This part of IEC 60870 describes messages and data formats for implementing IEC\/TS 62351- 5 for secure authentication as an extension to IEC 60870-5-101 and IEC 60870-5-104.<\/p>\n
The purpose of this base standard is to permit the receiver of any IEC 60870-5-101\/104 Application Protocol Data Unit (APDU) to verify that the APDU was transmitted by an authorized user and that the APDU was not modified in transit. It provides methods to authenticate not only the device which originated the APDU but also the individual human user if that capability is supported by the rest of the telecontrol system.<\/p>\n
This specification is also intended to be used, together with the definitions of IEC\/TS 62351-3, in conjunction with the IEC 60870-5-104 companion standard.<\/p>\n
The state machines, message sequences, and procedures for exchanging these messages are defined in the IEC\/TS 62351-5 specification. This base standard describes only the message formats, selected options, critical operations, addressing considerations and other adaptations required to implement IEC\/TS 62351 in the IEC 60870-5-101 and 104 protocols.<\/p>\n
The scope of this specification does not include security for IEC 60870-5-102 or IEC 60870-5-103. IEC 60870-5-102 is in limited use only and will therefore not be addressed. Users of IEC 60870-5-103 desiring a secure solution should implement IEC 61850 using the security measures from in IEC\/TS 62351 referenced in IEC 61850.<\/p>\n
Management of keys, certificates or other cryptographic credentials within devices or on communication links other than IEC 60870-5-101\/104 is out of the scope of this specification and may be addressed by other IEC\/TS 62351 specifications in the future.<\/p>\n
| PDF Pages<\/th>\n | PDF Title<\/th>\n<\/tr>\n | ||||||
|---|---|---|---|---|---|---|---|
| 4<\/td>\n | CONTENTS <\/td>\n<\/tr>\n | ||||||
| 7<\/td>\n | FOREWORD <\/td>\n<\/tr>\n | ||||||
| 9<\/td>\n | 1 Scope 2 Normative references <\/td>\n<\/tr>\n | ||||||
| 10<\/td>\n | 3 Terms, definitions and abbreviations 3.1 Terms and definitions <\/td>\n<\/tr>\n | ||||||
| 11<\/td>\n | 3.2 Abbreviated terms 4 Selected options 4.1 Overview of clause 4.2 MAC algorithms 4.3 Encryption algorithms 4.4 Maximum error count 4.5 Use of aggressive mode 5 Operations considered critical <\/td>\n<\/tr>\n | ||||||
| 12<\/td>\n | 6 Addressing information 7 Implementation of messages 7.1 Overview of clause 7.2 Data definitions 7.2.1 Causes of transmission 7.2.2 Type identifiers Tables Table 1 \u2013 Additional cause of transmission Table 2 \u2013 Additional type identifiers <\/td>\n<\/tr>\n | ||||||
| 13<\/td>\n | 7.2.3 Security statistics 7.2.4 Variable length data Table 3 \u2013 Maximum lengths of variable length data <\/td>\n<\/tr>\n | ||||||
| 14<\/td>\n | 7.2.5 Information object address 7.2.6 Transmitting extended ASDUs using segmentation Figures Figure 1 \u2013 ASDU segmentation control Figure 2 \u2013 Segmenting extended ASDUs <\/td>\n<\/tr>\n | ||||||
| 16<\/td>\n | Table 4 \u2013 ASDU segment reception state machine <\/td>\n<\/tr>\n | ||||||
| 17<\/td>\n | Figure 3 \u2013 Illustration of ASDU segment reception state machine <\/td>\n<\/tr>\n | ||||||
| 18<\/td>\n | 7.3 Application Service Data Units 7.3.1 TYPE IDENT 81: S_CH_NA_1Authentication challenge Figure 4 \u2013 ASDU: S_CH_NA_1 Authentication challenge <\/td>\n<\/tr>\n | ||||||
| 19<\/td>\n | 7.3.2 TYPE IDENT 82: S_RP_NA_1Authentication Reply Figure 5 \u2013 ASDU: S_RP_NA_1 Authentication Reply <\/td>\n<\/tr>\n | ||||||
| 20<\/td>\n | 7.3.3 TYPE IDENT 83: S_AR_NA_1Aggressive mode authentication request Figure 6 \u2013 ASDU: S_AR_NA_1 Aggressive Mode Authentication Request <\/td>\n<\/tr>\n | ||||||
| 21<\/td>\n | 7.3.4 TYPE IDENT 84: S_KR_NA_1Session key status request Figure 7 \u2013 ASDU: S_KR_NA_1 Session key status request <\/td>\n<\/tr>\n | ||||||
| 22<\/td>\n | 7.3.5 TYPE IDENT 85: S_KS_NA_1Session key status Figure 8 \u2013 ASDU: S_KS_NA_1 Session key status <\/td>\n<\/tr>\n | ||||||
| 23<\/td>\n | 7.3.6 TYPE IDENT 86: S_KC_NA_1Session key change Figure 9 \u2013 ASDU: S_KC_NA_1 Session key change <\/td>\n<\/tr>\n | ||||||
| 24<\/td>\n | 7.3.7 TYPE IDENT 87: S_ER_NA_1Authentication error Figure 10 \u2013 ASDU: S_ER_NA_1 Authentication error <\/td>\n<\/tr>\n | ||||||
| 25<\/td>\n | 7.3.8 TYPE IDENT 88: S_UC_NA_1User certificate Figure 11 \u2013 ASDU: S_UC_NA_1 User certificate <\/td>\n<\/tr>\n | ||||||
| 26<\/td>\n | 7.3.9 TYPE IDENT 90: S_US_NA_1User status change Figure 12 \u2013 ASDU: S_US_NA_1 User status change <\/td>\n<\/tr>\n | ||||||
| 27<\/td>\n | 7.3.10 TYPE IDENT 91: S_UQ_NA_1Update key change request Figure 13 \u2013 ASDU: S_UQ_NA_1 Update key change request <\/td>\n<\/tr>\n | ||||||
| 28<\/td>\n | 7.3.11 TYPE IDENT 92: S_UR_NA_1Update key change reply Figure 14 \u2013 ASDU: S_UR_NA_1 Update key change reply <\/td>\n<\/tr>\n | ||||||
| 29<\/td>\n | 7.3.12 TYPE IDENT 93: S_UK_NA_1Update key change\u00a0\uf02d\u00a0symmetric Figure 15 \u2013 ASDU: S_UK_NA_1 Update key change\u00a0\u2013\u00a0symmetric <\/td>\n<\/tr>\n | ||||||
| 30<\/td>\n | 7.3.13 TYPE IDENT 94: S_UA_NA_1Update key change\u00a0\uf02d\u00a0asymmetric Figure 16 \u2013 ASDU: S_UA_NA_1 Update key change\u00a0\u2013\u00a0asymmetric <\/td>\n<\/tr>\n | ||||||
| 31<\/td>\n | 7.3.14 TYPE IDENT 95: S_UC_NA_1Update key change confirmation Figure 17 \u2013 ASDU: S_UC_NA_1 Update key change confirmation <\/td>\n<\/tr>\n | ||||||
| 32<\/td>\n | 7.3.15 TYPE IDENT 41: S_IT_TC_1 Integrated totals containing time-tagged security statistics Figure 18 \u2013 ASDU: S_IT_TC_1 Integrated totals containing time-tagged security statistics <\/td>\n<\/tr>\n | ||||||
| 33<\/td>\n | 8 Implementation of procedures 8.1 Overview of clause 8.2 Initialization of aggressive mode <\/td>\n<\/tr>\n | ||||||
| 35<\/td>\n | Figure 19 \u2013 Example of successful initialization of challenge data <\/td>\n<\/tr>\n | ||||||
| 36<\/td>\n | 8.3 Refreshing challenge data 8.4 Co-existence with non-secure implementations 9 Implementation of IEC\/TS\u00a062351-3 using IEC\u00a060870-5-104 9.1 Overview of clause 9.2 Deprecation of non-encrypting cipher suites 9.3 Mandatory cipher suite 9.4 Recommended cipher suites <\/td>\n<\/tr>\n | ||||||
| 37<\/td>\n | 9.5 Negotiation of versions 9.6 Cipher renegotiation 9.7 Message authentication code 9.8 Certificate support 9.8.1 Overview of clause Table 5 \u2013 Recommended cipher suite combinations <\/td>\n<\/tr>\n | ||||||
| 38<\/td>\n | 9.8.2 Multiple Certificate Authorities (CAs) 9.8.3 Certificate size 9.8.4 Certificate exchange 9.8.5 Certificate comparison <\/td>\n<\/tr>\n | ||||||
| 39<\/td>\n | 9.9 Co-existence with non-secure protocol traffic 9.10 Use with redundant channels <\/td>\n<\/tr>\n | ||||||
| 40<\/td>\n | 10 Protocol Implementation Conformance Statement 10.1 Overview of clause 10.2 Required algorithms 10.3 MAC algorithms 10.4 Key wrap algorithms 10.5 Use of error messages 10.6 Update key change methods <\/td>\n<\/tr>\n | ||||||
| 41<\/td>\n | 10.7 User status change 10.8 Configurable parameters <\/td>\n<\/tr>\n | ||||||
| 42<\/td>\n | 10.9 Configurable statistic thresholds and statistic information object addresses 10.10 Critical functions <\/td>\n<\/tr>\n | ||||||
| 46<\/td>\n | Bibliography <\/td>\n<\/tr>\n<\/table>\n","protected":false},"excerpt":{"rendered":" Telecontrol equipment and systems – Transmission protocols. Security extensions to IEC 60870-5-101 and IEC 60870-5-104 protocols (applying IEC 62351)<\/b><\/p>\n |