iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
SIST

oSIST prEN IEC 62351-8:2025

(Main)

Power systems management and associated information exchange - Data and communications security - Part 8: Role-based access control for power system management

Power systems management and associated information exchange - Data and communications security - Part 8: Role-based access control for power system management

Energiemanagementsysteme und zugehöriger Datenaustausch – IT-Sicherheit für Daten und Kommunikation – Teil 8: Rollenbasierte Zugriffskontrolle für Energiemanagementsysteme

Gestion des systèmes de puissance et échanges d'informations associés - Sécurité des communications et des données - Partie 8: Contrôle d'accès basé sur les rôles pour la gestion de systèmes de puissance

Upravljanje elektroenergetskega sistema in pripadajoča izmenjava informacij - Varnost podatkov in komunikacij - 8. del: Kontrola dostopa do elektroenergetskega sistema na podlagi vlog

General Information

Status
Not Published
Public Enquiry End Date
29-May-2025
ICS
29.240.30 - Control equipment for electric power systems
33.200 - Telecontrol. Telemetering
35.240.50 - IT applications in industry
Technical Committee
PSE - Power systems management
Current Stage
4020 - Public enquire (PE) (Adopted Project)
Start Date
13-Mar-2025
Due Date
31-Jul-2025
Ref Project
prEN IEC 62351-8:2025 - Power systems management and associated information exchange - Data and communications security - Part 8: Role-based access control for power system management

Relations

Revises
SIST EN IEC 62351-8:2020 - Power systems management and associated information exchange - Data and communications security - Part 8: Role-based access control for power system management
Effective Date
23-May-2023

Buy Standard

prEN IEC 62351-8:2025 - BARVEprEN IEC 62351-8:2025 - BARVE
PreviousNext
Draft
prEN IEC 62351-8:2025 - BARVE
English language
111 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)


SLOVENSKI STANDARD
01-maj-2025
Upravljanje elektroenergetskega sistema in pripadajoča izmenjava informacij -
Varnost podatkov in komunikacij - 8. del: Kontrola dostopa do
elektroenergetskega sistema na podlagi vlog
Power systems management and associated information exchange - Data and
communications security - Part 8: Role-based access control for power system
management
Energiemanagementsysteme und zugehöriger Datenaustausch – IT-Sicherheit für Daten
und Kommunikation – Teil 8: Rollenbasierte Zugriffskontrolle für
Energiemanagementsysteme
Gestion des systèmes de puissance et échanges d'informations associés - Sécurité des
communications et des données - Partie 8: Contrôle d'accès basé sur les rôles pour la
gestion de systèmes de puissance
Ta slovenski standard je istoveten z: prEN IEC 62351-8:2025
ICS:
29.240.30 Krmilna oprema za Control equipment for electric
elektroenergetske sisteme power systems
35.240.50 Uporabniške rešitve IT v IT applications in industry
industriji
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

57/2752/CDV
COMMITTEE DRAFT FOR VOTE (CDV)
PROJECT NUMBER:
IEC 62351-8 ED2
DATE OF CIRCULATION: CLOSING DATE FOR VOTING:
2025-03-07 2025-05-30
SUPERSEDES DOCUMENTS:
57/2663/CD, 57/2690A/CC
IEC TC 57 : POWER SYSTEMS MANAGEMENT AND ASSOCIATED INFORMATION EXCHANGE
SECRETARIAT: SECRETARY:
Germany Mr Heiko Englert
OF INTEREST TO THE FOLLOWING COMMITTEES: HORIZONTAL FUNCTION(S):
TC 65, TC 69, TC 88
ASPECTS CONCERNED:
SUBMITTED FOR CENELEC PARALLEL VOTING NOT SUBMITTED FOR CENELEC PARALLEL VOTING
Attention IEC-CENELEC parallel voting
The attention of IEC National Committees, members of CENELEC,
is drawn to the fact that this Committee Draft for Vote (CDV) is
submitted for parallel voting.
The CENELEC members are invited to vote through the CENELEC
online voting system.
This document is still under study and subject to change. It should not be used for reference purposes.
Recipients of this document are invited to submit, with their comments, notification of any relevant patent rights of which they are aware
and to provide supporting documentation.
Recipients of this document are invited to submit, with their comments, notification of any relevant “In Some Countries” clau ses to be
included should this proposal proceed. Recipients are reminded that the CDV stage is the final stage for submitting ISC c lauses. (SEE
AC/22/2007 OR NEW GUIDANCE DOC).

TITLE:
Power systems management and associated information exchange - Data and communications security - Part 8:
Role-based access control for power system management

PROPOSED STABILITY DATE: 2026
NOTE FROM TC/SC OFFICERS:
electronic file, to make a copy and to print out the content for the sole purpose of preparing National Committee positions.
You may not copy or "mirror" the file or printed version of the document, or any part of it, for any other purpose without
permission in writing from IEC.

57/2752/CDV – 2 – IEC CDV 62351-8 © IEC 2025
CONTENTS
CONTENTS . 1
FOREWORD . 8
INTRODUCTION . 10
1 Scope . 12
2 Normative references . 13
3 Terms and definitions . 14
4 Abbreviated terms . 17
5 RBAC process model . 18
5.1 Overview of RBAC process model . 18
5.2 Generic RBAC concepts . 18
5.3 Separation of subjects, roles, and permissions . 20
5.3.1 RBAC model . 20
5.3.2 Subject assignment (subject-to-role mapping). 23
5.3.3 Role assignment (role-to-permission mapping) . 23
5.3.4 Permission definition . 23
5.3.5 operationSet assignment (mapping of roles-permission-combinations to
objects) . 23
5.4 Criteria for defining roles. 24
5.4.1 Policies . 24
5.4.2 Subjects, roles, and permissions . 24
5.4.3 Introducing roles reduces complexity . 24
6 Definition of roles and permission assignment . 25
6.1 General . 25
6.2 Pre-defined roles . 25
6.3 Role-to-permission assignment . 26
6.3.1 General . 26
6.3.2 Number of supported permissions by a role . 27
6.3.3 Number of supported roles . 27
6.3.4 Assigning permissions to roles . 27
6.4 Definition of (custom based) roles . 29
6.4.1 General . 29
6.4.2 Encoding of roles based on specific permissions . 30
6.4.3 Encoding of roles using constraints on existing permissions . 35
6.5 Consideration of operational states . 38
6.6 Security Event consideration for the engineering of roles and permissions . 39
7 Simplified role assignment . 40
7.1 General . 40
7.2 Application of roles associated with multiple role definitions (generic roles) . 40
7.3 Illustrative examples . 41
7.3.1 General . 41
7.3.2 Application of pre-defined role “VIEWER” on Device-X for all role
definitions . 41
7.3.3 Application of custom role “OPERATOR-DFR” on Device-Y for all
supported role definitions . 43
7.3.4 Application of pre-defined role “SECADM” for selected role definitions . 43

IEC CDV 62351-8 © IEC 2025 – 3 – 57/2752/CDV
8 Definition of access tokens . 45
8.1 General . 45
8.2 Supported profiles . 45
8.3 Role-based access control related Object Identifiers . 45
8.4 General structure of the access tokens . 46
8.4.1 Profile specific mandatory components in the access tokens . 46
8.4.2 Optional access token components . 47
8.4.3 Definition of specific fields . 47
8.5 Access token profiles . 52
8.5.1 General . 52
8.5.2 Profile A: X.509 Public-key certificate . 52
8.5.3 Profile B: X.509 Attribute certificate . 55
8.5.4 Profile C: JSON Web Token – JWT . 59
8.5.5 Profile D: RADIUS provided access token information . 61
8.5.6 Profile E: LDAP provided RBAC information . 64
9 Verification of access tokens . 69
9.1 General . 69
9.2 Multiple access token existence . 69
9.3 Subject authentication . 70
9.4 Access token availability . 70
9.5 Validity period . 70
9.6 Access token integrity . 71
9.7 Issuer . 71
9.8 RoleID . 71
9.9 Revision number . 71
9.10 Area of responsibility . 72
9.11 Role definition . 72
9.12 Revocation state . 72
9.13 Operation . 73
9.14 Sequence number . 73
9.15 Revocation methods . 73
9.15.1 General . 73
9.15.2 Supported methods . 74
10 RBAC access token distribution models . 74
10.1 General . 74
10.2 PUSH model . 74
10.3 PULL model . 76
11 Interaction with backend services for RBAC access token distribution . 77
11.1 General . 77
11.2 Using directory services with LDAP . 77
11.2.1 General . 77
11.2.2 Secure communication . 78
11.2.3 LDAP Directory organization . 79
11.3 Using OAuth to provide JWT token . 80
11.3.1 General . 80
11.3.2 Secure communication . 81
11.4 Using AAA services with RADIUS . 82

57/2752/CDV – 4 – IEC CDV 62351-8 © IEC 2025
11.4.1 General . 82
11.4.2 Secure communication . 82
11.4.3 Peer configuration . 83
11.4.4 RADIUS server organization .
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

SIST
SIST EN IEC 62351-9:2023(Main)
Power systems management and associated information exchange - Data and communications security - Part 9: Cyber security key management for power system equipment (IEC 62351-9:2023)
EN IEC 62351-9:2023

IEC 62351-9:2023 specifies cryptographic key management, primarily focused on the management of long-term keys, which are most often asymmetric key pairs, such as public-key certificates and corresponding private keys. As certificates build the base this document builds a foundation for many IEC 62351 services (see also Annex A). Symmetric key management is also considered but only with respect to session keys for group-based communication as applied in IEC 62351-6. The objective of this document is to define requirements and technologies to achieve interoperability of key management by specifying or limiting key management options to be used.
This document assumes that an organization (or group of organizations) has defined a security policy to select the type of keys and cryptographic algorithms that will be utilized, which may have to align with other standards or regulatory requirements. This document therefore specifies only the management techniques for these selected key and cryptography infrastructures. This document assumes that the reader has a basic understanding of cryptography and key management principles.
The requirements for the management of pairwise symmetric (session) keys in the context of communication protocols is specified in the parts of IEC 62351 utilizing or specifying pairwise communication such as:
• IEC 62351-3 for TLS by profiling the TLS options
• IEC 62351-4 for the application layer end-to-end security
• IEC TS 62351-5 for the application layer security mechanism for IEC 60870-5-101/104 and IEEE 1815 (DNP3)
The requirements for the management of symmetric group keys in the context of power system communication protocols is specified in IEC 62351-6 for utilizing group security to protect GOOSE and SV communication. IEC 62351-9 utilizes GDOI as already IETF specified group-based key management protocol to manage the group security parameter and enhances this protocol to carry the security parameter for GOOSE, SV, and PTP.
This document also defines security events for specific conditions which could identify issues which might require error handling. However, the actions of the organisation in response to these error conditions are beyond the scope of this document and are expected to be defined by the organizations security policy.
In the future, as public-key cryptography becomes endangered by the evolution of quantum computers, this document will also consider post-quantum cryptography to a certain extent. Note that at this time being no specific measures are provided.
This second edition cancels and replaces the first edition published in 2017. This edition constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous edition:
a) Certificate components and verification of the certificate components have been added;
b) GDOI has been updated to include findings from interop tests;
c) GDOI operation considerations have been added;
d) GDOI support for PTP (IEEE 1588) support has been added as specified by IEC/IEEE 61850-9-3 Power Profile;
e) Cyber security event logging has been added as well as the mapping to IEC 62351-14;
f) Annex B with background on utilized cryptographic algorithms and mechanisms has been added.

  • Standard
    147 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN IEC 62351-3:2023(Main)
Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP (IEC 62351-3:2023)
EN IEC 62351-3:2023

IEC 62351-3:2023 specifies how to provide confidentiality, integrity protection, and message level authentication for protocols that make use of TCP/IP as a message transport layer and utilize Transport Layer Security when cyber-security is required. This may relate to SCADA and telecontrol protocols, but also to additional protocols if they meet the requirements in this document.
IEC 62351-3 specifies how to secure TCP/IP-based protocols through constraints on the specification of the messages, procedures, and algorithms of Transport Layer Security (TLS) (TLSv1.2 defined in RFC 5246, TLSv1.3 defined in RFC 8446). In the specific clauses, there will be subclauses to note the differences and commonalities in the application depending on the target TLS version. The use and specification of intervening external security devices (e.g., "bump-in-the-wire") are considered out-of-scope.
In contrast to previous editions of this document, this edition is self-contained in terms of completely defining a profile of TLS. Hence, it can be applied directly, without the need to specify further TLS parameters, except the port number, over which the communication will be performed. Therefore, this part can be directly utilized from a referencing standard and can be combined with further security measures on other layers. Providing the profiling of TLS without the need for further specifying TLS parameters allows declaring conformity to the described functionality without the need to involve further IEC 62351 documents.
This document is intended to be referenced as a normative part of other IEC standards that have the need for providing security for their TCP/IP-based protocol exchanges under similar boundary conditions. However, it is up to the individual protocol security initiatives to decide if this document is to be referenced.
The document also defines security events for specific conditions, which support error handling, security audit trails, intrusion detection, and conformance testing. Any action of an organization in response to events to an error condition described in this document are beyond the scope of this document and are expected to be defined by the organization’s security policy.
This document reflects the security requirements of the IEC power systems management protocols. Should other standards bring forward new requirements, this document may need to be revised.
This second edition cancels and replaces the first edition published in 2014, Amendment 1:2018 and Amendment 2:2020. This edition constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous edition:
a) Inclusion of the TLSv1.2 related parameter required in IEC 62351-3 Ed.1.2 to be specified by the referencing standard. This comprises the following parameter:
• Mandatory TLSv1.2 cipher suites to be supported.
• Specification of session resumption parameters.
• Specification of session renegotiation parameters.
• Revocation handling using CRL and OCSP.
• Handling of security events.
b) Inclusion of a TLSv1.3 profile to be applicable for the power system domain in a similar way as for TLSv1.2 session.

  • Standard
    52 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    52 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN IEC 62351-4:2019/A1:2020(Amendment)
Power systems management and associated information exchange - Data and communications security - Part 4: Profiles including MMS and derivatives
EN IEC 62351-4:2018/A1:2020
  • Amendment
    44 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN 62351-3:2015/A2:2020(Amendment)
Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP
EN 62351-3:2014/A2:2020
  • Amendment
    13 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN IEC 62351-9:2023(Main)
Power systems management and associated information exchange - Data and communications security - Part 9: Cyber security key management for power system equipment (IEC 62351-9:2023)
EN IEC 62351-9:2023

IEC 62351-9:2023 specifies cryptographic key management, primarily focused on the management of long-term keys, which are most often asymmetric key pairs, such as public-key certificates and corresponding private keys. As certificates build the base this document builds a foundation for many IEC 62351 services (see also Annex A). Symmetric key management is also considered but only with respect to session keys for group-based communication as applied in IEC 62351-6. The objective of this document is to define requirements and technologies to achieve interoperability of key management by specifying or limiting key management options to be used.
This document assumes that an organization (or group of organizations) has defined a security policy to select the type of keys and cryptographic algorithms that will be utilized, which may have to align with other standards or regulatory requirements. This document therefore specifies only the management techniques for these selected key and cryptography infrastructures. This document assumes that the reader has a basic understanding of cryptography and key management principles.
The requirements for the management of pairwise symmetric (session) keys in the context of communication protocols is specified in the parts of IEC 62351 utilizing or specifying pairwise communication such as:
• IEC 62351-3 for TLS by profiling the TLS options
• IEC 62351-4 for the application layer end-to-end security
• IEC TS 62351-5 for the application layer security mechanism for IEC 60870-5-101/104 and IEEE 1815 (DNP3)
The requirements for the management of symmetric group keys in the context of power system communication protocols is specified in IEC 62351-6 for utilizing group security to protect GOOSE and SV communication. IEC 62351-9 utilizes GDOI as already IETF specified group-based key management protocol to manage the group security parameter and enhances this protocol to carry the security parameter for GOOSE, SV, and PTP.
This document also defines security events for specific conditions which could identify issues which might require error handling. However, the actions of the organisation in response to these error conditions are beyond the scope of this document and are expected to be defined by the organizations security policy.
In the future, as public-key cryptography becomes endangered by the evolution of quantum computers, this document will also consider post-quantum cryptography to a certain extent. Note that at this time being no specific measures are provided.
This second edition cancels and replaces the first edition published in 2017. This edition constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous edition:
a) Certificate components and verification of the certificate components have been added;
b) GDOI has been updated to include findings from interop tests;
c) GDOI operation considerations have been added;
d) GDOI support for PTP (IEEE 1588) support has been added as specified by IEC/IEEE 61850-9-3 Power Profile;
e) Cyber security event logging has been added as well as the mapping to IEC 62351-14;
f) Annex B with background on utilized cryptographic algorithms and mechanisms has been added.

  • Standard
    147 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN IEC 62351-3:2023(Main)
Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP (IEC 62351-3:2023)
EN IEC 62351-3:2023

IEC 62351-3:2023 specifies how to provide confidentiality, integrity protection, and message level authentication for protocols that make use of TCP/IP as a message transport layer and utilize Transport Layer Security when cyber-security is required. This may relate to SCADA and telecontrol protocols, but also to additional protocols if they meet the requirements in this document.
IEC 62351-3 specifies how to secure TCP/IP-based protocols through constraints on the specification of the messages, procedures, and algorithms of Transport Layer Security (TLS) (TLSv1.2 defined in RFC 5246, TLSv1.3 defined in RFC 8446). In the specific clauses, there will be subclauses to note the differences and commonalities in the application depending on the target TLS version. The use and specification of intervening external security devices (e.g., "bump-in-the-wire") are considered out-of-scope.
In contrast to previous editions of this document, this edition is self-contained in terms of completely defining a profile of TLS. Hence, it can be applied directly, without the need to specify further TLS parameters, except the port number, over which the communication will be performed. Therefore, this part can be directly utilized from a referencing standard and can be combined with further security measures on other layers. Providing the profiling of TLS without the need for further specifying TLS parameters allows declaring conformity to the described functionality without the need to involve further IEC 62351 documents.
This document is intended to be referenced as a normative part of other IEC standards that have the need for providing security for their TCP/IP-based protocol exchanges under similar boundary conditions. However, it is up to the individual protocol security initiatives to decide if this document is to be referenced.
The document also defines security events for specific conditions, which support error handling, security audit trails, intrusion detection, and conformance testing. Any action of an organization in response to events to an error condition described in this document are beyond the scope of this document and are expected to be defined by the organization’s security policy.
This document reflects the security requirements of the IEC power systems management protocols. Should other standards bring forward new requirements, this document may need to be revised.
This second edition cancels and replaces the first edition published in 2014, Amendment 1:2018 and Amendment 2:2020. This edition constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous edition:
a) Inclusion of the TLSv1.2 related parameter required in IEC 62351-3 Ed.1.2 to be specified by the referencing standard. This comprises the following parameter:
• Mandatory TLSv1.2 cipher suites to be supported.
• Specification of session resumption parameters.
• Specification of session renegotiation parameters.
• Revocation handling using CRL and OCSP.
• Handling of security events.
b) Inclusion of a TLSv1.3 profile to be applicable for the power system domain in a similar way as for TLSv1.2 session.

  • Standard
    52 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    52 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN IEC 62351-4:2019/A1:2020(Amendment)
Power systems management and associated information exchange - Data and communications security - Part 4: Profiles including MMS and derivatives
EN IEC 62351-4:2018/A1:2020
  • Amendment
    44 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN 62351-3:2015/A2:2020(Amendment)
Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP
EN 62351-3:2014/A2:2020
  • Amendment
    13 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN IEC 63522-17:2025(Main)
Electrical relays - Tests and Measurements - Part 7-17: Shock, Acceleration and Vibration
EN IEC 63522-17:2025

IEC 63522-17:2024 is used for testing electromechanical elementary relays (electromechanical relays, reed relays, reed contacts, reed switches and technology combination of these) and for evaluating their ability to perform under expected conditions of transportation, storage and all aspects of operational use.
This document defines a standard test method to simulate the mechanical stress on relays as it can occur in service, during handling or during transportation. This document comprises test procedures to simulate shock impacts, steady acceleration environments (such as moving vehicles, aircraft and projectiles) as well as vibration conditions.

  • Standard
    18 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN IEC 63522-48:2025(Main)
Electrical relays - Tests and measurements - Part 48: Contact failure rate test
EN IEC 63522-48:2025

IEC 63522-48:2024 is used for for testing electromechanical elementary relays (electromechanical relays, reed relays, reed contacts, reed switches and technology combinations of these) and for evaluating their ability to perform under expected conditions of transportation, storage and all aspects of operational use.
This document defines a standard test method for contact failure rate test of electromechanical elementary relays applied to low-load applications (e.g., CC 0, CC 1) and failure rates and failure rate levels at low loads under specified conditions.

  • Standard
    30 pages
    English language
    sale 10% off
    e-Library read for
    1 day