Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP

This part of IEC 62351 specifies how to provide confidentiality, integrity protection, and message level authentication for SCADA and telecontrol protocols that make use of TCP/IP as a message transport layer when cyber-security is required.
Although there are many possible solutions to secure TCP/IP, the particular scope of this part is to provide security between communicating entities at either end of a TCP/IP connection within the end communicating entities. The use and specification of intervening external security devices (e.g. “bump-in-the-wire”) are considered out-of-scope.
This part of IEC 62351 specifies how to secure TCP/IP-based protocols through constraints on the specification of the messages, procedures, and algorithms of Transport Layer Security (TLS) (defined in RFC 5246) so that they are applicable to the telecontrol environment of the IEC. TLS is applied to protect the TCP communication. It is intended that this standard be referenced as a normative part of other IEC standards that have the need for providing security for their TCP/IP-based protocol. However, it is up to the individual protocol security initiatives to decide if this standard is to be referenced.
This part of IEC 62351 reflects the security requirements of the IEC power systems management protocols. Should other standards bring forward new requirements, this standard may need to be revised.

Datenmodelle, Schnittstellen und Informationsaustausch für Planung und Betrieb von Energieversorgungsunternehmen - Daten- und Kommunikationssicherheit - Teil 3: Sicherheit von Kommunikationsnetzen und Systemen - Profile einschließlich TCP/IP

Gestion des systèmes de puissance et échanges d’informations associés - Sécurité des communications et des données - Partie 3: Sécurité des réseaux et des systèmes de communication - Profils comprenant TCP/IP

Upravljanje elektroenergetskega sistema in pripadajoča izmenjava informacij - Varnost podatkov in komunikacij - 3. del: Varnost komunikacijskih omrežij in sistemov - Profili za TCP/IP - Dopolnilo A1

General Information

Status
Published
Publication Date
22-Oct-2018
ICS
29.240.30 - Control equipment for electric power systems
 
35.240.50 - IT applications in industry
Technical Committee
PSE - Power systems management
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
05-Oct-2018
Due Date
10-Dec-2018
Completion Date
23-Oct-2018
Mandate
M/490 - Standardisation mandate to the European Standardisation Organisations (ESOs) to support European Smart Grid deployment
Ref Project
EN 62351-3:2014/A1:2018 - Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP

Relations

Amends
SIST EN 62351-3:2015 - Power systems management nd associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP
Effective Date
01-Nov-2018
Revised
SIST EN IEC 62351-3:2023 - Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP (IEC 62351-3:2023)
Effective Date
31-Aug-2021

Overview

SIST EN 62351-3:2015/A1:2018 is a European standard that forms part of the IEC 62351 series, focusing on data and communications security for power systems management and associated information exchange. Specifically, Part 3 addresses communication network and system security with profiles including TCP/IP protocols. This standard outlines how to achieve confidentiality, message integrity, and authentication in telecontrol and SCADA protocols using TCP/IP transport layers, meeting the cyber-security requirements essential for critical energy infrastructure.

The standard delineates security roles within communication end points-excluding external security devices like bump-in-the-wire solutions-and prescribes the use of Transport Layer Security (TLS), as defined in RFC 5246, tailored to the IEC telecontrol context. By providing normative guidelines for securing TCP/IP-based protocols, EN 62351-3 supports the robust protection of control system communications against emerging cyber threats while ensuring interoperability within the power sector.

Key Topics

  • Scope and Security Focus
    EN 62351-3 specifically targets security at the TCP/IP transport layers (OSI layers 4 and below) in power system communication protocols. It does not address security for higher-layer applications, thereby focusing on securing the communication channels themselves.

  • Use of TLS for Secure Communication
    The standard requires TLS protocols to protect data exchanged over TCP connections, implementing confidentiality, authentication, and message integrity. It profiles TLS 1.2 with recommended algorithms and security parameters suitable for power system telecontrol environments.

  • Revision and Updates
    The 2018 amendment (A1) introduces several vital updates, including strengthened requirements for cipher suites, deprecation of insecure algorithms like SHA-1, and enhanced session management practices such as session resumption and renegotiation aligned with certificate revocation updates.

  • Mutual Certificate-Based Authentication
    Bi-directional certificate exchange using X.509 public key certificates is mandatory to establish trust between communication entities. The standard mandates termination of connections if certificates are missing or invalid, ensuring stringent authentication protocols.

  • Threat Mitigation
    EN 62351-3 counters man-in-the-middle attacks via digital signatures or message authentication codes, and enforces periodic reauthentication and key renewal to mitigate risks from replay attacks or certificate compromise.

Applications

  • SCADA and Telecontrol Systems Security
    Utilities and power system operators use this standard to secure SCADA communications over TCP/IP networks, ensuring secure telemetry and control commands within critical infrastructure.

  • Cybersecurity Standards Integration
    EN 62351-3 serves as a reference security framework for other IEC standards focused on TCP/IP-based protocols. Protocol designers incorporate this standard to ensure compliance with cybersecurity requirements in various power system information exchange solutions.

  • Critical Infrastructure Protection
    By prescribing validated TLS profiles and robust key management practices, the standard assists stakeholders in maintaining resilient communication networks impervious to common network-layer cyberattacks.

  • Interoperability and Compliance
    Utilities implementing EN 62351-3 can better ensure interoperability between diverse vendor equipment and software, facilitating standardized secure communications across different systems and national grids.

Related Standards

  • IEC 62351 Series

    • Part 1: Introduction to security issues in power systems
    • Part 2: Glossary of terms related to data and communication security
    • Part 9: Cybersecurity key management for power system equipment

  • TLS and Cryptography RFCs

    • RFC 5246: Transport Layer Security (TLS) version 1.2
    • RFC 5280: Internet X.509 Public Key Infrastructure Certificates and Certificate Revocation Lists (CRLs)
    • RFC 5746: TLS Renegotiation Indication Extension
    • RFC 6066: TLS Extensions
    • RFC 4492: Elliptic Curve Cryptography (ECC) Cipher Suites for TLS

  • ISO/IEC 9594-8
    Framework for public-key and attribute certificates crucial for implementing X.509 certificate-based authentication in power system communications.

  • NIST and NSA Recommendations
    Guidance on hash algorithms and cryptographic strength, including the recommendation to move from SHA-1 to SHA-256 for signature algorithms, aligning with the latest cryptographic best practices.

By adopting SIST EN 62351-3:2015/A1:2018, power utilities reinforce their network and system security, protecting critical power management operations against cyber threats. This standard ensures the application of proven TLS profiles and cryptographic methods specifically adapted to the secure exchange of information in TCP/IP-based power system telemetry and control environments.

SIST EN 62351-3:2015/A1:2018 - Page 1 previewSIST EN 62351-3:2015/A1:2018 - Page 2 previewSIST EN 62351-3:2015/A1:2018 - Page 3 previewSIST EN 62351-3:2015/A1:2018 - Page 4 preview
PreviousNext
Amendment

SIST EN 62351-3:2015/A1:2018

English language
11 pages
Preview
Preview
e-Library read for
1 day

Frequently Asked Questions

SIST EN 62351-3:2015/A1:2018 is a amendment published by the Slovenian Institute for Standardization (SIST). Its full title is "Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP". This standard covers: This part of IEC 62351 specifies how to provide confidentiality, integrity protection, and message level authentication for SCADA and telecontrol protocols that make use of TCP/IP as a message transport layer when cyber-security is required. Although there are many possible solutions to secure TCP/IP, the particular scope of this part is to provide security between communicating entities at either end of a TCP/IP connection within the end communicating entities. The use and specification of intervening external security devices (e.g. “bump-in-the-wire”) are considered out-of-scope. This part of IEC 62351 specifies how to secure TCP/IP-based protocols through constraints on the specification of the messages, procedures, and algorithms of Transport Layer Security (TLS) (defined in RFC 5246) so that they are applicable to the telecontrol environment of the IEC. TLS is applied to protect the TCP communication. It is intended that this standard be referenced as a normative part of other IEC standards that have the need for providing security for their TCP/IP-based protocol. However, it is up to the individual protocol security initiatives to decide if this standard is to be referenced. This part of IEC 62351 reflects the security requirements of the IEC power systems management protocols. Should other standards bring forward new requirements, this standard may need to be revised.

This part of IEC 62351 specifies how to provide confidentiality, integrity protection, and message level authentication for SCADA and telecontrol protocols that make use of TCP/IP as a message transport layer when cyber-security is required. Although there are many possible solutions to secure TCP/IP, the particular scope of this part is to provide security between communicating entities at either end of a TCP/IP connection within the end communicating entities. The use and specification of intervening external security devices (e.g. “bump-in-the-wire”) are considered out-of-scope. This part of IEC 62351 specifies how to secure TCP/IP-based protocols through constraints on the specification of the messages, procedures, and algorithms of Transport Layer Security (TLS) (defined in RFC 5246) so that they are applicable to the telecontrol environment of the IEC. TLS is applied to protect the TCP communication. It is intended that this standard be referenced as a normative part of other IEC standards that have the need for providing security for their TCP/IP-based protocol. However, it is up to the individual protocol security initiatives to decide if this standard is to be referenced. This part of IEC 62351 reflects the security requirements of the IEC power systems management protocols. Should other standards bring forward new requirements, this standard may need to be revised.

SIST EN 62351-3:2015/A1:2018 is classified under the following ICS (International Classification for Standards) categories: 29.240.30 - Control equipment for electric power systems; 35.240.50 - IT applications in industry. The ICS classification helps identify the subject area and facilitates finding related standards.

SIST EN 62351-3:2015/A1:2018 has the following relationships with other standards: It is inter standard links to SIST EN 62351-3:2015, SIST EN IEC 62351-3:2023. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

SIST EN 62351-3:2015/A1:2018 is associated with the following European legislation: Standardization Mandates: M/490. When a standard is cited in the Official Journal of the European Union, products manufactured in conformity with it benefit from a presumption of conformity with the essential requirements of the corresponding EU directive or regulation.

You can purchase SIST EN 62351-3:2015/A1:2018 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of SIST standards.

Standards Content (Sample)


SLOVENSKI STANDARD
01-november-2018
8SUDYOMDQMHHOHNWURHQHUJHWVNHJDVLVWHPDLQSULSDGDMRþDL]PHQMDYDLQIRUPDFLM
9DUQRVWSRGDWNRYLQNRPXQLNDFLMGHO9DUQRVWNRPXQLNDFLMVNLKRPUHåLMLQ
VLVWHPRY3URILOL]D7&3,3'RSROQLOR$
Power systems management and associated information exchange - Data and
communications security - Part 3: Communication network and system security - Profiles
including TCP/IP
Datenmodelle, Schnittstellen und Informationsaustausch für Planung und Betrieb von
Energieversorgungsunternehmen - Daten- und Kommunikationssicherheit - Teil 3:
Sicherheit von Kommunikationsnetzen und Systemen - Profile einschließlich TCP/IP
Gestion des systèmes de puissance et échanges d’informations associés - Sécurité des
communications et des données - Partie 3: Sécurité des réseaux et des systèmes de
communication - Profils comprenant TCP/IP
Ta slovenski standard je istoveten z: EN 62351-3:2014/A1:2018
ICS:
29.240.30 Krmilna oprema za Control equipment for electric
elektroenergetske sisteme power systems
35.240.50 Uporabniške rešitve IT v IT applications in industry
industriji
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD EN 62351-3:2014/A1

NORME EUROPÉENNE
EUROPÄISCHE NORM
September 2018
ICS 33.200
English Version
Power systems management and associated information
exchange - Data and communications security - Part 3:
Communication network and system security - Profiles including
TCP/IP
(IEC 62351-3:2014/A1:2018)
Gestion des systèmes de puissance et échanges Management von Systemen der Energietechnik und
d'informations associés - Sécurité des communications et zugehöriger Datenaustausch - Daten- und
des données - Partie 3: Sécurité des réseaux et des Kommunikationssicherheit - Teil 3: Sicherheit von
systèmes de communication - Profils comprenant TCP/IP Kommunikationsnetzen und Systemen - Profile
(IEC 62351-3:2014/A1:2018) einschließlich TCP/IP
(IEC 62351-3:2014/A1:2018)
This amendment A1 modifies the European Standard EN 62351-3:2014; it was approved by CENELEC on 2018-06-29. CENELEC
members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this amendment the
status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This amendment exists in three official versions (English, French, German). A version in any other language made by translation under the
responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as
the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden,
Switzerland, Turkey and the United Kingdom.

European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2018 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN 62351-3:2014/A1:2018 E

European foreword
The text of document 57/1976/FDIS, future edition 1 of IEC 62351-3/A1, prepared by IEC/TC 57
"Power systems management and associated information exchange" was submitted to the IEC-
CENELEC parallel vote and approved by CENELEC as EN 62351-3:2014/A1:2018.
The following dates are fixed:
• latest date by which the document has to be implemented at national (dop) 2019-03-29
level by publication of an identical national standard or by endorsement
• latest date by which the national standards conflicting with the (dow) 2021-06-29
document have to be withdrawn
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
This document has been prepared under a mandate given to CENELEC by the European Commission
and the European Free Trade Association.
Endorsement notice
The text of the International Standard IEC 62351-3:2014/A1:2018 was approved by CENELEC as a
European Standard without any modification.

Replace Annex ZA of 62351-3:2014 by the following one:
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1  Where an International Publication has been modified by common modifications, indicated by (mod), the relevant
EN/HD applies.
NOTE 2  Up-to-date information on the latest versions of the European Standards listed in this annex is available here:
www.cenelec.eu.
Publication Year Title EN/HD Year
IEC/TS 62351-1 2007 Power systems management and - -
associated information exchange - Data
and communications security - Part 1:
Communication network and system
security - Introduction to security issues
IEC/TS 62351-2 2008 Power systems management and - -
associated information exchange - Data
and communications security - Part 2:
Glossary of terms
IEC 62351-9 -  Power systems management and EN 62351-9 -
associated information exchange - Data
and communications security - Part 9:
Cyber security key management for power
system equipment
ISO/IEC 9594-8 2017 Information technology - Open Systems - -
Interconnection - The Directory - Part 8:
Public-key and attribute certificate
frameworks
RFC 4492 2006 Elliptic Curve Cryptography (ECC) Cipher - -
Suites for Transport Layer Security (TLS)
RFC 5246 2008 The Transport Layer Security (TLS) - -
Protocol Version 1.2
RFC 5280 2008 Internet X.509 Public Key Infrastructure - -
Certificate and Certificate Revocation List
(CRL) Profile
RFC 5746 2010 Transport Layer Security (TLS) - -
Renegotiation Indication Extension
RFC 6066 2006 Transport Layer Security (TLS) Extensions: - -
Extension Definitions
RFC 6176 2011 Prohibiting Secure Sockets Layer (SSL) - -
Version 2.0
IEC 62351-3 ®
Edition 1.0 2018-05
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
A MENDMENT 1
AM ENDEMENT 1
Power systems management and associated information exchange – Data

and communications security –
Part 3: Communication network and system security – Profiles including TCP/IP

Gestion des systèmes de puissance et échanges d'informations associés –

Sécurité des communications et des données –

Partie 3: Sécurité des réseaux et des systèmes de communication – Profils

comprenant TCP/IP
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
INTERNATIONALE
ICS 33.200 ISBN 978-2-8322-5720-3

– 2 – IEC 62351-3:2014/AMD1:2018
© IEC 2018
FOREWORD
This amendment to the International Standard IEC 62351-3 has been prepared by
IEC technical committee 57: Power systems management and associated information
exchange.
The text of this amendment is based on the following documents:
FDIS Report on voting
57/1976/FDIS 57/1990/RVD
Full information on the voting for the approval of this amendment can be found in the report
on voting indicated in the above table.
A list of all parts in the IEC 62351 series, published under the general title Power systems
management and associated information exchange – Data and communications security, can
be found on the IEC website.
The committee has decided that the contents of this amendment and the base publication will
remain unchanged until the stability date indicated on the IEC website under
"http://webstore.iec.ch" in the data related to the specific publication. At this date, the
publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
_____________
2 Normative references
Replace the existing reference IEC TS 62351-9 with the following new reference:
IEC 62351-9, Power systems management and associated information exchange – Data and
communications security – Part 9: Cyber security key management for power system
equipment
Replace the existing reference IEC/ISO 9594-8 with the following new reference:
ISO/IEC 9594-8:2017, Rec. ITU-T X.509 (2016), Information technology – Open Systems
Interconnection – The Directory – Part 8: Public-key and attribute certificate frameworks
4.1 Operational requirements affecting the use of TLS in the telecontrol environment
Replace the existing text of the fifth paragraph of 4.1 with the following new text:
Note that TLS utilizes X.509 certificates (see also ISO/IEC 9594-8 or RFC 5280) for
authentication. In the context of this specification the term certificates always relates to
public-key certificates (in contrast to attribute certificates).

IEC 62351-3:2014/AMD1:2018 – 3 –
© IEC 2018
4.2 Security threats countered
Replace the existing text of the second paragraph of 4.2 with the following new text:
TCP/IP and the security specifications in this part of IEC 62351 cover only to the
communication transport layers (OSI layers 4 and lower). This part of IEC 62351 does not
cover security functionality specific for the communication application layers (OSI layers 5 and
above) or application-to-application security.
NOTE The application of TLS as profiled in this document supports the protection of information sent over the
TLS protected connection.
4.3 Attack methods countered
Replace the existing text of the first bullet point of Subclause 4.3 by the following new text:
– Man-in-the-middle: This threat is countered through the use of a Message Authentication
Code mechanism or digital signatures specified within this document.
5.1 Deprecation of cipher suites
Add the following new text before the fourth paragraph of 5.1:
The support of SHA-1 is intended for backward compatibility. SHA-256 shall be supported and
is the preferred signature algorithm to be used.
SHA-1 is no longer recognized as secure with respect collision resistance and it is therefore
strongly recommended to perform a risk assessment before using this algorithm. If SHA-256
cannot be used, it is also recommended that additional security measures be taken. The
usage of SHA-1 will be disallowed in the next edition of this standard.
NOTE Recommendations regarding hash signature algorithms are reviewed constantly and can be found in NIST
SP800-57, BNetzA (BSI), or the NSA Suite B.
Replace the existing text of the fourth paragraph of 5.1 by the following new text:
The list of disallowed suites includes, but is not limited to:
– TLS_NULL_WITH_NULL_NULL
– TLS_RSA_ WITH_NULL_MD5
5.2 Negotiation of Versions
Add the following new text at the end of Subclause 5.2:
The proposal of versions TLS 1.0 or TLS 1.1 should raise a security warning ("warning:
insecure TLS version"). Implementations should provide a mechanism for announcing security
warnings.
5.3 Session Resumption
Replace the existing text of Subclause 5.3 with the following new text:
Session resumption in TLS allows for the resumption of a session based on the session ID
connected with a dedicated (existing) master secret, which will result in a new session key.
This minimizes the performance impact of asymmetric handshakes, and can be done during a
running session or after a session has ended within a defined time period (TLS suggests not
more than 24 hours in RFC 5280). This specification follows this suggestion. Session
resumption should be performed at least every 24 hours for active sessions or not later than
24 hours for sessions that have ended. The actual parameters should be defined based on

– 4 – IEC 62351-3:2014/AMD1:2018
© IEC 2018
risk assessment from the referencing standard. Session resumption is expected to be more
frequent than session renegotiation.
Implementations claiming conformance to this standard shall specify that the symmetric
session keys shall be renewed within the maximum time period. This resumption maximum
time constraint is expected to be specified in a PIXIT of the referencing standard. The
maximum time period for session resumption shall be aligned with the CRL refresh time.
Session resumption intervals shall be configurable, so long as they are within the specified
maximum time period.
Clients shall initiate session resumption using the ClientHello message. A server initiated
update of session parameter shall use the HelloRequest message to trigger the client to
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

Loading comments...