IEC TS 60870-5-7:2025 远动设备和系统第5-7部分:传输协议IEC 60870-5-101和IEC 60870-5-104协议的安全扩展(应用IEC 62351)
标准编号:IEC TS 60870-5-7:2025
中文名称:远动设备和系统第5-7部分:传输协议IEC 60870-5-101和IEC 60870-5-104协议的安全扩展(应用IEC 62351)
英文名称:Telecontrol equipment and systems - Part 5-7: Transmission protocols - Security extensions to IEC 60870-5-101 and IEC 60870-5-104 protocols (applying IEC 62351)
发布日期:2025-03-18
标准范围
技术规范IEC TS 60870-5-7:20 25描述了用于实现用于安全通信的IEC 62351-5:20 23的消息和数据格式,作为IEC 60870-5-101和IEC 60870-5-104的扩展。本文件的目的是允许任何IEC 60870-5-101/-104应用协议数据单元(APDU)的接收器验证APDU是由授权用户传输的,并且APDU在传输过程中没有被修改。本文件还旨在与IEC 62351-3:20 23的定义一起与IEC 60870-5-104配套标准一起使用。IEC 62351-5:20 23中定义了状态机、消息序列和交换这些消息的过程。本文档仅描述了在IEC 60870-5-101和IEC 60870-5-104协议。除了上一版本之外,本文档的新版本还通过利用IEC 62351-8 RBAC方法和IEC 62351-5:20 23中已定义的角色到权限映射来解决基于角色的访问控制。本文件的范围不包括IEC 60870-5-102或IEC 60870-5-103的安全性。IEC 60870-5-102仅在有限的范围内使用,因此将不予讨论。需要安全解决方案的IEC 60870-5-103用户需要使用IEC 61850中引用的IEC 62351中的安全措施来实现IEC 61850。IEC 60870-5-101/104以外的设备内或通信链路上的密钥、证书或其他加密凭证的管理超出了本文档的范围,将来可能由其他IEC 62351出版物解决。这第二版取消并取代了2013年出版的第一版。本版构成技术修订版。与上一版相比,此版本包括以下重大技术变更:a)本版相对于上一版进行了全面修订;b)与IEC 62351-3:20 23和IEC 62351-5:20 23的更新版本保持一致;c)定义应用层和传输层的特定轮廓;d)引入会话发起请求以处理被叫站重新建立连接的情况;e)包括用于IEC 60870-5-101的不平衡模式的组播安全性,包括密钥管理;f)考虑基于IEC 62351-8的RBAC。本技术规范应与IEC 62351-5:20 23和IEC 60870-5-104:2016结合使用。
IEC TS 60870-5-7:2025, which is a technical specification, describes messages and data formats for implementing IEC 62351-5:2023 for secure communication as an extension to IEC 60870-5-101 and IEC 60870-5-104.
The purpose of this document is to permit the receiver of any IEC 60870-5-101/-104 Application Protocol Data Unit (APDU) to verify that the APDU was transmitted by an authorized user and that the APDU was not modified in transit.
This document is also intended to be used, together with the definitions of IEC 62351-3:2023, in conjunction with the IEC 60870-5-104 companion standard.
The state machines, message sequences, and procedures for exchanging these messages are defined in IEC 62351-5:2023. This document describes only the message formats, selected options, critical operations, addressing considerations and other adaptations required to implement IEC 62351 in the IEC 60870-5-101 and IEC 60870-5-104 protocols.
In addition to the previous edition, this new edition of this document also addresses role-based access control, by utilizing the IEC 62351-8 RBAC approach and the already defined role to permission mapping from IEC 62351-5:2023.
The scope of this document does not include security for IEC 60870-5-102 or IEC 60870-5-103. IEC 60870-5-102 is in limited use only and will therefore not be addressed. Users of IEC 60870-5-103 desiring a secure solution need to implement IEC 61850 using the security measures from in IEC 62351 referenced in IEC 61850.
Management of keys, certificates or other cryptographic credentials within devices or on communication links other than IEC 60870-5-101/104 is out of the scope of this document and might be addressed by other IEC 62351 publications in the future.
This second edition cancels and replaces the first edition published in 2013. This edition constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous edition:
a) This edition has been completely revised with respect to the previous edition;
b) Alignment with updated versions of IEC 62351-3:2023 and IEC 62351-5:2023;
c) Definition of specific profiles for application layer and transport layer;
d) Introduction of Session Initiation Request to handle situations in which the called station reestablishes a connection;
e) Inclusion of multicast security for the unbalanced mode of IEC 60870-5-101 including key management;
f) Consideration of RBAC based on IEC 62351-8.
This Technical Specification is to be used in conjunction with IEC 62351-5:2023 and IEC 60870-5-104:2016.
标准预览图
