
Saturday, October 28, 2017

Draft TR IEC 62351-90-2: Deep Packet Inspection (DPI) of Encrypted Communication

IEC TC 57 just published the document 57/1939/DTR:

Power systems management and associated information exchange –
Data and communications security –
IEC TR 62351-90-2: Deep Packet Inspection (DPI) of encrypted communications

This technical report analyses the impact of encrypted communication channels in power systems introduced with IEC 62351. As defined in IEC 62351 an encrypted channel can be employed when communicating with IEDs and encryption can be adopted at message level as well. For example, the use of encrypting TLS setups according to IEC 62351-3 introduces some issues when Deep Packet Inspection (DPI) is needed to inspect the communication channel for monitoring, auditing and validation needs.
In this report we analyze different techniques that can be employed to circumvent these issues when DPI of communications is required.

The voting closes 2017-12-22

Friday, August 18, 2017

Draft of First Amendment to IEC 62351-3 (power system security) Published

Draft IEC 62351-3/AMD1 ED1 (57/1894/CDV)
Amendment 1 – Power systems management and associated information exchange – Data and communications security – Part 3: Communication network and system security – Profiles including TCP/IP
The crucial amendment has been prepared by IEC TC57 Working Group 15 in order to address the following:

  1. Definition of additional security warnings for TLS versions 1.1 and 1.0
  2. Alignment of handling of revoked or expired certificates for TLS session resumption and TLS session renegotiation
  3. Clarification regarding session resumption and session renegotiation invocation based on session time.
  4. Enhancement of session resumption approach with the option of session tickets to better align with the upcoming new version of TLS
  5. Enhancement of the utilized public key methods for signing and key management with ECDSA based algorithms
  6. Update of the requirements for referencing standards
  7. Update of bibliography
The CDV ballot ends 2017-11-03

Tuesday, August 8, 2017

Draft for Role Based Access Control (RBAC) Published (IEC 62351-90-1)

IEC TC 57 published the IEC TR 62351-90-1 Draft for Role Based Access Control (RBAC) [57/1905/DTR]:

IEC 62351 Data and communications security –
Part 90-1: Guidelines for handling role-based access control in power systems

The voting period closes on 2017-09-29.

"The power system sector is adopting security measures to ensure the reliable delivery of energy. One of these measures comprises Role-based Access Control (RBAC), allowing utility operators, energy brokers and end-users to utilize roles to restrict the access to equipment and energy automation functionalities on a need-to-handle basis. The specific measures to realize this functionality have been defined in the context of IEC 62351-8. It defines 3 profiles for the transmission of RBAC related information. This information is, but not limited to, being contained in public key certificates, attribute certificates, or software tokens. Moreover, especially for IEC 61850, it defines a set of mandatory roles and associated rights. The standard itself also allows the definition of custom roles and associated rights, but this is not specified in a way to ensure interoperability."

Data and communication security is a crucial issue in the communication between multiple IEC 61850 clients and an IED with a single IEC 61850 Server. The administration of the roles and further behavior requires a highly complex (centralized!?) administration and a complex functionality in each IED implementing RBAC.

The following aspects have a big impact on implementations:
  1. TCP/IP Networking,
  2. General security measures like TLS,
  3. RBAC, 
  4. MMS,
  5. IEC 61850 Services, Models and Configuration, and
  6. Power system functionalities (key for the power delivery system) on top
The bulk of the resources needed is largely independent of the MMS protocol and services. People who want to use other protocols cannot really expect the cost of getting secure communication and data to be lower - most of the effort is related to non-protocol issues.
The second, third, fifth, and sixth bullets are the most crucial.
In addition to the cost of implementing RBAC (including the other required parts of the series IEC 62351) one has to understand that the operation, management, engineering, and configuration of RBAC consumes a relatively huge amount of resources of the embedded controllers or other platforms.
That is one of the crucial reasons why many IEDs installed today cannot (and likely will not) be upgraded for measures defined in the IEC 62351 series.

Recommendation: Start as soon as possible to understand the impact of the measures defined in IEC 62351 and how to implement some or many of these measures.

Related documents of the series IEC 62351 / IEC TS 62351, Power systems management and associated information exchange – Data and communications security, are:

Part 1: Communication network and system security – Introduction to security issues
Part 3: Communication network and system security – Profiles including TCP/IP
Part 4: Profiles including MMS
Part 5: Security for IEC 60870-5 and derivatives
Part 8: Role-based Access Control

Friday, May 19, 2017

Data And Communication Security for MMS is Speeding Up

IEC TC 57 is about to accelerate the publication of a new Standard on Security:
IEC 62351-4 ED1 (57/1860/CDV):
Power systems management and associated information exchange -
Data and communications security -
Part 4: Profiles including MMS
Closing date for voting: 2017-08-11

The current Part 4 is just a TS (Technical Specification). The need for a definitive solution for secure MMS communication is at hand.

"Scope
This second edition of this part of IEC 62351 substantially extends the scope of the first edition [KHS: TS only!]. While the first edition primarily provided some limited support for authentication during handshake for the Manufacturing Message Specification (MMS) based applications, this second edition provides support for extended integrity and authentication both for the handshake phase, and for the data transfer phase. In addition, it provides for shared key management and data transfer encryption and it provides security end-to-end (E2E) with zero or more intermediate entities. While the first edition only provides support for systems based on the MMS, i.e., systems using Open Systems Interworking (OSI) protocols, this second edition also provides support for application protocols using other protocol stacks, e.g., a TCP/IP protocol stack. This support is extended to protect application protocols using XML encoding [KHS: IEC 61850-8-2] and other protocols that have a handshake that can support the Diffie-Hellman key exchange. This extended security is referred to as E2E-security.
It is intended that this part of IEC 62351 be referenced as normative part of IEC TC 57 standards that have a need for using application protocols, e.g., MMS, in a secure manner.
It is anticipated that there are implementations, in particular Inter-Control Centre Communications Protocol (ICCP) implementations, that are dependent on the first edition of this part of IEC 52315. The first edition specification of the A-security-profile is therefore included as separate sections. Implementations supporting this A-security-profile will interwork with implementations supporting the first edition of this part of IEC 62351.
Special diagnostic information is provided for exception conditions for E2E-security.
This part of IEC 62351 represents a set of mandatory and optional security specifications to be implemented for protected application protocols."

By the way: The best security standard is useless if it is not implemented (and even worse when it is available but not used) in as many devices as possible! Talk to your management to get the resources (hardware, software, peopleware) to implement this new part - as soon as possible.

Tuesday, April 28, 2015

Draft IEC 61850-8-2 SCSM – Mapping to XER and XMPP

Some 20 years after the first draft IEC 61850-8-2 SCSM (Mapping to Profibus FMS) we could expect the real IEC 61850-8-2 to be available by end of 2015.

The draft 8-2 provides an additional mapping of the messages of MMS by XER (XML Encoding Rule) and XMPP.

The MMS messages for IEC 61850-8-2 (above TCP/TLS/XMPP) are just encoded differently than in IEC 61850-8-1, as can be seen by the following example:

image

ASN.1 BER uses a binary encoding that produces less overhead compared to XER. But there will be many benefits provided by IEC 61850-8-2.
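The overhead difference can be reproduced with a small added example (not from the original post or from IEC 61850-8-2). It encodes one constructed record in BER and as XER-style XML; the record layout and the names `ReadRequest`, `invokeID` and `itemName` are assumptions made for illustration, not the MMS PDU definitions.

```python
from xml.sax.saxutils import escape

def ber_length(n: int) -> bytes:
    """Definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value triple (single-octet tags only)."""
    return bytes([tag]) + ber_length(len(value)) + value

def ber_integer(v: int) -> bytes:
    """INTEGER (0x02) with minimal two's-complement content octets."""
    magnitude = v if v >= 0 else ~v
    size = magnitude.bit_length() // 8 + 1
    return ber_tlv(0x02, v.to_bytes(size, "big", signed=True))

def ber_visible_string(s: str) -> bytes:
    """VisibleString (0x1A)."""
    return ber_tlv(0x1A, s.encode("ascii"))

def ber_sequence(*members: bytes) -> bytes:
    """SEQUENCE (0x30, constructed)."""
    return ber_tlv(0x30, b"".join(members))

def xer_element(name: str, content: str) -> str:
    """XML element whose tag is the ASN.1 identifier, as XER does."""
    return f"<{name}>{content}</{name}>"

def encode_both(invoke_id: int, item_name: str) -> tuple[bytes, bytes]:
    """Encode the constructed (hypothetical) record both ways."""
    ber = ber_sequence(ber_integer(invoke_id), ber_visible_string(item_name))
    xer = xer_element(
        "ReadRequest",
        xer_element("invokeID", str(invoke_id))
        + xer_element("itemName", escape(item_name)),
    ).encode("utf-8")
    return ber, xer

if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    ber, xer = encode_both(1234, "LLN0$ST$Mod$stVal")
    print(f"BER {len(ber):3d} octets: {ber.hex()}")
    print(f"XER {len(xer):3d} octets: {xer.decode()}")
    print(f"XER/BER size ratio: {len(xer) / len(ber):.1f}")
```
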

According to a presentation by Siemens during the Hanover Fair 2015, these are the main conclusions:

  1. It provides a secure and powerful communication for public networks considering end-to-middle and end-to-end security relations
  2. IEC 61850-8-2 is intended for use in power management and demand response of DER (distributed energy resources)
  3. In 2015 the IEC TC57 working group WG17 will finalize and publish this new specification

Click HERE for the full presentation [pdf, 3 MB]

Saturday, February 7, 2015

Standard IEC 62351-3 “Communication network and system security - Profiles including TCP/IP” published

IEC TC 57 has published the crucial standard for security:

Standard IEC 62351-3
Power systems management and associated information exchange - Data and communications security -
Part 3: Communication network and system security - Profiles including TCP/IP

Partie 3: Sécurité des réseaux et des systèmes de communication – Profils comprenant TCP/IP

image

This part of IEC 62351 specifies how to secure TCP/IP-based protocols through constraints on the specification of the messages, procedures, and algorithms of Transport Layer Security (TLS) (defined in RFC 5246) so that they are applicable to the telecontrol environment of the IEC. TLS is applied to protect the TCP communication. It is intended that this standard be referenced as a normative part of other IEC standards (e.g., IEC 60870-5, IEC 60870-6, IEC 61850, IEC 61400-25, …) that have the need for providing security for their TCP/IP-based protocol.

Now it is up to the vendors and users to implement this standard or require it, respectively.

There is no excuse anymore that IEC 61850 has no security measures defined in the form of a standard that can officially be referenced.

Click HERE for the preview of the new standard.

Saturday, August 9, 2014

Just published FDIS IEC 62351-3 Communication network and system security – Profiles including TCP/IP

Security is discussed all over. IEC TC 57 has just published the following Final Draft International Standard:

FDIS IEC 62351-3 (57/1498/FDIS):
Power systems management and associated information exchange – Data and
communications security – Part 3: Communication network and system security – Profiles including TCP/IP

This Part 3 was a Technical Specification. The just published FDIS will – once approved as a standard – cancel and replace IEC TS 62351-3:2007.

The voting on the FDIS closes 2014-10-10. Please check with your TC 57 national mirror committee to get a copy of the draft for comments.

The standard will cover the following:

image

A crucial definition of this standard will be to require “TLS v1.2 as defined in RFC 5246 (sometimes referred to as SSL v3.3) or higher shall be supported.”

Be smart and build in security measures like the ones defined in the IEC 62351-3 Standard! You have to ask for it if you are a user – or you must implement it if you are a manufacturer of smart devices.

Wednesday, July 31, 2013

IEC 61850 Security – Siemens SIPROTEC 5

Siemens published an informative document on the security of their communication systems supporting IEC 61850, IEC 60870-5-103, DNP3 etc.:

SIPROTEC 5 Application Note
SIP5-APN-009:
Communication Architecture Under Cyber Security Aspects

I was a bit surprised that the IEC 61850-8-1 (MMS) communication in SIPROTEC 5 IEDs is not secured. The paper does not even mention the IEC 62351 series … which at least recommends applying TLS for the TCP communication and MMS.

Click HERE to download the document.

Sunday, March 31, 2013

Security Standard IEC 62351-3 on its way

The Technical Specification IEC TS 62351-3, First edition, 2007-06 is underway to become an International Standard (57/1319/CDV):

Power systems management and associated information exchange –
Data and communications security –
Part 3: Communication network and system security – Profiles including TCP/IP

The CDV is out for ballot until 2013-07-05.

IEC 62351-3 specifies how to secure TCP/IP-based protocols through constraints on the specification of the messages, procedures, and algorithms of Transport Layer Security (TLS) (defined in RFC 5246) so that they are applicable to the telecontrol environment of IEC TC57. It is intended that this standard be referenced as a normative part of other IEC TC57 standards that have the need for providing security for their TCP/IP-based protocol.

The conformance is very strict:

8 Conformance
Conformance to this part shall be determined by the implementation of all parts of clause 5.

The definition of clause 5 could be implemented today already: the content is available in the Technical Specification IEC TS 62351-3.

There is no (and never was an) excuse to not implement quite secure communication.

Sunday, March 10, 2013

Tissue Database for IEC 62351 just opened

The Tissue Database for IEC 62351:

Power systems management and associated information exchange – Data and communications security

has been opened for immediate access. Nine parts have been published so far. You may post your feedback (bug reports, …) now.

image

Access the Tissue Database for IEC 62351.

Monday, February 11, 2013

IEC 60870-5-104 and IEC 61850 for Vattenfall’s VHP-Ready (Virtual Heat and Power Ready) Version 3.0

Vattenfall Europe Wärme AG has published Version 3.0 (October 2012) of their technical specification for virtual power plants: VHP-READY – Virtual Heat & Power Ready. This version comprises a complete profile of models for use of both standards. A detailed list of signals and, respectively, Logical Nodes and Data Objects has been specified.

The new version specifies the use of IEC 60870-5-104 and IEC 61850:

  • IEC 60870-5-104 or IEC 61850 / 61850-7-420 (two options)
  • TCP/IP
  • SSL/TLS
  • SNTP/NTP

Download the complete specification version 3.0 [German only, pdf, 670 KB].

This specification is exactly what the market needs to do: specify at some level of detail what is required for a typical application!

Congratulations to Vattenfall for leading the market (to a great extent) in preparing and presenting a publicly available specification of a profile for virtual power plants based on two international Standards: IEC 60870-5-104 and IEC 61850 (IEC 61850-7-420).

Thursday, February 7, 2013

IEC 62351 added to SGIP Catalog of Standards

Thirteen new standards have been added to the SGIP’s Catalog of Standards (CoS), bringing the total number of standards currently in the CoS to 56. The newly added standards also include IEC 62351:

IEC 62351 Parts 1 – 7
The scope of the IEC 62351 series is information security for power system control operations. The primary objective is to undertake the development of standards for security of the communication protocols defined by IEC TC 57, specifically the IEC 60870-5 series, the IEC 60870-6 series, the IEC 61850 series, the IEC 61970 series, and the IEC 61968 series.  Another objective is to undertake the development of standards and/or technical reports on end-to-end security issues.

  • IEC 62351-1:  Communication network and system security – Introduction to security issues
  • IEC 62351-2:  Glossary of terms
  • IEC 62351-3:  Communication network and system security – Profiles including TCP/IP
  • IEC 62351-4:  Profiles including MMS
  • IEC 62351-5:  Security for IEC 60870-5 and derivatives
  • IEC 62351-6:  Security for IEC 61850
  • IEC 62351-7:  Network and system management (NSM) data object models

Note also this paper on TLS security issues (published the other day).

The Transport Layer Security (TLS) protocol aims to provide confidentiality and integrity of data in transit across untrusted networks. TLS has become the de facto secure protocol of choice for Internet and mobile applications. DTLS is a variant of TLS that is growing in importance.

That is why security experts should read the paper.