EN IEC 62351-6 pdf download

EN IEC 62351-6 pdf download.POWER SYSTEMS MANAGEMENT AND ASSOCIATED INFORMATION EXCHANGE – DATA AND COMMUNICATION SECURITY
1 Scope and object
1.1 Scope This part of IEC 62351 specifies messages, procedures, and algorithms for securing the operation of all protocols based on or derived from the IEC 61 850 series. This document applies to at least those protocols listed in Table 1 .The initial audience for this document is intended to be the members of the working groups developing or making use of the protocols listed in Table 1 . For the measures described in this specification to take effect, they must be accepted and referenced by the specifications for the protocols themselves. This document is written to enable that process. The subsequent audience for this document is intended to be the developers of products that implement these protocols. Portions of this document may also be of use to managers and executives in order to understand the purpose and requirements of the work.
3 Terms, definitions and abbreviated terms
3.1 Terms and definitions For the purposes of this document, the terms and definitions given in IEC TS 62351 -2 and IEC 61 850-2 apply. ISO and IEC maintain terminological databases for use in standardization at the following addresses: • IEC Electropedia: available at http://www.electropedia.org/ • ISO Online browsing platform: available at http://www.iso.org/obp 3.1 .1 electronic security perimeter logical border surrounding a network interconnecting critical cyber assets 3.1 .2 client functional unit that establishes an association and issues requests and receives services from a server. 3.1 .3 server functional unit that receives an association from a Client and provides services requested by the Client
4 Security issues addressed by this document
4.1 Operational issues affecting choice of security options For applications using Layer 2 IEC 61 850-8-1 GOOSE and Layer 2 IEC 61 850-9-2 Sampled Value and requiring 3 ms response times, multicast configurations and low CPU overhead, encryption is not recommended. Instead, the communication path selection process (e.g. the fact that Layer 2 GOOSE and SV are supposed to be restricted to a logical substation LAN) shall be used to provide confidentiality for information exchanges. However, this document does define a mechanism for allowing confidentiality for applications where the 3 ms delivery criterion is not a concern. NOTE The actual performance characteristics of an implementation claiming conformance to this technical specification is outside the scope of this document. With the exception of confidentiality, this document sets forth a mechanism that allows co- existence of secure and non-secure PDUs. 4.2 Security threats countered See IEC TS 62351 -1 for a discussion of security threats and attack methods. If encryption is not employed, then the specific threats countered in this clause include: • unauthorized modification (tampering) of information through message level authentication of the messages. If encryption is employed, then the specific threats countered in this clause include: • unauthorized access to information through message level authentication and encryption of the messages; • unauthorized modification (tampering) or theft of information through message level authentication and encryption of the messages. • information disclosure is countered.4.3 Attack methods countered The following security attack methods are intended to be countered through the appropriate implementation of the specifications/recommendations found within this document: • man-in-the-middle: this threat will be countered through the use of a Message Authentication Code mechanism specified within this document; • tamper detection/message integrity: These threats will be countered through the algorithm used to create the authentication mechanism as specified within this document; • replay: this threat will be countered through the use of specialized processing state machines specified within IEC 62351 -4 and this document.
5 Correlation of IEC 61 850 parts and IEC 62351 parts
5.1 General There are four levels of interaction between the parts of the IEC 62351 series and parts of the IEC 61 850 series. This part is concerned with the:• Communication profile security regarding: – IEC 61 850-8-1 Application Profile for Client/Server communications. – IEC 61 850-8-2 Application Profile for Client/Server communications. – IEC 61 850-8-1 Layer 2 T-Profile for GOOSE/GSE – IEC 61 850-8-1 Layer 2 T-Profile for Multicast Sampled Values – IEC 61 850-8-1 Layer 3 Routable GOOSE and Sampled Values • Configuration extensions required for configuration of the Application and Transport communication profiles of concern. These extensions would impact IEC 61 850-6. • Object definitions, regarding security and identification, that are exposed at run-time as part of the IEC 61 850-8-1 and IEC 61 850-8-2 object mappings. • The binding of Originator ID values to authenticated peers for Client/Server services. The scope of this document provides security specifications for use within an Electronic Security Perimeter (ESP) and between ESPs.