IEC TR 62210-2003 Power system control and associated communications - Data and communication security《动力系统控制和相关通信.数据和通信安全》.pdf

1、TECHNICAL REPORT IECTR 62210 First edition 2003-05 Power system control and associated communications Data and communication security Reference number IEC/TR 62210:2003(E)Publication numbering As from 1 January 1997 all IEC publications are issued with a designation in the 60000 series. For example,

2、 IEC 34-1 is now referred to as IEC 60034-1. Consolidated editions The IEC is now publishing consolidated versions of its publications. For example, edition numbers 1.0, 1.1 and 1.2 refer, respectively, to the base publication, the base publication incorporating amendment 1 and the base publication

3、incorporating amendments 1 and 2. Further information on IEC publications The technical content of IEC publications is kept under constant review by the IEC, thus ensuring that the content reflects current technology. Information relating to this publication, including its validity, is available in

4、the IEC Catalogue of publications (see below) in addition to new editions, amendments and corrigenda. Information on the subjects under consideration and work in progress undertaken by the technical committee which has prepared this publication, as well as the list of publications issued, is also av

5、ailable from the following: IEC Web Site (www.iec.ch) Catalogue of IEC publications The on-line catalogue on the IEC web site (http:/www.iec.ch/searchpub/cur_fut.htm) enables you to search by a variety of criteria including text searches, technical committees and date of publication. On-line informa

6、tion is also available on recently issued publications, withdrawn and replaced publications, as well as corrigenda. IEC Just Published This summary of recently issued publications (http:/www.iec.ch/online_news/ justpub/jp_entry.htm) is also available by email. Please contact the Customer Service Cen

7、tre (see below) for further information. Customer Service Centre If you have any questions regarding this publication or need further assistance, please contact the Customer Service Centre: Email: custserviec.ch Tel: +41 22 919 02 11 Fax: +41 22 919 03 00TECHNICAL REPORT IEC TR 62210 First edition 2

8、003-05 Power system control and associated communications Data and communication security PRICE CODE IEC 2003 Copyright - all rights reserved No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without

9、 permission in writing from the publisher. International Electrotechnical Commission, 3, rue de Varemb, PO Box 131, CH-1211 Geneva 20, Switzerland Telephone: +41 22 919 02 11 Telefax: +41 22 919 03 00 E-mail: inmailiec.ch Web: www.iec.ch X For price, see current catalogue Commission Electrotechnique

10、 Internationale International Electrotechnical Commission 2 TR 62210 IEC:2003(E) CONTENTS FOREWORD 4 1 Scope and object. 5 2 Overview . 5 3 Reference documents 6 4 Terms, definitions and abbreviations 6 4.1 Terms and definitions . 6 4.2 Abbreviations.10 5 Introduction to security11 5.1 How to use th

11、is report11 6 The security analysis process .12 6.1 Network topologies 14 6.2 User consequence based analysis.16 6.2.1 Stakeholders16 6.3 Consequences to be considered18 6.3.1 Financial18 6.3.2 Asset destruction/degradation19 6.3.3 Inability to restore service20 6.4 Consequences and security threats

12、 .20 7 Focus of security work within this report .22 7.1 Justification of application level security focus.22 7.2 Security analysis technique .23 7.2.1 Security objectives.23 7.2.2 General threats24 7.2.3 Specific threats to be considered in PP24 8 Vulnerabilities.27 8.1 Threats to topologies .27 8.

13、2 Current IEC Technical Committee 57 protocols29 8.2.1 TASE.1 29 8.2.2 TASE.2 30 8.2.3 IEC 60870-5 30 8.2.4 IEC 6133430 8.2.5 IEC 6185031 9 Recommendations for future IEC Technical Committee 57 security work 32 Annex A (informative) What is a protection profile? 35 Annex B (informative) Protection p

14、rofile for TASE.2 .37 Annex C (Informative) Example of consequence diagrams .43 Figure 1 Normal corporate security process .12 Figure 2 Business information flow.14 Figure 3 General communication topology16 Figure 4 Consequence diagram: inability to restore service21TR 62210 IEC:2003(E) 3 Figure 5 W

15、AN/LAN topology.27 Figure 6 Levels of vulnerability.28 Table 1 Matrix to determine business process importance17 Table 2 Asset to business process relationships 20 Table 3 Communication model security matrix22 4 TR 62210 IEC:2003(E) INTERNATIONAL ELECTROTECHNICAL COMMISSION _ POWER SYSTEM CONTROL AN

16、D ASSOCIATED COMMUNICATIONS Data and communication security FOREWORD 1) The IEC (International Electrotechnical Commission) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of the IEC is to promote international

17、 co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, the IEC publishes International Standards. Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject

18、dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. The IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions det

19、ermined by agreement between the two organizations. 2) The formal decisions or agreements of the IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested National Comm

20、ittees. 3) The documents produced have the form of recommendations for international use and are published in the form of standards, technical specifications, technical reports or guides and they are accepted by the National Committees in that sense. 4) In order to promote international unification,

21、 IEC National Committees undertake to apply IEC International Standards transparently to the maximum extent possible in their national and regional standards. Any divergence between the IEC Standard and the corresponding national or regional standard shall be clearly indicated in the latter. 5) The

22、IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any equipment declared to be in conformity with one of its standards. 6) Attention is drawn to the possibility that some of the elements of this technical report may be the subject of patent rights. The

23、 IEC shall not be held responsible for identifying any or all such patent rights. The main task of IEC technical committees is to prepare International Standards. However, a technical committee may propose the publication of a technical report when it has collected data of a different kind from that

24、 which is normally published as an International Standard, for example “state of the art”. IEC 62210, which is a technical report, has been prepared by IEC technical committee 57: Power system control and associated communications. The text of this technical report is based on the following document

25、s: Enquiry draft Report on voting 57/613/DTR 57/630/RVC Full information on the voting for the approval of this technical report can be found in the report on voting indicated in the above table. This publication has been drafted in accordance with the ISO/IEC Directives, Part 2. The committee has d

26、ecided that the contents of this publication will remain unchanged until 2006. At this date, the publication will be reconfirmed; withdrawn; replaced by a revised edition, or amended. A bilingual version of this technical report may be issued at a later date.TR 62210 IEC:2003(E) 5 POWER SYSTEM CONTR

27、OL AND ASSOCIATED COMMUNICATIONS Data and communication security 1 Scope and object This Technical Report applies to computerised supervision, control, metering, and protection systems in electrical utilities. It deals with security aspects related to communication protocols used within and between

28、such systems, the access to, and use of the systems. NOTE This report does not include recommendations or criteria development associated with physical security issues. Realistic threats to the system and its operation are discussed. The vulnerability and the consequences of intrusion are exemplifie

29、d. Actions and countermeasures to improve the current situation are discussed but solutions are to be considered issues for future work items. 2 Overview Safety, security, and reliability have always been important issues in the design and operation of systems in electrical utilities. Supervision, p

30、rotection, and control system have been designed with the highest possible level of safety, security, and reliability. The communication protocols have been developed with a residual error rate approaching zero. All these measures have been taken to minimise the risk of danger for personnel and equi

31、pment and to promote an efficient operation of the power network. Physical threats on vulnerable objects have been handled in the classical ways by locked buildings, fences and guards but the quite possible terrorist threat of tripping a critical breaker by a faked SCADA command on a tapped communic

32、ation link has been neglected. There is no function in the currently used protocols that ensure that the control command comes from an authorised source. The deregulated electricity market has imposed new threats: knowledge of the assets of a competitor and the operation of his system can be benefic

33、ial and acquisition of such information is a possible reality. The communication protocols and systems need protection from advertent and inadvertent intruders, the more the protocols are open and standardised and the more the communication system is integrated in the corporate and world-wide commun

34、ication network. This Technical Report discusses the security process of the electrical utility. The security process involves the corporate security policy, the communication network security, and the (end-to-end) application security. The security of the total system depends on secure network devi

35、ces, i.e. the security of any device that can communicate. A secure network device has to be capable of performing safe communication and of authenticating the access level of the user. Intrusive attacks have to be efficiently detected, recorded and prosecuted as part of an active audit system. The

36、threats are analysed based on possible consequences to a system, i.e. what is the worst that could happen if an illicit intruder has ambition and resources? The vulnerability of a utility and its assets are analysed together with the threats. 6 TR 62210 IEC:2003(E) Having shown that there exists thr

37、eats to vulnerable points in the systems of electrical utilities the countermeasures are discussed with special focus on the communication protocols defined by IEC Technical Committee 57: the IEC 60870-5 series, the IEC 61334 series, the IEC 60870-6 series and the IEC 61850 series. Proposals on new

38、work items to include security aspects in these protocols are given. 3 Reference documents The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced doc

39、ument (including any amendments) applies. IEC 60870-5 (all parts), Telecontrol equipment and systems Part 5: Transmission protocols IEC 60870-6 (all parts), Telecontrol equipment and systems Part 6: Telecontrol protocols compatible with ISO standards and ITU-T recommendations IEC 61334 (all parts),

40、Distribution automation using distribution line carrier systems IEC 61850 (all parts), Communication networks and systems in substations ISO/IEC 7498-1, Information technology Open Systems Interconnection Basic Reference Model: The Basic Model ISO 7498-2:1989, Information processing systems Open Sys

41、tems Interconnection Basic Reference Model Part 2: Security Architecture ISO/IEC 10181-1:1996, Information technology Open Systems Interconnection Security frameworks for open systems: Overview ISO/IEC 10181-7:1996, Information technology Open Systems Interconnection Security frameworks for open sys

42、tems: Security audit and alarms framework ISO/IEC 15408-1, Information technology Security techniques Evaluation criteria for IT Security Part 1: Introduction and general model ISO/IEC 15408-2, Information technology Security techniques Evaluation criteria for IT Security Part 2: Security functional

43、 requirements ISO/IEC 15408-3, Information technology Security techniques Evaluation criteria for IT Security Part 3: Security assurance requirements 4 Terms, definitions and abbreviations 4.1 Terms and definitions 4.1.1 accountability property that ensures that the actions of an entity may be trace

44、d uniquely to the entity 4.1.2 asset Anything that has value to the organisation ISO/IEC TR 13335-1:1997TR 62210 IEC:2003(E) 7 4.1.3 authenticity property that ensures that the identity of a subject or resource is the one claimed. Authenticity applies to entities such as users, processes, systems an

45、d information 4.1.4 authorisation violation entity authorised to use a system for one purpose uses it for another, unauthorised purpose 4.1.5 availability property of being accessible and usable upon demand by an authorised entity ISO 7498-2: 1989 4.1.6 baseline controls minimum set of safeguards es

46、tablished for a system or organisation ISO/IEC TR 13335-1:1997 4.1.7 confidentiality property that information is not made available or disclosed to unauthorised individuals, entities, or processes ISO 7498-2:1989 4.1.8 data integrity property that data has not been altered or destroyed in an unauth

47、orised manner ISO 7498-2:1989 4.1.9 denial of service authorised communications flow is intentionally impeded 4.1.10 eavesdropping information is revealed to an unauthorised person monitoring communication traffic 4.1.11 hack threat that may be a combination of one or more of the following threats:

48、authorisation violation; information leakage; integrity violation; and masquerade 4.1.12 hash function (mathematical) function that maps values from a (possibly very) large set of values into a smaller range of values 4.1.13 information leakage unauthorised entity obtains secure/restricted informati

49、on 4.1.14 integrity violation information is created or modified by an unauthorised entity 8 TR 62210 IEC:2003(E) 4.1.15 intercept/alter communication packet is intercepted, modified, and then forwarded as if it were the original packet 4.1.16 masquerade unauthorised entity attempts to assume the identity of a trusted party 4.1.17 reliability property of consistent intended behaviour and resul