Sunday, May 3, 2009

Role-based access control for IEC 61850, ...

The IEC TC 57 Committee Draft for IEC/TS 62351-8 Ed. 1.0 has been published the other day (document 57/1001/CD):
Power systems management and associated information exchange - Data and communications security - Part 8: Role-based access control.

Closing date for comments: 2009-08-07
(contact your national TC 57 committee for a copy).

This document provides a technical specification for access control in power systems. The power system environment supported by this specification is enterprise-wide and extends beyond traditional borders to include external providers, suppliers, and other energy partners.

This specification defines role-based access control (RBAC) for enterprise-wide use in power systems. It supports a distributed or service-oriented architecture where security is distributed service and applications are consumers of distributed services.

The access control for IEC 61850 data objects is to implement by the virtual access view with the following roles:

  • VIEW right: Allows the user/role to discover what objects are present within a Logical Device. If this right is not granted to a user/role, the Logical Device for which the View privilege has not been granted shall not appear.
  • READ right: Allows the user/role to obtain the values of objects that are present within a logical device.
  • DATASET right: Allows the user/role to have full management rights for both permanent and non-permanent DataSets.
  • REPORTING right: Allows a user/role to use buffered reporting as well as un-buffered reporting.
  • FILE right: Allows the user/role to have restricted rights for File Services.
  • CONTROL right: Allows a user to perform control operations.
  • CONFIG right: Allows a user to remotely configure certain aspects of the server.
  • SETTINGGROUP right: Allows a user to remotely configure Settings Groups.
  • MNGT right: Allows the role to transfer substation configuration language files and other files, as well as delete existing files.
  • SECURITY: Allows a user/role to perform security functions at both a Server/Service Access Point and Logical Device basis.

No comments: