
IEC 62351-3 pdf free download

Power systems management and associated information exchange – Data and communications security – Part 3: Communication network and system security – Profiles including TCP/IP.
Another issue addressed within this standard is how to achieve interoperability between different implementations. TLS allows a wide variety of cipher suites to be supported and negotiated at connection establishment, so two implementations could support mutually exclusive sets of cipher suites and never agree on one. This standard therefore requires that referring standards specify at least one common cipher suite and a set of TLS parameters that guarantee interoperability.
Additionally, this standard specifies the use of particular TLS capabilities that allow for specific security threats to be countered.
Note that TLS uses X.509 certificates (see also ISO/IEC 9594-8 or RFC 5280) for authentication. In the context of this specification the term certificate always means a public-key certificate (as opposed to an attribute certificate).
NOTE It is intended that the certificate management necessary to operate TLS be specified in compliance with IEC TS 62351-9.
4.2 Security threats countered
See IEC TS 62351-1 for a discussion of security threats and attack methods.
TCP/IP and the security specifications in this part of IEC 62351 cover only the communication transport layers (OSI layers 4 and lower). This part of IEC 62351 does not cover security functionality specific to the communication application layers (OSI layers 5 and above) or application-to-application security.
NOTE The application of TLS as profiled in this document supports the protection of information sent over the TLS protected connection.
The specific threats countered in this part of IEC 62351 for the transport layers include:
— Unauthorized modification or insertion of messages, countered through message-level authentication and integrity protection of messages.
Additionally, when the information has been identified as requiring confidentiality protection:
— Unauthorized access to or theft of information, countered through message-level encryption of the messages.
4.3 Attack methods countered
The following security attack methods are countered through the appropriate implementation of the specifications and recommendations in this part of IEC 62351.
— Man-in-the-middle: This threat is countered through the use of a Message Authentication Code mechanism or digital signatures specified within this document.
— Replay: This threat is countered through the use of specialized processing state machines specified by the normative references of this document.
— Eavesdropping: This threat is countered through the use of encryption.
NOTE The actual performance characteristics of an implementation claiming conformance to this standard are out of scope of this standard.
5 Mandatory requirements
5.1 Deprecation of cipher suites
Any cipher suite that specifies NULL for encryption shall not be used for communication outside the administrative domain unless encryption of the communication connection by other means can be guaranteed.
NOTE 1 This standard does not exclude the use of encrypted communications through cryptographically based VPN tunnels. The use of such VPNs is out of scope of this standard.
If the communication connection is encrypted by other means, the following integrity-only cipher suites (RFC 5246 registry names) may be used:
— TLS_RSA_WITH_NULL_SHA
— TLS_RSA_WITH_NULL_SHA256
5.2 Negotiation of versions
TLS v1.2 as defined in RFC 5246 (sometimes referred to as SSL v3.3) or higher shall be supported. To ensure backward compatibility, implementations shall also support TLS versions 1.0 and 1.1 (sometimes referred to as SSL v3.1 and v3.2). The TLS handshake provides a built-in mechanism that shall be used to support version negotiation. The IEC 62351 peer initiating a TLS connection shall always indicate the highest TLS version it supports in the TLS handshake message. The use of TLS versions other than v1.2 is a matter of the local security policy. Proposal of versions prior to TLS 1.0 shall result in no secure connection being established (see also RFC 6176).
The proposal of versions prior to TLS 1.0 (SSL v3.1) should raise a security event ("incident:unsecure communication"). Implementations should provide a mechanism for announcing security events.
NOTE The option to remotely monitor security events is preferred.
The proposal of versions TLS 1.0 or TLS 1.1 should raise a security warning ("warning:insecure TLS version"). Implementations should provide a mechanism for announcing security warnings.
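The admission rules of clauses 5.1 and 5.2, written out as executable policy in Python. This is an added example, not code from the standard or from any IEC 62351 implementation: the `Verdict` type, the `admit` helper, the "no common TLS version" label and the `INCIDENT_NULL_CIPHER` label are assumptions for illustration, while the two event strings, the accept/reject thresholds and the two permitted NULL-encryption suites (in their RFC 5246 registry names) come from the text above. TLS versions are modelled as the (major, minor) pair carried on the wire, which is why TLS 1.2 also appears as "SSL v3.3". The connection attempts at the bottom are constructed, not captured traffic.

```python
"""Connection-admission policy for IEC 62351-3 clauses 5.1 and 5.2 (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Version = Tuple[int, int]  # (major, minor) as encoded in the TLS handshake

# TLS 1.x is encoded on the wire as 3.(x+1); tuple comparison orders them correctly.
SSL_3_0: Version = (3, 0)
TLS_1_0: Version = (3, 1)
TLS_1_1: Version = (3, 2)
TLS_1_2: Version = (3, 3)
TLS_1_3: Version = (3, 4)

# Event strings exactly as named in clause 5.2.
INCIDENT_UNSECURE = "incident:unsecure communication"
WARNING_INSECURE_VERSION = "warning:insecure TLS version"
# Assumed labels: the standard names no event for these two cases.
INCIDENT_NULL_CIPHER = "incident:NULL encryption outside administrative domain"
ERROR_NO_COMMON_VERSION = "error:no common TLS version"

# The only NULL-encryption suites clause 5.1 allows, and only on a link that is
# already encrypted by other means (IANA names from RFC 5246 Appendix A.5).
PERMITTED_NULL_SUITES = {"TLS_RSA_WITH_NULL_SHA", "TLS_RSA_WITH_NULL_SHA256"}


@dataclass
class Verdict:
    accepted: bool
    negotiated: Optional[Version] = None
    events: List[str] = field(default_factory=list)  # events/warnings to announce


def version_name(v: Version) -> str:
    major, minor = v
    if major == 3 and minor == 0:
        return "SSL 3.0"
    if major == 3 and minor >= 1:
        return f"TLS 1.{minor - 1}"
    return f"unknown {major}.{minor}"


def negotiate_version(client_max: Version, server_supported: List[Version]) -> Optional[Version]:
    """The initiator offers its highest version (clause 5.2); the responder picks
    the highest version it supports that does not exceed that offer."""
    candidates = [v for v in server_supported if v <= client_max]
    return max(candidates) if candidates else None


def evaluate_version(client_max: Version, server_supported: List[Version]) -> Verdict:
    """Clause 5.2: below TLS 1.0 no secure connection is established and a security
    event is raised; TLS 1.0/1.1 are accepted with a warning; TLS 1.2+ is clean."""
    if client_max < TLS_1_0:  # SSL 3.0 or earlier, see RFC 6176
        return Verdict(False, None, [INCIDENT_UNSECURE])
    selected = negotiate_version(client_max, server_supported)
    if selected is None:
        return Verdict(False, None, [ERROR_NO_COMMON_VERSION])
    events = [WARNING_INSECURE_VERSION] if selected < TLS_1_2 else []
    return Verdict(True, selected, events)


def cipher_uses_null_encryption(suite: str) -> bool:
    # Registry names are TLS_<kx>_WITH_<cipher>_<mac>; NULL encryption shows up as
    # "_WITH_NULL_". TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) never use NULL.
    return "_WITH_NULL_" in suite


def evaluate_cipher(suite: str, outside_admin_domain: bool,
                    encrypted_by_other_means: bool) -> Verdict:
    """Clause 5.1: a NULL-encryption suite is refused outside the administrative
    domain unless the link is encrypted by other means (e.g. a VPN), and only the
    two listed integrity-only suites are acceptable at all."""
    if not cipher_uses_null_encryption(suite):
        return Verdict(True)
    if suite not in PERMITTED_NULL_SUITES:
        return Verdict(False, None, [INCIDENT_NULL_CIPHER])
    if outside_admin_domain and not encrypted_by_other_means:
        return Verdict(False, None, [INCIDENT_NULL_CIPHER])
    return Verdict(True)


def admit(client_max: Version, server_supported: List[Version], suite: str,
          outside_admin_domain: bool, encrypted_by_other_means: bool) -> Verdict:
    """Both checks for one connection attempt; all events are reported together."""
    v = evaluate_version(client_max, server_supported)
    if not v.accepted:
        return v
    c = evaluate_cipher(suite, outside_admin_domain, encrypted_by_other_means)
    return Verdict(c.accepted, v.negotiated, v.events + c.events)


if __name__ == "__main__":
    server = [TLS_1_0, TLS_1_1, TLS_1_2]  # the set clause 5.2 requires a peer to support
    attempts = [  # constructed: (offered version, suite, outside domain, link already encrypted)
        (TLS_1_3, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", True, False),
        (TLS_1_0, "TLS_RSA_WITH_AES_128_CBC_SHA", True, False),
        (SSL_3_0, "TLS_RSA_WITH_AES_128_CBC_SHA", True, False),
        (TLS_1_2, "TLS_RSA_WITH_NULL_SHA256", True, False),
        (TLS_1_2, "TLS_RSA_WITH_NULL_SHA256", True, True),
        (TLS_1_2, "TLS_RSA_WITH_NULL_MD5", False, True),
    ]
    for client_max, suite, outside, vpn in attempts:
        verdict = admit(client_max, server, suite, outside, vpn)
        print(f"{version_name(client_max):8} {suite:40} -> "
              f"{'accept' if verdict.accepted else 'reject'} {verdict.events}")
```

Inside the administrative domain a NULL suite passes without a VPN, matching the "outside the administrative domain" qualifier in 5.1; if local policy is stricter, tighten `evaluate_cipher` rather than the version check, since the two clauses are independent and the standard reports their events separately.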
