EN 62351-3:2014/A1:2018
(Amendment)Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP
Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP
This part of IEC 62351 specifies how to provide confidentiality, integrity protection, and message level authentication for SCADA and telecontrol protocols that make use of TCP/IP as a message transport layer when cyber-security is required. Although there are many possible solutions to secure TCP/IP, the particular scope of this part is to provide security between communicating entities at either end of a TCP/IP connection within the end communicating entities. The use and specification of intervening external security devices (e.g. “bump-in-the-wire”) are considered out-of-scope. This part of IEC 62351 specifies how to secure TCP/IP-based protocols through constraints on the specification of the messages, procedures, and algorithms of Transport Layer Security (TLS) (defined in RFC 5246) so that they are applicable to the telecontrol environment of the IEC. TLS is applied to protect the TCP communication. It is intended that this standard be referenced as a normative part of other IEC standards that have the need for providing security for their TCP/IP-based protocol. However, it is up to the individual protocol security initiatives to decide if this standard is to be referenced. This part of IEC 62351 reflects the security requirements of the IEC power systems management protocols. Should other standards bring forward new requirements, this standard may need to be revised.
Energiemanagementsysteme und zugehöriger Datenaustausch - IT-Sicherheit für Daten und Kommunikation - Teil 3: Sicherheit von Kommunikationsnetzen und Systemen - Profile einschließlich TCP/IP
Gestion des systèmes de puissance et échanges d’informations associés - Sécurité des communications et des données - Partie 3: Sécurité des réseaux et des systèmes de communication - Profils comprenant TCP/IP
Upravljanje elektroenergetskega sistema in pripadajoča izmenjava informacij - Varnost podatkov in komunikacij - 3. del: Varnost komunikacijskih omrežij in sistemov - Profili za TCP/IP - Dopolnilo A1
General Information
Relations
Standards Content (Sample)
SLOVENSKI STANDARD
01-november-2018
8SUDYOMDQMHHOHNWURHQHUJHWVNHJDVLVWHPDLQSULSDGDMRþDL]PHQMDYDLQIRUPDFLM
9DUQRVWSRGDWNRYLQNRPXQLNDFLMGHO9DUQRVWNRPXQLNDFLMVNLKRPUHåLMLQ
VLVWHPRY3URILOL]D7&3,3'RSROQLOR$
Power systems management and associated information exchange - Data and
communications security - Part 3: Communication network and system security - Profiles
including TCP/IP
Datenmodelle, Schnittstellen und Informationsaustausch für Planung und Betrieb von
Energieversorgungsunternehmen - Daten- und Kommunikationssicherheit - Teil 3:
Sicherheit von Kommunikationsnetzen und Systemen - Profile einschließlich TCP/IP
Gestion des systèmes de puissance et échanges d’informations associés - Sécurité des
communications et des données - Partie 3: Sécurité des réseaux et des systèmes de
communication - Profils comprenant TCP/IP
Ta slovenski standard je istoveten z: EN 62351-3:2014/A1:2018
ICS:
29.240.30 Krmilna oprema za Control equipment for electric
elektroenergetske sisteme power systems
35.240.50 Uporabniške rešitve IT v IT applications in industry
industriji
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
EUROPEAN STANDARD EN 62351-3:2014/A1
NORME EUROPÉENNE
EUROPÄISCHE NORM
September 2018
ICS 33.200
English Version
Power systems management and associated information
exchange - Data and communications security - Part 3:
Communication network and system security - Profiles including
TCP/IP
(IEC 62351-3:2014/A1:2018)
Gestion des systèmes de puissance et échanges Management von Systemen der Energietechnik und
d'informations associés - Sécurité des communications et zugehöriger Datenaustausch - Daten- und
des données - Partie 3: Sécurité des réseaux et des Kommunikationssicherheit - Teil 3: Sicherheit von
systèmes de communication - Profils comprenant TCP/IP Kommunikationsnetzen und Systemen - Profile
(IEC 62351-3:2014/A1:2018) einschließlich TCP/IP
(IEC 62351-3:2014/A1:2018)
This amendment A1 modifies the European Standard EN 62351-3:2014; it was approved by CENELEC on 2018-06-29. CENELEC
members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this amendment the
status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This amendment exists in three official versions (English, French, German). A version in any other language made by translation under the
responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as
the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden,
Switzerland, Turkey and the United Kingdom.
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2018 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN 62351-3:2014/A1:2018 E
European foreword
The text of document 57/1976/FDIS, future edition 1 of IEC 62351-3/A1, prepared by IEC/TC 57
"Power systems management and associated information exchange" was submitted to the IEC-
CENELEC parallel vote and approved by CENELEC as EN 62351-3:2014/A1:2018.
The following dates are fixed:
• latest date by which the document has to be implemented at national (dop) 2019-03-29
level by publication of an identical national standard or by endorsement
• latest date by which the national standards conflicting with the (dow) 2021-06-29
document have to be withdrawn
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
This document has been prepared under a mandate given to CENELEC by the European Commission
and the European Free Trade Association.
Endorsement notice
The text of the International Standard IEC 62351-3:2014/A1:2018 was approved by CENELEC as a
European Standard without any modification.
Replace Annex ZA of 62351-3:2014 by the following one:
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1 Where an International Publication has been modified by common modifications, indicated by (mod), the relevant
EN/HD applies.
NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available here:
www.cenelec.eu.
Publication Year Title EN/HD Year
IEC/TS 62351-1 2007 Power systems management and - -
associated information exchange - Data
and communications security - Part 1:
Communication network and system
security - Introduction to security issues
IEC/TS 62351-2 2008 Power systems management and - -
associated information exchange - Data
and communications security - Part 2:
Glossary of terms
IEC 62351-9 - Power systems management and EN 62351-9 -
associated information exchange - Data
and communications security - Part 9:
Cyber security key management for power
system equipment
ISO/IEC 9594-8 2017 Information technology - Open Systems - -
Interconnection - The Directory - Part 8:
Public-key and attribute certificate
frameworks
RFC 4492 2006 Elliptic Curve Cryptography (ECC) Cipher - -
Suites for Transport Layer Security (TLS)
RFC 5246 2008 The Transport Layer Security (TLS) - -
Protocol Version 1.2
RFC 5280 2008 Internet X.509 Public Key Infrastructure - -
Certificate and Certificate Revocation List
(CRL) Profile
RFC 5746 2010 Transport Layer Security (TLS) - -
Renegotiation Indication Extension
RFC 6066 2006 Transport Layer Security (TLS) Extensions: - -
Extension Definitions
RFC 6176 2011 Prohibiting Secure Sockets Layer (SSL) - -
Version 2.0
IEC 62351-3 ®
Edition 1.0 2018-05
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
A MENDMENT 1
AM ENDEMENT 1
Power systems management and associated information exchange – Data
and communications security –
Part 3: Communication network and system security – Profiles including TCP/IP
Gestion des systèmes de puissance et échanges d'informations associés –
Sécurité des communications et des données –
Partie 3: Sécurité des réseaux et des systèmes de communication – Profils
comprenant TCP/IP
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
INTERNATIONALE
ICS 33.200 ISBN 978-2-8322-5720-3
– 2 – IEC 62351-3:2014/AMD1:2018
© IEC 2018
FOREWORD
This amendment to the International Standard IEC 62351-3 has been prepared by
IEC technical committee 57: Power systems management and associated information
exchange.
The text of this amendment is based on the following documents:
FDIS Report on voting
57/1976/FDIS 57/1990/RVD
Full information on the voting for the approval of this amendment can be found in the report
on voting indicated in the above table.
A list of all parts in the IEC 62351 series, published under the general title Power systems
management and associated information exchange – Data and communications security, can
be found on the IEC website.
The committee has decided that the contents of this amendment and the base publication will
remain unchanged until the stability date indicated on the IEC website under
"http://webstore.iec.ch" in the data related to the specific publication. At this date, the
publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
_____________
2 Normative references
Replace the existing reference IEC TS 62351-9 with the following new reference:
IEC 62351-9, Power systems management and associated information exchange – Data and
communications security – Part 9: Cyber security key management for power system
equipment
Replace the existing reference IEC/ISO 9594-8 with the following new reference:
ISO/IEC 9594-8:2017, Rec. ITU-T X.509 (2016), Information technology – Open Systems
Interconnection – The Directory – Part 8: Public-key and attribute certificate frameworks
4.1 Operational requirements affecting the use of TLS in the telecontrol environment
Replace the existing text of the fifth paragraph of 4.1 with the following new text:
Note that TLS utilizes X.509 certificates (see also ISO/IEC 9594-8 or RFC 5280) for
authentication. In the context of this specification the term certificates always relates to
public-key certificates (in contrast to attribute certificates).
IEC 62351-3:2014/AMD1:2018 – 3 –
© IEC 2018
4.2 Security threats countered
Replace the existing text of the second paragraph of 4.2 with the following new text:
TCP/IP and the security specifications in this part of IEC 62351 cover only to the
communication transport layers (OSI layers 4 and lower). This part of IEC 62351 does not
cover security functionality specific for the communication application layers (OSI layers 5 and
above) or application-to-application security.
NOTE The application of TLS as profiled in this document supports the protection of information sent over the
TLS protected connection.
4.3 Attack methods countered
Replace the existing text of the first bullet point of Subclause 4.3 by the following new text:
– Man-in-the-middle: This threat is countered through the use of a Message Authentication
Code mechanism or digital signatures specified within this document.
5.1 Deprecation of cipher suites
Add the following new text before the fourth paragraph of 5.1:
The support of SHA-1 is intended for backward compatibility. SHA-256 shall be supported and
is the preferred signature algorithm to be used.
SHA-1 is no longer recognized as secure with respect collision resistance and it is therefore
strongly recommended to perform a risk assessment before using this algorithm. If SHA-256
cannot be used, it is also recommended that additional security measures be taken. The
usage of SHA-1 will be disallowed in the next edition of this standard.
NOTE Recommendations regarding hash signature algorithms are reviewed constantly and can be found in NIST
SP800-57, BNetzA (BSI), or the NSA Suite B.
Replace the existing text of the fourth paragraph of 5.1 by the following new text:
The list of disallowed suites includes, but is not limited to:
– TLS_NULL_WITH_NULL_NULL
– TLS_RSA_ WITH_NULL_MD5
5.2 Negotiation of Versions
Add the following new text at the end of Subclause 5.2:
The proposal of versions TLS 1.0 or TLS 1.1 should raise a security warning ("warning:
insecure TLS version"). Implementations should provide a mechanism for announcing security
warnings.
5.3 Session Resumption
Replace the existing text of Subclause 5.3 with the following new text:
Session resumption in TLS allows for the resumption of a session based on the session ID
connected with a dedicated (existing) master secret, which will result in a new session key.
This minimizes the performance impact of asymmetric handshakes, and can be done during a
running session or after a session has ended within a defined time period (TLS suggests not
more than 24 hours in RFC 5280). This specification follows this suggestion. Session
resumption should be performed at least every 24 hours for active sessions or not later than
24 hours for sessions that have ended. The actual parameters should be defined based on
– 4 – IEC 62351-3:2014/AMD1:2018
© IEC 2018
risk assessment from the referencing standard. Session resumption is expected to be more
frequent than session renegotiation.
Implementations claiming conformance to this standard shall specify that the symmetric
session keys shall be renewed within the maximum time period. This resumption maximum
time constraint is expected to be specified in a PIXIT of the referencing standard. The
maximum time period for session resumption shall be aligned with the CRL refresh time.
Session resumption intervals shall be configurable, so long as they are within the specified
maximum time period.
Clients shall initiate session resumption using the ClientHello message. A server initiated
update of session parameter shall use the HelloRequest message to trigger the client to send
a ClientHello message on the currently active connection.
NOTE According to RFC 5246 the HelloRequest is an optional message that the server may send to a client.
Session resumption may be initiated by either side, as long as the security policies for both
the client and the server permit this. In case of failures to resume a session, the failure
handling described in TLS v1.2 shall be followed.
Session resumption may be done
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.