IEC 62351
IEC 62351 is a standard developed by WG15 of IEC TC57. This is developed for handling the security of TC 57 series of protocols including IEC 60870-5 series, IEC 60870-6 series, IEC 61850 series, IEC 61970 series & IEC 61968 series. The different security objectives include authentication of data transfer through digital signatures, ensuring only authenticated access, prevention of eavesdropping, prevention of playback and spoofing, and intrusion detection.
Standard details
[edit]- IEC 62351-1 — Introduction to the standard
- IEC 62351-2 — Glossary of terms
- IEC 62351-3 — Security for any profiles including TCP/IP.
- TLS Encryption
- Node Authentication by means of X.509 certificates
- Message Authentication
- IEC 62351-4 — Security for any profiles including MMS (e.g., ICCP-based IEC 60870-6, IEC 61850, etc.).
- Authentication for MMS
- TLS (RFC 2246)is inserted between RFC 1006 & RFC 793 to provide transport layer security
- IEC 62351-5 — Security for any profiles including IEC 60870-5 (e.g., DNP3 derivative)
- TLS for TCP/IP profiles and encryption for serial profiles.
- IEC 62351-6 — Security for IEC 61850 profiles.
- IEC 62351-7 — Security through network and system management.
- Defines Management Information Base (MIBs) that are specific for the power industry, to handle network and system management through SNMP based methods.
- IEC 62351-8 — Role-based access control.
- Covers the access control of users and automated agents to data objects in power systems by means of role-based access control (RBAC).
- IEC 62351-9 — Key Management
- Describes the correct and safe usage of safety-critical parameters, e.g. passwords, encryption keys.
- Covers the whole life cycle of cryptographic information (enrollment, creation, distribution, installation, usage, storage and removal).
- Methods for algorithms using asymmetric cryptography
- Handling of digital certificates (public / private key)
- Setup of the PKI environment with X.509 certificates
- Certificate enrollment by means of SCEP / CMP / EST
- Certificate revocation by means of CRL / OCSP
- A secure distribution mechanism based on GDOI and the IKEv2 protocol is presented for the usage of symmetric keys, e.g. session keys.
- IEC 62351-10 — Security Architecture
- Explanation of security architectures for the entire IT infrastructure
- Identifying critical points of the communication architecture, e.g. substation control center, substation automation
- Appropriate mechanisms security requirements, e.g. data encryption, user authentication
- Applicability of well-proven standards from the IT domain, e.g. VPN tunnel, secure FTP, HTTPS
- IEC 62351-11 — Security for XML Files
- Embedding of the original XML content into an XML container
- Date of issue and access control for XML data
- X.509 signature for authenticity of XML data
- Optional data encryption