BS EN 62351-3:2014 (IEC 62351-3:2014): Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP

BSI Standards Publication

Power systems management and associated information exchange - Data and communications security
Part 3: Communication network and system security - Profiles including TCP/IP
BS EN 62351-3:2014

National foreword

This British Standard is the UK implementation of EN 62351-3:2014. It is identical to IEC 62351-3:2014. It supersedes DD IEC/TS 62351-3:2007, which is withdrawn.

The UK participation in its preparation was entrusted to Technical Committee PEL/57, Power systems management and associated information exchange. A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2015. Published by BSI Standards Limited 2015.
ISBN 978 0 580 82842 3
ICS 33.200

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 January 2015.

Amendments/corrigenda issued since publication: none listed (Date / Text affected).

EUROPEAN STANDARD / NORME EUROPÉENNE / EUROPÄISCHE NORM
EN 62351-3
December 2014
ICS 33.200

English Version

Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP (IEC 62351-3:2014)

French title: Gestion des systèmes de puissance et échanges d'informations associés - Sécurité des communications et des données - Partie 3: Sécurité des réseaux et des systèmes de communication - Profils comprenant TCP/IP (CEI 62351-3:2014)

German title: Management von Systemen der Energietechnik und zugehöriger Datenaustausch - Daten- und Kommunikationssicherheit - Teil 3: Sicherheit von Kommunikationsnetzen und Systemen - Profile einschließlich TCP/IP (IEC 62351-3:2014)

This European Standard was approved by CENELEC on 2014-12-02. CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

European Committee for Electrotechnical Standardization / Comité Européen de Normalisation Electrotechnique / Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels

© 2014 CENELEC. All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members. Ref. No. EN 62351-3:2014 E

Foreword

The text of document 57/1498/FDIS, future edition 1 of IEC 62351-3, prepared by IEC/TC 57 "Power systems management and associated information exchange", was submitted to the IEC-CENELEC parallel vote and approved by CENELEC as EN 62351-3:2014.

The following dates are fixed:
- latest date by which the document has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2015-09-02
- latest date by which the national standards conflicting with the document have to be withdrawn (dow): 2017-12-02

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CENELEC and/or CEN shall not be held responsible for identifying any or all such patent rights.

Endorsement notice

The text of the International Standard IEC 62351-3:2014 was approved by CENELEC as a European Standard without any modification.

Annex ZA (normative)
Normative references to international publications with their corresponding European publications

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

NOTE 1 When an International Publication has been modified by common modifications, indicated by (mod), the relevant EN/HD applies.

NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available here: www.cenelec.eu.

Publication | Year | Title | EN/HD | Year
IEC/TS 62351-1 | 2007 | Power systems management and associated information exchange - Data and communications security - Part 1: Communication network and system security - Introduction to security issues | - | -
IEC/TS 62351-2 | 2008 | Power systems management and associated information exchange - Data and communications security - Part 2: Glossary of terms | - | -
IEC/TS 62351-9 | - 1) | Power systems management and associated information exchange - Data and communications security - Part 9: Key management | - | -
ISO/IEC 9594-8 | - | Information technology - Open Systems Interconnection - The Directory - Part 8: Public-key and attribute certificate frameworks | - | -
RFC 4492 | 2006 | Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) | - | -
RFC 5246 | 2008 | The Transport Layer Security (TLS) Protocol Version 1.2 | - | -
RFC 5280 | 2008 | Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile | - | -
RFC 5746 | 2010 | Transport Layer Security (TLS) Renegotiation Indication Extension | - | -
RFC 6066 | 2011 2) | Transport Layer Security (TLS) Extensions: Extension Definitions | - | -
RFC 6176 | 2011 | Prohibiting Secure Sockets Layer (SSL) Version 2.0 | - | -

1) At draft stage.
2) Supersedes RFC 4366:2006, Transport Layer Security (TLS) Extensions.

CONTENTS

1 Scope
  1.1 Scope
  1.2 Intended Audience
2 Normative references
3 Terms, definitions and abbreviations
  3.1 Terms, definitions and abbreviations
  3.2 Additional abbreviations
4 Security issues addressed by this standard
  4.1 Operational requirements affecting the use of TLS in the telecontrol environment
  4.2 Security threats countered
  4.3 Attack methods countered
5 Mandatory requirements
  5.1 Deprecation of cipher suites
  5.2 Negotiation of versions
  5.3 Session resumption
  5.4 Session renegotiation
  5.5 Message Authentication Code
  5.6 Certificate support
    5.6.1 Multiple Certification Authorities (CAs)
    5.6.2 Certificate size
    5.6.3 Certificate exchange
    5.6.4 Public-key certificate validation
  5.7 Co-existence with non-secure protocol traffic
6 Optional security measure support
7 Referencing standard requirements
8 Conformance
Bibliography

POWER SYSTEMS MANAGEMENT AND ASSOCIATED INFORMATION EXCHANGE - DATA AND COMMUNICATIONS SECURITY
Part 3: Communication network and system security - Profiles including TCP/IP

1 Scope

1.1 Scope

This part of IEC 62351 specifies how to provide confidentiality, integrity protection, and message level authentication for SCADA and telecontrol protocols that make use of TCP/IP as a message transport layer when cyber-security is required. Although there are many possible solutions to secure TCP/IP, the particular scope of this part is to provide security between communicating entities at either end of a TCP/IP connection, within the end communicating entities. The use and specification of intervening external security devices (e.g. "bump-in-the-wire") are considered out-of-scope.

This part of IEC 62351 specifies how to secure TCP/IP-based protocols through constraints on the specification of the messages, procedures, and algorithms of Transport Layer Security (TLS) (defined in RFC 5246) so that they are applicable to the telecontrol environment of the IEC. TLS is applied to protect the TCP communication. It is intended that this standard be referenced as a normative part of other IEC standards that have the need for providing security for their TCP/IP-based protocol. However, it is up to the individual protocol security initiatives to decide if this standard is to be referenced.

This part of IEC 62351 reflects the security requirements of the IEC power systems management protocols. Should other standards bring forward new requirements, this standard may need to be revised.

1.2 Intended Audience

The initial audience for this specification is intended to be experts developing or making use of IEC protocols in the field of power systems management and associated information exchange. For the measures described in this specification to take effect, they must be accepted and referenced by the specifications for the protocols themselves, where the protocols make use of TCP/IP security. This document is written to enable that process.

The subsequent audience for this specification is intended to be the developers of products that implement these protocols. Portions of this specification may also be of use to managers and executives in order to understand the purpose and requirements of the work.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

IEC TS 62351-1:2007, Power systems management and associated information exchange - Data and communications security - Part 1: Communication network and system security - Introduction to security issues

IEC TS 62351-2:2008, Power systems management and associated information exchange - Data and communications security - Part 2: Glossary of terms

IEC TS 62351-9, Power systems management and associated information exchange - Data and communications security - Part 9: Key Management 1)

ISO/IEC 9594-8, Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks

RFC 4492:2006, Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)

RFC 5246:2008, The TLS Protocol Version 1.2 2)

RFC 5280:2008, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

RFC 5746:2010, Transport Layer Security (TLS) Renegotiation Indication Extension

RFC 6066:2011, Transport Layer Security Extensions

RFC 6176:2011, Prohibiting Secure Sockets Layer (SSL) Version 2.0

1) Under consideration.
2) This is typically referred to as SSL/TLS.

3 Terms, definitions and abbreviations

3.1 Terms, definitions and abbreviations

For the purposes of this document, the terms, definitions and abbreviations given in IEC TS 62351-2, Glossary, apply.

3.2 Additional abbreviations

CRL    Certificate Revocation List
DER    Distinguished Encoding Rules
ECDSA  Elliptic Curve Digital Signature Algorithm
ECGDSA Elliptic Curve German Digital Signature Algorithm (see ISO/IEC 15946-2)
OCSP   Online Certificate Status Protocol (see RFC 6960)
PIXIT  Protocol Implementation eXtra Information for Testing

4 Security issues addressed by this standard

4.1 Operational requirements affecting the use of TLS in the telecontrol environment

The IEC telecontrol environment has different operational requirements from many Information Technology (IT) applications that make use of TLS in order to provide security protection. The most differentiating, in terms of security, is the duration of the TCP/IP connection for which security needs to be maintained. Many IT protocols have short duration connections, which allow the encryption algorithms to be renegotiated at connection re-establishment. However, the connections within a telecontrol environment tend to have longer durations, often "permanent". It is the longevity of the connections in the field of power systems management and associated information exchange that gives rise to the need for special consideration. In this regard, in order to provide protection for the "permanent" connections, a mechanism for updating the session key is specified within this standard, based upon the TLS features of session resumption and session re-negotiation, while also considering the relationship with certificate revocation state information.

Another issue addressed within this standard is how to achieve interoperability between different implementations. TLS allows for a wide variety of cipher suites to be supported and negotiated at connection establishment. However, it is conceivable that two implementations could support mutually exclusive sets of cipher suites. This standard specifies that referring standards must specify at least one common cipher suite and a set of TLS parameters that allow interoperability.

Additionally, this standard specifies the use of particular TLS capabilities that allow for specific security threats to be countered.

Note that TLS utilizes X.509 certificates (see also ISO/IEC 9594-8 or RFC 5280) for authentication. In the context of this specification the term certificates always relates to public key certificates (in contrast to attribute certificates).

NOTE It is intended that certificate management necessary to operate TLS be specified in compliance with IEC TS 62351-9.

4.2 Security threats countered

See IEC TS 62351-1 for a discussion of security threats and attack methods. TCP/IP and the security specifications in this part of IEC 62351 cover only the communication transport layers (OSI layers 4 and lower). This part of IEC 62351 does not cover security for the communication application layers (OSI layers 5 and above) or application-to-application security.

The specific threats countered in this part of IEC 62351 for the transport layers include:
- Unauthorized modification or insertion of messages, through message level authentication and integrity protection of messages.

Additionally, when the information has been identified as requiring confidentiality protection:
- Unauthorized access or theft of information, through message level encryption of the messages.

4.3 Attack methods countered

The following security attack methods are countered through the appropriate implementation of the specifications and
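The interoperability point of clause 4.1 (a referring standard must fix at least one common cipher suite and a set of TLS parameters) and the normative references to RFC 5246, RFC 5746, RFC 6066 and RFC 6176 can be made concrete by inspecting what a client actually offers on the wire. The following is an added example, not code from the standard or from any IEC project: it serialises a TLS ClientHello, parses it back, and compares it against a profile policy. The policy values (minimum version TLS 1.2, the deprecated suites, the "common set" of ECC suites) are assumptions standing in for what clause 5 and a referring standard would specify; the clause 5.1 deprecation list itself is not reproduced on this page. Both sample hellos and the host name are constructed.

```python
import struct

# Subset of the IANA TLS Cipher Suite Registry, enough for the constructed samples.
SUITE_NAMES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",     # RFC 4492
    0xC023: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",  # RFC 5289
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",  # RFC 5289
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",        # RFC 5746
}
EXT_SERVER_NAME = 0x0000         # RFC 6066
EXT_RENEGOTIATION_INFO = 0xFF01  # RFC 5746

# Assumed policy, modelled on what a referring standard would fix under IEC 62351-3.
# It is an illustration for this example, not the text of clause 5.
PROFILE_POLICY = {
    "min_version": 0x0303,                   # TLS 1.2 (RFC 5246); SSLv2 is out (RFC 6176)
    "deprecated": {0x0000, 0x0003, 0x0004},  # NULL, export and RC4 suites
    "common": {0xC009, 0xC023, 0xC02B},      # ECC suites in the RFC 4492 family
}


def sni_extension(host):
    """server_name extension (RFC 6066, section 3) carrying one host_name entry."""
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return (EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def build_client_hello(version, suites, session_id=b"", extensions=()):
    """Serialise a ClientHello (RFC 5246, 7.4.1.2) inside a single TLS record."""
    body = struct.pack("!H", version) + b"\x11" * 32  # fixed 'random' for the sample
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                # compression_methods: null only
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Walk the record and handshake headers and return the ClientHello fields."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]
    p = 2 + 32                                         # skip client_random
    sid_len = body[p]; p += 1
    session_id = body[p:p + sid_len]; p += sid_len
    cs_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + body[p]                                   # skip compression_methods
    extensions = {}
    if p < len(body):
        ext_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2
        end = p + ext_len
        while p < end:
            etype, elen = struct.unpack("!HH", body[p:p + 4]); p += 4
            extensions[etype] = body[p:p + elen]; p += elen
    return {"version": version, "session_id": session_id, "suites": suites, "extensions": extensions}


def audit(record, policy=PROFILE_POLICY):
    """Compare one ClientHello against the policy and list every violation."""
    h = parse_client_hello(record)
    findings = []
    if h["version"] < policy["min_version"]:
        findings.append("client_version %#06x is below TLS 1.2" % h["version"])
    for s in h["suites"]:
        if s in policy["deprecated"]:
            findings.append("deprecated cipher suite offered: " + SUITE_NAMES.get(s, "%#06x" % s))
    if not set(h["suites"]) & policy["common"]:
        findings.append("no cipher suite from the agreed common set; the handshake may not interoperate")
    if 0x00FF not in h["suites"] and EXT_RENEGOTIATION_INFO not in h["extensions"]:
        findings.append("no RFC 5746 renegotiation indication (SCSV or renegotiation_info)")
    sni = h["extensions"].get(EXT_SERVER_NAME)
    return {
        "compliant": not findings,
        "findings": findings,
        "resumption_attempt": bool(h["session_id"]),  # non-empty session_id asks to resume (RFC 5246, 7.4.1.2)
        "sni": sni[5:].decode() if sni else None,       # single host_name entry: 2-byte list length, type, 2-byte length
    }


# Constructed samples: a hello from a profile-conforming client and one from a legacy client.
COMPLIANT_HELLO = build_client_hello(
    0x0303, [0xC02B, 0xC023, 0xC009, 0x00FF],
    extensions=[(EXT_RENEGOTIATION_INFO, b"\x00"), sni_extension("rtu-07.substation.example")],
)
LEGACY_HELLO = build_client_hello(0x0301, [0x0004, 0x002F], session_id=bytes(range(32)))

if __name__ == "__main__":
    for label, rec in (("compliant", COMPLIANT_HELLO), ("legacy", LEGACY_HELLO)):
        print(label, audit(rec))
```

The renegotiation check matters for the profile's long-lived connections: a peer that rekeys a "permanent" connection by renegotiation but does not signal RFC 5746 support is exposed to the prefix-injection attack that extension was written to close, so a hello without either the SCSV or the renegotiation_info extension should be treated as non-conforming rather than merely old. The session_id field is reported separately because a resumption attempt reuses the master secret; whether that is acceptable is what clause 5.3 of the standard governs.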
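Clause 4.1 ties the session-key update for permanent connections to renegotiation, resumption and certificate revocation state, and clause 4.2 lists the threats the transport profile counters (message modification or insertion via authentication and integrity protection; information theft via encryption). The following added example, not the standard's own code or that of any IEC implementation, shows how those constraints translate into an endpoint's TLS configuration using Python's standard ssl module, with the unconstrained default context beside the constrained one and an audit function that reads the resulting settings back. The OpenSSL cipher names are an assumption modelled on the ECDHE suites of RFC 4492 and RFC 5289, not the clause 5.1 list; the file-path parameters are hypothetical and no certificate or CRL is shipped with the example, so the context is built and inspected but not used for a handshake.

```python
import ssl

# Assumed "common set" in OpenSSL naming (ECDHE suites of RFC 4492 / RFC 5289);
# a referring standard, not this example, fixes the real list.
COMMON_SUITES = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
WEAK_MARKERS = ("NULL", "RC4", "EXP", "MD5", "DES-")
_OP_NO_RENEG = getattr(ssl, "OP_NO_RENEGOTIATION", 0)  # absent on old OpenSSL builds


def legacy_server_context():
    """Server context as shipped: anonymous clients, no revocation checking, stack defaults for versions."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def telecontrol_server_context(ca_file=None, crl_file=None, cert_file=None, key_file=None):
    """Server context constrained the way the profile constrains TLS for telecontrol.

    The file arguments are hypothetical paths; when none are given the context is
    built and can be audited but cannot complete a handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # RFC 5246; SSLv2 (RFC 6176), SSLv3 and TLS 1.0/1.1 are refused
    ctx.options |= ssl.OP_NO_COMPRESSION           # compression leaks plaintext length; nothing here needs it
    # OP_NO_RENEGOTIATION is deliberately left clear: the profile rekeys permanent
    # connections through (RFC 5746 secure) renegotiation, see clause 4.1.
    ctx.set_ciphers(COMMON_SUITES)                 # NULL, RC4 and export suites cannot be negotiated at all
    ctx.verify_mode = ssl.CERT_REQUIRED            # mutual authentication: the client must present an X.509 certificate
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF  # revocation state (RFC 5280 CRL) is consulted at each handshake
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)  # CRLs are loaded through the same call as CA certificates
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def audit_context(ctx):
    """Read the effective settings back so the policy can be checked, not assumed."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "mutual_auth": ctx.verify_mode == ssl.CERT_REQUIRED,
        "crl_check": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "renegotiation_allowed": not (ctx.options & _OP_NO_RENEG),
        "weak_suites": [n for n in names if any(m in n for m in WEAK_MARKERS)],
        "ecdhe_suites": [n for n in names if n.startswith("ECDHE")],
    }


if __name__ == "__main__":
    print("legacy   ", audit_context(legacy_server_context()))
    print("profile  ", audit_context(telecontrol_server_context()))
```

Two caveats a practitioner will hit. VERIFY_CRL_CHECK_LEAF makes the handshake fail outright when no CRL has been loaded, which is the intended behaviour (an unverifiable revocation state is not "not revoked") but means CRL distribution has to be solved before the setting is switched on; that is the key-management ground IEC TS 62351-9 is meant to cover. And the ssl module exposes no call to trigger a renegotiation from the application, so a rekey schedule for permanent connections has to be driven either by the TLS stack's own policy or by a different library; the context above only makes sure it is not blocked. The client side mirrors this with PROTOCOL_TLS_CLIENT, the same version and cipher constraints, and its own load_cert_chain so that it can satisfy CERT_REQUIRED.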
