IEC TS 62351-2:2008 pdf download – Power systems management and associated information exchange – Data and communications security – Part 2: Glossary of terms
1 Scope and object This part of IEC 62351 covers the key terms used in the IEC 62351 series, and is not meant to be a definitive list. Most terms used for cyber security are formally defined by other standards organizations, and so are included here with references to where they were originally defined.
2 Terms and definitions
2.1 Glossary references and permissions With permission granted by the appropriate organizations, the definitions in this glossary were copied from the following sources:
• [API 1 164] American Petroleum Institute. This standard on SCADA security provides guidance to the operators of Oil and Gas liquid pipeline systems for managing SCADA system integrity and security. The use of this document is not limited to pipelines, but should be viewed as a listing of best practices to be employed when reviewing and developing standards for a SCADA system. This document embodies the “API Security Guidelines for the Petroleum Industry.” This guideline is specifically designed to provide the operators with a description of industry practices in SCADA Security, and to provide the framework needed to develop sound security practices within the operator’s individual companies.
• [ATIS] ATIS Telecom Glossary 2007 at http://www.atis.org/glossary/. This web site incorporates and supersedes T1 .523-2001 , the ATIS Telecom Glossary of 2000 which was an expansion of FS-1 037C, the Federal Standard 1 037, Glossary of Telecommunication Terms initially published in 1 980 1 .
• [FIPS-1 40-2] This is the US Federal Information Processing Standard Publication 1 40-2, titled “Security Requirements for Cryptographic Modules”.
• [ISA99] This ISA Technical Report provides a framework for developing an electronic security program and provides a recommended organization and structure for the security plan. The information provides detailed information about the minimum elements to include. Site or entity specific information should be included at the appropriate places in the program.
• [ISO/IEC 27002:2005] “Information technology – Security techniques – Code of practice for information security management” is an internationally-accepted standard of good practice for information security. This standard was originally the British Standard, BS7799, and later was termed ISO/IEC 1 7799, and was recently renamed to ISO/IEC 27002:2005.
• [ISO/IEC] Many ISO/IEC documents contain term definitions that have been accepted as international standards. These documents are individually cited.
• [NIST SP 800-53: December 2007] National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems.
• [NIST SP 800-82: September 2007] National Institute of Standards and Technology (NIST) Guide to Industrial Control Systems Security
• [NIST SP 800-xx] Other National Institute of Standards and Technology (NIST) documents are cited.
• [NIST IR 7298] National Institute of Standards and Technology (NIST) Glossary of Key Information Security Terms. This document usually cites other sources, which are therefore cited directly in this document.
• [RFC 2828] IETF RFC 2828 standard glossary of terms used for the Internet
2.2 Glossary of security and related communication terms
2.2.1 Abstract Communication Service Interface (ACSI) A virtual interface to an IED providing abstract communication services, e.g. connection, variable access, unsolicited data transfer, device control and file transfer services, independent of the actual communication stack and profiles used. [IEC 61 850 series]
2.2.2 Access The ability and means to communicate with or otherwise interact with a system in order to use system resources to either handle information or gain knowledge of the information the system contains. [RFC 2828]
2.2.3 Access Authority An entity responsible for monitoring and granting access privileges for other authorized entities. [RFC 2828]
2.2.4 Access Control
1 . Prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner. [ISO/IEC 1 8028-2:2006]
2. Protection of resources against unauthorized access; a process by which use of resources is regulated according to a security policy and is permitted by only authorized system entities according to that policy. [RFC 2828]
3. Rules and deployment mechanisms which control access to information systems, and physical access to premises. The entire subject of Information Security is based upon Access Control, without which Information Security cannot, by definition, exist. [ISO/IEC 27002:2005]
