SIST EN 62351-3:2015/A2:2020

SLOVENSKI STANDARD
SIST EN 62351-3:2015/A2:2020
01-junij-2020
Upravljanje elektroenergetskega sistema in pripadajoča izmenjava informacij -
Varnost podatkov in komunikacij - 3. del: Varnost komunikacijskih omrežij in
sistemov - Profili za TCP/IP - Dopolnilo A2
Power systems management and associated information exchange - Data and
communications security - Part 3: Communication network and system security - Profiles
including TCP/IP
Datenmodelle, Schnittstellen und Informationsaustausch für Planung und Betrieb von
Energieversorgungsunternehmen - Daten- und Kommunikationssicherheit - Teil 3:
Sicherheit von Kommunikationsnetzen und Systemen - Profile einschließlich TCP/IP
Gestion des systèmes de puissance et échanges d’informations associés - Sécurité des
communications et des données - Partie 3: Sécurité des réseaux et des systèmes de
communication - Profils comprenant TCP/IP
Ta slovenski standard je istoveten z: EN 62351-3:2014/A2:2020
ICS:
29.240.30 Krmilna oprema za Control equipment for electric
elektroenergetske sisteme power systems
35.240.50 Uporabniške rešitve IT v IT applications in industry
industriji
SIST EN 62351-3:2015/A2:2020 en
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST EN 62351-3:2015/A2:2020

---------------------- Page: 2 ----------------------
SIST EN 62351-3:2015/A2:2020


EUROPEAN STANDARD EN 62351-3:2014/A2

NORME EUROPÉENNE

EUROPÄISCHE NORM
May 2020
ICS 33.200

English Version
Power systems management and associated information
exchange - Data and communications security - Part 3:
Communication network and system security - Profiles including
TCP/IP
(IEC 62351-3:2014/A2:2020)
Gestion des systèmes de puissance et échanges Management von Systemen der Energietechnik und
d'informations associés - Sécurité des communications et zugehöriger Datenaustausch - Daten- und
des données - Partie 3: Sécurité des réseaux et des Kommunikationssicherheit - Teil 3: Sicherheit von
systèmes de communication - Profils comprenant TCP/IP Kommunikationsnetzen und Systemen - Profile
(IEC 62351-3:2014/A2:2020) einschließlich TCP/IP
(IEC 62351-3:2014/A2:2020)
This amendment A2 modifies the European Standard EN 62351-3:2014; it was approved by CENELEC on 2020-04-02. CENELEC
members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this amendment the
status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This amendment exists in three official versions (English, French, German). A version in any other language made by translation under the
responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as
the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.


European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2020 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
 Ref. No. EN 62351-3:2014/A2:2020 E

---------------------- Page: 3 ----------------------
SIST EN 62351-3:2015/A2:2020
EN 62351-3:2014/A2:2020 (E)
European foreword
The text of document 57/2149/FDIS, future IEC 62351-3/A2, prepared by IEC/TC 57 "Power systems
management and associated information exchange" was submitted to the IEC-CENELEC parallel vote
and approved by CENELEC as EN 62351-3:2014/A2:2020.
The following dates are fixed:
• latest date by which the document has to be implemented at national (dop) 2021-01-02
level by publication of an identical national standard or by endorsement
• latest date by which the national standards conflicting with the (dow) 2023-04-02
document have to be withdrawn

Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
This document has been prepared under a mandate given to CENELEC by the European Commission
and the European Free Trade Association.
Endorsement notice
The text of the International Standard IEC 62351-3:2014/A2:2020 was approved by CENELEC as a
European Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standards
indicated:
IEC 62351-7 NOTE Harmonized as EN 62351-7
1 2
IEC 62351-14 NOTE Harmonized as EN IEC 62351-14


1
To be published. Stage at the time of publication: IEC/PCC 62351-14:2020.
2
To be published. Stage at the time of publication: prEN IEC 62351-14:2019.
2

---------------------- Page: 4 ----------------------
SIST EN 62351-3:2015/A2:2020
EN 62351-3:2014/A2:2020 (E)
Annex ZA
(normative)

Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1  Where an International Publication has been modified by common modifications, indicated by (mod), the relevant
EN/HD applies.
NOTE 2  Up-to-date information on the latest versions of the European Standards listed in this annex is available here:
www.cenelec.eu.

Add the following reference:
Publication Year Title EN/HD Year
IEC 62351-7 - Power systems management and associated EN 62351-7 -
information exchange - Data and
communications security - Part 7: Network
and System Management (NSM) data object
models



3

---------------------- Page: 5 ----------------------
SIST EN 62351-3:2015/A2:2020

---------------------- Page: 6 ----------------------
SIST EN 62351-3:2015/A2:2020



IEC 62351-3

®


Edition 1.0 2020-02




INTERNATIONAL



STANDARD




NORME



INTERNATIONALE




A MENDMENT 2

AM ENDEMENT 2





Power systems management and associated information exchange – Data

and communications security –

Part 3: Communication network and system security – Profiles including TCP/IP




Gestion des systèmes de puissance et échanges d'informations associés –

Sécurité des communications et des données –


Partie 3: Sécurité des réseaux et des systèmes de communication – Profils

comprenant TCP/IP












INTERNATIONAL

ELECTROTECHNICAL

COMMISSION


COMMISSION

ELECTROTECHNIQUE


INTERNATIONALE




ICS 33.200 ISBN 978-2-8322-7713-3




Warning! Make sure that you obtained this publication from an authorized distributor.

Attention! Veuillez vous assurer que vous avez obtenu cette publication via un distributeur agréé.

® Registered trademark of the International Electrotechnical Commission
Marque déposée de la Commission Electrotechnique Internationale

---------------------- Page: 7 ----------------------
SIST EN 62351-3:2015/A2:2020
– 2 – IEC 62351-3:2014/AMD2:2020
© IEC 2020
FOREWORD
This amendment to International Standard IEC 62351-3 has been prepared by IEC technical
committee 57: Power systems management and associated information exchange.
The text of this standard is based on the following documents:
FDIS Report on voting
57/2149/FDIS 57/2167/RVD

Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
A list of all parts in the IEC 62351 series, published under the general title Power systems
management and associated information exchange – Data and communications security, can
be found on the IEC website.
The committee has decided that the contents of this publication will remain unchanged until the
stability date indicated on the IEC web site under "http://webstore.iec.ch" in the data related to
the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.

____________

INTRODUCTION to Amendment 2
This amendment to International Standard IEC 62351-3 and its Amendment 1 (2018) has been
prepared in order to address the following issues:
– Support for TLS versions 1.1 and 1.0 is made optional instead of mandatory to address
known weaknesses. This is aligned with the defined security warnings for TLS versions 1.1
and 1.0.
– Update of TLS version handling during renegotiation and resumption to avoid TLS version
downgrade/upgrade within a same session.
– Updated explanatory text for session renegotiation to make the communication relations
clearer.
– Deprecation of RSA1024 and SHA-1 algorithms. This underlines the desire to disallow them
in the next edition.
– Inclusion of PICS section for mandatory and optional settings in TLS.
– Updated text for and enhancements of security events to better align with IEC 62351-14.
– Inclusion of general remarks for the security event handling.
– Update of references.

---------------------- Page: 8 ----------------------
SIST EN 62351-3:2015/A2:2020
IEC 62351-3:2014/AMD2:2020 – 3 –
© IEC 2020
Moreover, explanatory text has been included to better describe certain options as well as an
adjustment to the requirements for referencing standards.
2 Normative references
Add the following new document to the list of references:
IEC 62351-7, Power systems management and associated information exchange – Data and
communications security – Part 7: Network and System Management (NSM) data object models
4 Security issues addressed by this standard
4.2 Security threats countered
Replace the existing text of the second paragraph of Subclause 4.2 as modified by Amendment
1 with the following new text:
TCP/IP and the security specifications in this part of IEC 62351 cover only the communication
transport layers (OSI layers 4 and lower). Specifically, TLS protects the transported messages
from OSI layer 5 and above in a transparent way. This part of IEC 62351 does not cover security
functionality specific for the communication application layers (OSI layers 5 and above) or
application-to-application security.
Add, after existing Subclause 4.3 as modified by Amendment 1, the following new
Subclause 4.4:
4.4 Handling of security events
Throughout the document security events are defined as warnings and alarms. These security
events are intended to support the error handling and thus to increase system resilience.
Implementations should provide a mechanism for announcing security events.
It is recommended that the security warning and alarms throughout the document are
implemented by cyber security events as specified by IEC 62351-14 or by monitoring objects
as specified by IEC 62351-7.
Note that warnings and alarms are used to indicate the severity of an event from a security
point of view. The following notion is used:
– A warning was intended to raise awareness but to indicate that it may be safe to proceed.
– An alarm is an indication to not proceed.
In any case, it is expected that an operator’s security policy determines the final handling based
on the operational environment.
5 Mandatory requirements
5.1 Deprecation of cipher suites
Replace the existing text of the second paragraph of Subclause 5.1 with the following new text:
If the communication connection is encrypted the following cipher suites may be used:
– TLS_RSA_WITH_NULL_SHA
– TLS_RSA_WITH_NULL_SHA256
Replace the existing text of the fourth paragraph of Subclause 5.1 as added by Amendment 1
with the following new text:

---------------------- Page: 9 ----------------------
SIST EN 62351-3:2015/A2:2020
– 4 – IEC 62351-3:2014/AMD2:2020
© IEC 2020
The support of SHA-1 is deprecated. Its use is limited to backward compatibility. SHA-256 shall
be supported and is the preferred hash algorithm to be used.
Add, at the end of Subclause 5.1, the following new text:
The failure in finding a matching cipher suite during the TLS handshake shall raise a security
event ("alarm: no matching TLS cipher suites”).
5.2 Negotiation of versions
Replace the existing text of the first paragraph of Subclause 5.2 with the following new text:
TLS v1.2 as defined in RFC 5246 (sometimes referred to as SSL v3.3) is the default version
that shall be supported. Higher versions may be supported.
NOTE 1 This document refers to features defined for TLS 1.2. Higher versions of TLS, like TLS 1.3, do not
necessarily support all features listed in this document.
It is recommended that the TLS client initiating a TLS connection indicates the highest TLS
version supported in the ClientHello message of the TLS handshake. The receiving TLS
server may accept higher versions if functional supported and allowed by the security policy of
the operating environment.
To ensure backward compatibility implementations may optionally support TLS version 1.0 and
1.1 (sometimes referred to as SSL v3.1 and v3.2). The TLS handshake provides a built-in
mechanism that shall be used to support version negotiation. The peer initiating a TLS
connection shall always indicate the highest TLS version supported during the TLS handshake
message. The application of TLS versions other than v1.2 is a matter of the local security policy.
Proposal of versions prior to TLS 1.0 shall result in no secure connection being established
(see also RFC 6176).
NOTE 2 For TLS 1.0 and TLS 1.1 certain security issues are known, The optional support is
...