BS EN IEC 62351-5:2023 – TC

$280.87

Tracked Changes. Power systems management and associated information exchange. Data and communications security – Security for IEC 60870-5 and derivatives

Published By: BSI
Publication Date: 2023
Number of Pages: 358

This part of IEC 62351 defines the application authentication mechanism (A-profile) specifying messages, procedures and algorithms for securing the operation of all protocols based on or derived from IEC 60870-5: Telecontrol Equipment and Systems – Transmission Protocols. This Standard applies to at least those protocols listed in Table 1.

[Table 1]

The initial audience for this International Standard is intended to be the members of the working groups developing the protocols listed in Table 1. For the measures described in this standard to take effect, they must be accepted and referenced by the specifications for the protocols themselves. This document is written to enable that process. The working groups in charge of applying this standard to the specific protocols listed in Table 1 may choose not to do so.

The subsequent audience for this specification is intended to be the developers of products that implement these protocols. Portions of this standard may also be of use to managers and executives in order to understand the purpose and requirements of the work.

This document is organized working from the general to the specific, as follows:

– Clauses 2 through 4 provide background terms, definitions, and references.
– Clause 5 describes the problems this specification is intended to address.
– Clause 6 describes the mechanism generically without reference to a specific protocol.
– Clauses 7 and 8 describe the mechanism more precisely and are the primary normative part of this specification.
– Clause 9 defines the interoperability requirements for this authentication mechanism.
– Clause 10 describes the requirements for other standards referencing this specification.

Unless specifically labelled as informative or optional, all clauses of this specification are normative.

PDF Catalog

PDF Pages PDF Title
235 Annex A (normative) Normative references to international publications with their corresponding European publications
237 English
CONTENTS
241 FOREWORD
243 1 Scope
Tables
Table 1 – Scope of application to standards
244 2 Normative references
245 3 Terms and definitions
246 4 Abbreviated terms
247 5 Problem description
5.1 Overview of clause
5.2 Specific threats addressed
5.3 Design issues
5.3.1 Overview of subclause
5.3.2 Asymmetric communications
5.3.3 Message-oriented
248 5.3.4 Poor sequence numbers or no sequence numbers
5.3.5 Limited processing power
5.3.6 Limited bandwidth
5.3.7 No access to authentication server
5.3.8 Limited frame length
249 5.3.9 Limited checksum
5.3.10 Radio systems
5.3.11 Dial-up systems
5.3.12 Variety of protocols affected
5.3.13 Differing data link layers
250 5.3.14 Long upgrade intervals
5.3.15 Remote sites
5.3.16 Unreliable media
5.4 General principles
5.4.1 Overview of subclause
5.4.2 Application layer only
5.4.3 Generic definition mapped onto different protocols
5.4.4 Bi-directional
5.4.5 Management of cryptographic keys
251 5.4.6 Backwards tolerance
5.4.7 Upgradeable
5.4.8 Multiple connections
6 Theory of operation
6.1 Overview of clause
6.2 The secure communication
6.2.1 Basic concepts
252 6.2.2 Association ID
253 6.2.3 Authenticating
6.2.4 Central Authority
6.2.5 Role Based Access Control (RBAC)
6.2.6 Cryptographic keys
254 Table 2 – Summary of symmetric keys used
Table 3 – Summary of asymmetric keys used
256 Figures
Figure 1 – Overview of interaction between Central Authority and stations
257 6.2.7 Security statistics
6.2.8 Security events
7 Functional requirements
7.1 Overview of clause
7.2 Procedures Overview
258 7.3 State machine overview
Figure 2 – Sequence of procedures
259 Table 4 – States used in the controlling station state machine
Table 5 – States used in the controlled station state machine
260 7.4 Timers and counters
7.5 Security statistics and events
7.5.1 General
Table 6 – Summary of timers and counters used
261 Table 7 – Security statistics and associated events
264 7.5.2 Special security thresholds
7.5.3 Security statistics reporting
7.5.4 Security events monitoring and logging
265 8 Formal procedures
8.1 Overview of subclause
8.2 Distinction between messages and ASDUs
8.2.1 General
8.2.2 Messages datatypes and notations
8.3 Station Association procedure
8.3.1 General
266 8.3.2 Public key certificates
Table 8 – Elliptic curves
268 8.3.3 Configuration of authorized remote stations
8.3.4 Pre-requisites to initiate the Station Association procedure
8.3.5 Messages definition
269 Figure 3 – Station Association procedure
270 Table 9 – Association Request message
271 Table 10 – Association Response message
273 Table 11 – Update Key Change Request message
275 Table 12 – Data Included in MAC calculation (in order)
Table 13 – Update Key Change Response message
276 Table 14 – Data Included in MAC calculation (in order)
277 8.3.6 Controlling station state machine
278 Figure 4 – Station Association – Controlling station state machine
279 Table 15 – Controlling station state machine: Station Association
287 8.3.7 Controlled station state machine
288 Figure 5 – Station Association – Controlled station state machine
289 Table 16 – Controlled station state machine: Station Association
296 8.3.8 Verification of remote station’s certificate
8.3.9 Verification of certificates during normal operations
297 8.3.10 Update Keys derivation
298 8.3.11 Controlling station directives for Station Association and Update Keys management
8.3.12 Controlled station directives for Station Association and Update Keys management
299 Table 17 – List of pre-defined role-to-permission assignment
300 8.3.13 Initializing and updating Stations Association and Update Keys
301 8.4 Session Key Change procedure
8.4.1 General
Figure 6 – Example of Association ID, Update Keys and Session Keys initialization
302 8.4.2 Messages definition
Figure 7 – Session Key Change procedure
303 Table 18 – Session Request message
305 Table 19 – Session Response message
306 Table 20 – Data Included in MAC calculation (in order)
307 Table 21 – Session Key Change Request message
308 Table 22 – Data Included in WKD (in order)
309 Table 23 – Example of Session Key order
Table 24 – Data Included in the MAC calculation (in order)
310 Table 25 – Session Key Change Response message
Table 26 – Data Included in the MAC calculation (in order)
311 8.4.3 Controlling station state machine
312 Figure 8 – Session Key Change – Controlling station state machine
313 Table 27 – Controlling station state machine: Session Key Change
320 8.4.4 Controlled station state machine
321 Figure 9 – Session Key Change – Controlled station state machine
322 Table 28 – Controlled station state machine: Session Key Change
328 8.4.5 Controlling station directives for Session Keys management
8.4.6 Controlled station directives for Session Keys management
329 8.4.7 Initializing and changing Session Keys
330 8.5 Secure Data Exchange
8.5.1 General
Figure 10 – Example of Session Key initialization and periodic update
331 8.5.2 Messages definition
Figure 11 – Secure Data Exchange
332 Table 29 – Secure Data message
333 Table 30 – Secure Data Payload using MAC algorithm
334 Table 31 – Data included in the MAC calculation in Secure Data Payload (in order)
Table 32 – AEAD algorithm parameters to generate the Secure Data Payload (in order)
335 8.5.3 Controlling station state machine
336 Figure 12 – Secure Data Exchange – Controlling station state machine
337 Table 33 – Controlling station state machine: Secure Data Exchange
340 8.5.4 Controlled station state machine
341 Figure 13 – Secure Data Exchange – Controlled station state machine
342 Table 34 – Controlled station state machine: Secure Data Exchange
344 8.5.5 Controlling station directives for Secure Data Exchange
8.5.6 Controlled station directives for Secure Data Exchange
345 8.5.7 Example of Secure Data exchange during Station Association
346 8.5.8 Example of Secure Data Exchange during Session Key Change
Figure 14 – Example of Secure Data Exchange during Station Association
347 Figure 15 – Example of Secure Data messages exchanged during Session Key Change
348 9 Interoperability requirements
9.1 Overview of clause
9.2 Minimum requirements
9.2.1 Overview of subclause
9.2.2 Authentication algorithms
9.2.3 Key wrap / transport algorithms
349 9.2.4 Cryptographic keys
9.2.5 Cryptographic curves
9.2.6 Configurable values
351 9.2.7 Cryptographic information
9.3 Options
9.3.1 Overview of subclause
Table 35 – Configuration of cryptographic information
Table 36 – Legend for configuration of cryptographic information
352 9.3.2 MAC/AEAD algorithms
9.3.3 Key wrap / transport algorithms
9.3.4 Cryptographic curves
9.4 Use with TCP/IP
9.5 Use with redundant channels
353 10 Requirements for referencing this standard
10.1 Overview of clause
10.2 Selected options
10.3 Message format mapping
10.4 Reference to procedures
10.5 Protocol information
354 10.6 Controlled station response to unauthorized operations requests
10.7 Transmission of security statistics
10.8 Configurable values
10.9 Protocol implementation conformance statement
355 Annex A (informative) Security Event mapping to IEC 62351-14
A.1 General
A.2 Mapping of IEC 62351-5 events specified in this document
Table A.1 – Security event logs defined in IEC 62351-5 Ed.1 mapped to IEC 62351-14
357 Bibliography