BSI PD IEC/TS 60870-5-7:2013

$189.07

Telecontrol equipment and systems – Transmission protocols. Security extensions to IEC 60870-5-101 and IEC 60870-5-104 protocols (applying IEC 62351)

Published By: BSI
Publication Date: 2013
Number of Pages: 48

This part of IEC 60870 describes messages and data formats for implementing IEC/TS 62351-5 for secure authentication as an extension to IEC 60870-5-101 and IEC 60870-5-104.

The purpose of this base standard is to permit the receiver of any IEC 60870-5-101/104 Application Protocol Data Unit (APDU) to verify that the APDU was transmitted by an authorized user and that the APDU was not modified in transit. It provides methods to authenticate not only the device which originated the APDU but also the individual human user if that capability is supported by the rest of the telecontrol system.

This specification is also intended to be used, together with the definitions of IEC/TS 62351-3, in conjunction with the IEC 60870-5-104 companion standard.

The state machines, message sequences, and procedures for exchanging these messages are defined in the IEC/TS 62351-5 specification. This base standard describes only the message formats, selected options, critical operations, addressing considerations and other adaptations required to implement IEC/TS 62351 in the IEC 60870-5-101 and 104 protocols.

The scope of this specification does not include security for IEC 60870-5-102 or IEC 60870-5-103. IEC 60870-5-102 is in limited use only and will therefore not be addressed. Users of IEC 60870-5-103 desiring a secure solution should implement IEC 61850 using the security measures from IEC/TS 62351 referenced in IEC 61850.

Management of keys, certificates or other cryptographic credentials within devices or on communication links other than IEC 60870-5-101/104 is out of the scope of this specification and may be addressed by other IEC/TS 62351 specifications in the future.

PDF Catalog

PDF Pages PDF Title
4 CONTENTS
7 FOREWORD
9 1 Scope
2 Normative references
10 3 Terms, definitions and abbreviations
3.1 Terms and definitions
11 3.2 Abbreviated terms
4 Selected options
4.1 Overview of clause
4.2 MAC algorithms
4.3 Encryption algorithms
4.4 Maximum error count
4.5 Use of aggressive mode
5 Operations considered critical
12 6 Addressing information
7 Implementation of messages
7.1 Overview of clause
7.2 Data definitions
7.2.1 Causes of transmission
7.2.2 Type identifiers
Tables
Table 1 – Additional cause of transmission
Table 2 – Additional type identifiers
13 7.2.3 Security statistics
7.2.4 Variable length data
Table 3 – Maximum lengths of variable length data
14 7.2.5 Information object address
7.2.6 Transmitting extended ASDUs using segmentation
Figures
Figure 1 – ASDU segmentation control
Figure 2 – Segmenting extended ASDUs
16 Table 4 – ASDU segment reception state machine
17 Figure 3 – Illustration of ASDU segment reception state machine
18 7.3 Application Service Data Units
7.3.1 TYPE IDENT 81: S_CH_NA_1 Authentication challenge
Figure 4 – ASDU: S_CH_NA_1 Authentication challenge
19 7.3.2 TYPE IDENT 82: S_RP_NA_1 Authentication Reply
Figure 5 – ASDU: S_RP_NA_1 Authentication Reply
20 7.3.3 TYPE IDENT 83: S_AR_NA_1 Aggressive mode authentication request
Figure 6 – ASDU: S_AR_NA_1 Aggressive Mode Authentication Request
21 7.3.4 TYPE IDENT 84: S_KR_NA_1 Session key status request
Figure 7 – ASDU: S_KR_NA_1 Session key status request
22 7.3.5 TYPE IDENT 85: S_KS_NA_1 Session key status
Figure 8 – ASDU: S_KS_NA_1 Session key status
23 7.3.6 TYPE IDENT 86: S_KC_NA_1 Session key change
Figure 9 – ASDU: S_KC_NA_1 Session key change
24 7.3.7 TYPE IDENT 87: S_ER_NA_1 Authentication error
Figure 10 – ASDU: S_ER_NA_1 Authentication error
25 7.3.8 TYPE IDENT 88: S_UC_NA_1 User certificate
Figure 11 – ASDU: S_UC_NA_1 User certificate
26 7.3.9 TYPE IDENT 90: S_US_NA_1 User status change
Figure 12 – ASDU: S_US_NA_1 User status change
27 7.3.10 TYPE IDENT 91: S_UQ_NA_1 Update key change request
Figure 13 – ASDU: S_UQ_NA_1 Update key change request
28 7.3.11 TYPE IDENT 92: S_UR_NA_1 Update key change reply
Figure 14 – ASDU: S_UR_NA_1 Update key change reply
29 7.3.12 TYPE IDENT 93: S_UK_NA_1 Update key change – symmetric
Figure 15 – ASDU: S_UK_NA_1 Update key change – symmetric
30 7.3.13 TYPE IDENT 94: S_UA_NA_1 Update key change – asymmetric
Figure 16 – ASDU: S_UA_NA_1 Update key change – asymmetric
31 7.3.14 TYPE IDENT 95: S_UC_NA_1 Update key change confirmation
Figure 17 – ASDU: S_UC_NA_1 Update key change confirmation
32 7.3.15 TYPE IDENT 41: S_IT_TC_1 Integrated totals containing time-tagged security statistics
Figure 18 – ASDU: S_IT_TC_1 Integrated totals containing time-tagged security statistics
33 8 Implementation of procedures
8.1 Overview of clause
8.2 Initialization of aggressive mode
35 Figure 19 – Example of successful initialization of challenge data
36 8.3 Refreshing challenge data
8.4 Co-existence with non-secure implementations
9 Implementation of IEC/TS 62351-3 using IEC 60870-5-104
9.1 Overview of clause
9.2 Deprecation of non-encrypting cipher suites
9.3 Mandatory cipher suite
9.4 Recommended cipher suites
37 9.5 Negotiation of versions
9.6 Cipher renegotiation
9.7 Message authentication code
9.8 Certificate support
9.8.1 Overview of clause
Table 5 – Recommended cipher suite combinations
38 9.8.2 Multiple Certificate Authorities (CAs)
9.8.3 Certificate size
9.8.4 Certificate exchange
9.8.5 Certificate comparison
39 9.9 Co-existence with non-secure protocol traffic
9.10 Use with redundant channels
40 10 Protocol Implementation Conformance Statement
10.1 Overview of clause
10.2 Required algorithms
10.3 MAC algorithms
10.4 Key wrap algorithms
10.5 Use of error messages
10.6 Update key change methods
41 10.7 User status change
10.8 Configurable parameters
42 10.9 Configurable statistic thresholds and statistic information object addresses
10.10 Critical functions
46 Bibliography