
IEC 62351-9:2023

Power systems management and associated information exchange - Data and communications security - Part 9: Cyber security key management for power system equipment

Edition date: 2023-06-06
In Force
Available languages: English, French
Summary: IEC 62351-9:2023 specifies cryptographic key management, primarily focused on the management of long-term keys, which are most often asymmetric key pairs, such as public-key certificates and the corresponding private keys. Since certificates form the base, this document provides the foundation for many IEC 62351 services (see also Annex A). Symmetric key management is also considered, but only with respect to session keys for group-based communication as applied in IEC 62351-6. The objective of this document is to define requirements and technologies to achieve interoperability of key management by specifying or limiting the key management options to be used.
This document assumes that an organization (or group of organizations) has defined a security policy to select the types of keys and cryptographic algorithms to be used, which may have to align with other standards or regulatory requirements. This document therefore specifies only the management techniques for the selected key and cryptographic infrastructures. It assumes that the reader has a basic understanding of cryptography and key management principles.
The requirements for the management of pairwise symmetric (session) keys in the context of communication protocols are specified in the parts of IEC 62351 that utilize or specify pairwise communication, such as:
• IEC 62351-3 for TLS by profiling the TLS options
• IEC 62351-4 for the application layer end-to-end security
• IEC TS 62351-5 for the application layer security mechanism for IEC 60870-5-101/104 and IEEE 1815 (DNP3)
The requirements for the management of symmetric group keys in the context of power system communication protocols are specified in IEC 62351-6, which uses group security to protect GOOSE and SV communication. IEC 62351-9 uses GDOI, a group-based key management protocol already specified by the IETF, to manage the group security parameters and extends this protocol to carry the security parameters for GOOSE, SV and PTP.
This document also defines security events for specific conditions that could identify issues requiring error handling. However, the actions an organization takes in response to these error conditions are beyond the scope of this document and are expected to be defined by the organization's security policy.
In the future, as public-key cryptography becomes endangered by the evolution of quantum computers, this document will also consider post-quantum cryptography to a certain extent. Note that at present no specific measures are provided.
This second edition cancels and replaces the first edition published in 2017. This edition constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous edition:
a) Certificate components and verification of the certificate components have been added;
b) GDOI has been updated to include findings from interop tests;
c) GDOI operation considerations have been added;
d) GDOI support for PTP (IEEE 1588) has been added as specified by the IEC/IEEE 61850-9-3 Power Profile;
e) Cyber security event logging has been added as well as the mapping to IEC 62351-14;
f) Annex B with background on utilized cryptographic algorithms and mechanisms has been added.


ICS: 33.200 - Telecontrol. Telemetering (SCADA)
CTN: TC 57 - 1273

Standards Cancellations

Cancels IEC 62351-9:2017

Other Relationships

Frankfurt Agreement FprEN IEC 62351-9:2023
