{"id":426496,"date":"2024-10-20T07:02:20","date_gmt":"2024-10-20T07:02:20","guid":{"rendered":"https:\/\/pdfstandards.shop\/product\/uncategorized\/bs-en-iec-62351-52023-tc\/"},"modified":"2024-10-26T13:18:32","modified_gmt":"2024-10-26T13:18:32","slug":"bs-en-iec-62351-52023-tc","status":"publish","type":"product","link":"https:\/\/pdfstandards.shop\/product\/publishers\/bsi\/bs-en-iec-62351-52023-tc\/","title":{"rendered":"BS EN IEC 62351-5:2023 – TC"},"content":{"rendered":"

This part of IEC 62351 defines the application authentication mechanism (A-profile) specifying messages, procedures and algorithms for securing the operation of all protocols based on or derived from IEC 60870-5: Telecontrol Equipment and Systems – Transmission Protocols. This Standard applies to at least those protocols listed in Table 1. [Table 1] The initial audience for this International Standard is intended to be the members of the working groups developing the protocols listed in Table 1. For the measures described in this standard to take effect, they must be accepted and referenced by the specifications for the protocols themselves. This document is written to enable that process. The working groups in charge of take this standard to the specific protocols listed in Table 1 may choose not to do so. The subsequent audience for this specification is intended to be the developers of products that implement these protocols. Portions of this standard may also be of use to managers and executives in order to understand the purpose and requirements of the work. This document is organized working from the general to the specific, as follows: – Clauses 2 through 4 provide background terms, definitions, and references. – Clause 5 describes the problems this specification is intended to address. – Clause 6 describes the mechanism generically without reference to a specific protocol. – Clauses 7 and 8 describe the mechanism more precisely and are the primary normative part of this specification. – Clause 9 define the interoperability requirements for this authentication mechanism. – Clause 10 describes the requirements for other standards referencing this specification Unless specifically labelled as informative or optional, all clauses of this specification are normative.<\/p>\n

PDF Catalog<\/h4>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
PDF Pages<\/th>\nPDF Title<\/th>\n<\/tr>\n
1<\/td>\n30470729 <\/td>\n<\/tr>\n
231<\/td>\nA-30400482 <\/td>\n<\/tr>\n
232<\/td>\nundefined <\/td>\n<\/tr>\n
235<\/td>\nAnnex A (normative)Normative references to international publicationswith their corresponding European publications <\/td>\n<\/tr>\n
237<\/td>\nEnglish
CONTENTS <\/td>\n<\/tr>\n
241<\/td>\nFOREWORD <\/td>\n<\/tr>\n
243<\/td>\n1 Scope
Tables
Table 1 \u2013 Scope of application to standards <\/td>\n<\/tr>\n
244<\/td>\n2 Normative references <\/td>\n<\/tr>\n
245<\/td>\n3 Terms and definitions <\/td>\n<\/tr>\n
246<\/td>\n4 Abbreviated terms <\/td>\n<\/tr>\n
247<\/td>\n5 Problem description
5.1 Overview of clause
5.2 Specific threats addressed
5.3 Design issues
5.3.1 Overview of subclause
5.3.2 Asymmetric communications
5.3.3 Message-oriented <\/td>\n<\/tr>\n
248<\/td>\n5.3.4 Poor sequence numbers or no sequence numbers
5.3.5 Limited processing power
5.3.6 Limited bandwidth
5.3.7 No access to authentication server
5.3.8 Limited frame length <\/td>\n<\/tr>\n
249<\/td>\n5.3.9 Limited checksum
5.3.10 Radio systems
5.3.11 Dial-up systems
5.3.12 Variety of protocols affected
5.3.13 Differing data link layers <\/td>\n<\/tr>\n
250<\/td>\n5.3.14 Long upgrade intervals
5.3.15 Remote sites
5.3.16 Unreliable media
5.4 General principles
5.4.1 Overview of subclause
5.4.2 Application layer only
5.4.3 Generic definition mapped onto different protocols
5.4.4 Bi-directional
5.4.5 Management of cryptographic keys <\/td>\n<\/tr>\n
251<\/td>\n5.4.6 Backwards tolerance
5.4.7 Upgradeable
5.4.8 Multiple connections
6 Theory of operation
6.1 Overview of clause
6.2 The secure communication
6.2.1 Basic concepts <\/td>\n<\/tr>\n
252<\/td>\n6.2.2 Association ID <\/td>\n<\/tr>\n
253<\/td>\n6.2.3 Authenticating
6.2.4 Central Authority
6.2.5 Role Based Access Control (RBAC)
6.2.6 Cryptographic keys <\/td>\n<\/tr>\n
254<\/td>\nTable 2 \u2013 Summary of symmetric keys used
Table 3 \u2013 Summary of asymmetric keys used <\/td>\n<\/tr>\n
256<\/td>\nFigures
Figure 1 \u2013 Overview of interaction between Central Authority and stations <\/td>\n<\/tr>\n
257<\/td>\n6.2.7 Security statistics
6.2.8 Security events
7 Functional requirements
7.1 Overview of clause
7.2 Procedures Overview <\/td>\n<\/tr>\n
258<\/td>\n7.3 State machine overview
Figure 2 \u2013 Sequence of procedures <\/td>\n<\/tr>\n
259<\/td>\nTable 4 \u2013 States used in the controlling station state machine
Table 5 \u2013 States used in the controlled station state machine <\/td>\n<\/tr>\n
260<\/td>\n7.4 Timers and counters
7.5 Security statistics and events
7.5.1 General
Table 6 \u2013 Summary of timers and counters used <\/td>\n<\/tr>\n
261<\/td>\nTable 7 \u2013 Security statistics and associated events <\/td>\n<\/tr>\n
264<\/td>\n7.5.2 Special security thresholds
7.5.3 Security statistics reporting
7.5.4 Security events monitoring and logging <\/td>\n<\/tr>\n
265<\/td>\n8 Formal procedures
8.1 Overview of subclause
8.2 Distinction between messages and ASDUs
8.2.1 General
8.2.2 Messages datatypes and notations
8.3 Station Association procedure
8.3.1 General <\/td>\n<\/tr>\n
266<\/td>\n8.3.2 Public key certificates
Table 8 \u2013 Elliptic curves <\/td>\n<\/tr>\n
268<\/td>\n8.3.3 Configuration of authorized remote stations
8.3.4 Pre-requisites to initiate the Station Association procedure
8.3.5 Messages definition <\/td>\n<\/tr>\n
269<\/td>\nFigure 3 \u2013 Station Association procedure <\/td>\n<\/tr>\n
270<\/td>\nTable 9 \u2013 Association Request message <\/td>\n<\/tr>\n
271<\/td>\nTable 10 \u2013 Association Response message <\/td>\n<\/tr>\n
273<\/td>\nTable 11 \u2013 Update Key Change Request message <\/td>\n<\/tr>\n
275<\/td>\nTable 12 \u2013 Data Included in MAC calculation (in order)
Table 13 \u2013 Update Key Change Response message <\/td>\n<\/tr>\n
276<\/td>\nTable 14 \u2013 Data Included in MAC calculation (in order) <\/td>\n<\/tr>\n
277<\/td>\n8.3.6 Controlling station state machine <\/td>\n<\/tr>\n
278<\/td>\nFigure 4 \u2013 Station Association \u2013 Controlling station state machine <\/td>\n<\/tr>\n
279<\/td>\nTable 15 \u2013 Controlling station state machine: Station Association <\/td>\n<\/tr>\n
287<\/td>\n8.3.7 Controlled station state machine <\/td>\n<\/tr>\n
288<\/td>\nFigure 5 \u2013 Station Association \u2013 Controlled station state machine <\/td>\n<\/tr>\n
289<\/td>\nTable 16 \u2013 Controlled station state machine: Station Association <\/td>\n<\/tr>\n
296<\/td>\n8.3.8 Verification of remote station\u2019s certificate
8.3.9 Verification of certificates during normal operations <\/td>\n<\/tr>\n
297<\/td>\n8.3.10 Update Keys derivation <\/td>\n<\/tr>\n
298<\/td>\n8.3.11 Controlling station directives for Station Association and Update Keys management
8.3.12 Controlled station directives for Station Association and Update Keys management <\/td>\n<\/tr>\n
299<\/td>\nTable 17 \u2013 List of pre-defined role-to-permission assignment <\/td>\n<\/tr>\n
300<\/td>\n8.3.13 Initializing and updating Stations Association and Update Keys <\/td>\n<\/tr>\n
301<\/td>\n8.4 Session Key Change procedure
8.4.1 General
Figure 6 \u2013 Example of Association ID, Update Keys and Session Keys initialization <\/td>\n<\/tr>\n
302<\/td>\n8.4.2 Messages definition
Figure 7 \u2013 Session Key Change procedure <\/td>\n<\/tr>\n
303<\/td>\nTable 18 \u2013 Session Request message <\/td>\n<\/tr>\n
305<\/td>\nTable 19 \u2013 Session Response message <\/td>\n<\/tr>\n
306<\/td>\nTable 20 \u2013 Data Included in MAC calculation (in order) <\/td>\n<\/tr>\n
307<\/td>\nTable 21 \u2013 Session Key Change Request message <\/td>\n<\/tr>\n
308<\/td>\nTable 22 \u2013 Data Included in WKD (in order) <\/td>\n<\/tr>\n
309<\/td>\nTable 23 \u2013 Example of Session Key order
Table 24 \u2013 Data Included in the MAC calculation (in order) <\/td>\n<\/tr>\n
310<\/td>\nTable 25 \u2013 Session Key Change Response message
Table 26 \u2013 Data Included in the MAC calculation (in order) <\/td>\n<\/tr>\n
311<\/td>\n8.4.3 Controlling station state machine <\/td>\n<\/tr>\n
312<\/td>\nFigure 8 \u2013 Session Key Change \u2013 Controlling station state machine <\/td>\n<\/tr>\n
313<\/td>\nTable 27 \u2013 Controlling station state machine: Session Key Change <\/td>\n<\/tr>\n
320<\/td>\n8.4.4 Controlled station state machine <\/td>\n<\/tr>\n
321<\/td>\nFigure 9 \u2013 Session Key Change \u2013 Controlled station state machine <\/td>\n<\/tr>\n
322<\/td>\nTable 28 \u2013 Controlled station state machine: Session Key Change <\/td>\n<\/tr>\n
328<\/td>\n8.4.5 Controlling station directives for Session Keys management
8.4.6 Controlled station directives for Session Keys management <\/td>\n<\/tr>\n
329<\/td>\n8.4.7 Initializing and changing Session Keys <\/td>\n<\/tr>\n
330<\/td>\n8.5 Secure Data Exchange
8.5.1 General
Figure 10 \u2013 Example of Session Key initialization and periodic update <\/td>\n<\/tr>\n
331<\/td>\n8.5.2 Messages definition
Figure 11 \u2013 Secure Data Exchange <\/td>\n<\/tr>\n
332<\/td>\nTable 29 \u2013 Secure Data message <\/td>\n<\/tr>\n
333<\/td>\nTable 30 \u2013 Secure Data Payload using MAC algorithm <\/td>\n<\/tr>\n
334<\/td>\nTable 31 \u2013 Data included in the MAC calculation in Secure Data Payload (in order)
Table 32 \u2013 AEAD algorithm parameters to generate the Secure Data Payload (in order) <\/td>\n<\/tr>\n
335<\/td>\n8.5.3 Controlling station state machine <\/td>\n<\/tr>\n
336<\/td>\nFigure 12 \u2013 Secure Data Exchange \u2013 Controlling station state machine <\/td>\n<\/tr>\n
337<\/td>\nTable 33 \u2013 Controlling station state machine: Secure Data Exchange <\/td>\n<\/tr>\n
340<\/td>\n8.5.4 Controlled station state machine <\/td>\n<\/tr>\n
341<\/td>\nFigure 13 \u2013 Secure Data Exchange \u2013 Controlled station state machine <\/td>\n<\/tr>\n
342<\/td>\nTable 34 \u2013 Controlled station state machine: Secure Data Exchange <\/td>\n<\/tr>\n
344<\/td>\n8.5.5 Controlling station directives for Secure Data Exchange
8.5.6 Controlled station directives for Secure Data Exchange <\/td>\n<\/tr>\n
345<\/td>\n8.5.7 Example of Secure Data exchange during Station Association <\/td>\n<\/tr>\n
346<\/td>\n8.5.8 Example of Secure Data Exchange during Session Key Change
Figure 14 \u2013 Example of Secure Data Exchange during Station Association <\/td>\n<\/tr>\n
347<\/td>\nFigure 15 \u2013 Example of Secure Data messages exchanged during Session Key Change <\/td>\n<\/tr>\n
348<\/td>\n9 Interoperability requirements
9.1 Overview of clause
9.2 Minimum requirements
9.2.1 Overview of subclause
9.2.2 Authentication algorithms
9.2.3 Key wrap \/ transport algorithms <\/td>\n<\/tr>\n
349<\/td>\n9.2.4 Cryptographic keys
9.2.5 Cryptographic curves
9.2.6 Configurable values <\/td>\n<\/tr>\n
351<\/td>\n9.2.7 Cryptographic information
9.3 Options
9.3.1 Overview of subclause
Table 35 \u2013 Configuration of cryptographic information
Table 36 \u2013 Legend for configuration of cryptographic information <\/td>\n<\/tr>\n
352<\/td>\n9.3.2 MAC\/AEAD algorithms
9.3.3 Key wrap \/ transport algorithms
9.3.4 Cryptographic curves
9.4 Use with TCP\/IP
9.5 Use with redundant channels <\/td>\n<\/tr>\n
353<\/td>\n10 Requirements for referencing this standard
10.1 Overview of clause
10.2 Selected options
10.3 Message format mapping
10.4 Reference to procedures
10.5 Protocol information <\/td>\n<\/tr>\n
354<\/td>\n10.6 Controlled station response to unauthorized operations requests
10.7 Transmission of security statistics
10.8 Configurable values
10.9 Protocol implementation conformance statement <\/td>\n<\/tr>\n
355<\/td>\nAnnex A (informative)Security Event mapping to IEC 62351-14
A.1 General
A.2 Mapping of IEC 62351-5 events specified in this document
Table A.1 \u2013 Security event logs defined in IEC 62351-5 Ed.1 mapped to IEC 62351-14 <\/td>\n<\/tr>\n
357<\/td>\nBibliography <\/td>\n<\/tr>\n<\/table>\n","protected":false},"excerpt":{"rendered":"

Tracked Changes. Power systems management and associated information exchange. Data and communications security – Security for IEC 60870-5 and derivatives<\/b><\/p>\n\n\n\n\n
Published By<\/td>\nPublication Date<\/td>\nNumber of Pages<\/td>\n<\/tr>\n
BSI<\/b><\/a><\/td>\n2023<\/td>\n358<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"featured_media":426505,"template":"","meta":{"rank_math_lock_modified_date":false,"ep_exclude_from_search":false},"product_cat":[2641],"product_tag":[],"class_list":{"0":"post-426496","1":"product","2":"type-product","3":"status-publish","4":"has-post-thumbnail","6":"product_cat-bsi","8":"first","9":"instock","10":"sold-individually","11":"shipping-taxable","12":"purchasable","13":"product-type-simple"},"_links":{"self":[{"href":"https:\/\/pdfstandards.shop\/wp-json\/wp\/v2\/product\/426496","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pdfstandards.shop\/wp-json\/wp\/v2\/product"}],"about":[{"href":"https:\/\/pdfstandards.shop\/wp-json\/wp\/v2\/types\/product"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/pdfstandards.shop\/wp-json\/wp\/v2\/media\/426505"}],"wp:attachment":[{"href":"https:\/\/pdfstandards.shop\/wp-json\/wp\/v2\/media?parent=426496"}],"wp:term":[{"taxonomy":"product_cat","embeddable":true,"href":"https:\/\/pdfstandards.shop\/wp-json\/wp\/v2\/product_cat?post=426496"},{"taxonomy":"product_tag","embeddable":true,"href":"https:\/\/pdfstandards.shop\/wp-json\/wp\/v2\/product_tag?post=426496"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}