Power systems management and associated information exchange - Data and communications security - Part 5: Security for IEC 60870-5 and derivatives

IEC 62351-5:2023 defines the application profile (A-profile) secure communication mechanism specifying messages, procedures and algorithms for securing the operation of all protocols based on or derived from IEC 60870-5, Telecontrol Equipment and Systems – Transmission Protocols.
For the measures described in this document to take effect, they must be accepted and referenced by the specifications for the protocols themselves. This document is written to enable that process.
The subsequent audience for this document is intended to be the developers of products that implement these protocols.
Portions of this document may also be of use to managers and executives in order to understand the purpose and requirements of the work.
This document is organized working from the general to the specific, as follows:
• Clauses 2 through 4 provide background terms, definitions, and references.
• Clause 5 describes the problems this specification is intended to address.
• Clause 6 describes the mechanism generically without reference to a specific protocol.
• Clauses 7 and 8 describe the mechanism more precisely and are the primary normative part of this specification.
• Clause 9 defines the interoperability requirements for this secure communication mechanism.
• Clause 10 describes the requirements for other standards referencing this document.
The actions of an organization in response to events and error conditions described in this document are expected to be defined by the organization’s security policy and they are beyond the scope of this document.
This International Standard cancels and replaces IEC TS 62351-5 published in 2013. It constitutes a technical revision. The primary changes in this International Standard are:
a) The secure communication mechanism is performed on a per controlling station/controlled station association basis.
b) User management (adding, changing or deleting a User) was removed.
c) The symmetric method to change the Update Key was removed.
d) The asymmetric method to change the Update Key was reviewed.
e) Challenge/Reply procedure and concepts were removed.
f) Aggressive Mode concept was replaced with the Secure Data message exchange mechanism.
g) Authenticated encryption of application data was added.
h) The list of permitted security algorithms has been updated.
i) The rules for calculating message sequence numbers have been updated.
j) Event monitoring and logging was added.

Power systems management and associated information exchange – Data and communications security – Part 5: Security for IEC 60870-5 and derivatives

IEC 62351-5:2023 defines the application profile (A-profile) secure communication mechanism that specifies the messages, procedures and algorithms for securing the operation of all protocols based on or derived from IEC 60870-5, Telecontrol equipment and systems – Transmission protocols.
For the measures described in this document to take effect, they must be accepted and referenced by the specifications of the protocols themselves. This document is written to enable that process.
The subsequent readers of this document are intended to be the developers of products that implement these protocols.
Some parts of this document may also be useful to managers and executives in understanding the purpose and requirements of the work.
This document is organized from the general to the specific, as follows:
• Clauses 2 to 4 provide background terms, definitions and references;
• Clause 5 describes the problems this specification is intended to address;
• Clause 6 describes the mechanism generically, without reference to a specific protocol;
• Clauses 7 and 8 describe the mechanism more precisely. They constitute the primary normative part of this specification;
• Clause 9 defines the interoperability requirements for this secure communication mechanism, including the relationship between this standard and IEC 62351-3 for transport layer security;
• Clause 10 describes the requirements for other standards referencing this document.
The actions of an organization in response to the events and error conditions described in this document are expected to be defined by the organization's security policy. They are outside the scope of this document.
This International Standard cancels and replaces IEC TS 62351-5 published in 2013. It constitutes a technical revision. The main changes in this International Standard are as follows:
a) the secure communication mechanism is performed per controlling station/controlled station association;
b) User management, which serves to add, change or delete a User, was removed;
c) the symmetric method for changing the Update Key was removed;
d) the asymmetric method for changing the Update Key was revised;
e) the Challenge/Reply procedure and concepts were removed;
f) the Aggressive Mode concept was replaced by the Secure Data message exchange mechanism;
g) authenticated encryption of application data was added;
h) the list of permitted security algorithms was updated;
i) the rules for calculating message sequence numbers were updated;
j) event monitoring and logging were added.

General Information

Status: Published
Publication Date: 12-Jan-2023
Current Stage: PPUB - Publication issued
Start Date: 02-Dec-2022
Completion Date: 13-Jan-2023
Standard: IEC 62351-5:2023 - Power systems management and associated information exchange - Data and communications security - Part 5: Security for IEC 60870-5 and derivatives, released 1/13/2023
Language: English and French
263 pages
Standards Content (Sample)

IEC 62351-5
Edition 1.0 2023-01
INTERNATIONAL STANDARD

Power systems management and associated information exchange – Data and communications security –
Part 5: Security for IEC 60870-5 and derivatives

IEC 62351-5:2023-01(en-fr)

Copyright © 2023 IEC, Geneva, Switzerland

INTERNATIONAL ELECTROTECHNICAL COMMISSION
ICS 33.200 ISBN 978-2-8322-6017-3

CONTENTS
FOREWORD ..... 6
1 Scope ..... 8
2 Normative references ..... 9
3 Terms and definitions ..... 10
4 Abbreviated terms ..... 11
5 Problem description ..... 12
  5.1 Overview of clause ..... 12
  5.2 Specific threats addressed ..... 12
  5.3 Design issues ..... 12
    5.3.1 Overview of subclause ..... 12
    5.3.2 Asymmetric communications ..... 12
    5.3.3 Message-oriented ..... 12
    5.3.4 Poor sequence numbers or no sequence numbers ..... 13
    5.3.5 Limited processing power ..... 13
    5.3.6 Limited bandwidth ..... 13
    5.3.7 No access to authentication server ..... 13
    5.3.8 Limited frame length ..... 13
    5.3.9 Limited checksum ..... 14
    5.3.10 Radio systems ..... 14
    5.3.11 Dial-up systems ..... 14
    5.3.12 Variety of protocols affected ..... 14
    5.3.13 Differing data link layers ..... 14
    5.3.14 Long upgrade intervals ..... 15
    5.3.15 Remote sites ..... 15
    5.3.16 Unreliable media ..... 15
  5.4 General principles ..... 15
    5.4.1 Overview of subclause ..... 15
    5.4.2 Application layer only ..... 15
    5.4.3 Generic definition mapped onto different protocols ..... 15
    5.4.4 Bi-directional ..... 15
    5.4.5 Management of cryptographic keys ..... 15
    5.4.6 Backwards tolerance ..... 16
    5.4.7 Upgradeable ..... 16
    5.4.8 Multiple connections ..... 16
6 Theory of operation ..... 16
  6.1 Overview of clause ..... 16
  6.2 The secure communication ..... 16
    6.2.1 Basic concepts ..... 16
    6.2.2 Association ID ..... 17
    6.2.3 Authenticating ..... 18
    6.2.4 Central Authority ..... 18
    6.2.5 Role Based Access Control (RBAC) ..... 18
    6.2.6 Cryptographic keys ..... 18
    6.2.7 Security statistics ..... 22
    6.2.8 Security events ..... 22
7 Functional requirements ..... 22
  7.1 Overview of clause ..... 22
  7.2 Procedures Overview ..... 22
  7.3 State machine overview ..... 23
  7.4 Timers and counters ..... 25
  7.5 Security statistics and events ..... 25
    7.5.1 General ..... 25
    7.5.2 Special security thresholds ..... 29
    7.5.3 Security statistics reporting ..... 29
    7.5.4 Security events monitoring and logging ..... 29
8 Formal procedures ..... 30
  8.1 Overview of subclause ..... 30
  8.2 Distinction between messages and ASDUs ..... 30
    8.2.1 General ..... 30
    8.2.2 Messages datatypes and notations ..... 30
  8.3 Station Association procedure ..... 30
    8.3.1 General ..... 30
    8.3.2 Public key certificates ..... 31
    8.3.3 Configuration of authorized remote stations ..... 33
    8.3.4 Pre-requisites to initiate the Station Association procedure ..... 33
    8.3.5 Messages definition ..... 33
    8.3.6 Controlling station state machine ..... 42
    8.3.7 Controlled station state machine ..... 52
    8.3.8 Verification of remote station's certificate ..... 61
    8.3.9 Verification of certificates during normal operations ..... 61
    8.3.10 Update Keys derivation ..... 62
    8.3.11 Controlling station directives for Station Association and Update Keys management ..... 63
    8.3.12 Controlled station directives for Station Association and Update Keys management ..... 63
    8.3.13 Initializing and updating Stations Association and Update Keys ..... 65
  8.4 Session Key Change procedure ..... 66
    8.4.1 General ..... 66
    8.4.2 Messages definition ..... 67
    8.4.3 Controlling station state machine ..... 76
    8.4.4 Controlled station state machine ..... 85
    8.4.5 Controlling station directives for Session Keys management ..... 93
    8.4.6 Controlled station directives for Session Keys management ..... 93
    8.4.7 Initializing and changing Session Keys ..... 94
  8.5 Secure Data Exchange ..... 95
    8.5.1 General ..... 95
    8.5.2 Messages definition ..... 96
    8.5.3 Controlling station state machine ..... 100
    8.5.4 Controlled station state machine ..... 105
    8.5.5 Controlling station directives for Secure Data Exchange ..... 109
    8.5.6 Controlled station directives for Secure Data Exchange ..... 109
    8.5.7 Example of Secure Data exchange during Station Association ..... 110
    8.5.8 Example of Secure Data Exchange during Session Key Change ..... 111
9 Interoperability requirements ..... 113
  9.1 Overview of clause ..... 113
  9.2 Minimum requirements ..... 113
    9.2.1 Overview of subclause ..... 113
    9.2.2 Authentication algorithms ..... 113
    9.2.3 Key wrap / transport algorithms ..... 113
    9.2.4 Cryptographic keys ..... 114
    9.2.5 Cryptographic curves ..... 114
    9.2.6 Configurable values ..... 114
    9.2.7 Cryptographic information ..... 116
  9.3 Options ..... 116
    9.3.1 Overview of subclause ..... 116
    9.3.2 MAC/AEAD algorithms ..... 117
    9.3.3 Key wrap / transport algorithms ..... 117
    9.3.4 Cryptographic curves ..... 117
  9.4 Use with TCP/IP ..... 117
  9.5 Use with redundant channels ..... 117
10 Requirements for referencing this standard ..... 118
  10.1 Overview of clause ..... 118
  10.2 Selected options ..... 118
  10.3 Message format mapping ..... 118
  10.4 Reference to procedures ..... 118
  10.5 Protocol information ..... 118
  10.6 Controlled station response to unauthorized operations requests ..... 119
  10.7 Transmission of security statistics ..... 119
  10.8 Configurable values ..... 119
  10.9 Protocol implementation conformance statement ..... 119
Annex A (informative) Security Event mapping to IEC 62351-14 ..... 120
  A.1 General ..... 120
  A.2 Mapping of IEC 62351-5 events specified in this document ..... 120
Bibliography ..... 122

Figure 1 – Overview of interaction between Central Authority and stations ..... 21
Figure 2 – Sequence of procedures ..... 23
Figure 3 – Station Association procedure ..... 34
Figure 4 – Station Association – Controlling station state machine ..... 43
Figure 5 – Station Association – Controlled station state machine ..... 53
Figure 6 – Example of Association ID, Update Keys and Session Keys initialization ..... 66
Figure 7 – Session Key Change procedure ..... 67
Figure 8 – Session Key Change – Controlling station state machine ..... 77
Figure 9 – Session Key Change – Controlled station state machine ..... 86
Figure 10 – Example of Session Key initialization and periodic update ..... 95
Figure 11 – Secure Data Exchange ..... 96
Figure 12 – Secure Data Exchange – Controlling station state machine ..... 101
Figure 13 – Secure Data Exchange – Controlled station state machine ..... 106
Figure 14 – Example of Secure Data Exchange during Station Association ..... 111
Figure 15 – Example of Secure Data messages exchanged during Session Key Change ..... 112

Table 1 – Scope of application to standards ..... 8
Table 2 – Summary of symmetric keys used ..... 19
Table 3 – Summary of asymmetric keys used ..... 19
Table 4 – States used in the controlling station state machine ..... 24
Table 5 – States used in the controlled station state machine ..... 24
Table 6 – Summary of timers and counters used ..... 25
Table 7 – Security statistics and associated events ..... 26
Table 8 – Elliptic curves ..... 31
Table 9 – Association Request message ..... 35
Table 10 – Association Response message ..... 36
Table 11 – Update Key Change Request message ..... 38
Table 12 – Data Included in MAC calculation (in order) ..... 40
Table 13 – Update Key Change Response message ..... 40
Table 14 – Data Included in MAC calculation (in order) ..... 41
Table 15 – Controlling station state machine: Station Association ..... 44
Table 16 – Controlled station state machine: Station Association ..... 54
Table 17 – List of pre-defined role-to-permission assignment ..... 64
Table 18 – Session Request message ..... 68
Table 19 – Session Response message ..... 70
Table 20 – Data Included in MAC calculation (in order) ..... 71
Table 20 – Session Key Change Request message ..... 72
Table 21 – Data Included in WKD (in order) ..... 73
Table 22 – Example of Session Key order ..... 74
Table 23 – Data Included in the MAC calculation (in order) ..... 74
Table 25 – Session Key Change Response message ..... 75
Table 26 – Data Included in the MAC calculation (in order) ..... 75
Table 27 – Controlling station state machine: Session Key Change ..... 78
Table 28 – Controlled station state machine: Session Key Change ..... 87
Table 29 – Secure Data message ..... 97
Table 29 – Secure Data Payload using MAC algorithm ..... 98
Table 31 – Data included in the MAC calculation in Secure Data Payload (in order) ..... 99
Table 32 – AEAD algorithm parameters to generate the Secure Data Payload (in order) ..... 99
Table 33 – Controlling station state machine: Secure Data Exchange ..... 102
Table 34 – Controlled station state machine: Secure Data Exchange ..... 107
Table 35 – Configuration of cryptographic information ..... 116
Table 36 – Legend for configuration of cryptographic information ..... 116
Table A.1 – Security event logs defined in IEC 62351-5 Ed.1 mapped to IEC 62351-14 ..... 120

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________

POWER SYSTEMS MANAGEMENT AND ASSOCIATED INFORMATION EXCHANGE – DATA AND COMMUNICATIONS SECURITY –
Part 5: Security for IEC 60870-5 and derivatives

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international
co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and
in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports,
Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC Publication(s)"). Their
preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with
may participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for
Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence between
any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whats
...