BS EN IEC 62351-5:2023

$215.11

Power systems management and associated information exchange. Data and communications security – Security for IEC 60870-5 and derivatives

Published By: BSI
Publication Date: 2023
Number of Pages: 128

This part of IEC 62351 defines the application authentication mechanism (A-profile) specifying messages, procedures and algorithms for securing the operation of all protocols based on or derived from IEC 60870-5: Telecontrol Equipment and Systems – Transmission Protocols. This Standard applies to at least those protocols listed in Table 1. [Table 1]

The initial audience for this International Standard is intended to be the members of the working groups developing the protocols listed in Table 1. For the measures described in this standard to take effect, they must be accepted and referenced by the specifications for the protocols themselves. This document is written to enable that process. The working groups in charge of applying this standard to the specific protocols listed in Table 1 may choose not to do so.

The subsequent audience for this specification is intended to be the developers of products that implement these protocols. Portions of this standard may also be of use to managers and executives in order to understand the purpose and requirements of the work.

This document is organized working from the general to the specific, as follows:

– Clauses 2 through 4 provide background terms, definitions, and references.
– Clause 5 describes the problems this specification is intended to address.
– Clause 6 describes the mechanism generically without reference to a specific protocol.
– Clauses 7 and 8 describe the mechanism more precisely and are the primary normative part of this specification.
– Clause 9 defines the interoperability requirements for this authentication mechanism.
– Clause 10 describes the requirements for other standards referencing this specification.

Unless specifically labelled as informative or optional, all clauses of this specification are normative.

PDF Catalog

PDF Pages PDF Title
5 Annex A (normative) Normative references to international publications with their corresponding European publications
7 English
CONTENTS
11 FOREWORD
13 1 Scope
Tables
Table 1 – Scope of application to standards
14 2 Normative references
15 3 Terms and definitions
16 4 Abbreviated terms
17 5 Problem description
5.1 Overview of clause
5.2 Specific threats addressed
5.3 Design issues
5.3.1 Overview of subclause
5.3.2 Asymmetric communications
5.3.3 Message-oriented
18 5.3.4 Poor sequence numbers or no sequence numbers
5.3.5 Limited processing power
5.3.6 Limited bandwidth
5.3.7 No access to authentication server
5.3.8 Limited frame length
19 5.3.9 Limited checksum
5.3.10 Radio systems
5.3.11 Dial-up systems
5.3.12 Variety of protocols affected
5.3.13 Differing data link layers
20 5.3.14 Long upgrade intervals
5.3.15 Remote sites
5.3.16 Unreliable media
5.4 General principles
5.4.1 Overview of subclause
5.4.2 Application layer only
5.4.3 Generic definition mapped onto different protocols
5.4.4 Bi-directional
5.4.5 Management of cryptographic keys
21 5.4.6 Backwards tolerance
5.4.7 Upgradeable
5.4.8 Multiple connections
6 Theory of operation
6.1 Overview of clause
6.2 The secure communication
6.2.1 Basic concepts
22 6.2.2 Association ID
23 6.2.3 Authenticating
6.2.4 Central Authority
6.2.5 Role Based Access Control (RBAC)
6.2.6 Cryptographic keys
24 Table 2 – Summary of symmetric keys used
Table 3 – Summary of asymmetric keys used
26 Figures
Figure 1 – Overview of interaction between Central Authority and stations
27 6.2.7 Security statistics
6.2.8 Security events
7 Functional requirements
7.1 Overview of clause
7.2 Procedures Overview
28 7.3 State machine overview
Figure 2 – Sequence of procedures
29 Table 4 – States used in the controlling station state machine
Table 5 – States used in the controlled station state machine
30 7.4 Timers and counters
7.5 Security statistics and events
7.5.1 General
Table 6 – Summary of timers and counters used
31 Table 7 – Security statistics and associated events
34 7.5.2 Special security thresholds
7.5.3 Security statistics reporting
7.5.4 Security events monitoring and logging
35 8 Formal procedures
8.1 Overview of subclause
8.2 Distinction between messages and ASDUs
8.2.1 General
8.2.2 Messages datatypes and notations
8.3 Station Association procedure
8.3.1 General
36 8.3.2 Public key certificates
Table 8 – Elliptic curves
38 8.3.3 Configuration of authorized remote stations
8.3.4 Pre-requisites to initiate the Station Association procedure
8.3.5 Messages definition
39 Figure 3 – Station Association procedure
40 Table 9 – Association Request message
41 Table 10 – Association Response message
43 Table 11 – Update Key Change Request message
45 Table 12 – Data Included in MAC calculation (in order)
Table 13 – Update Key Change Response message
46 Table 14 – Data Included in MAC calculation (in order)
47 8.3.6 Controlling station state machine
48 Figure 4 – Station Association – Controlling station state machine
49 Table 15 – Controlling station state machine: Station Association
57 8.3.7 Controlled station state machine
58 Figure 5 – Station Association – Controlled station state machine
59 Table 16 – Controlled station state machine: Station Association
66 8.3.8 Verification of remote station’s certificate
8.3.9 Verification of certificates during normal operations
67 8.3.10 Update Keys derivation
68 8.3.11 Controlling station directives for Station Association and Update Keys management
8.3.12 Controlled station directives for Station Association and Update Keys management
69 Table 17 – List of pre-defined role-to-permission assignment
70 8.3.13 Initializing and updating Stations Association and Update Keys
71 8.4 Session Key Change procedure
8.4.1 General
Figure 6 – Example of Association ID, Update Keys and Session Keys initialization
72 8.4.2 Messages definition
Figure 7 – Session Key Change procedure
73 Table 18 – Session Request message
75 Table 19 – Session Response message
76 Table 20 – Data Included in MAC calculation (in order)
77 Table 21 – Session Key Change Request message
78 Table 22 – Data Included in WKD (in order)
79 Table 23 – Example of Session Key order
Table 24 – Data Included in the MAC calculation (in order)
80 Table 25 – Session Key Change Response message
Table 26 – Data Included in the MAC calculation (in order)
81 8.4.3 Controlling station state machine
82 Figure 8 – Session Key Change – Controlling station state machine
83 Table 27 – Controlling station state machine: Session Key Change
90 8.4.4 Controlled station state machine
91 Figure 9 – Session Key Change – Controlled station state machine
92 Table 28 – Controlled station state machine: Session Key Change
98 8.4.5 Controlling station directives for Session Keys management
8.4.6 Controlled station directives for Session Keys management
99 8.4.7 Initializing and changing Session Keys
100 8.5 Secure Data Exchange
8.5.1 General
Figure 10 – Example of Session Key initialization and periodic update
101 8.5.2 Messages definition
Figure 11 – Secure Data Exchange
102 Table 29 – Secure Data message
103 Table 30 – Secure Data Payload using MAC algorithm
104 Table 31 – Data included in the MAC calculation in Secure Data Payload (in order)
Table 32 – AEAD algorithm parameters to generate the Secure Data Payload (in order)
105 8.5.3 Controlling station state machine
106 Figure 12 – Secure Data Exchange – Controlling station state machine
107 Table 33 – Controlling station state machine: Secure Data Exchange
110 8.5.4 Controlled station state machine
111 Figure 13 – Secure Data Exchange – Controlled station state machine
112 Table 34 – Controlled station state machine: Secure Data Exchange
114 8.5.5 Controlling station directives for Secure Data Exchange
8.5.6 Controlled station directives for Secure Data Exchange
115 8.5.7 Example of Secure Data exchange during Station Association
116 8.5.8 Example of Secure Data Exchange during Session Key Change
Figure 14 – Example of Secure Data Exchange during Station Association
117 Figure 15 – Example of Secure Data messages exchanged during Session Key Change
118 9 Interoperability requirements
9.1 Overview of clause
9.2 Minimum requirements
9.2.1 Overview of subclause
9.2.2 Authentication algorithms
9.2.3 Key wrap / transport algorithms
119 9.2.4 Cryptographic keys
9.2.5 Cryptographic curves
9.2.6 Configurable values
121 9.2.7 Cryptographic information
9.3 Options
9.3.1 Overview of subclause
Table 35 – Configuration of cryptographic information
Table 36 – Legend for configuration of cryptographic information
122 9.3.2 MAC/AEAD algorithms
9.3.3 Key wrap / transport algorithms
9.3.4 Cryptographic curves
9.4 Use with TCP/IP
9.5 Use with redundant channels
123 10 Requirements for referencing this standard
10.1 Overview of clause
10.2 Selected options
10.3 Message format mapping
10.4 Reference to procedures
10.5 Protocol information
124 10.6 Controlled station response to unauthorized operations requests
10.7 Transmission of security statistics
10.8 Configurable values
10.9 Protocol implementation conformance statement
125 Annex A (informative) Security Event mapping to IEC 62351-14
A.1 General
A.2 Mapping of IEC 62351-5 events specified in this document
Table A.1 – Security event logs defined in IEC 62351-5 Ed.1 mapped to IEC 62351-14
127 Bibliography