Role-based Access Control - On its way to become Standard

IEC 62351-8 is on its way to become an IEC Standard (57/2017/CD):

Power systems management and associated information exchange – Data and communications security –
Part 8: Role-based access control

The part 8 is currently a Technical Specification. This will change in the next step.

The 62 page CD has been published for commenting until 2018-09-28

"This document provides standard for access control in power systems. The power system
environment supported by this standard is enterprise-wide and extends beyond traditional
borders to include external providers, suppliers, and other energy partners. ...

The following interactions are in scope:

• local (direct wired) access to the object by a human user;
• local (direct wired) access to the object by a local and automated computer agent, e.g. another object at the field site;
• direct access by a user to the object using the objects’ built-in HMI or panel;
• remote (via dial-up or wireless media) access to the object by a human user;
• remote (via dial-up or wireless media) access to the object by a remote automated computer agent, e.g. another object at another substation, a distributed energy resource at an end-user’s facility, or a control centre application."

IEC just published Draft Guidelines for Handling Role-based Access Control in Power Systems

IEC TC 57 just published (57/1764/DC):

Draft IEC TR 62351-90-1, Power systems management and associated information exchange – Data and communications security – Part 90-1: Guidelines for Handling Role-based Access Control in Power Systems

This draft technical report addresses the handling of access control of users and automated agents
to data objects in power systems by means of role-based access control (RBAC) as defined in
IEC 62351-8. IEC 62351-8 defines three different profiles to distribute role information and
also defines a set of mandatory roles to be supported. Adoption of RBAC has shown that the
defined mandatory roles are not always sufficient and that the method for defining custom
roles should be standardized to ensure interoperability. Hence, the main focus of this
document lies in developing a standardized method for defining and engineering custom
roles, their role-to-right mappings and the corresponding infrastructure support needed to
utilize these custom roles in power systems.

Comments are welcome latest by 2016-10-07.

New part IEC 61850-90-19: Using Role Based Access Control (RBAC) and IEC 61850

IEC TC 57 has just proposed a new part of the series IEC 61850:
57/1740/DC:
IEC TR 61850-90-19: Communication networks and systems for power utility automation –
Part 90-19: Using Role Based Access Control (RBAC) and IEC 61850
This document is intended to extent IEC TS 62351-8 and provide configuration and maintenance or RBAC for IEC 61850 devices and applications.

Role-based access control for IEC 61850, ...

The IEC TC 57 Committee Draft for IEC/TS 62351-8 Ed. 1.0 has been published the other day (document 57/1001/CD):
Power systems management and associated information exchange - Data and communications security - Part 8: Role-based access control.

Closing date for comments: 2009-08-07
(contact your national TC 57 committee for a copy).

This document provides a technical specification for access control in power systems. The power system environment supported by this specification is enterprise-wide and extends beyond traditional borders to include external providers, suppliers, and other energy partners.

This specification defines role-based access control (RBAC) for enterprise-wide use in power systems. It supports a distributed or service-oriented architecture where security is distributed service and applications are consumers of distributed services.

The access control for IEC 61850 data objects is to implement by the virtual access view with the following roles:

• VIEW right: Allows the user/role to discover what objects are present within a Logical Device. If this right is not granted to a user/role, the Logical Device for which the View privilege has not been granted shall not appear.
• READ right: Allows the user/role to obtain the values of objects that are present within a logical device.
• DATASET right: Allows the user/role to have full management rights for both permanent and non-permanent DataSets.
• REPORTING right: Allows a user/role to use buffered reporting as well as un-buffered reporting.
• FILE right: Allows the user/role to have restricted rights for File Services.
• CONTROL right: Allows a user to perform control operations.
• CONFIG right: Allows a user to remotely configure certain aspects of the server.
• SETTINGGROUP right: Allows a user to remotely configure Settings Groups.
• MNGT right: Allows the role to transfer substation configuration language files and other files, as well as delete existing files.
• SECURITY: Allows a user/role to perform security functions at both a Server/Service Access Point and Logical Device basis.