iTeh Standards logo
EURUSD
Your shopping cart is empty.
CLC

EN IEC 62351-5:2023

(Main)

Power systems management and associated information exchange - Data and communications security - Part 5: Security for IEC 60870-5 and derivatives

Power systems management and associated information exchange - Data and communications security - Part 5: Security for IEC 60870-5 and derivatives

This part of IEC 62351 defines the application authentication mechanism (A-profile) specifying messages, procedures and algorithms for securing the operation of all protocols based on or derived from IEC 60870-5: Telecontrol Equipment and Systems - Transmission Protocols. This Standard applies to at least those protocols listed in Table 1. [Table 1] The initial audience for this International Standard is intended to be the members of the working groups developing the protocols listed in Table 1. For the measures described in this standard to take effect, they must be accepted and referenced by the specifications for the protocols themselves. This document is written to enable that process. The working groups in charge of take this standard to the specific protocols listed in Table 1 may choose not to do so. The subsequent audience for this specification is intended to be the developers of products that implement these protocols. Portions of this standard may also be of use to managers and executives in order to understand the purpose and requirements of the work. This document is organized working from the general to the specific, as follows: - Clauses 2 through 4 provide background terms, definitions, and references. - Clause 5 describes the problems this specification is intended to address. - Clause 6 describes the mechanism generically without reference to a specific protocol. - Clauses 7 and 8 describe the mechanism more precisely and are the primary normative part of this specification. - Clause 9 define the interoperability requirements for this authentication mechanism. - Clause 10 describes the requirements for other standards referencing this specification Unless specifically labelled as informative or optional, all clauses of this specification are normative.

Energiemanagementsysteme und zugehöriger Datenaustausch - IT-Sicherheit für Daten und Kommunikation – Teil 5: Sicherheit für IEC 60870-5 und Derivate

Gestion des systèmes de puissance et échanges d’informations associées - Sécurité des communications et des données - Partie 5: Aspects de sécurité pour l’IEC 60870-5 et ses dérivés

IEC 62351-5:2023 définit le mécanisme de communication sécurisée du profil d'application (profil A) qui spécifie les messages, les procédures et les algorithmes pour sécuriser le fonctionnement de tous les protocoles fondés sur ou dérivés de l’IEC 60870-5, Matériels et systèmes de téléconduite – Protocoles de transmission. Pour que les mesures décrites dans le présent document entrent en application, elles doivent être acceptées et référencées par les spécifications des protocoles eux-mêmes. Le présent document est rédigé dans le but de permettre ce processus. Il est prévu que les lecteurs suivants du présent document soient les personnes chargées d’élaborer les produits qui mettent en œuvre ces protocoles. Certaines parties du présent document peuvent également être utiles aux gestionnaires et aux cadres dirigeants pour comprendre le but et les exigences du travail. Ce document est organisé du plus général au plus spécifique, comme suit: • les Articles 2 à 4 fournissent des termes, des définitions et des références de contexte; • l’Article 5 décrit les problèmes que la présente spécification est destinée à traiter; • l’Article 6 décrit le mécanisme de manière générale, sans référence à un protocole spécifique; • les Articles 7 et 8 décrivent le mécanisme plus précisément. Ils constituent la partie normative principale de la présente spécification; • l’Article 9 définit les exigences d’interopérabilité pour ce mécanisme de communication sécurisée y compris la relation entre cette norme et la CEI 62351-3 pour la sécurité de la couche transport; • l’Article 10 décrit les exigences des autres normes qui font référence au présent document. Il est attendu que les actions d’une organisation en réponse aux événements et conditions d’erreurs décrits dans le présent document soient définies par la politique de sécurité de l’organisme. Elles ne relèvent pas du domaine d’application du présent document. Cette Norme internationale annule et remplace l'IEC TS 62351-5 parue en 2013. Elle constitue une révision technique. Les modifications principales présentées dans la présente Norme internationale sont les suivantes: a) le mécanisme de communication sécurisée est réalisé par une association poste de conduite/poste téléconduit; b) la gestion des Utilisateurs, qui sert à ajouter, modifier ou supprimer un Utilisateur, a été supprimée; c) la méthode symétrique, qui sert à modifier la Clé de Mise à Jour, a été supprimée; d) la méthode asymétrique, qui sert à modifier la Clé de Mise à Jour, a été révisée; e) la procédure et les concepts de Stimulation/Réponse ont été supprimés; f) le concept de Mode Agressif a été remplacé par le mécanisme d’échange de messages de Données Sécurisées; g) un chiffrement authentifié des données d’application a été ajouté; h) la liste des algorithmes de sécurité admis a été mise à jour; i) les règles de calcul des numéros de séquence des messages ont été mises à jour; j) la surveillance et l’enregistrement des événements ont été ajoutés.

Upravljanje elektroenergetskega sistema in pripadajoča izmenjava informacij - Varnost podatkov in komunikacij - 5. del: Varnost za IEC 60870-5 in izpeljanke (IEC 62351-5:2023)

Ta del standarda IEC 62351 opredeljuje mehanizem za ugotavljanje pristnosti uporabe (profil A), ki določa sporočila, postopke in algoritme za zavarovanje delovanja vseh protokolov, ki temeljijo na standardu IEC 60870-5 ali iz njega izhajajo: Oprema in sistemi na daljinsko vodenje – Protokoli prenosa.
Ta standard se uporablja vsaj za protokole, navedene v preglednici 1.
[Preglednica 1]
Namembni uporabniki tega mednarodnega standarda so člani delovnih skupin, ki razvijajo protokole, navedene v preglednici 1.
Ukrepi, opisani v tem standardu, stopijo v veljavo, ko so sprejeti in sklicevani v samih specifikacijah protokolov. Ta dokument je napisan, da se omogoči ta postopek. Delovne skupine, odgovorne za razvoj tega standarda za posebne protokole iz preglednice 1, se lahko odločijo, da tega ne bodo storile.
Posledično je ta specifikacija namenjena razvijalcem proizvodov, ki izvajajo te protokole.
Deli tega standarda lahko pomagajo tudi direktorjem in vodjem pri razumevanju namena in zahtev dela.
Ta dokument je organiziran od splošnega do posebnega, kot sledi:
– V točkah od 2 do 4 so navedeni osnovni izrazi, opredelitve in sklicevanja.
– V točki 5 so opisani problemi, ki naj bi jih ta specifikacija obravnavala.
– V točki 6 je mehanizem opisan na splošno brez sklicevanja na poseben protokol.
– Točki 7 in 8 natančneje opisujeta mehanizem in predstavljata glavni normativni del te specifikacije.
– Točka 9 opredeljuje zahteve za interoperabilnost tega mehanizma za ugotavljanje pristnosti.
– Točka 10 opisuje zahteve za druge standarde, ki se sklicujejo na to specifikacijo.
Če niso posebej označeni kot informativni ali neobvezni, so vsi členi te specifikacije normativni.

General Information

Status
Published
Publication Date
23-Feb-2023
ICS
33.200 - Telecontrol. Telemetering
Technical Committee
CLC/TC 57 - Power systems management and associated information exchange
Drafting Committee
IEC/TC 57 - IEC_TC_57
Current Stage
6060 - Document made available - Publishing
Start Date
24-Feb-2023
Completion Date
24-Feb-2023
Ref Project
SIST EN IEC 62351-5:2023 - Power systems management and associated information exchange - Data and communications security - Part 5: Security for IEC 60870-5 and derivatives (IEC 62351-5:2023)
EN IEC 62351-5:2023 - BARVEEN IEC 62351-5:2023 - BARVE
PreviousNext
Standard
EN IEC 62351-5:2023 - BARVE
English language
126 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)


SLOVENSKI STANDARD
01-april-2023
Upravljanje elektroenergetskega sistema in pripadajoča izmenjava informacij -
Varnost podatkov in komunikacij - 5. del: Varnost za IEC 60870-5 in izpeljanke (IEC
62351-5:2023)
Power systems management and associated information exchange - Data and
communications security - Part 5: Security for IEC 60870-5 and derivatives (IEC 62351-
5:2023)
Energiemanagementsysteme und zugehöriger Datenaustausch – IT-Sicherheit für Daten
und Kommunikation – Teil 5: Sicherheit für IEC 60870-5 und Derivate (IEC 62351-
5:2023)
Gestion des systèmes de puissance et échanges d’informations associées - Sécurité des
communications et des données - Partie 5: Aspects de sécurité pour l’IEC 60870-5 et
ses dérivés (IEC 62351-5:2023)
Ta slovenski standard je istoveten z: EN IEC 62351-5:2023
ICS:
29.240.30 Krmilna oprema za Control equipment for electric
elektroenergetske sisteme power systems
35.240.50 Uporabniške rešitve IT v IT applications in industry
industriji
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD EN IEC 62351-5

NORME EUROPÉENNE
EUROPÄISCHE NORM February 2023
ICS 33.200
English Version
Power systems management and associated information
exchange - Data and communications security - Part 5: Security
for IEC 60870-5 and derivatives
(IEC 62351-5:2023)
Gestion des systèmes de puissance et échanges Energiemanagementsysteme und zugehöriger
d'informations associées - Sécurité des communications et Datenaustausch - IT-Sicherheit für Daten und
des données - Partie 5: Aspects de sécurité pour l'IEC Kommunikation - Teil 5: Sicherheit für IEC 60870-5 und
60870-5 et ses dérivés Derivate
(IEC 62351-5:2023) (IEC 62351-5:2023)
This European Standard was approved by CENELEC on 2023-02-17. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Türkiye and the United Kingdom.

European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2023 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN IEC 62351-5:2023 E

European foreword
The text of document 57/2516/FDIS, future edition 1 of IEC 62351-5, prepared by IEC/TC 57 "Power
systems management and associated information exchange" was submitted to the IEC-CENELEC
parallel vote and approved by CENELEC as EN IEC 62351-5:2023.
The following dates are fixed:
• latest date by which the document has to be implemented at national (dop) 2023-08-17
level by publication of an identical national standard or by endorsement
• latest date by which the national standards conflicting with the (dow) 2026-02-17
document have to be withdrawn
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national committee. A
complete listing of these bodies can be found on the CENELEC website.
Endorsement notice
The text of the International Standard IEC 62351-5:2023 was approved by CENELEC as a European
Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standard indicated:
IEC 60870-5-101:2003 NOTE Approved as EN 60870-5-101:2003 (not modified)
IEC 60870-5-102 NOTE Approved as EN 60870-5-102
IEC 60870-5-103 NOTE Approved as EN 60870-5-103
IEC 60870-5-104 NOTE Approved as EN 60870-5-104
Annex A
(normative)
Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1 Where an International Publication has been modified by common modifications, indicated by (mod), the
relevant EN/HD applies.
NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available
here: www.cenelec.eu.
Publication Year Title EN/HD Year
IEC 60870-5 series Telecontrol equipment and systems – EN 60870-5 series
Part 5: Transmission protocols
IEC/TS 62351-1 - Power systems management and - -
associated information exchange - Data
and communications security - Part 1:
Communication network and system
security - Introduction to security issues
IEC/TS 62351-2 - Power systems management and - -
associated information exchange - Data
and communications security - Part 2:
Glossary of terms
IEC 62351-3 - Power systems management and EN 62351-3 -
associated information exchange - Data
and communications security - Part 3:
Communication network and system
security - Profiles including TCP/IP
IEC 62351-7 - Power systems management and EN 62351-7 -
associated information exchange - Data
and communications security - Part 7:
Network and System Management (NSM)
data object models
IEC 62351-8 - Power systems management and EN IEC 62351-8 -
associated information exchange - Data
and communications security - Part 8:
Role-based access control for power
system management
IEC 62351-14 - Power systems management and - -
associated information exchange - Data
and communications security - Part 14:
Cyber security event logging
Under preparation. Stage at the time of publication: IEC ACDV 62351-14:2021.
IETF RFC 2104 - HMAC: Keyed-Hashing for Message - -
Authentication
IETF RFC 3394 - Advanced Encryption Standard (AES) Key - -
Wrap Algorithm
IETF RFC 5116 - An Interface and Algorithms for - -
Authenticated Encryption
IETF RFC 5869 - HMAC-based Extract-and-Expand Key - -
Derivation Function
IETF RFC 7693 - The BLAKE2 Cryptographic Hash and - -
Message Authentication Code (MAC)
IETF RFC 7748 - Elliptic Curves for Security - -
SEC2-V2 - Standards for Efficient Cryptography - -
SEC2: Recommended Elliptic Curve
Domain parameters - Version 2.0

IEC 62351-5 ®
Edition 1.0 2023-01
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
colour
inside
Power systems management and associated information exchange – Data and

communications security –
Part 5: Security for IEC 60870-5 and derivatives

Gestion des systèmes de puissance et échanges d’informations associés –

Sécurité des communications et des données –

Partie 5: Aspects de sécurité pour l’IEC 60870-5 et ses dérivés

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
INTERNATIONALE
ICS 33.200 ISBN 978-2-8322-6017-3

– 2 – IEC 62351-5:2023 © IEC 2023
CONTENTS
FOREWORD . 6
1 Scope . 8
2 Normative references . 9
3 Terms and definitions . 10
4 Abbreviated terms . 11
5 Problem description . 12
5.1 Overview of clause . 12
5.2 Specific threats addressed . 12
5.3 Design issues . 12
5.3.1 Overview of subclause . 12
5.3.2 Asymmetric communications . 12
5.3.3 Message-oriented . 12
5.3.4 Poor sequence numbers or no sequence numbers . 13
5.3.5 Limited processing power . 13
5.3.6 Limited bandwidth . 13
5.3.7 No access to authentication server . 13
5.3.8 Limited frame length . 13
5.3.9 Limited checksum . 14
5.3.10 Radio systems . 14
5.3.11 Dial-up systems . 14
5.3.12 Variety of protocols affected . 14
5.3.13 Differing data link layers . 14
5.3.14 Long upgrade intervals . 15
5.3.15 Remote sites . 15
5.3.16 Unreliable media . 15
5.4 General principles . 15
5.4.1 Overview of subclause . 15
5.4.2 Application layer only . 15
5.4.3 Generic definition mapped onto different protocols . 15
5.4.4 Bi-directional . 15
5.4.5 Management of cryptographic keys . 15
5.4.6 Backwards tolerance . 16
5.4.7 Upgradeable . 16
5.4.8 Multiple connections . 16
6 Theory of operation . 16
6.1 Overview of clause . 16
6.2 The secure communication . 16
6.2.1 Basic concepts . 16
6.2.2 Association ID . 17
6.2.3 Authenticating . 18
6.2.4 Central Authority . 18
6.2.5 Role Based Access Control (RBAC) . 18
6.2.6 Cryptographic keys . 18
6.2.7 Security statistics . 22
6.2.8 Security events . 22
7 Functional requirements . 22

IEC 62351-5:2023 © IEC 2023 – 3 –
7.1 Overview of clause . 22
7.2 Procedures Overview . 22
7.3 State machine overview . 23
7.4 Timers and counters . 25
7.5 Security statistics and events . 25
7.5.1 General . 25
7.5.2 Special security thresholds . 29
7.5.3 Security statistics reporting . 29
7.5.4 Security events monitoring and logging . 29
8 Formal procedures . 30
8.1 Overview of subclause . 30
8.2 Distinction between messages and ASDUs . 30
8.2.1 General . 30
8.2.2 Messages datatypes and notations . 30
8.3 Station Association procedure . 30
8.3.1 General . 30
8.3.2 Public key certificates . 31
8.3.3 Configuration of authorized remote stations . 33
8.3.4 Pre-requisites to initiate the Station Association procedure . 33
8.3.5 Messages definition . 33
8.3.6 Controlling station state machine . 42
8.3.7 Controlled station state machine . 52
8.3.8 Verification of remote station’s certificate . 61
8.3.9 Verification of certificates during normal operations . 61
8.3.10 Update Keys derivation . 62
8.3.11 Controlling station directives for Station Association and Update Keys
management . 63
8.3.12 Controlled station directives for Station Association and Update Keys
management . 63
8.3.13 Initializing and updating Stations Association and Update Keys . 65
8.4 Session Key Change procedure . 66
8.4.1 General . 66
8.4.2 Messages definition . 67
8.4.3 Controlling station state machine . 76
8.4.4 Controlled station state machine . 85
8.4.5 Controlling station directives for Session Keys management. 93
8.4.6 Controlled station directives for Session Keys management . 93
8.4.7 Initializing and changing Session Keys . 94
8.5 Secure Data Exchange . 95
8.5.1 General . 95
8.5.2 Messages definition . 96
8.5.3 Controlling station state machine . 100
8.5.4 Controlled station state machine . 105
8.5.5 Controlling station directives for Secure Data Exchange . 109
8.5.6 Controlled station directives for Secure Data Exchange . 109
8.5.7 Example of Secure Data exchange during Station Association . 110
8.5.8 Example of Secure Data Exchange during Session Key Change . 111
9 Interoperability requirements . 113
9.1 Overview of clause . 113

– 4 – IEC 62351-5:2023 © IEC 2023
9.2 Minimum requirements . 113
9.2.1 Overview of subclause . 113
9.2.2 Authentication algorithms . 113
9.2.3 Key wrap / transport algorithms . 113
9.2.4 Cryptographic keys . 114
9.2.5 Cryptographic curves . 114
9.2.6 Configurable values . 114
9.2.7 Cryptographic information . 116
9.3 Options . 116
9.3.1 Overview of subclause . 116
9.3.2 MAC/AEAD algorithms . 117
9.3.3 Key wrap / transport algorithms . 117
9.3.4 Cryptographic curves . 117
9.4 Use with TCP/IP . 117
9.5 Use with redundant channels . 117
10 Requirements for referencing this standard . 118
10.1 Overview of clause . 118
10.2 Selected options . 118
10.3 Message format mapping . 118
10.4 Reference to procedures . 118
10.5 Protocol information . 118
10.6 Controlled station response to unauthorized operations requests . 119
10.7 Transmission of security statistics . 119
10.8 Configurable values . 119
10.9 Protocol implementation conformance statement . 119
Annex A (informative) Security Event mapping to IEC 62351-14 . 120
A.1 General . 120
A.2 Mapping of IEC 62351-5 events specified in this document . 120
Bibliography . 122

Figure 1 – Overview of interaction between Central Authority and stations . 21
Figure 2 – Sequence of procedures . 23
Figure 3 – Station Association procedure . 34
Figure 4 – Station Association – Controlling station state machine . 43
Figure 5 – Station Association – Controlled station state machine . 53
Figure 6 – Example of Association ID, Update Keys and Session Keys initialization. 66
Figure 7 – Session Key Change procedure . 67
Figure 8 – Session Key Change – Controlling station state machine . 77
Figure 9 – Session Key Change – Controlled station state machine . 86
Figure 10 – Example of Session Key initialization and periodic update . 95
Figure 11 – Secure Data Exchange . 96
Figure 12 – Secure Data Exchange – Controlling station state machine . 101
Figure 13 – Secure Data Exchange – Controlled station state machine . 106
Figure 14 – Example of Secure Data Exchange during Station Association . 111
Figure 15 – Example of Secure Data messages exchanged during Session Key
Change . 112

IEC 62351-5:2023 © IEC 2023 – 5 –
Table 1 – Scope of application to standards . 8
Table 2 – Summary of symmetric keys used . 19
Table 3 – Summary of asymmetric keys used . 19
Table 4 – States used in the controlling station state machine . 24
Table 5 – States used in the controlled station state machine . 24
Table 6 – Summary of timers and counters used . 25
Table 7 – Security statistics and associated events . 26
Table 8 – Elliptic curves . 31
Table 9 – Association Request message . 35
Table 10 – Association Response message . 36
Table 11 – Update Key Change Request message. 38
Table 12 – Data Included in MAC calculation (in order) . 40
Table 13 – Update Key Change Response message . 40
Table 14 – Data Included in MAC calculation (in order) . 41
Table 15 – Controlling station state machine: Station Association . 44
Table 16 – Controlled station state machine: Station Association . 54
Table 17 – List of pre-defined role-to-permission assignment . 64
Table 18 – Session Request message . 68
Table 19 – Session Response message . 70
Table 20 – Data Included in MAC calculation (in order) . 71
Table 20 – Session Key Change Request message . 72
Table 21 – Data Included in WKD (in order) . 73
Table 22 – Example of Session Key order . 74
Table 23 – Data Included in the MAC calculation (in order) . 74
Table 25 – Session Key Change Response message . 75
Table 26 – Data Included in the MAC calculation (in order) . 75
Table 27 – Controlling station state machine: Session Key Change . 78
Table 28 – Controlled station state machine: Session Key Change . 87
Table 29 – Secure Data message . 97
Table 29 – Secure Data Payload using MAC algorithm . 98
Table 31 – Data included in the MAC calculation in Secure Data Payload (in order) . 99
Table 32 – AEAD algorithm parameters to generate the Secure Data Payload (in order) . 99
Table 33 – Controlling station state machine: Secure Data Exchange . 102
Table 34 – Controlled station state machine: Secure Data Exchange . 107
Table 35 – Configuration of cryptographic information . 116
Table 36 – Legend for configuration of cryptographic information. 116
Table A.1 – Security event logs defined in IEC 62351-5 Ed.1 mapped to IEC 62351-14 . 120

– 6 – IEC 62351-5:2023 © IEC 2023
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
POWER SYSTEMS MANAGEMENT AND ASSOCIATED INFORMATION
EXCHANGE – DATA AND COMMUNICATIONS SECURITY –

Part 5: Security for IEC 60870-5 and derivatives

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international
co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and
in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports,
Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC Publication(s)"). Their
preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with
may participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for
Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence between
any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent
rights. IEC shall not be held responsible for identifying any or all such patent rights.
IEC 62351-5 has been prepared by IEC technical committee 57: Power systems management
and associated information exchange. It is an International Standard.
This International Standard cancels and replaces IEC TS 62351-5 published in 2013. It
constitutes a technical revision. The primary changes in this International Standard are:
a) The secure communication mechanism is performed on per controlling station/controlled
station association.
b) User management to add, change or delete a User, was removed.
c) Symmetric method to change the Update Key was removed.
d) Asymmetric method to the change Update Key was reviewed.
e) Challenge/Reply procedure and concepts were removed.
f) Aggressive Mode concept was replaced with the Secure Data message exchange
mechanism.
g) Authenticated encryption of application data was added.

IEC 62351-5:2023 © IEC 2023 – 7 –
h) The list of permitted security algorithms has been updated.
i) The rules for calculating messages sequence numbers have been updated
j) Events monitoring and logging was added.
NOTE The following print types are used:
CAPITALIZATION has been used in the text of this document to formally identify the most
important components of the described security mechanism. These components include: 1)
data items e.g. Update Keys, Session Keys; 2) procedure names, e.g. Station Association,
Session Key Change; message names, e.g. Association Request, Session Request; 3) state
names, e.g. Session Established, Wait for Session Response; 5) statistics e.g. Authentication
Errors, Unexpected Messages and 5) event names e.g. Reply Timeout, Rx Invalid Session Key
Change.
The text of this International Standard is based on the following documents:
Draft Report on voting
57/2516/FDIS 57/2555/RVD
Full information on the voting for its approval can be found in the report on voting indicated in
the above table.
The language used for the development of this International Standard is English.
This document was drafted in accordance with ISO/IEC Directives, Part 2, and developed in
accordance with ISO/IEC Directives, Part 1 and ISO/IEC Directives, IEC Supplement, available
at www.iec.ch/members_experts/refdocs. The main document types developed by IEC are
described in greater detail at www.iec.ch/standardsdev/publications.
The committee has decided that the contents of this document will remain unchanged until the
stability date indicated on the IEC website under webstore.iec.ch in the data related to the
specific document. At this date, the document will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
IMPORTANT – The "colour inside" logo on the cover page of this document indicates that it
contains colours which are considered to be useful for the correct understanding of its
contents. Users should therefore print this document using a colour printer.

– 8 – IEC 62351-5:2023 © IEC 2023
POWER SYSTEMS MANAGEMENT AND ASSOCIATED INFORMATION
EXCHANGE – DATA AND COMMUNICATIONS SECURITY –

Part 5: Security for IEC 60870-5 and derivatives

1 Scope
This part of IEC 62351 defines the application profile (A-profile) secure communication
mechanism specifying messages, procedures and algorithms for securing the operation of all
protocols based on or derived from IEC 60870-5, Telecontrol Equipment and Systems –
Transmission Protocols. This document applies to at least those protocols listed in Table 1.
Table 1 – Scope of application to standards
Number Name
IEC 60870-5-101 Companion standard for basic telecontrol tasks
IEC 60870-5-102 Companion standard for the transmission of integrated totals in electric power systems
IEC 60870-5-103 Companion standard for the informative interface of protection equipment
IEC 60870-5-104 Network access for IEC 60870-5-101 using standard transport profiles
Distributed Network Protocol (defined in IEEE Std 1815, based on IEC 60870-1 through
DNP3
IEC 60870-5 and maintained jointly by the DNP Users Group and the IEEE)

The initial audience for this document is intended to be the members of the working groups
developing the protocols listed in Table 1.
For the measures described in this document to take effect, they must be accepted and
referenced by the specifications for the protocols themselves. This document is written to
enable that process. The working groups in charge of taking this document to the specific
protocols listed in Table 1 may choose not to do so.
The subsequent audience for this document is intended to be the developers of products that
implement these protocols.
Portions of this document may also be of use to managers and executives in order to understand
the purpose and requirements of the work.
This document is organized working from the general to the specific, as follows:
• Clauses 2 through 4 provide background terms, definitions, and references.
• Clause 5 describes the problems this specification is intended to address.
• Clause 6 describes the mechanism generically without reference to a specific protocol.
• Clauses 7 and 8 describe the mechanism more precisely and are the primary normative
part of this specification.
• Clause 9 define the interoperability requirements for this secure communication
mechanism, including the relationship of this standard to IEC 62351-3 for transport layer
security.
• Clause 10 describes the requirements for other standards referencing this document.

IEC 62351-5:2023 © IEC 2023 – 9 –
The actions of an organization in response to events and error conditions described in this
document are expected to be defined by the organization’s security policy and they are beyond
the scope of this document.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies.
For undated references, the latest edition of the referenced document (including any
amendments) applies.
IEC 60870-5 (all parts), Telecontrol equipment and systems – Part 5: Transmission protocols
IEC TS 62351-1, Power systems management and associated information exchange – Data
and communications security – Part 1: Communication network and system security –
Introduction to security issues
IEC TS 62351-2, Power systems management and associated information exchange – Data
and communications security – Part 2: Glossary of terms
IEC 62351-3, Power systems management and associated information exchange – Data and
communications security – Part 3: Communication network and system security – Profiles
including TCP/IP
IEC 62351-7, Power systems management and associated information exchange – Data and
communications security – Part 7: Network and System Management (NSM) data object models
IEC 62351-8, Power systems management and associated information exchange – Data and
communications security – Part 8: Role-based access control for power system management
IEC 62351-14, Power systems management and associated information exchange – Data and
communications security – Part 14: Cyber security event logging
IETF RFC 2104, HMAC: Keyed-Hashing for Message Authentication
IETF RFC 3394, Advanced Encryption Standard (AES) Key Wrap Algorithm
IETF RFC 5116, An Interface and Algorithms for Authenticated Encryption
IETF RFC 5869, HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
IETF RFC 7693, The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)
IETF RFC 7748, Elliptic Curve for Security
SEC2-V2, Standards for Efficient Cryptography SEC2: Recommended Elliptic Curve Domain
Parameters – Version 2.0
___________
Under preparation. Stage at the time of publication: IEC ACDV 62351-14:2021.

– 10 – IEC 62351-5:2023 © IEC 2023
3 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC TS 62351-2 and the
following apply.
ISO and IEC maintain terminological databases for use in standardization at the following
addresses:
• IEC Electropedia: available at http://www.electropedia.org/
• ISO Online browsing platform: available at http://www.iso.org/obp
3.1
association ID
pair of values that uniquely identify the communication link between a controlling station and a
controlled station and the related set of cryptographic keys
3.2
central authority
entity whose scope is the entire organization for which the purpose is to provide authentication
information to devices and systems of the organization to authorize them to communicate. The
Central Authority may or may not also be a Certificate Authority
3.3
communication link
the communication channel that connects two communicating entities. This link may be an
actual physical link or it may be a logical link that uses one or more actual physical links.
3.4
control direction
direction of transmission from the controlling station to a controlled station
[SOURCE: IEC 60870-5-101:2003, 3.3]
3.5
controlled station
station which is monitored, or commanded and monitored by a master (controlling) station
Note 1 to entry: It is commonly called an "outstation" or "slave" in some specifications.
[SOURCE: IEC TR 60870-1-3:1997, 3, modified (addition of "(controlling" and Note 1 to entry)]
3.6
controlling station
station which performs the telecontrol of controlled stations
Note 1 to entry: It is commonly called a "master" or "master station" in some specifications.
[SOURCE: IEC TR 60870-1-3:1997, 3, modified (replacement of "outstations" with "controlled
stations)]
3.7
local station
station nearest to the observer when the process is the same on both the controlling and
controlled station
3.8
monitoring direction
direction of transmission from a controlled station to a controlling station
[SOURCE: IEC 60870-5-101:2003, 3.4]

IEC 62351-5:2023 © IEC 2023 – 11 –
3.9
remote station
station farther from the observer when the process is the same on both the controlling and
controlled station
3.10
telecontrol
control of operational equipment at a distance using the transmission of information by
telecommunication techniques
Note 1 to entry: Telecontrol may comprise any combination of command, alarm, indication, metering, protection
and tripping facilities, without any use of speech messages.
[SOURCE: IEC TR 60870-1-3:1997, 3]
4 Abbreviated terms
Refer to IEC TS 62351-2 for a list of applicable abbreviated terms. The following terms are
included here because they are specifically used in the affected protocols and also used in the
discussion of this secure communication mechanism.
A-Profile Application Profile. Security for the application layer.
AEAD Authenticated Encryption with Associated Data. Function to encrypt and
authenticate data (providing confidentiality and authentication). Note that
AEAD also supports integrity protection of additional data, which is not
encrypted.
AID Association ID. Value identifying a single connection between controlling
and Control
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

Loading comments...

This May Also Interest You

CLC
EN IEC 62488-1:2025(Main)
Power line communication systems for power utility applications - Part 1: Planning of analogue and digital power line carrier systems operating over HV electricity grids
SIST EN IEC 62488-1:2025

IEC 62488-1:2025 applies to the planning of analogue (APLC), digital (DPLC) and hybrid analogue-digital (ADPLC) power line carrier communication systems operating over HV electric power networks. The object of this document is to establish the planning of the services and performance parameters for the operational requirements to transmit and receive data efficiently and reliably. Such analogue and digital power line carrier systems are used by the different electricity supply industries and integrated into their communication infrastructure using common communication technologies such as radio links, fibre optic and satellite networks This second edition cancels and replaces the first edition published in 2012. This edition constitutes a technical revision. This edition includes the following significant technical changes with respect to the previous edition: a) Complete revision of this edition with respect to the previous edition with the main focus on planning of analogue and digital power line carrier systems operating over HV power networks; b) A general structure of a bidirectional point-to-multipoint APLC, DPLC or ADPLC link has been introduced; c) Introduction of a new approach for global frequency planning.

  • Standard
    108 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CLC
EN 61850-10:2013/A1:2025(Amendment)
Communication networks and systems for power utility automation - Part 10: Conformance testing
SIST EN 61850-10:2013/A1:2025
  • Amendment
    76 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CLC
EN IEC 62746-4:2025(Main)
Systems interface between customer energy management system and the power management system - Part 4: Demand Side Resource Interface
SIST EN IEC 62746-4:2025

IEC 62746-4:2024 describes CIM profiles for Demand-Side Resource Interface and is based on the use case shown in Annex A of this document. Schemas associated with this document were generated using the CIM101 UML and leverages the Market package. This document defines profiles complimentary to other standards, namely those in IEC 61970, IEC 61968, and IEC 62325.

  • Standard
    76 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CLC
EN 61850-6:2010/A2:2025(Amendment)
Communication networks and systems for power utility automation - Part 6: Configuration description language for communication in power utility automation systems related to IEDs
SIST EN 61850-6:2010/A2:2025
  • Amendment
    94 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CLC
EN IEC 61968-9:2024(Main)
Enterprise business function interfaces for utility operations - Part 9: Interfaces for meter reading and control
SIST EN IEC 61968-9:2024

IEC 61968-9:2024 specifies the information content of a set of message types that can be used to support many of the business functions related to meter reading and control. Typical uses of the message types include meter reading, controls, events, customer data synchronization and customer switching. Although intended primarily for electrical distribution networks, IEC 61968-9 can be used for other metering applications, including non-electrical metered quantities necessary to support gas and water networks. The purpose of this document is to define a standard for the integration of metering systems (MS), which includes traditional manual systems, and (one or two-way) automated meter reading (AMR) systems, and meter data management (MDM) systems with other enterprise systems and business functions within the scope of IEC 61968. The scope of this document is the exchange of information between metering systems, MDM systems and other systems within the utility enterprise. The specific details of communication protocols those systems employ are outside the scope of this document. Instead, this document will recognize and model the general capabilities that can be potentially provided by advanced and/or legacy meter infrastructures, including two-way communication capabilities such as load control, dynamic pricing, outage detection, distributed energy resource (DER) control signals and on-request read. In this way, this document will not be impacted by the specification, development and/or deployment of next generation meter infrastructures either through the use of standards or proprietary means. The focus of IEC 61968-9 is to define standard messages for the integration of enterprise applications, these messages may be directly or indirectly related to information flows within a broader scope. Examples would include messaging between head end systems and meters or PAN devices. The various components described later in this document will typically fall into either the category of a metering system (MS) head end, an MDM or other enterprise application (e.g. OMS, DRMS, CIS). The capabilities and information provided by a meter reading and meter data management systems are important for a variety of purposes, including (but not limited to) interval data, time-based demand data, time-based energy data (usage and production), outage management, service interruption, service restoration, quality of service monitoring, distribution network analysis, distribution planning, demand response, customer billing and work management. This standard also extends the CIM (Common Information Model) to support the exchange of meter data. This third edition cancels and replaces the second edition published in 2013. This edition constitutes a technical revision. Please see the foreword of IEC 61968-9 for further details.

  • Standard
    359 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CLC
EN IEC 61970-457:2024(Main)
Energy management system application program interface (EMS-API) - Part 457: Dynamics profile
SIST EN IEC 61970-457:2024

IEC 61970-457:2024 specifies a standard interface for exchanging dynamic model information needed to support the analysis of the steady state stability (small-signal stability) and/or transient stability of a power system or parts of it. The schema(s) for expressing the dynamic model information are derived directly from the CIM, more specifically from IEC 61970-302. The scope of this document includes only the dynamic model information that needs to be exchanged as part of a dynamic study, namely the type, description and parameters of each control equipment associated with a piece of power system equipment included in the steady state solution of a complete power system network model. Therefore, this profile is dependent upon other standard profiles for the equipment as specified in IEC 61970-452: CIM static transmission network model profiles, the topology, the steady state hypothesis and the steady state solution (as specified in IEC 61970-456: Solved power system state profiles) of the power system, which bounds the scope of the exchange. The profile information described by this document needs to be exchanged in conjunction with IEC 61970-452 and IEC 61970-456 profiles’ information to support the data requirements of transient analysis tools. IEC 61970-456 provides a detailed description of how different profile standards can be combined to form various types of power system network model exchanges. This document supports the exchange of the following types of dynamic models: • standard models: a simplified approach to exchange, where models are contained in predefined libraries of classes interconnected in a standard manner that represent dynamic behaviour of elements of the power system. The exchange only indicates the name of the model along with the attributes needed to describe its behaviour. • proprietary user-defined models: an exchange that would provide users the ability to exchange the parameters of a model representing a vendor or user proprietary device where an explicit description of the model is not described in this document. The connections between the proprietary models and standard models are the same as described for the standard models exchange. Recipient of the data exchange will need to contact the sender for the behavioural details of the model. This document builds on IEC 61970-302, CIM for dynamics which defines the descriptions of the standard dynamic models, their function block diagrams, and how they are interconnected and associated with the static network model. This type of model information is assumed to be pre-stored by all software applications hence it is not necessary to be exchanged in real-time or as part of a dynamics model exchange. This second edition cancels and replaces the first edition published in 2021. This edition constitutes a technical revision. This edition includes the following significant technical changes with respect to the previous edition: a) The majority of issues detected in IEC 61970-302:2018 and fixed in IEC 61970-302:2022 led to update of this document; b) IEEE 421.5-2016 on Excitation systems is fully covered; c) IEEE turbine report from 2013 was considered and as a result a number of gas, steam and hydro turbines/governors are added; d) IEC 61400-27-1:2020 on wind turbines is fully incorporated; e) WECC Inverter-Based Resource (IBR) models, Hybrid STATCOM models and storage models are added; f) The user defined models approach was enhanced in IEC 61970-302:2022 adding a model which enables modelling of a detailed dynamic model. This results in the creation of two additional pr

  • Standard
    780 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CLC
EN IEC 61970-302:2024(Main)
Energy management system application program interface (EMS-API) - Part 302: Common information model (CIM) dynamics
SIST EN IEC 61970-302:2024

IEC 61970-302:2024 specifies a Dynamics package which contains part of the CIM to support the exchange of models between software applications that perform analysis of the steady-state stability (small-signal stability) or transient stability of a power system as defined by IEEE / CIGRE, Definition and classification of power system stability IEEE/CIGRE joint task force on stability terms and definitions. The model descriptions in this document provide specifications for each type of dynamic model as well as the information that needs to be included in dynamic case exchanges between planning/study applications. The scope of the CIM Dynamics package specified in this document includes: • standard models: a simplified approach to describing dynamic models, where models representing dynamic behaviour of elements of the power system are contained in predefined libraries of classes which are interconnected in a standard manner. Only the names of the selected elements of the models along with their attributes are needed to describe dynamic behaviour. • proprietary user-defined models: an approach providing users the ability to define the parameters of a dynamic behaviour model representing a vendor or user proprietary device where an explicit description of the model is not provided by this document. The same libraries and standard interconnections are used for both proprietary user-defined models and standard models. The behavioural details of the model are not documented in this document, only the model parameters. • A model to enable exchange of models’ descriptions. This approach can be used to describe user defined and standard models. • A model to enable exchange of simulation results. This second edition cancels and replaces the first edition published in 2018. This edition constitutes a technical revision. This edition includes the following significant technical changes with respect to the previous edition: a) The majority of issues detected in IEC 61970-302:2018 are addressed; b) IEEE 421.5-2016 on Excitation systems is fully covered; c) The IEEE turbine report from 2013 was considered and as a result a number of gas, steam and hydro turbines/governors are added; d) IEC 61400-27-1:2020 on wind turbines is fully incorporated; e) WECC Inverter-Based Resource (IBR) models, Hybrid STATCOM models and storage models are added; f) The user defined models are enhanced with a model which enables modelling of detailed dynamic model; g) A model to enable exchange of simulation results is added; h) The work on the HVDC models is not complete. The HVDC dynamics models are a complex domain in which there are no models that are approved or widely recognised on international level, i.e. there are only project-based models. At this stage IEC 61970-302:2022 only specifies some general classes. However, it is recognised that better coverage of HVDC will require a further edition of this document; i) Models from IEEE 1547-2018 "IEEE Standard for Interconnection and Interoperability of Distributed Energy Resources with Associated Electric Power Systems Interfaces" are added. j) Statements have been added to certain figures, tables, schemas, and enumerations throughout the document that indicate that they are reproduced with the permission of the UCA International User Group (UCAIug). These items are derived from the CIM.

  • Standard
    894 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CLC
EN 60870-5-104:2006/A1:2016/AC:2023-09(Corrigendum)
Telecontrol equipment and systems - Part 5-104: Transmission protocols - Network access for IEC 60870-5-101 using standard transport profiles
SIST EN 60870-5-104:2007/A1:2017/AC:2024
  • Corrigendum
    3 pages
    English and French language
    sale 10% off
    e-Library read for
    1 day
CLC
EN IEC 62351-3:2023(Main)
Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP
SIST EN IEC 62351-3:2023

IEC 62351-3:2023 specifies how to provide confidentiality, integrity protection, and message level authentication for protocols that make use of TCP/IP as a message transport layer and utilize Transport Layer Security when cyber-security is required. This may relate to SCADA and telecontrol protocols, but also to additional protocols if they meet the requirements in this document. IEC 62351-3 specifies how to secure TCP/IP-based protocols through constraints on the specification of the messages, procedures, and algorithms of Transport Layer Security (TLS) (TLSv1.2 defined in RFC 5246, TLSv1.3 defined in RFC 8446). In the specific clauses, there will be subclauses to note the differences and commonalities in the application depending on the target TLS version. The use and specification of intervening external security devices (e.g., "bump-in-the-wire") are considered out-of-scope. In contrast to previous editions of this document, this edition is self-contained in terms of completely defining a profile of TLS. Hence, it can be applied directly, without the need to specify further TLS parameters, except the port number, over which the communication will be performed. Therefore, this part can be directly utilized from a referencing standard and can be combined with further security measures on other layers. Providing the profiling of TLS without the need for further specifying TLS parameters allows declaring conformity to the described functionality without the need to involve further IEC 62351 documents. This document is intended to be referenced as a normative part of other IEC standards that have the need for providing security for their TCP/IP-based protocol exchanges under similar boundary conditions. However, it is up to the individual protocol security initiatives to decide if this document is to be referenced. The document also defines security events for specific conditions, which support error handling, security audit trails, intrusion detection, and conformance testing. Any action of an organization in response to events to an error condition described in this document are beyond the scope of this document and are expected to be defined by the organization’s security policy. This document reflects the security requirements of the IEC power systems management protocols. Should other standards bring forward new requirements, this document may need to be revised. This second edition cancels and replaces the first edition published in 2014, Amendment 1:2018 and Amendment 2:2020. This edition constitutes a technical revision. This edition includes the following significant technical changes with respect to the previous edition: a) Inclusion of the TLSv1.2 related parameter required in IEC 62351-3 Ed.1.2 to be specified by the referencing standard. This comprises the following parameter: • Mandatory TLSv1.2 cipher suites to be supported. • Specification of session resumption parameters. • Specification of session renegotiation parameters. • Revocation handling using CRL and OCSP. • Handling of security events. b) Inclusion of a TLSv1.3 profile to be applicable for the power system domain in a similar way as for TLSv1.2 session.

  • Standard
    52 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    52 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CLC
EN IEC 62351-9:2023(Main)
Power systems management and associated information exchange - Data and communications security - Part 9: Cyber security key management for power system equipment
SIST EN IEC 62351-9:2023

IEC 62351-9:2023 specifies cryptographic key management, primarily focused on the management of long-term keys, which are most often asymmetric key pairs, such as public-key certificates and corresponding private keys. As certificates build the base this document builds a foundation for many IEC 62351 services (see also Annex A). Symmetric key management is also considered but only with respect to session keys for group-based communication as applied in IEC 62351-6. The objective of this document is to define requirements and technologies to achieve interoperability of key management by specifying or limiting key management options to be used. This document assumes that an organization (or group of organizations) has defined a security policy to select the type of keys and cryptographic algorithms that will be utilized, which may have to align with other standards or regulatory requirements. This document therefore specifies only the management techniques for these selected key and cryptography infrastructures. This document assumes that the reader has a basic understanding of cryptography and key management principles. The requirements for the management of pairwise symmetric (session) keys in the context of communication protocols is specified in the parts of IEC 62351 utilizing or specifying pairwise communication such as: • IEC 62351-3 for TLS by profiling the TLS options • IEC 62351-4 for the application layer end-to-end security • IEC TS 62351-5 for the application layer security mechanism for IEC 60870-5-101/104 and IEEE 1815 (DNP3) The requirements for the management of symmetric group keys in the context of power system communication protocols is specified in IEC 62351-6 for utilizing group security to protect GOOSE and SV communication. IEC 62351-9 utilizes GDOI as already IETF specified group-based key management protocol to manage the group security parameter and enhances this protocol to carry the security parameter for GOOSE, SV, and PTP. This document also defines security events for specific conditions which could identify issues which might require error handling. However, the actions of the organisation in response to these error conditions are beyond the scope of this document and are expected to be defined by the organizations security policy. In the future, as public-key cryptography becomes endangered by the evolution of quantum computers, this document will also consider post-quantum cryptography to a certain extent. Note that at this time being no specific measures are provided. This second edition cancels and replaces the first edition published in 2017. This edition constitutes a technical revision. This edition includes the following significant technical changes with respect to the previous edition: a) Certificate components and verification of the certificate components have been added; b) GDOI has been updated to include findings from interop tests; c) GDOI operation considerations have been added; d) GDOI support for PTP (IEEE 1588) support has been added as specified by IEC/IEEE 61850-9-3 Power Profile; e) Cyber security event logging has been added as well as the mapping to IEC 62351-14; f) Annex B with background on utilized cryptographic algorithms and mechanisms has been added.

  • Standard
    147 pages
    English language
    sale 10% off
    e-Library read for
    1 day