EN 62351-9-2017 en Power systems management and associated information exchange - Data and communications security - Part 9 Cyber security key management for power system equipment.pdf

1、Power systems management and associated information exchange Data and communications security Part 9: Cyber security key management for power system equipment (IEC 62351-9:2017)BS EN 62351-9:2017BSI Standards PublicationWB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06EUROPEAN STANDARD NORME

2、EUROPENNE EUROPISCHE NORM EN 62351-9 July 2017 ICS 33.200 English Version Power systems management and associated information exchange - Data and communications security - Part 9: Cyber security key management for power system equipment (IEC 62351-9 :2017) Gestion des systmes de puissance et changes

3、 dinformations associs - Scurit des communications et des donnes - Partie 9: Gestion de cl de cyberscurit des quipements de systme de puissance (IEC 62351-9 :2017) Energiemanagementsysteme und zugehriger Datenaustausch - IT-Sicherheit fr Daten und Kommunikation - Teil 9: Cyber security Schlssel-Mana

4、gement fr Stromversorgungsanlagen (IEC 62351-9 :2017) This European Standard was approved by CENELEC on 2017-06-22. CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without

5、 any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CENELEC member. This European Standard exists in three official versions (English, French, German). A version in any other

6、 language made by translation under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus

7、, the Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey

8、and the United Kingdom. European Committee for Electrotechnical Standardization Comit Europen de Normalisation Electrotechnique Europisches Komitee fr Elektrotechnische Normung CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2017 CENELEC All rights of exploitation in any form and by

9、 any means reserved worldwide for CENELEC Members. Ref. No. EN 62351-9:2017 E National forewordThis British Standard is the UK implementation of EN 62351-9:2017. It is identical to IEC 62351-9:2017.The UK participation in its preparation was entrusted to Technical Committee PEL/57, Power systems man

10、agement and associated information exchange.A list of organizations represented on this committee can be obtained on request to its secretary.This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standa

11、rds Institution 2017 Published by BSI Standards Limited 2017ISBN 978 0 580 94718 6ICS 33.200Compliance with a British Standard cannot confer immunity from legal obligations.This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 July 2017.Amendmen

12、ts/corrigenda issued since publicationDate Text affectedBRITISH STANDARDBS EN 623519:2017EUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN 62351-9 July 2017 ICS 33.200 English Version Power systems management and associated information exchange - Data and communications security - Part 9: Cyber s

13、ecurity key management for power system equipment (IEC 62351-9 :2017) Gestion des systmes de puissance et changes dinformations associs - Scurit des communications et des donnes - Partie 9: Gestion de cl de cyberscurit des quipements de systme de puissance (IEC 62351-9 :2017) Energiemanagementsystem

14、e und zugehriger Datenaustausch - IT-Sicherheit fr Daten und Kommunikation - Teil 9: Cyber security Schlssel-Management fr Stromversorgungsanlagen (IEC 62351-9 :2017) This European Standard was approved by CENELEC on 2017-06-22. CENELEC members are bound to comply with the CEN/CENELEC Internal Regul

15、ations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CENELEC m

16、ember. This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official vers

17、ions. CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, th

18、e Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. European Committee for Electrotechnical Standardization Comit Europen de Normalisation Electrotechnique Europisches Komitee fr Elektrotechnische Normung CEN-CENELE

19、C Management Centre: Avenue Marnix 17, B-1000 Brussels 2017 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members. Ref. No. EN 62351-9:2017 E BS EN 623519:2017EN 62351-9:2017 2 European foreword The text of document 57/1838/FDIS, future edition 1 of I

20、EC 62351-9, prepared by IEC/TC 57 “Power systems management and associated information exchange“ was submitted to the IEC-CENELEC parallel vote and approved by CENELEC as EN 62351-9:2017. The following dates are fixed: latest date by which the document has to be implemented at national level by publ

21、ication of an identical national standard or by endorsement (dop) 2018-03-22 latest date by which the national standards conflicting with the document have to be withdrawn (dow) 2020-06-22 Attention is drawn to the possibility that some of the elements of this document may be the subject of patent r

22、ights. CENELEC shall not be held responsible for identifying any or all such patent rights. This document has been prepared under a mandate given to CENELEC by the European Commission and the European Free Trade Association. Endorsement notice The text of the International Standard IEC 62351-9:2017

23、was approved by CENELEC as a European Standard without any modification. In the official version, for Bibliography, the following notes have to be added for the standards indicated: IEC 62351-3 NOTE Harmonized as EN 62351-3. BS EN 623519:2017EN 62351-9:2017 2 European foreword The text of document 5

24、7/1838/FDIS, future edition 1 of IEC 62351-9, prepared by IEC/TC 57 “Power systems management and associated information exchange“ was submitted to the IEC-CENELEC parallel vote and approved by CENELEC as EN 62351-9:2017. The following dates are fixed: latest date by which the document has to be imp

25、lemented at national level by publication of an identical national standard or by endorsement (dop) 2018-03-22 latest date by which the national standards conflicting with the document have to be withdrawn (dow) 2020-06-22 Attention is drawn to the possibility that some of the elements of this docum

26、ent may be the subject of patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights. This document has been prepared under a mandate given to CENELEC by the European Commission and the European Free Trade Association. Endorsement notice The text of the Intern

27、ational Standard IEC 62351-9:2017 was approved by CENELEC as a European Standard without any modification. In the official version, for Bibliography, the following notes have to be added for the standards indicated: IEC 62351-3 NOTE Harmonized as EN 62351-3. EN 62351-9:2017 3 Annex ZA (normative) No

28、rmative references to international publications with their corresponding European publications The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated refer

29、ences, the latest edition of the referenced document (including any amendments) applies. NOTE 1 When an International Publication has been modified by common modifications, indicated by (mod), the relevant EN/HD applies. NOTE 2 Up-to-date information on the latest versions of the European Standards

30、listed in this annex is available here: www.cenelec.eu Publication Year Title EN/HD Year IEC/TS 62351-2 - Power systems management and associated information exchange - Data and communications security - Part 2: Glossary of terms - - ISO/IEC 9594-8/ Rec. ITU-T X.509 2017 2016 Information technology

31、- Open Systems Interconnection - The Directory - Part 8: Public-key and attribute certificate frameworks - - ISO/IEC 9834-1/ Rec. ITU-T X.660 2012 2011 Information technology - Procedures for the operation of object identifier registration authorities: General procedures and top arcs of the internat

32、ional object identifier tree - - RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2 - - RFC 5272 - Certificate Management over CMS (CMC) - - RFC 5934 - Trust Anchor Management Protocol (TAMP) - - RFC 6407 - The Group Domain of Interpretation - - IETF RFC 6960 - X.509 - Internet Publi

33、c Key Infrastructure Online Certificate Status Protocol - OCSP - - RFC 7030 - Enrolment over Secure Transport - - SCEP IETF Draft, Simple Certificate Enrolment Protocol, draft-gutmann-scep-04.txt BS EN 623519:2017This page deliberately left blank 2 IEC 62351-9:2017 IEC 2017 CONTENTS FOREWORD . 6 1 S

34、cope 8 2 Normative references 8 3 Terms and definitions 9 4 Abbreviations and acronyms 14 5 Cryptographic applications for power system implementations . 15 5.1 Cryptography, cryptographic keys, and security objectives 15 5.2 Types of cryptography 16 5.3 Uses of cryptography 16 5.3.1 Goals of cyber

35、security 16 5.3.2 Confidentiality 17 5.3.3 Data integrity . 17 5.3.4 Authentication 18 5.3.5 Non-repudiation . 18 5.3.6 Trust 18 6 Key management concepts and methods in power system operations . 19 6.1 Key management system security policy . 19 6.2 Key management design principles for power system

36、operations 19 6.3 Use of Transport Layer Security (TLS) 19 6.4 Cryptographic key usages . 19 6.5 Trust using a public-key infrastructure (PKI) 20 6.5.1 Registration authorities (RA) 20 6.5.2 Certification authority (CA) 20 6.5.3 Public-key certificates 20 6.5.4 Attribute certificates . 21 6.5.5 Publ

37、ic-key certificate and attribute certificate extensions . 21 6.6 Trust via non-PKI self-signed certificates 22 6.7 Authorization and validation lists . 22 6.7.1 General . 22 6.7.2 AVLs in non-constrained environments 23 6.7.3 AVLs in constrained environments . 23 6.7.4 Use of self-signed public-key

38、certificates in AVLs 23 6.8 Trust via pre-shared keys 23 6.9 Session keys 24 6.10 Protocols used in trust establishment 24 6.10.1 Certification request 24 6.10.2 Trust Anchor Management Protocol (TAMP) 24 6.10.3 Simple Certificate Enrolment Protocol (SCEP) . 24 6.10.4 Internet X.509 PKI Certificate

39、Management Protocol (CMP) . 24 6.10.5 Certificate Management over CMS (CMC) . 25 6.10.6 Enrolment over Secure Transport (EST) 25 6.10.7 Summary view on the different protocols . 25 6.11 Group keys . 26 6.11.1 Purpose of group keys . 26 6.11.2 Group Domain of Interpretation (GDOI) . 26 6.12 Key manag

40、ement lifecycle 31 2 IEC 62351-9:2017 IEC 2017 CONTENTS FOREWORD . 6 1 Scope 8 2 Normative references 8 3 Terms and definitions 9 4 Abbreviations and acronyms 14 5 Cryptographic applications for power system implementations . 15 5.1 Cryptography, cryptographic keys, and security objectives 15 5.2 Ty

41、pes of cryptography 16 5.3 Uses of cryptography 16 5.3.1 Goals of cyber security 16 5.3.2 Confidentiality 17 5.3.3 Data integrity . 17 5.3.4 Authentication 18 5.3.5 Non-repudiation . 18 5.3.6 Trust 18 6 Key management concepts and methods in power system operations . 19 6.1 Key management system sec

42、urity policy . 19 6.2 Key management design principles for power system operations 19 6.3 Use of Transport Layer Security (TLS) 19 6.4 Cryptographic key usages . 19 6.5 Trust using a public-key infrastructure (PKI) 20 6.5.1 Registration authorities (RA) 20 6.5.2 Certification authority (CA) 20 6.5.3

43、 Public-key certificates 20 6.5.4 Attribute certificates . 21 6.5.5 Public-key certificate and attribute certificate extensions . 21 6.6 Trust via non-PKI self-signed certificates 22 6.7 Authorization and validation lists . 22 6.7.1 General . 22 6.7.2 AVLs in non-constrained environments 23 6.7.3 AV

44、Ls in constrained environments . 23 6.7.4 Use of self-signed public-key certificates in AVLs 23 6.8 Trust via pre-shared keys 23 6.9 Session keys 24 6.10 Protocols used in trust establishment 24 6.10.1 Certification request 24 6.10.2 Trust Anchor Management Protocol (TAMP) 24 6.10.3 Simple Certifica

45、te Enrolment Protocol (SCEP) . 24 6.10.4 Internet X.509 PKI Certificate Management Protocol (CMP) . 24 6.10.5 Certificate Management over CMS (CMC) . 25 6.10.6 Enrolment over Secure Transport (EST) 25 6.10.7 Summary view on the different protocols . 25 6.11 Group keys . 26 6.11.1 Purpose of group ke

46、ys . 26 6.11.2 Group Domain of Interpretation (GDOI) . 26 6.12 Key management lifecycle 31 BS EN 623519:2017IEC 62351-9:2017 IEC 2017 3 6.12.1 Key management in the life cycle of an entity 31 6.12.2 Cryptographic key lifecycle 32 6.13 Certificate management processes . 34 6.13.1 Certificate manageme

47、nt process 34 6.13.2 Initial certificate creation 34 6.13.3 Enrolment of an entity 34 6.13.4 Certificate signing request (CSR) process . 36 6.13.5 Certificate revocation lists (CRLs) 37 6.13.6 Online certificate status protocol (OCSP) . 38 6.13.7 Server-based certificate validation protocol (SCVP) .

48、 41 6.13.8 Short-lived certificates . 41 6.13.9 Certificate renewal . 42 6.14 Alternative process for asymmetric keys generated outside the entity . 43 6.15 Key distribution for symmetric keys with different time frames . 44 7 General key management requirements . 44 7.1 Asymmetric and symmetric key

49、 management requirements . 44 7.2 Required cryptographic materials 44 7.3 Public-Key certificates requirements . 45 7.4 Cryptographic key protection. 45 7.5 Use of existing security key management infrastructure 45 7.6 Use of object identifiers 45 8 Asymmetric key management 45 8.1 Certificate generation and installation . 45 8.1.1 Private and public key generation and installation 45 8.1.2 Private and public key renewal 46 8.1.3 Random Number Generation . 46 8.1.4 Certificate policy 46 8.1.5 E