Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP

This part of IEC 62351 specifies how to provide confidentiality, integrity protection, and message level authentication for SCADA and telecontrol protocols that make use of TCP/IP as a message transport layer when cyber-security is required. Although there are many possible solutions to secure TCP/IP, the particular scope of this part is to provide security between communicating entities at either end of a TCP/IP connection within the end communicating entities. The use and specification of intervening external security devices (e.g. “bump-in-the-wire”) are considered out-of-scope. This part of IEC 62351 specifies how to secure TCP/IP-based protocols through constraints on the specification of the messages, procedures, and algorithms of Transport Layer Security (TLS) (defined in RFC 5246) so that they are applicable to the telecontrol environment of the IEC. TLS is applied to protect the TCP communication. It is intended that this standard be referenced as a normative part of other IEC standards that have the need for providing security for their TCP/IP-based protocol. However, it is up to the individual protocol security initiatives to decide if this standard is to be referenced. This part of IEC 62351 reflects the security requirements of the IEC power systems management protocols. Should other standards bring forward new requirements, this standard may need to be revised.

Datenmodelle, Schnittstellen und Informationsaustausch für Planung und Betrieb von Energieversorgungsunternehmen - Daten- und Kommunikationssicherheit - Teil 3: Sicherheit von Kommunikationsnetzen und Systemen - Profile einschließlich TCP/IP

Gestion des systèmes de puissance et échanges d’informations associés - Sécurité des communications et des données - Partie 3: Sécurité des réseaux et des systèmes de communication - Profils comprenant TCP/IP

Upravljanje elektroenergetskega sistema in pripadajoča izmenjava informacij - Varnost podatkov in komunikacij - 3. del: Varnost komunikacijskih omrežij in sistemov - Profili za TCP/IP - Dopolnilo A1

General Information

Status
Published
Publication Date
22-Oct-2018
Technical Committee
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
05-Oct-2018
Due Date
10-Dec-2018
Completion Date
23-Oct-2018

RELATIONS

Buy Standard

Amendment
SIST EN 62351-3:2015/A1:2018
English language
11 pages
sale 10% off
Preview
sale 10% off
Preview

e-Library read for
1 day

Standards Content (sample)

SLOVENSKI STANDARD
SIST EN 62351-3:2015/A1:2018
01-november-2018
8SUDYOMDQMHHOHNWURHQHUJHWVNHJDVLVWHPDLQSULSDGDMRþDL]PHQMDYDLQIRUPDFLM
9DUQRVWSRGDWNRYLQNRPXQLNDFLMGHO9DUQRVWNRPXQLNDFLMVNLKRPUHåLMLQ
VLVWHPRY3URILOL]D7&3,3'RSROQLOR$
Power systems management and associated information exchange - Data and

communications security - Part 3: Communication network and system security - Profiles

including TCP/IP

Datenmodelle, Schnittstellen und Informationsaustausch für Planung und Betrieb von

Energieversorgungsunternehmen - Daten- und Kommunikationssicherheit - Teil 3:
Sicherheit von Kommunikationsnetzen und Systemen - Profile einschließlich TCP/IP

Gestion des systèmes de puissance et échanges d’informations associés - Sécurité des

communications et des données - Partie 3: Sécurité des réseaux et des systèmes de

communication - Profils comprenant TCP/IP
Ta slovenski standard je istoveten z: EN 62351-3:2014/A1:2018
ICS:
29.240.30 Krmilna oprema za Control equipment for electric
elektroenergetske sisteme power systems
35.240.50 Uporabniške rešitve IT v IT applications in industry
industriji
SIST EN 62351-3:2015/A1:2018 en

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST EN 62351-3:2015/A1:2018
---------------------- Page: 2 ----------------------
SIST EN 62351-3:2015/A1:2018
EUROPEAN STANDARD EN 62351-3:2014/A1
NORME EUROPÉENNE
EUROPÄISCHE NORM
September 2018
ICS 33.200
English Version
Power systems management and associated information
exchange - Data and communications security - Part 3:
Communication network and system security - Profiles including
TCP/IP
(IEC 62351-3:2014/A1:2018)

Gestion des systèmes de puissance et échanges Management von Systemen der Energietechnik und

d'informations associés - Sécurité des communications et zugehöriger Datenaustausch - Daten- und

des données - Partie 3: Sécurité des réseaux et des Kommunikationssicherheit - Teil 3: Sicherheit von

systèmes de communication - Profils comprenant TCP/IP Kommunikationsnetzen und Systemen - Profile

(IEC 62351-3:2014/A1:2018) einschließlich TCP/IP
(IEC 62351-3:2014/A1:2018)

This amendment A1 modifies the European Standard EN 62351-3:2014; it was approved by CENELEC on 2018-06-29. CENELEC

members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this amendment the

status of a national standard without any alteration.

Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC

Management Centre or to any CENELEC member.

This amendment exists in three official versions (English, French, German). A version in any other language made by translation under the

responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as

the official versions.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,

Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,

Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden,

Switzerland, Turkey and the United Kingdom.
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels

© 2018 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.

Ref. No. EN 62351-3:2014/A1:2018 E
---------------------- Page: 3 ----------------------
SIST EN 62351-3:2015/A1:2018
EN 62351-3:2014/A1:2018 (E)
European foreword

The text of document 57/1976/FDIS, future edition 1 of IEC 62351-3/A1, prepared by IEC/TC 57

"Power systems management and associated information exchange" was submitted to the IEC-

CENELEC parallel vote and approved by CENELEC as EN 62351-3:2014/A1:2018.
The following dates are fixed:

• latest date by which the document has to be implemented at national (dop) 2019-03-29

level by publication of an identical national standard or by endorsement

• latest date by which the national standards conflicting with the (dow) 2021-06-29

document have to be withdrawn

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.

This document has been prepared under a mandate given to CENELEC by the European Commission

and the European Free Trade Association.
Endorsement notice

The text of the International Standard IEC 62351-3:2014/A1:2018 was approved by CENELEC as a

European Standard without any modification.
---------------------- Page: 4 ----------------------
SIST EN 62351-3:2015/A1:2018
EN 62351-3:2014/A1:2018 (E)
Replace Annex ZA of 62351-3:2014 by the following one:
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments)

applies.

NOTE 1 Where an International Publication has been modified by common modifications, indicated by (mod), the relevant

EN/HD applies.

NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available here:

www.cenelec.eu.
Publication Year Title EN/HD Year
IEC/TS 62351-1 2007 Power systems management and - -
associated information exchange - Data
and communications security - Part 1:
Communication network and system
security - Introduction to security issues
IEC/TS 62351-2 2008 Power systems management and - -
associated information exchange - Data
and communications security - Part 2:
Glossary of terms
IEC 62351-9 - Power systems management and EN 62351-9 -
associated information exchange - Data
and communications security - Part 9:
Cyber security key management for power
system equipment
ISO/IEC 9594-8 2017 Information technology - Open Systems - -
Interconnection - The Directory - Part 8:
Public-key and attribute certificate
frameworks
RFC 4492 2006 Elliptic Curve Cryptography (ECC) Cipher - -
Suites for Transport Layer Security (TLS)
RFC 5246 2008 The Transport Layer Security (TLS) - -
Protocol Version 1.2
RFC 5280 2008 Internet X.509 Public Key Infrastructure - -
Certificate and Certificate Revocation List
(CRL) Profile
RFC 5746 2010 Transport Layer Security (TLS) - -
Renegotiation Indication Extension
RFC 6066 2006 Transport Layer Security (TLS) Extensions: - -
Extension Definitions
RFC 6176 2011 Prohibiting Secure Sockets Layer (SSL) - -
Version 2.0
---------------------- Page: 5 ----------------------
SIST EN 62351-3:2015/A1:2018
---------------------- Page: 6 ----------------------
SIST EN 62351-3:2015/A1:2018
IEC 62351-3
Edition 1.0 2018-05
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
A MENDMENT 1
AM ENDEMENT 1
Power systems management and associated information exchange – Data
and communications security –
Part 3: Communication network and system security – Profiles including TCP/IP
Gestion des systèmes de puissance et échanges d'informations associés –
Sécurité des communications et des données –
Partie 3: Sécurité des réseaux et des systèmes de communication – Profils
comprenant TCP/IP
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
INTERNATIONALE
ICS 33.200 ISBN 978-2-8322-5720-3

Warning! Make sure that you obtained this publication from an authorized distributor.

Attention! Veuillez vous assurer que vous avez obtenu cette publication via un distributeur agréé.

® Registered trademark of the International Electrotechnical Commission
Marque déposée de la Commission Electrotechnique Internationale
---------------------- Page: 7 ----------------------
SIST EN 62351-3:2015/A1:2018
– 2 – IEC 62351-3:2014/AMD1:2018
© IEC 2018
FOREWORD
This amendment to the International Standard IEC 62351-3 has been prepared by
IEC technical committee 57: Power systems management and associated information
exchange.
The text of this amendment is based on the following documents:
FDIS Report on voting
57/1976/FDIS 57/1990/RVD

Full information on the voting for the approval of this amendment can be found in the report

on voting indicated in the above table.

A list of all parts in the IEC 62351 series, published under the general title Power systems

management and associated information exchange – Data and communications security, can

be found on the IEC website.

The committee has decided that the contents of this amendment and the base publication will

remain unchanged until the stability date indicated on the IEC website under

"http://webstore.iec.ch" in the data related to the specific publication. At this date, the

publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
_____________
2 Normative references
Replace the existing reference IEC TS 62351-9 with the following new reference:

IEC 62351-9, Power systems management and associated information exchange – Data and

communications security – Part 9: Cyber security key management for power system
equipment
Replace the existing reference IEC/ISO 9594-8 with the following new reference:

ISO/IEC 9594-8:2017, Rec. ITU-T X.509 (2016), Information technology – Open Systems

Interconnection – The Directory – Part 8: Public-key and attribute certificate frameworks

4.1 Operational requirements affecting the use of TLS in the telecontrol environment

Replace the existing text of the fifth paragraph of 4.1 with the following new text:

Note that TLS utilizes X.509 certificates (see also ISO/IEC 9594-8 or RFC 5280) for

authentication. In the context of this specification the term certificates always relates to

public-key certificates (in contrast to attribute certificates).
---------------------- Page: 8 ----------------------
SIST EN 62351-3:2015/A1:2018
IEC 62351-3:2014/AMD1:2018 – 3 –
© IEC 2018
4.2 Security threats countered

Replace the existing text of the second paragraph of 4.2 with the following new text:

TCP/IP and the security specifications in this part of IEC 62351 cover only to the

communication transport layers (OSI layers 4 and lower). This part of IEC 62351 does not

cover security functionality specific for the communication application layers (OSI layers 5 and

above) or application-to-application security.

NOTE The application of TLS as profiled in this document supports the protection of information sent over the

TLS protected connection.
4.3 Attack methods countered

Replace the existing text of the first bullet point of Subclause 4.3 by the following new text:

– Man-in-the-middle: This threat is countered through the use of a Message Authentication

Code mechanism or digital signatures specified within this document.
5.1 Deprecation of cipher suites
Add the following new text before the fourth paragraph of 5.1:

The support of SHA-1 is intended for backward compatibility. SHA-256 shall be supported and

is the preferred signature algorithm to be used.

SHA-1 is no longer recognized as secure with respect collision resistance and it is therefore

strongly recommended to perform a risk assessment before using this algorithm. If SHA-256

cannot be used, it is also recommended that additional security measures be taken. The

usage of SHA-1 will be disallowed in the next edition of this standard.

NOTE Recommendations regarding hash signature algorithms are reviewed constantly and can be found in NIST

SP800-57, BNetzA (BSI), or the NSA Suite B.

Replace the existing text of the fourth paragraph of 5.1 by the following new text:

The list of disallowed suites includes, but is not limited to:
– TLS_NULL_WITH_NULL_NULL
– TLS_RSA_ WITH_NULL_MD5
5.2 Negotiation of Versions
Add the following new text at the end of Subclause 5.2:

The proposal of versions TLS 1.0 or TLS 1.1 should raise a security warning ("warning:

insecure TLS version"). Implementations should provide a mechanism for announcing security

warnings.
5.3 Session Resumption
Replace the existing text of Subclause 5.3 with the following new text:

Session resumption in TLS allows for the resumption of a session based on the session ID

connected with a dedicated (existing) master secret, which will result in a new session key.

This minimizes the performance impact of asymmetric handshakes, and can be done during a

running session or after a session has ended within a defined time period (TLS suggests not

more than 24 hours in RFC 5280). This specification follows this suggestion. Session

resumption should be performed at least every 24 hours for active sessions or not later than

24 hours for sessions that have ended. The actual parameters should be defined based on

---------------------- Page: 9 ----------------------
SIST EN 62351-3:2015/A1:2018
– 4 – IEC 62351-3:2014/AMD1:2018
© IEC 2018

risk assessment from the referencing standard. Session resumption is expected to be more

frequent than session renegotiation.

Implementations claiming conformance to this standard shall specify that the symmetric

session keys shall be renewed within the maximum time period. This resumption maximum

time constraint is expected to be specified in a PIXIT of the referencing standard. The

maximum time period for session resumption shall be aligned with the CRL refresh time.

Session resumption intervals shall be configurable, so long as they are within the specified

maximum time period.

Clients shall initiate session resumption using the ClientHello message. A server initiated

update of session parameter shall use the HelloRequest message to trigger the client to

...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.