DRAFT FOR DEVELOPMENT
DD IEC/TS 62351-6:2007

Power systems management and associated information exchange - Data and communications security - Part 6: Security for IEC 61850

ICS 33.200

National foreword

This Draft for Development is the UK implementation of IEC/TS 62351-6:2007.

This publication is not to be regarded as a British Standard.

It is being issued in the Draft for Development series of publications and is of a provisional nature. It should be applied on this provisional basis, so that information and experience of its practical application can be obtained.

Comments arising from the use of this Draft for Development are requested so that UK experience can be reported to the international organization responsible for its conversion to an international standard. A review of this publication will be initiated not later than 3 years after its publication by the international organization so that a decision can be taken on its status. Notification of the start of the review period will be made in an announcement in the appropriate issue of Update Standards.

According to the replies received by the end of the review period, the responsible BSI Committee will decide whether to support the conversion into an international Standard, to extend the life of the Technical Specification or to withdraw it. Comments should be sent to the Secretary of the responsible BSI Technical Committee at British Standards House, 389 Chiswick High Road, London W4 4AL.

The UK participation in its preparation was entrusted to Technical Committee PEL/57, Power systems management and associated information exchange.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

This Draft for Development was published under the authority of the Standards Policy and Strategy Committee on 31 July 2007.

BSI 2007
ISBN 978 0 580 56448 2

Amendments issued since publication
Amd. No.   Date   Comments

TECHNICAL SPECIFICATION
IEC TS 62351-6
First edition 2007-06
Reference number IEC/TS 62351-6:2007(E)

CONTENTS

1 Scope and object
1.1 Scope
1.2 Object
2 Normative references
3 Definitions
4 Security issues addressed by this specification
4.1 Operational issues affecting choice of security options
4.2 Security threats countered
4.3 Attack methods countered
5 Correlation of IEC 61850 parts and IEC 62351 parts
5.1 IEC 61850 security for profiles using ISO 9506 (MMS)
5.1.1 General
5.1.2 Control centre to substation
5.1.3 Substation communications
5.2 IEC 61850 security for profiles using VLAN IDs
6 IEC 61850 security for SNTP
7 IEC 61850 security for profiles using VLAN technologies
7.1 Overview of VLAN usage and IEC 61850 (informative)
7.2 Extended PDU
7.2.1 General format of extended PDU
7.2.2 Format of extension octets
7.2.3 Substation configuration language
8 Conformance
8.1 General conformance
8.2 Conformance for implementations claiming ISO 9506 profile security
8.3 Conformance for implementations claiming VLAN profile security
8.4 Conformance for implementations claiming SNTP profile security
Bibliography

Figure 1 General format of extended PDU
Figure 2 SCL extensions for certificates
Figure 3 Extension to AccessPoint SCL definition

Table 1 Scope of application to standards
Table 2 Extract from IEC 61850-9-2 (informative)
Table 3 Conformance table
Table 4 PICS for ISO 9506 profile
Table 5 PICS for VLAN profiles
Table 6 PICS for SNTP profiles

POWER SYSTEMS MANAGEMENT AND ASSOCIATED INFORMATION EXCHANGE - DATA AND COMMUNICATIONS SECURITY - Part 6: Security for IEC 61850

1 Scope and object

1.1 Scope

This part of IEC 62351 specifies messages, procedures, and algorithms for securing the operation of all protocols based on or derived from the standard IEC 61850. This specification applies to at least those protocols listed in Table 1.

Table 1 Scope of application to standards

Number          Name
IEC 61850-8-1   Communication networks and systems in substations - Part 8-1: Specific Communication Service Mapping (SCSM) - Mappings to MMS (ISO/IEC 9506-1 and ISO/IEC 9506-2) and to ISO/IEC 8802-3
IEC 61850-9-2   Communication networks and systems in substations - Part 9-2: Specific Communication Service Mapping (SCSM) - Sampled values over ISO/IEC 8802-3
IEC 61850-6     Communication networks and systems in substations - Part 6: Configuration description language for communication in electrical substations related to IEDs

1.2 Object

The initial audience for this specification is intended to be the members of the working groups developing or making use of the protocols
listed in Table 1. For the measures described in this specification to take effect, they must be accepted and referenced by the specifications for the protocols themselves. This document is written to enable that process.

The subsequent audience for this specification is intended to be the developers of products that implement these protocols. Portions of this specification may also be of use to managers and executives in order to understand the purpose and requirements of the work.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

IEC 61850 (all parts), Communication networks and systems in substations
IEC 61850-6, Communication networks and systems in substations - Part 6: Configuration description language for communication in electrical substations related to IEDs
IEC 61850-8-1, Communication networks and systems in substations - Part 8-1: Specific Communication Service Mapping (SCSM) - Mappings to MMS (ISO 9506-1 and ISO 9506-2) and to ISO/IEC 8802-3
IEC 61850-9-1, Communication networks and systems in substations - Part 9-1: Specific Communication Service Mapping (SCSM) - Sampled values over serial unidirectional multidrop point to point link
IEC 61850-9-2, Communication networks and systems in substations - Part 9-2: Specific Communication Service Mapping (SCSM) - Sampled values over ISO/IEC 8802-3
IEC 62351-1, Power systems management and associated information exchange - Data and communications security - Part 1: Communication network and system security - Introduction to security issues
IEC 62351-2, Power systems management and associated information exchange - Data and communications security - Part 2: Glossary of terms
IEC 62351-4, Power systems management and associated information exchange - Data and communications security - Part 4: Profiles including MMS
ISO 9506 (all parts), Industrial automation systems - Manufacturing Message Specification
ISO/IEC 8802-3, Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 3: Carrier sense multiple access with collision detection (CSMA/CD) access method and physical layer specifications
ISO/IEC 13239, Information technology - Telecommunications and information exchange between systems - High-level data link control (HDLC) procedures
IEEE Std. 802.1Q-2003, Virtual Bridged Local Area Networks
RFC 2030, Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI
RFC 2313, PKCS #1: RSA Encryption Version 1.5
RFC 3447, Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1
RFC 4634, US Secure Hash Algorithms (SHA and HMAC-SHA)

3 Definitions

For the purposes of this document, the terms and definitions contained in IEC 62351-2 apply.

4 Security issues addressed by this specification

4.1 Operational issues affecting choice of security options

For applications using GOOSE and IEC 61850-9-2 and requiring 4 ms response times, multicast configurations and low CPU overhead, encryption is not recommended. Instead, the communication path selection process
(e.g. the fact that GOOSE and SMV are supposed to be restricted to a logical substation LAN) shall be used to provide confidentiality for information exchanges. However, this specification does define a mechanism for allowing confidentiality for applications where the 4 ms delivery criterion is not a concern.

NOTE The actual performance characteristics of an implementation claiming conformance to this technical specification is outside the scope of this specification.

With the exception of confidentiality, this specification sets forth a mechanism that allows co-existence of secure and non-secure PDUs.

4.2 Security threats countered

See IEC 62351-1 for a discussion of security threats and attack methods.

If encryption is not employed, then the specific threats countered in this part include:
- unauthorized modification of information through message level authentication of the messages.

If encryption is employed, then the specific threats countered in this part include:
- unauthorized access to information through message level authentication and encryption of the messages;
- unauthorized modification (tampering) or theft of information through message level authentication and encryption of the messages.

4.3 Attack methods countered

The following security attack methods are intended to be countered through the appropriate implementation of the specification/recommendations found within this document:
- man-in-the-middle: this threat will be countered through
the use of a Message Authentication Code mechanism specified within this document;
- tamper detection/message integrity: These threats will be countered through the algorithm used to create the authentication mechanism as specified within this document;
- replay: this threat will be countered through the use of specialized processing state machines specified within IEC 62351-4 and this document.

5 Correlation of IEC 61850 parts and IEC 62351 parts

5.1 IEC 61850 security for profiles using ISO 9506 (MMS)

5.1.1 General

IEC 61850 implementations claiming conformance to this specification and declaring support for the IEC 61850-8-1 profile utilizing TCP/IP and ISO 9506 (MMS) shall implement Clauses 5 and 6 of IEC 62351-4. In addition to the IEC 62351-4 specification, extensions to IEC 61850-6 (the Substation Configuration Language) shall be supported as prescribed in 7.2.3.

IEC 61850-8-1 specifies the use of MMS within a substation. However, the scope of this specification provides security specifications for use within the substation and external to the substation (e.g. Control Centre to Substation).

5.1.2 Control centre to substation

The IEC 62351-4 standard shall be used without any other additions.

5.1.3 Substation communications

The following cipher suite shall be supported in addition to those specified in IEC 62351-4.

TLS_DH_RSA_WITH_AES_128_SHA

NOTE This additional cipher suite is suggested in order to allow less CPU utilization when the communication environment is within a
substation.

5.2 IEC 61850 security for profiles using VLAN IDs

For the IEC 61850 profiles specified that make use of VLAN IDs (e.g. IEC 61850-8-1 GOOSE, IEC 61850-9-1, and IEC 61850-9-2) profile security shall be provided as specified in Clause 7.

6 IEC 61850 security for SNTP

RFC 2030, including mandatory use of the authentication algorithms, shall be used.

7 IEC 61850 security for profiles using VLAN technologies

7.1 Overview of VLAN usage and IEC 61850 (informative)

This specification extends the normal IEC 61850 GOOSE and SMV PDUs. The outline of a PDU for GSE Management and GOOSE is given in Annex C of IEC 61850-8-1.

7.2 Extended PDU

7.2.1 General format of extended PDU

Figure 1 General format of extended PDU (octet layout of the Ethertype PDU, bits 8 to 1: Ethertype in octets 1-2, APPID from octet 3, Length in octets 5-6, Length of extension in octets 7-8, CRC of octets 1-8 in octets 9-10, then from octet 11 the GOOSE/SMV APDU followed by the Extension)

Figure 1 depicts the fact that the Reserved1 and Reserved2 fields are to be used for implementations claiming conformance to this specification in regards to GOOSE and SMV. This specification specifies that the:
- Reserved1 field shall be used to specify the number of octets conveyed by the extension octets. This value shall be contained in the first octet of the Reserved1 field. The valid range of values is zero (0) through 255. A value of zero (0) shall indicate that no extension octets are present. The second octet of the Reserved1 field shall be reserved for future use;
- Reserved2 field shall contain a 16-bit CRC, as calculated per ISO/IEC 13239 (ISO HDLC). The CRC shall be calculated over Octets 1-8 of the VLAN information of the Extended PDU. The CRC shall be present if the Extension Length has a non-zero value.

7.2.2 Format of extension octets

The format of the extension octet area shall be:

    Extension ::= [0] IMPLICIT SEQUENCE {
        [1] IMPLICIT SEQUENCE Reserved OPTIONAL,
        [2] IMPLICIT OCTETSTRING Private OPTIONAL,
        [3] IMPLICIT AuthenticationValue OPTIONAL,
    }

Extension shall be encoded per ASN.1 Basic Encoding Rules.

The Reserved SEQUENCE is used to reserve
future standardized extension per this specification. If no extension, besides Authentication and Encryption is defined in this specification, this SEQUENCE shall not be present. Therefore a SEQUENCE of NULL length shall be considered non-conformant to this specification.

The Private SEQUENCE is provided to allow vendors to convey Private information. The scope of the semantics and syntax of the contents of this SEQUENCE is out-of-scope of this specification and shall only be interoperable via prior agreement. This SEQUENCE shall only be present if there are actual contents being conveyed.

7.2.2.1 the Reserved octets shall be decrypted by using the appropriate key and algorithm (reverse of clause 7.2.2.1); if the calculated AuthenticationValue and de-signed AuthenticationValue match, then the client should proceed with the processing of the APDU.

7.2.2.4 GOOSE replay

In order to augment
and protect from GOOSE replay, the security extensions shall be used. Additionally, the following should be used. The process of verifying the AuthenticationValue (see 7.2.2.3) shall occur prior to the additional processing within this clause. The client should establish and track its current time. A GOOSE whose timestamp exceeds a 2 min skew should not be processed. The skew period shall be configurable and i
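
The Reserved1/Reserved2 rules of 7.2.1, as an added Python example that is not part of the specification text: it builds and parses the ten-octet header and checks the ISO/IEC 13239 CRC over octets 1-8 only when the extension length is non-zero. Assumptions not stated on this page: the function names and sample bytes are constructed, fields are two octets in network byte order as in IEC 61850-8-1, Reserved2 carries the CRC most significant octet first, and the extension octets are the last octets after the APDU.

```python
import struct

GOOSE_ETHERTYPE = 0x88B8  # Ethertype assigned to GOOSE in IEC 61850-8-1


def crc16_hdlc(data: bytes) -> int:
    """ISO/IEC 13239 16-bit FCS: reflected poly 0x8408, init 0xFFFF, final XOR 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_pdu(appid: int, apdu: bytes, extension: bytes = b"") -> bytes:
    """Constructed sample encoder: header, APDU, then extension octets."""
    if len(extension) > 255:
        raise ValueError("extension length must fit in one octet (0..255)")
    # Length = 8 header octets from APPID onward plus the APDU (IEC 61850-8-1 rule).
    first8 = struct.pack(">HHHBB", GOOSE_ETHERTYPE, appid,
                         8 + len(apdu), len(extension), 0)
    # Assumption: CRC stored big-endian in Reserved2; zero when no extension.
    crc = crc16_hdlc(first8) if extension else 0
    return first8 + struct.pack(">H", crc) + apdu + extension


def parse_pdu(pdu: bytes) -> dict:
    """Split an extended PDU (starting at the Ethertype) and check Reserved2."""
    if len(pdu) < 10:
        raise ValueError("truncated header")
    ethertype, appid, length, ext_len, _rsv, crc = struct.unpack(">HHHBBH", pdu[:10])
    body = pdu[10:]
    if ext_len > len(body):
        raise ValueError("extension length exceeds PDU size")
    # Zero extension length means a non-secure PDU: Reserved2 is not checked.
    if ext_len and crc != crc16_hdlc(pdu[:8]):
        raise ValueError("Reserved2 CRC does not match octets 1-8")
    # Assumption: the extension is the last ext_len octets, after the APDU.
    split = len(body) - ext_len
    return {"ethertype": ethertype, "appid": appid, "length": length,
            "secure": ext_len > 0, "apdu": body[:split], "extension": body[split:]}


if __name__ == "__main__":
    # Constructed bytes: a dummy APDU and a dummy BER-shaped extension.
    sample = build_pdu(0x0001, b"\x61\x03\x80\x01\x41", b"\xa0\x02\x83\x00")
    print(parse_pdu(sample))
```

The CRC here only protects the header octets against corruption; message authentication still rests on the AuthenticationValue carried in the extension.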