ImageVerifierCode 换一换
格式:PDF , 页数:18 ,大小:524.18KB ,
资源ID:548345      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-548345.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(BS DD IEC TS 62351-6-2007 Power systems management and associated information exchange - Data and communication security - Security for IEC 61850 profiles《动力系统管理和相关的信息交换 数据和通信安全 IE.pdf)为本站会员(appealoxygen216)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

BS DD IEC TS 62351-6-2007 Power systems management and associated information exchange - Data and communication security - Security for IEC 61850 profiles《动力系统管理和相关的信息交换 数据和通信安全 IE.pdf

1、 g49g50g3g38g50g51g60g44g49g42g3g58g44g55g43g50g56g55g3g37g54g44g3g51g40g53g48g44g54g54g44g50g49g3g40g59g38g40g51g55g3g36g54g3g51g40g53g48g44g55g55g40g39g3g37g60g3g38g50g51g60g53g44g42g43g55g3g47g36g58exchange Data and communications security Part 6: Security for IEC 61850 ICS 33.200Power systems ma

2、nagement and associated information DRAFT FOR DEVELOPMENTDD IEC/TS 62351-6:2007DD IEC/TS 62351-6:2007This Draft for Development was published under the authority of the Standards Policy and Strategy Committee on 31 July 2007 BSI 2007ISBN 978 0 580 56448 2to withdraw it. Comments should be sent to th

3、e Secretary of the responsible BSI Technical Committee at British Standards House, 389 Chiswick High Road, London W4 4AL.The UK participation in its preparation was entrusted to Technical Committee PEL/57, Power systems management and associated information exchange.A list of organizations represent

4、ed on this committee can be obtained on request to its secretary.This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.Amendments issued since publicationAmd. No. Date Commentsresponsible for its conversion to an in

5、ternational standard. A review of this publication will be initiated not later than 3 years after its publication by the international organization so that a decision can be taken on its status. Notification of the start of the review period will be made in an announcement in the appropriate issue o

6、f Update Standards.According to the replies received by the end of the review period, the responsible BSI Committee will decide whether to support the conversion into an international Standard, to extend the life of the Technical Specification or National forewordThis Draft for Development is the UK

7、 implementation of IEC/TS 62351-6:2007.This publication is not to be regarded as a British Standard.It is being issued in the Draft for Development series of publications and is of a provisional nature. It should be applied on this provisional basis, so that information and experience of its practic

8、al application can be obtained.Comments arising from the use of this Draft for Development are requested so that UK experience can be reported to the international organization TECHNICAL SPECIFICATION IECTS 62351-6First edition2007-06Power systems management and associated information exchange Data

9、and communications security Part 6: Security for IEC 61850 Reference number IEC/TS 62351-6:2007(E) DD IEC/TS 62351-6:2007CONTENTS 1 Scope and object3 1.1 Scope3 1.2 Object .3 2 Normative references .3 3 Definitions 4 4 Security issues addressed by this specification 4 4.1 Operational issues affectin

10、g choice of security options4 4.2 Security threats countered.5 4.3 Attack methods countered .5 5 Correlation of IEC 61850 parts and IEC 62351 parts 5 5.1 IEC 61850 security for profiles using ISO 9506 (MMS) 5 5.1.1 General .5 5.1.2 Control centre to substation.5 5.1.3 Substation communications .5 5.

11、2 IEC 61850 security for profiles using VLAN IDs .6 6 IEC 61850 security for SNTP6 7 IEC 61850 security for profiles using VLAN technologies6 7.1 Overview of VLAN usage and IEC 61850 (informative) 6 7.2 Extended PDU.6 7.2.1 General format of extended PDU .6 7.2.2 Format of extension octets 7 7.2.3 S

12、ubstation configuration language.10 8 Conformance11 8.1 General conformance 11 8.2 Conformance for implementations claiming ISO 9506 profile security 12 8.3 Conformance for implementations claiming VLAN profile security12 8.4 Conformance for implementations claiming SNTP profile security13 Bibliogra

13、phy14 Figure 1 General format of extended PDU6 Figure 2 SCL extensions for certificates.10 Figure 3 Extension to AccessPoint SCL definition 11 Table 1 Scope of application to standards3 Table 2 Extract from IEC 61850-9-2 (informative) 9 Table 3 Conformance table 12 Table 4 PICS for ISO 9506 profile1

14、2 Table 5 PICS for VLAN profiles12 Table 6 PICS for SNTP profiles13 DD IEC/TS 62351-6:2007 2 POWER SYSTEMS MANAGEMENT AND ASSOCIATED INFORMATION EXCHANGE DATA AND COMMUNICATIONS SECURITY Part 6: Security for IEC 61850 1 Scope and object 1.1 Scope This part of IEC 62351 specifies messages, procedures

15、, and algorithms for securing the operation of all protocols based on or derived from the standard IEC 61850. This specification applies to at least those protocols listed in Table 1. Table 1 Scope of application to standards Number Name IEC 61850-8-1 Communication networks and systems in substation

16、s Part 8-1: Specific Communication Service Mapping (SCSM) Mappings to MMS (ISO/IEC 9506-1 and ISO/IEC 9506-2) and to ISO/IEC 8802-3 IEC 61850-9-2 Communication networks and systems in substations Part 9-2: Specific Communication Service Mapping (SCSM) Sampled values over ISO/IEC 8802-3 IEC 61850-6 C

17、ommunication networks and systems in substations Part 6: Configuration description language for communication in electrical substations related to IEDs 1.2 Object The initial audience for this specification is intended to be the members of the working groups developing or making use of the protocols

18、 listed in Table 1. For the measures described in this specification to take effect, they must be accepted and referenced by the specifications for the protocols themselves. This document is written to enable that process. The subsequent audience for this specification is intended to be the develope

19、rs of products that implement these protocols. Portions of this specification may also be of use to managers and executives in order to understand the purpose and requirements of the work. 2 Normative references The following referenced documents are indispensable for the application of this documen

20、t. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. IEC 61850 (all parts), Communication networks and systems in substations IEC 61850-6, Communication networks and systems in substations P

21、art 6: Configuration description language for communication in electrical substations related to IEDs IEC 61850-8-1, Communication networks and systems in substations Part 8-1: Specific Communication Service Mapping (SCSM) Mappings to MMS (ISO 9506-1 and ISO 9506-2) and to ISO/IEC 8802-3 DD IEC/TS 6

22、2351-6:2007 3 IEC 61850-9-1, Communication networks and systems in substations Part 9-1: Specific Communication Service Mapping (SCSM) Sampled values over serial unidirectional multidrop point to point link IEC 61850-9-2, Communication networks and systems in substations Part 9-2: Specific Communica

23、tion Service Mapping (SCSM) Sampled values over ISO/IEC 8802-3 IEC 62351-1, Power systems management and associated information exchange Data and communications security Part 1: Communication network and system security Introduction to security issues IEC 62351-2, Power systems management and associ

24、ated information exchange Data and communications security Part 2: Glossary of terms IEC 62351-4, Power systems management and associated information exchange Data and communications security Part 4: Profiles including MMS ISO 9506 (all parts), Industrial automation systems Manufacturing Message Spe

25、cification ISO/IEC 8802-3, Information technology Telecommunications and information exchange between systems Local and metropolitan area networks Specific requirements Part 3: Carrier sense multiple access with collision detection (CSMA/CD) access method and physical layer specifications ISO/IEC 13

26、239, Information technology Telecommunications and information exchange between systems High-level data link control (HDLC) procedures IEEE Std. 802.1Q-2003, Virtual Bridged Local Area Networks RFC 2030, Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI RFC 2313, PKCS #1: RSA Encr

27、yption Version 1.5 RFC 3447, Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 RFC 4634, US Secure Hash Algorithms (SHA and HMAC-SHA) 3 Definitions For the purposes of this document, the terms and definitions contained in IEC 62351-2 apply. 4 Security issues ad

28、dressed by this specification 4.1 Operational issues affecting choice of security options For applications using GOOSE and IEC 61850-9-2 and requiring 4 ms response times, multicast configurations and low CPU overhead, encryption is not recommended. Instead, the communication path selection process

29、(e.g. the fact that GOOSE and SMV are supposed to be restricted to a logical substation LAN) shall be used to provide confidentiality for information exchanges. However, this specification does define a mechanism for allowing confidentiality for applications where the 4 ms delivery criterion is not

30、a concern. NOTE The actual performance characteristics of an implementation claiming conformance to this technical specification is outside the scope of this specification. DD IEC/TS 62351-6:2007 4 With the exception of confidentiality, this specification sets forth a mechanism that allows co-existe

31、nce of secure and non-secure PDUs. 4.2 Security threats countered See IEC 62351-1 for a discussion of security threats and attack methods. If encryption is not employed, then the specific threats countered in this part include: unauthorized modification of information through message level authentic

32、ation of the messages. If encryption is employed, then the specific threats countered in this part include: unauthorized access to information through message level authentication and encryption of the messages; unauthorized modification (tampering) or theft of information through message level auth

33、entication and encryption of the messages. 4.3 Attack methods countered The following security attack methods are intended to be countered through the appropriate implementation of the specification/recommendations found within this document: man-in-the-middle: this threat will be countered through

34、the use of a Message Authentication Code mechanism specified within this document; tamper detection/message integrity: These threats will be countered through the algorithm used to create the authentication mechanism as specified within this document; replay: this threat will be countered through th

35、e use of specialized processing state machines specified within IEC 62351-4 and this document. 5 Correlation of IEC 61850 parts and IEC 62351 parts 5.1 IEC 61850 security for profiles using ISO 9506 (MMS) 5.1.1 General IEC 61850 implementations claiming conformance to this specification and declarin

36、g support for the IEC 61850-8-1 profile utilizing TCP/IP and ISO 9506 (MMS) shall implement Clauses 5 and 6 of IEC 62351-4. In addition to the IEC 62351-4 specification, extensions to IEC 61850-6 (the Substation Configuration Language) shall be supported as prescribed in 7.2.3. IEC 61850-8-1 specifi

37、es the use of MMS within a substation. However, the scope of this specification provides security specifications for use within the substation and external to the substation (e.g. Control Centre to Substation). 5.1.2 Control centre to substation The IEC 62351-4 standard shall be used without any oth

38、er additions. 5.1.3 Substation communications The following cipher suite shall be supported in addition to those specified in IEC 62351-4. TLS_DH_RSA_WITH_AES_128_SHA NOTE This additional cipher suite is suggested in order to allow less CPU utilization when the communication environment is within a

39、substation. DD IEC/TS 62351-6:2007 5 5.2 IEC 61850 security for profiles using VLAN IDs For the IEC 61850 profiles specified that make use of VLAN IDs (e.g. IEC 61850-8-1 GOOSE, IEC 61850-9-1, and IEC 61850-9-2) profile security shall be provided as specified in Clause 7. 6 IEC 61850 security for SN

40、TP RFC 2030, including mandatory use of the authentication algorithms, shall be used. 7 IEC 61850 security for profiles using VLAN technologies 7.1 Overview of VLAN usage and IEC 61850 (informative) This specification extends the normal IEC 61850 GOOSE and SMV PDUs. The outline of a PDU for GSE Mana

41、gement and GOOSE is given in Annex C of IEC 61850-8-1. 7.2 Extended PDU 7.2.1 General format of extended PDU Octets 8 7 6 5 4 3 2 1 1 Ethertype 2 3 APPID 6 5 Length 6 7 Length of extension 8 9 CRC of octets 10 1-8 11 . Ether-type PDU GOOSE/SMV APDU Extension m-2 Figure 1 General format of extended P

42、DU Figure 1 depicts the fact that the Reserved1 and Reserved2 fields are to be used for implementations claiming conformance to this specification in regards to GOOSE and SMV. This specification specifies that the: Reserved1 field shall be used to specify the number of octets conveyed by the extensi

43、on octets. This value shall be contained in the first octet of the Reserved1 field. The valid range of values is zero(0) through 255. A value of zero(0) shall indicate that no extension octets are present. The second octet of the Reserved1 field shall be reserved for future use; IEC 1053/07 DD IEC/T

44、S 62351-6:2007 6 Reserved2 field shall contain a 16-bit CRC, as calculated per ISO/IEC 13239 (ISO HDLC). The CRC shall be calculated over Octets 1-8 of the VLAN information of the Extended PDU. The CRC shall be present if the Extension Length has a non-zero value. 7.2.2 Format of extension octets Th

45、e format of the extension octet area shall be: Extension:= 0 IMPLICIT SEQUENCE 1 IMPLICIT SEQUENCE Reserved OPTIONAL, 2 IMPLICIT OCTETSTRING Private OPTIONAL, 3 IMPLICIT AuthenticationValue OPTIONAL, Extension shall be encoded per ASN.1 Basic Encoding Rules. The Reserved SEQUENCE is used to reserve

46、future standardized extension per this specification. If no extension, besides Authentication and Encryption is defined in this specification, this SEQUENCE shall not be present. Therefore a SEQUENCE of NULL length shall be considered non-conformant to this specification. The Private SEQUENCE is pro

47、vided to allow vendors to convey Private information. The scope of the semantics and syntax of the contents of this SEQUENCE is out-of-scope of this specification and shall only be interoperable via prior agreement. This SEQUENCE shall only be present if there are actual contents being conveyed. 7.2

48、.2.1 the Reserved octets shall be decrypted by using the appropriate key and algorithm (reverse of clause 7.2.2.1); if the calculated AuthenticationValue and de-signed AuthenticationValue match, then the client should proceed with the processing of the APDU. 7.2.2.4 GOOSE replay In order to augment

49、and protect from GOOSE replay, the security extensions shall be used. Additionally, the following should be used. The process of verifying the AuthenticationValue (see 7.2.2.3) shall occur prior to the additional processing within this clause. The client should establish and track its current time. A GOOSE whose timestamp exceeds a 2 min skew should not be processed. The skew period shall be configurable and i

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1