IEC TS 62351-7 pdf download – Power systems management and associated information exchange – Data and communications security – Part 7: Network and system management (NSM) data object models

IEC TS 62351-7 pdf download – Power systems management and associated information exchange – Data and communications security – Part 7: Network and system management (NSM) data object models

IEC TS 62351-7 pdf download – Power systems management and associated information exchange – Data and communications security – Part 7: Network and system management (NSM) data object models
1 scope
Power systems operations are increasingly reliant on information infrastructures,includingcommunication networks, intelligent electronic devices (IEDs) and self-definingcommunication protocols. Therefore,management of the information infrastructure hasbecome crucial to providing the necessary high levels of security and reliability in powersystem operations. Using the concepts developed in the lETF simple network managementprotocol (SNMP) standards for network management,IEC/TS 62351-7 defines network andsystem management(NSM) data object models that are specific to power system operations.These NSM data objects will be used to monitor the health of networks and systems, to detectpossible security intrusions, and to manage the performance and reliability of the informationinfrastructure.
The NSM data objects use the naming conventions developed for IEC 61850,expanded toaddress NSM issues.These data objects, and the data types of which they are comprised, aredefined as abstract models of data objects. The actual bits-and-bytes formats of the dataobjects will depend upon the mapping of these abstract NSM data objects to specificprotocols,such as lEC 61850,IEC 60870-5,IEC 60870-6,IEC 61968/EC 61970 (CIM), webservices,SNMP or any other appropriate protocol. Those mappings will need to bestandardized in separate documents.
2Normative references
The following referenced documents are indispensable for the application of this document.For dated references, only the edition cited applies. For undated references, the latest editionof the referenced document (including any amendments) applies.
IEC/TS 62351-2,Power systems management and associated information exchange – Dataand communications security – Part 2: Glossary of terms
3Terms and definitions
For the purposes of the present document, the terms and definitions given in lEC/TS 62351-2apply.
4 Glossary of terms and definitionsSee lEC/TS 62351-2.
5Background of network and system management(NSM) requirements
5.1Objectives of IEC NsM standards5.1.1 scope of end-to-end security
End-to-end security encompasses not only deliberate attacks but also inadvertent actions.
This statement is crucial to understanding the scope of this standard. Although somedefinitions of *security” just include the protection of systems against the deliberate attacks ofterrorists or cyber hackers,often more damage is done by carelessness,equipment failuresand natural disasters than by those deliberate attacks. Therefore,in this standard,”securitycovers all hazards,including deliberate attacks,inadvertent mistakes,equipment failures,software problems and natural disasters. For the security and reliability of power systemoperations, it does not matter whether a problem was caused by a deliberate attack or by aninadvertent action.
ln addition, many of the same measures that could be used against deliberate attacks can beused against inadvertent actions.Therefore,it is useful and cost-effective to address bothtypes of security threats with the same types of security measures.
5.1.2End-to-end security measures
IEC/TS 62351-3 to IEC/TS 62351-6 address security measures for communication protocols.End-to-end security entails a much larger scope than just the authentication of users and theencryption of these protocols. End-to-end security involves security policies,access controlmechanisms,key management, audit logs, and other critical infrastructure protection also entails securing the information infrastructure itself.
As discussed in IEC/TS62351-1,security threat agents include:
a) lnadvertent: Threat agents which may cause inadvertent “attacks” on systems:
careless users;
employees who bypass security;safety system failures;
equipment failures;natural disasters.
b) Deliberate: Threat agents which undertake deliberate attacks;
disgruntled employee;
industrial espionage agents;vandals;
cyber hackers;viruses and worms;thieves;
The key point is that the overall security of power system operations is threatened not only bydeliberate acts of terrorism but by many other,sometimes deliberate, sometimes inadvertentthreats that can ultimately have more devastating consequences than direct espionage.
As noted in lEC/TS 62351-1,,securing protocols using lEC/TS 62351-3 to IECTS 62351-6essentially provides authentication and (for some protocols)encryption over thecommunications link,covering 3 of the 4 security requirements: integrity, confidentiality andnon-repudiation.These very important security measures still, however, leave serious gaps:
First, they cover only the protocols over the communications link,and do not addressthe end users and end equipment. Masquerading users,equipment failures orundetected intrusions can disrupt operations even if the data exchanges are continuingcorrectly.
Second, they do not address denial of service. Denial of service can take many forms,from slowed data exchanges,failures of equipment, faults in communication paths,sporadic or decreased availability, interference and theft.