IEC TS 62351-6:2007 – Power systems management and associated information exchange – Data and communications security – Part 6: Security for IEC 61850
1.2 Object
The initial audience for this specification is intended to be the members of the working groups developing or making use of the protocols listed in Table 1. For the measures described in this specification to take effect, they must be accepted and referenced by the specifications for the protocols themselves. This document is written to enable that process.
The subsequent audience for this specification is intended to be the developers of products that implement these protocols.
Portions of this specification may also be of use to managers and executives in order to understand the purpose and requirements of the work.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
IEC 61850 (all parts), Communication networks and systems in substations
IEC 61850-6, Communication networks and systems in substations – Part 6: Configuration description language for communication in electrical substations related to IEDs
IEC 61850-8-1, Communication networks and systems in substations – Part 8-1: Specific Communication Service Mapping (SCSM) – Mappings to MMS (ISO 9506-1 and ISO 9506-2) and to ISO/IEC 8802-3
IEC 61850-9-1, Communication networks and systems in substations – Part 9-1: Specific Communication Service Mapping (SCSM) – Sampled values over serial unidirectional multidrop point to point link
IEC 61850-9-2, Communication networks and systems in substations – Part 9-2: Specific Communication Service Mapping (SCSM) – Sampled values over ISO/IEC 8802-3
IEC 62351-1, Power systems management and associated information exchange – Data and communications security – Part 1: Communication network and system security – Introduction to security issues
IEC 62351-2, Power systems management and associated information exchange – Data and communications security – Part 2: Glossary of terms
IEC 62351-4, Power systems management and associated information exchange – Data and communications security – Part 4: Profiles including MMS
ISO 9506 (all parts), Industrial automation systems – Manufacturing Message Specification
ISO/IEC 8802-3, Information technology – Telecommunications and information exchange between systems – Local and metropolitan area networks – Specific requirements – Part 3: Carrier sense multiple access with collision detection (CSMA/CD) access method and physical layer specifications
ISO/IEC 13239, Information technology – Telecommunications and information exchange between systems – High-level data link control (HDLC) procedures
IEEE Std. 802.1Q-2003, Virtual Bridged Local Area Networks
RFC 2030, Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI
RFC 2313, PKCS #1: RSA Encryption Version 1.5
RFC 3447, Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications version 2.1
RFC 4634, US Secure Hash Algorithms (SHA and HMAC-SHA)
3 Definitions
For the purposes of this document, the terms and definitions contained in IEC 62351-2 apply.
4 Security issues addressed by this specification
4.1 Operational issues affecting choice of security options
For applications using GOOSE and IEC 61850-9-2 and requiring 4 ms response times, multicast configurations and low CPU overhead, encryption is not recommended. Instead, the communication path selection process (e.g. the fact that GOOSE and SMV are supposed to be restricted to a logical substation LAN) shall be used to provide confidentiality for information exchanges. However, this specification does define a mechanism for allowing confidentiality for applications where the 4 ms delivery criterion is not a concern.
With the exception of confidentiality, this specification sets forth a mechanism that allows co-existence of secure and non-secure PDUs.
4.2 Security threats countered
See IEC 62351-1 for a discussion of security threats and attack methods.
If encryption is not employed, then the specific threats countered in this part include:
unauthorized modification of information through message level authentication of the messages.
If encryption is employed, then the specific threats countered in this part include:
unauthorized access to information through message level authentication and encryption of the messages;
unauthorized modification (tampering) or theft of information through message level authentication and encryption of the messages.
4.3 Attack methods countered
The following security attack methods are intended to be countered through the appropriate implementation of the specification/recommendations found within this document:
man-in-the-middle: this threat will be countered through the use of a Message Authentication Code mechanism specified within this document;
tamper detection/message integrity: These threats will be countered through the algorithm used to create the authentication mechanism as specified within this document;
replay: this threat will be countered through the use of specialized processing state machines specified within IEC 62351-4 and this document.
5 Correlation of IEC 61850 parts and IEC 62351 parts
5.1 IEC 61850 security for profiles using ISO 9506 (MMS)
5.1.1 General
IEC 61850 implementations claiming conformance to this specification and declaring support for the IEC 61850-8-1 profile utilizing TCP/IP and ISO 9506 (MMS) shall implement Clauses 5 and 6 of IEC 62351-4. In addition to the IEC 62351-4 specification, extensions to IEC 61850-6 (the Substation Configuration Language) shall be supported as prescribed in 7.2.3.