IEC TS 63383:2022
(Main)Cybersecurity aspects of devices used for power metering and monitoring, power quality monitoring, data collection and analysis
Cybersecurity aspects of devices used for power metering and monitoring, power quality monitoring, data collection and analysis
IEC TS 63383:2022 deals with cybersecurity related to measuring devices (PMD according to IEC 61557-12 and PQI according to IEC 62586-1) and devices for data collection (devices according to IEC 62974-1) that are intended to be installed in restricted access areas.
This document deals with cybersecurity aspects (e.g. device hardening or device resilience) of device(s) used for power metering and monitoring, power quality monitoring, data collection and analysis, but does not cover requirements for organisational cybersecurity (e.g. end-user security policy).
This document is a first attempt to develop awareness by manufacturers and other relevant stakeholders about cybersecurity aspects and provide basic guidance for achieving the appropriate security mitigation against vulnerabilities to security threats:
– in coherence with device/system approaches described in relevant standards such as IEC 62443 (all parts) and ISO/IEC 27001,
– based on generic system use-cases.
This document does not cover billing meters covered by the IEC 62053-2x set of standards.
General Information
Standards Content (Sample)
IEC TS 63383 ®
Edition 1.0 2022-11
TECHNICAL
SPECIFICATION
colour
inside
Cybersecurity aspects of devices used for power metering and monitoring,
power quality monitoring, data collection and analysis
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.
IEC Secretariat Tel.: +41 22 919 02 11
3, rue de Varembé info@iec.ch
CH-1211 Geneva 20 www.iec.ch
Switzerland
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.
About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigendum or an amendment might have been published.
IEC publications search - webstore.iec.ch/advsearchform IEC Products & Services Portal - products.iec.ch
The advanced search enables to find IEC publications by a Discover our powerful search engine and read freely all the
variety of criteria (reference number, text, technical publications previews. With a subscription you will always
committee, …). It also gives information on projects, replaced have access to up to date content tailored to your needs.
and withdrawn publications.
Electropedia - www.electropedia.org
IEC Just Published - webstore.iec.ch/justpublished
The world's leading online dictionary on electrotechnology,
Stay up to date on all new IEC publications. Just Published
containing more than 22 300 terminological entries in English
details all new publications released. Available online and
and French, with equivalent terms in 19 additional languages.
once a month by email.
Also known as the International Electrotechnical Vocabulary
(IEV) online.
IEC Customer Service Centre - webstore.iec.ch/csc
If you wish to give us your feedback on this publication or
need further assistance, please contact the Customer Service
Centre: sales@iec.ch.
IEC TS 63383 ®
Edition 1.0 2022-11
TECHNICAL
SPECIFICATION
colour
inside
Cybersecurity aspects of devices used for power metering and monitoring,
power quality monitoring, data collection and analysis
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS 17.220.20; 29.240.01 ISBN 978-2-8322-6115-6
– 2 – IEC TS 63383:2022 © IEC 2022
CONTENTS
FOREWORD . 4
INTRODUCTION . 6
1 Scope . 7
2 Normative references . 7
3 Terms, definitions, symbols and abbreviated terms . 7
3.1 Definitions related to cybersecurity . 7
3.2 Definitions related to devices . 11
3.3 Symbols and abbreviated terms . 12
4 Security objectives . 13
5 Cybersecurity risk assessment (generic approach) . 13
5.1 Risk assessment . 13
5.2 Risk management . 14
5.2.1 General . 14
5.2.2 Examples of metrics . 14
5.2.3 Examples for prioritization . 15
6 Requirements . 15
6.1 Overview. 15
6.2 Requirements for risk assessment . 16
6.3 Requirements for countermeasures . 17
6.4 Requirements for testing . 17
6.5 Requirements for lifecycle security management . 18
6.6 Requirements for instructions of use . 18
Annex A (informative) Example of generic risk assessment for PMDs, PQIs, data
gateways (DGW), energy data loggers (EDL) and energy servers (ESE) . 19
A.1 General . 19
A.2 Generic roles . 19
A.3 Generic system use-case . 19
A.4 Generic functions achieved by devices within a system . 20
A.4.1 PMD and PQI devices . 20
A.4.2 Data gateways (DGW), energy data loggers (EDL), energy servers
(ESE) . 21
A.5 Generic assessment of devices within the system . 22
A.5.1 Generic list of feared events . 22
A.5.2 Generic list of device-feared events . 23
A.5.3 Generic list of accesses allowing potential vulnerabilities . 25
A.5.4 Generic list of device accesses allowing potential vulnerabilities . 26
Annex B (informative) Example of generic countermeasures . 27
B.1 General . 27
B.2 Recommendations for manufacturers during design phase . 27
B.3 Recommendations for manufacturers during manufacturing . 27
B.4 Recommendations for manufacturers putting devices on the market . 27
B.5 Recommendations for integrators building systems within facilities . 27
B.6 Recommendations for commissioning . 27
B.7 Recommendations for facility managers operating systems within facilities . 28
B.8 Recommendations for facility managers during maintenance . 28
B.9 Recommendations for facility managers during de-commissioning . 28
B.10 Recommendations for facility managers during disposal . 28
Bibliography . 29
Figure 1 – Generic examples for classification of device(s) within an organisational
environment . 13
Figure 2 – Typical graph of acceptable and non-acceptable risks . 15
Figure 3 – Requirements in 5 phases . 16
Figure 4 – Examples of device accesses . 17
Figure A.1 – Example of generic system use-case . 20
Figure A.2 – Example of data processing within DGW, EDL and ESE . 22
Figure A.3 – Example of device assets together with its interfaces . 26
Table 1 – Example of a simple 3 × 3 risk matrix . 15
Table A.1 – Example of generic roles . 19
Table A.2 – Kind of data measured by PMD and PQI . 21
Table A.3 – Generic device feared events (potential security problems) . 23
Table A.4 – Generic device-feared events (security problems) definition . 24
Table A.5 – Generic example of device accesses . 26
– 4 – IEC TS 63383:2022 © IEC 2022
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
CYBERSECURITY ASPECTS OF DEVICES USED
FOR POWER METERING AND MONITORING, POWER QUALITY
MONITORING, DATA COLLECTION AND ANALYSIS
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international
co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and
in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports,
Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC Publication(s)"). Their
preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with
may participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for
Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence between
any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent
rights. IEC shall not be held responsible for identifying any or all such patent rights.
IEC TS 63383 has been prepared by IEC technical committee 85: Measuring equipment for
electrical and electromagnetic quantities. It is a Technical Specification.
The text of this Technical Specification is based on the following documents:
Draft Report on voting
85/832/DTS 85/839/RVDTS
Full information on the voting for its approval can be found in the report on voting indicated in
the above table.
The language used for the development of this Technical Specification is English.
This document was drafted in accordance with ISO/IEC Directives, Part 2, and developed in
accordance with ISO/IEC Directives, Part 1 and ISO/IEC Directives, IEC Supplement, available
at www.iec.ch/members_experts/refdocs. The main document types developed by IEC are
described in greater detail at www.iec.ch/publications.
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.