raising standards worldwide
NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW

BSI Standards Publication

Power systems management and associated information exchange – Data and communications security
Part 8: Role-based access control

DD IEC/TS 62351-8:2011

National foreword

This Draft for Development is the UK implementation of IEC/TS 62351-8:2011.

The UK participation in its preparation was entrusted to Technical Committee PEL/57, Power systems management and associated information exchange.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© BSI 2011
ISBN 978 0 580 67829 5
ICS 33.200

Compliance with a British Standard cannot confer immunity from legal obligations.

This Draft for Development was published under the authority of the Standards Policy and Strategy Committee on 31 October 2011.

Amendments issued since publication
Amd. No.   Date   Text affected

DRAFT FOR DEVELOPMENT – DD IEC/TS 62351-8:2011

IEC/TS 62351-8
Edition 1.0 2011-09
TECHNICAL SPECIFICATION

Power systems management and associated information exchange – Data and communications security – Part 8: Role-based access control

INTERNATIONAL ELECTROTECHNICAL COMMISSION
PRICE CODE X
ICS 33.200
ISBN 978-2-88912-723-8
® Registered trademark of the International Electrotechnical Commission
colour inside

DD IEC/TS 62351-8:2011 – TS 62351-8 © IEC:2011(E)

CONTENTS

FOREWORD
INTRODUCTION
1 Scope
2 Normative references
3 Terms, definitions and abbreviations
3.1 Terms and definitions
3.2 Abbreviations
4 RBAC process model
4.1 General
4.2 Separation of subjects, roles, and rights
4.2.1 General
4.2.2 Subject assignment
4.2.3 Role assignment
4.2.4 Right assignment
4.3 Criteria for defining roles
4.3.1 Policies
4.3.2 User, roles, and rights
4.3.3 Introducing roles reduces complexity
5 Definition of roles
5.1 Role-to-right assignment inside the object in general
5.1.1 General
5.1.2 Number of supported rights
5.1.3 Number of supported roles
5.1.4 Flexibility of role-to-right mapping
5.2 Role-to-right assignment with respect to power systems
5.2.1 Mandatory roles and rights for logical-device access control
5.2.2 Power utility automation – IEC 61850
5.2.3 CIM – IEC 61968
5.2.4 AMI
5.2.5 DER
5.2.6 Markets
5.3 Role-to-right assignment with respect to other non-power system domains (e.g. industrial process control)
6 General architecture for the PUSH model
6.1 General
6.2 Secure access to the LDAP-enabled service
7 General architecture for the PULL model
7.1 General
7.2 Secure access to the LDAP-enabled service
7.3 LDAP directory organization
8 General application of RBAC access token
8.1 General
8.2 Session based approach
8.3 Message based approach
9 Definition of access tokens
9.1 General
9.2 Supported profiles
9.3 Identification of access token
9.4 General structure of the access tokens
9.4.1 Mandatory fields in the access tokens
9.4.2 Mandatory profile-specific fields
9.4.3 Optional fields in the access tokens
9.4.4 Definition of specific fields
9.5 Specific structure of the access tokens
9.5.1 Profile A: X.509 ID certificate
9.5.2 Profile B: X.509 attribute certificate
9.5.3 Profile C: Software token
9.6 Distribution of the access tokens
10 Transport profiles
10.1 Usage in TCP-based protocols
10.2 Usage in non-Ethernet based protocols
11 Verification of access tokens
11.1 Normative part
11.1.1 General
11.1.2 Access token authenticity
11.1.3 Time period
11.1.4 Access token integrity
11.2 Optional part
11.3 Revocation methods
11.3.1 General
11.3.2 Supported methods
12 Interoperability
12.1 General
12.2 Supported access tokens
12.3 How to ensure backward compatibility
12.4 How to extend the list of roles and rights
12.5 How to map this specification to specific authorization mechanisms
Bibliography

Figure 1 – Generic framework for access control
Figure 2 – Diagram of RBAC with static and dynamic separation of duty according to (ANSI INCITS 359-2004)
Figure 3 – User, roles, rights and operations
Figure 4 – Schematic view of authorization mechanism based on RBAC
Figure 5 – Schematic view of authorization mechanism based on RBAC – PULL model
Figure 6 – Session based RBAC approach

Table 1 – List of pre-defined role-to-right assignment
Table 2 – List of mandatory pre-defined rights
Table 3 – Pre-defined roles
Table 4 – Mandatory role-to-right mapping for service access control
Table 5 – The ALLOW right
Table 6 – The DENY right
Table 7 – VIEW right and associated ACSI services
Table 8 – Mapping between ID and attribute certificate

INTERNATIONAL ELECTROTECHNICAL COMMISSION

POWER SYSTEMS MANAGEMENT AND ASSOCIATED INFORMATION EXCHANGE – DATA AND COMMUNICATIONS SECURITY
Part 8: Role-based access control

FOREWORD

1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.

2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees.

3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user.

4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.

5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies.

6) All users should ensure that they have the latest edition of this publication.

7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.

8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication.

9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

The main task of IEC technical committees is to prepare International Standards. In exceptional circumstances, a technical committee may propose the publication of a technical specification when the required support cannot be obtained for the publication of an International Standard, despite repeated efforts, or the subject is still under technical development or where, for any other reason, there is the future but no immediate possibility of an agreement on an International Standard. Technical specifications are subject to review within three years of publication to decide whether they can be transformed into International Standards.

IEC 62351-8, which is a technical specification, has been prepared by IEC technical committee 57: Power systems management and associated information exchange.

The text of this technical specification is based on the following documents:

Enquiry draft   Report on voting
57/1119/DTS     57/1153/RVC

Full information on the voting for the approval of this technical specification can be found in the report on voting indicated in the above table.

This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.

A list of all the parts in the IEC 62351 series, published under the general title Power systems management and associated information exchange – Data and communications security, can be found on the IEC website.

The committee has decided that the contents of this publication will remain unchanged until the stability date indicated on the IEC web site under “http:/webstore.iec.ch“ in the data related to the specific publication. At this date, the publication will be transformed into an International standard, reconfirmed, withdrawn, replaced by a revised edition, or amended.

A bilingual version of this publication may be issued at a later date.

IMPORTANT – The “colour inside” logo on the cover page of this publication indicates that it contains colours which are considered to be useful for the correct understanding of its contents. Users should therefore print this document using a colour printer.

INTRODUCTION

This Technical Specification covers access control in power systems. The power system environment supported by this specification is enterprise-wide and extends beyond traditional borders to include external providers, suppliers, and other energy partners. Driving factors are the liberalization of the energy sector, the increasingly decentralized generation of energy, and the need to control access to data of precious resources. This specification supports a distributed security environment in which security is also a distributed service.

The power system sector is continually improving the delivery of energy by leveraging technical advances in computer-based applications. Utility operators, energy brokers and end-users are increasingly accessing multiple applications to deliver, transmit and consume energy in a personalized way. These disparate applications are naturally connected to a common network infrastructure that typically supports protection equipment, substation automation protocols, inter-station protocols, remote access and business-to-business services. Consequently, secure access to these distributed and often loosely coupled applications is even more important than access to an application running on a stand-alone object.

Secure access to computer-based applications involves authentication of the user to the application. After authentication, the level at which a user can use the application is determined. The use of local mechanisms for authorization creates a patchwork of approaches which are difficult to administer uniformly across the breadth of a power system enterprise: each application decides the authorization on its own logic.

If applications can use a network, a database can serve as a trusted source of users' group or role affiliation. Thus, access to a shared user base can be controlled centrally. Each application can then examine the rights listed for a subject and the corresponding role and determine that subject's level of authorization.

The role of a user is transported to the object in a container called the access token of that user. Access tokens are created and administered by a (possibly federated) identity management tool. All access tokens have a lifetime and are subject to expiration. Prior to verification of the access token itself, the user transmitting the access token must be authenticated by the object. The object trusts the management tool to issue access tokens with a suitable lifetime. This enables local verification of the access token's validity at remote sites without the need to access a centralized repository (e.g. a centralized revocation list).

Three different access token formats are supported as three different profiles. Two of them are X.509 access tokens and the third is a software token similar to Kerberos. They can be used over TCP/IP and serial communication links.

This specification defines role-based access control (RBAC) for enterprise-wide use in power systems. It supports a distributed or service-oriented architecture where security is a distributed service and applications are consumers of distributed services.

POWER SYSTEMS MANAGEMENT AND ASSOCIATED INFORMATION EXCHANGE – DATA AND COMMUNICATIONS SECURITY
Part 8: Role-based access control

1 Scope

This technical specification covers the access control of users and automated agents in the following subjects to data objects in power systems by means of role-based access control (RBAC).

RBAC is not a new concept; it is used by many operating systems to control access to system resources. RBAC is an alternative to the all-or-nothing super-user model. RBAC is in keeping with the security principle of least privilege, which states that no subject should be given more rights than necessary for performing that subject's job. RBAC enables an organization to separate super-user capabilities and package them into special user accounts termed roles for assignment to specific individuals according to their job needs. This enables a variety of security policies covering networking, firewalls, back-ups, and system operation. A site that prefers a single strong administrator but wants to let more sophisticated users fix portions of their ow
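The local verification flow sketched in the Introduction (the object first authenticates the presenter, then checks the token's authenticity and time period before consulting the role-to-right mapping), as an added illustration that is not part of IEC/TS 62351-8: the claim names, the HMAC tag standing in for the issuer's signature, the role names and the role-to-right table are all constructed for this example.

```python
# Added illustration, not the token format defined by IEC/TS 62351-8.
# Claim names, the HMAC issuer tag, role names and the role-to-right
# table are constructed for this example only.
import hashlib, hmac, json, time

# Constructed role-to-right table; the specification's own mandatory
# assignments (its Table 1) are not reproduced here.
ROLE_RIGHTS = {
    "VIEWER": {"VIEW"},
    "OPERATOR": {"VIEW", "READ", "CONTROL"},
    "ENGINEER": {"VIEW", "READ", "CONTROL", "CONFIG"},
}


def _canonical(claims):
    # Deterministic encoding so issuer and verifier sign/verify identical bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_token(claims, issuer_key):
    """Identity-management side: bind the claims to the issuer with an HMAC tag."""
    tag = hmac.new(issuer_key, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "tag": tag}


def verify_token(token, issuer_key, authenticated_user, now=None):
    """Object side. The caller has already authenticated the presenter; this
    checks authenticity/integrity, binding to that user, then the time period.
    Returns (ok, reason) so a rejected token can be logged precisely."""
    now = time.time() if now is None else now
    claims = token["claims"]
    expected = hmac.new(issuer_key, _canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["tag"]):
        return False, "authenticity: tag does not verify (tampered or wrong issuer)"
    if claims.get("subject") != authenticated_user:
        return False, "subject in token differs from the authenticated user"
    if not claims["valid_from"] <= now <= claims["valid_to"]:
        return False, "time period: token expired or not yet valid"
    return True, "ok"


def is_permitted(token, issuer_key, authenticated_user, right, now=None):
    """Full decision: a valid token whose role carries the requested right."""
    ok, _ = verify_token(token, issuer_key, authenticated_user, now)
    return ok and right in ROLE_RIGHTS.get(token["claims"]["role"], set())
```

Because the object only needs the issuer's key and its clock, the decision is made locally, which is the property the Introduction attributes to bounded-lifetime tokens; revocation before expiry is a separate mechanism (Clause 11.3).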