIST EN IEC 62351-5:2023
– 4 – IEC 62351-5:2023 © IEC 2023
9.2 Minimum requirements . 113
9.2.1 Overview of subclause . 113
9.2.2 Authentication algorithms . 113
9.2.3 Key wrap / transport algorithms . 113
9.2.4 Cryptographic keys . 114
9.2.5 Cryptographic curves . 114
9.2.6 Configurable values . 114
9.2.7 Cryptographic information . 116
9.3 Options . 116
9.3.1 Overview of subclause . 116
9.3.2 MAC/AEAD algorithms . 117
9.3.3 Key wrap / transport algorithms . 117
9.3.4 Cryptographic curves . 117
9.4 Use with TCP/IP . 117
9.5 Use with redundant channels . 117
10 Requirements for referencing this standard . 118
10.1 Overview of clause . 118
10.2 Selected options . 118
10.3 Message format mapping . 118
10.4 Reference to procedures . 118
10.5 Protocol information . 118
10.6 Controlled station response to unauthorized operations requests . 119
10.7 Transmission of security statistics . 119
10.8 Configurable values . 119
10.9 Protocol implementation conformance statement . 119
Annex A (informative) Security Event mapping to IEC 62351-14 . 120
A.1 General . 120
A.2 Mapping of IEC 62351-5 events specified in this document . 120
Bibliography . 122

Figure 1 – Overview of interaction between Central Authority and stations . 21
Figure 2 – Sequence of procedures . 23
Figure 3 – Station Association procedure . 34
Figure 4 – Station Association – Controlling station state machine . 43
Figure 5 – Station Association – Controlled station state machine . 53
Figure 6 – Example of Association ID, Update Keys and Session Keys initialization. 66
Figure 7 – Session Key Change procedure . 67
Figure 8 – Session Key Change – Controlling station state machine . 77
Figure 9 – Session Key Change – Controlled station state machine . 86
Figure 10 – Example of Session Key initialization and periodic update . 95
Figure 11 – Secure Data Exchange . 96
Figure 12 – Secure Data Exchange – Controlling station state machine . 101
Figure 13 – Secure Data Exchange – Controlled station state machine . 106
Figure 14 – Example of Secure Data Exchange during Station Association . 111
Figure 15 – Example of Secure Data messages exchanged during Session Key
Change . 112

---------------------- Page: 10 ----------------------
SIST EN IEC 62351-5:2023
IEC 62351-5:2023 © IEC 2023 – 5 –
Table 1 – Scope of application to standards . 8
Table 2 – Summary of symmetric keys used . 19
Table 3 – Summary of asymmetric keys used . 19
Table 4 – States used in the controlling station state machine . 24
Table 5 – States used in the controlled station state machine . 24
Table 6 – Summary of timers and counters used . 25
Table 7 – Security statistics and associated events . 26
Table 8 – Elliptic curves . 31
Table 9 – Association Request message . 35
Table 10 – Association Response message . 36
Table 11 – Update Key Change Request message. 38
Table 12 – Data Included in MAC calculation (in order) . 40
Table 13 – Update Key Change Response message . 40
Table 14 – Data Included in MAC calculation (in order) . 41
Table 15 – Controlling station state machine: Station Association . 44
Table 16 – Controlled station state machine: Station Association . 54
Table 17 – List of pre-defined role-to-permission assignment . 64
Table 18 – Session Request message . 68
Table 19 – Session Response message . 70
Table 20 – Data Included in MAC calculation (in order) . 71
Table 20 – Session Key Change Request message . 72
Table 21 – Data Included in WKD (in order) . 73
Table 22 – Example of Session Key order . 74
Table 23 – Data Included in the MAC calculation (in order) . 74
Table 25 – Session Key Change Response message . 75
Table 26 – Data Included in the MAC calculation (in order) . 75
Table 27 – Controlling station state machine: Session Key Change . 78
Table 28 – Controlled station state machine: Session Key Change . 87
Table 29 – Secure Data message . 97
Table 29 – Secure Data Payload using MAC algorithm . 98
Table 31 – Data included in the MAC calculation in Secure Data Payload (in order) . 99
Table 32 – AEAD algorithm parameters to generate the Secure Data Payload (in order) . 99
Table 33 – Controlling station state machine: Secure Data Exchange . 102
Table 34 – Controlled station state machine: Secure Data Exchange . 107
Table 35 – Configuration of cryptographic information . 116
Table 36 – Legend for configuration of cryptographic information. 116
Table A.1 – Security event logs defined in IEC 62351-5 Ed.1 mapped to IEC 62351-14 . 120

---------------------- Page: 11 ------
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.