Monday, October 1, 2012

MMS, IEC 61850-8-1, and IEC 62351 (Security)

A brief note on security in the MMS mapping of IEC 61400-25-4 and IEC 61850-8-1.

ISO 8650-1 (ACSE) defines the details of Authentication referred to in IEC 62351-4:

Excerpt of IEC 62351-4:

[Figure: excerpt of IEC 62351-4]

See the example of an ACSE AARQ in Wireshark (connecting to an IEC 61850 IED, password “glue” – in plain text):

[Figure: Wireshark capture of the ACSE AARQ]
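An added example (not from the original post or from any IEC document): a Python check that walks the BER fields of an ACSE AARQ and reports whether the calling-authentication-value is a cleartext charstring, as in the capture described above. The sample APDUs are constructed for illustration and the function names are hypothetical; the input is assumed to be the ACSE APDU alone, with transport, session and presentation headers already removed.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one BER TLV with a single-byte tag."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

# Authentication-value CHOICE alternatives (context tags 0..3)
AUTH_KINDS = {0x80: "charstring", 0x81: "bitstring", 0xA2: "external", 0xA3: "other"}

def audit_aarq(apdu):
    """Return None when no authentication-value is present,
    else (kind, raw_value, is_cleartext)."""
    tag, body, _ = read_tlv(apdu, 0)
    if tag != 0x60:                       # [APPLICATION 0] marks an AARQ
        raise ValueError("not an AARQ APDU")
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0xAC:                   # [12] calling-authentication-value
            kind, inner, _ = read_tlv(value, 0)
            name = AUTH_KINDS.get(kind, "unknown")
            return name, inner, name == "charstring"
    return None

def tlv(tag, value):
    """Builder for the constructed samples below (values under 128 bytes)."""
    return bytes([tag, len(value)]) + value

CONTEXT = tlv(0xA1, bytes.fromhex("060528ca220203"))  # application-context-name
SAMPLE_AARQ = tlv(0x60, CONTEXT
    + bytes.fromhex("8a020780")           # sender-acse-requirements
    + bytes.fromhex("8b03520301")         # mechanism-name (constructed OID)
    + tlv(0xAC, tlv(0x80, b"glue"))       # password from the post, as charstring
    + tlv(0xBE, bytes.fromhex("0400")))   # user-information placeholder
SAMPLE_NO_AUTH = tlv(0x60, CONTEXT)

if __name__ == "__main__":
    print(audit_aarq(SAMPLE_AARQ))
    print(audit_aarq(SAMPLE_NO_AUTH))
```

A result whose third element is `True` means the association request carried its password as a readable string on the wire.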

So, it would be sufficient to refer to IEC 62351-4 in IEC 61400-25-4 Edition 2 and in IEC 61850-8-1.

The following experience may be yours as well:

  1. Think of an IEC 61400-25-4 / IEC 61850-8-1 MMS server in an IED.
  2. MMS allows a username and password to be set.
  3. The client is, for example, the Omicron IED Scout.
  4. You can use a password to protect access to that server (to some extent).
  5. Many clients do not support sending a password to the server. So access from a couple of SCADA clients is not easy to manage … or even not possible at all.

It is highly recommended that the user community feed back their experience with MMS passwords to standardization groups like IEC TC 57 WG 10, 15, 17, 18, 19, ...

If you have a special experience or requirement on MMS password exchange, please let me know.

Thanks for your feedback.
