IEC 62351-7-2017 Power systems management and associated information exchange - Data and communications security - Part 7 Network and System Management (NSM) da.pdf

1、 IEC 62351-7 Edition 1.0 2017-07 INTERNATIONAL STANDARD Power systems management and associated information exchange Data and communications security Part 7: Network and System Management (NSM) data object models IEC 62351-7:2017-07(en) colour inside THIS PUBLICATION IS COPYRIGHT PROTECTED Copyright

2、 2017 IEC, Geneva, Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or IECs member National

3、 Committee in the country of the requester. If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or your local IEC member National Committee for further information. IEC Central Office Tel.: +41 22 91

4、9 02 11 3, rue de Varemb Fax: +41 22 919 03 00 CH-1211 Geneva 20 infoiec.ch Switzerland www.iec.ch About the IEC The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes International Standards for all electrical, electronic and related techn

5、ologies. About IEC publications The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the latest edition, a corrigenda or an amendment might have been published. IEC Catalogue - webstore.iec.ch/catalogue The stand-alone application for con

6、sulting the entire bibliographical information on IEC International Standards, Technical Specifications, Technical Reports and other documents. Available for PC, Mac OS, Android Tablets and iPad. IEC publications search - www.iec.ch/searchpub The advanced search enables to find IEC publications by a

7、 variety of criteria (reference number, text, technical committee,). It also gives information on projects, replaced and withdrawn publications. IEC Just Published - webstore.iec.ch/justpublished Stay up to date on all new IEC publications. Just Published details all new publications released. Avail

8、able online and also once a month by email. Electropedia - www.electropedia.org The worlds leading online dictionary of electronic and electrical terms containing 20 000 terms and definitions in English and French, with equivalent terms in 16 additional languages. Also known as the International Ele

9、ctrotechnical Vocabulary (IEV) online. IEC Glossary - std.iec.ch/glossary 65 000 electrotechnical terminology entries in English and French extracted from the Terms and Definitions clause of IEC publications issued since 2002. Some entries have been collected from earlier publications of IEC TC 37,

10、77, 86 and CISPR. IEC Customer Service Centre - webstore.iec.ch/csc If you wish to give us your feedback on this publication or need further assistance, please contact the Customer Service Centre: csciec.ch. IEC 62351-7 Edition 1.0 2017-07 INTERNATIONAL STANDARD Power systems management and associat

11、ed information exchange Data and communications security Part 7: Network and System Management (NSM) data object models INTERNATIONAL ELECTROTECHNICAL COMMISSION ICS 33.200 ISBN 978-2-8322-4442-5 Registered trademark of the International Electrotechnical Commission Warning! Make sure that you obtain

12、ed this publication from an authorized distributor. colour inside 2 IEC 62351-7:2017 IEC 2017 CONTENTS FOREWORD . 8 1 Scope 10 2 Normative references 10 3 Terms and definitions 12 4 Abbreviated terms and acronyms . 13 5 Overview of Network and System Management (NSM) 14 5.1 Objectives . 14 5.2 NSM c

13、oncepts. 15 5.2.1 Simple Network Management Protocol (SNMP) . 15 5.2.2 ISO NSM categories 15 5.2.3 NSM “data objects” for power system operations . 16 5.2.4 Other NSM protocols . 16 5.3 Communication network management . 16 5.3.1 Network configuration 16 5.3.2 Network backup . 17 5.3.3 Communication

14、s failures and degradation . 17 5.4 Communication protocols 18 5.5 End systems management 18 5.6 Intrusion detection systems (IDS) . 19 5.6.1 IDS guidelines . 19 5.6.2 IDS: Passive observation techniques . 20 5.6.3 IDS: Active security monitoring architecture with NSM data objects . 20 5.7 End-to-en

15、d security . 21 5.7.1 End-to-end security concepts. 21 5.7.2 Role of NSM in end-to-end security . 22 5.8 NSM requirements: detection functions . 24 5.8.1 Detecting unauthorized access 24 5.8.2 Detecting resource exhaustion as a denial of service (DoS) attack 24 5.8.3 Detecting invalid buffer access

16、DoS attacks 25 5.8.4 Detecting tampered/malformed PDUs 25 5.8.5 Detecting physical access disruption . 25 5.8.6 Detecting invalid network access . 25 5.8.7 Detecting coordinated attacks 26 5.9 Abstract object and agent UML descriptions 26 5.9.1 Purpose of UML . 26 5.9.2 Abstract types and base types

17、 . 27 5.9.3 Enumerated Types. 28 5.9.4 Abstract agents . 28 5.9.5 Unsolicited Event Notification 31 5.9.6 UML Model extension 31 5.10 Abstract Object UML translation to SNMP . 31 5.10.1 Simple Network Management Protocol (SNMP) . 31 5.10.2 Management information bases (MIBs) 32 5.11 SNMP mapping of

18、UML model Objects 33 5.12 SNMP Security 34 6 Abstract objects . 36 IEC 62351-7:2017 IEC 2017 3 6.1 General . 36 6.2 Package Abstract Types . 37 6.2.1 General . 37 6.2.2 BooleanValue 37 6.2.3 BooleanValueTs 37 6.2.4 CounterTs 37 6.2.5 CntRs 38 6.2.6 Floating . 38 6.2.7 FloatingTs . 38 6.2.8 EntityInd

19、ex 39 6.2.9 Integer . 39 6.2.10 IntegerTs . 39 6.2.11 InetAddress . 40 6.2.12 InetAddressType . 40 6.2.13 MacAddress . 40 6.2.14 Selector . 40 6.2.15 Timestamp . 41 6.2.16 CharString . 41 6.2.17 CharStringTs . 41 6.2.18 AbstractBaseType root class . 41 6.2.19 AbstractAgent root class 42 6.3 Package

20、EnumeratedTypes 42 6.3.1 General . 42 6.3.2 AppDatStKind enumeration 42 6.3.3 PhyHealthKind enumeration. 42 6.3.4 ExtKind enumeration . 42 6.3.5 IntKind enumeration. 43 6.3.6 LnkKind enumeration . 43 6.3.7 PSPAccKind enumeration 43 6.3.8 ProtIdKind enumeration . 43 6.3.9 EventKind enumeration 44 6.3

21、.10 TimSyncIssueKind enumeration . 44 6.3.11 SecurityProfileKind enumeration 45 6.3.12 TimSyncSrcKind enumeration 45 6.3.13 AppDatStType . 45 6.3.14 PhyHealthType 46 6.3.15 ExtType . 46 6.3.16 IntType 46 6.3.17 EventType . 46 6.3.18 PSPAccType . 47 6.3.19 ProtIdType . 47 6.3.20 TimSyncIssueType 47 6

22、.3.21 SecurityProfileType . 47 6.3.22 TimSyncSrcType . 48 6.3.23 LnkType 48 7 Agents . 48 7.1 Package Overview 48 7.2 Package Environmental Agent 50 7.2.1 General . 50 4 IEC 62351-7:2017 IEC 2017 7.2.2 Environmental . 51 7.2.3 PSUPEntry 51 7.2.4 Notification 52 7.2.5 SecurityNotification 52 7.3 Pack

23、age IED Agent . 53 7.3.1 General . 53 7.3.2 IED 54 7.3.3 CPUEntry 55 7.3.4 EXTEntry . 56 7.3.5 STOREEntry 56 7.3.6 Notification 57 7.3.7 SecurityNotification 57 7.4 Package Application Protocols Agents 57 7.4.1 General . 57 7.4.2 Package Common objects . 58 7.4.3 Package IEEE 1815 and IEC 60870-5 Ag

24、ent 59 7.4.4 Package IEC61850 Agent 68 7.5 Package Interfaces Agent . 87 7.5.1 General . 87 7.5.2 Interface 88 7.5.3 Interfaces 88 7.5.4 ETHEntry . 90 7.5.5 KEYEntry . 90 7.5.6 SEREntry. 91 7.5.7 ALGEntry . 91 7.5.8 USBEntry. 92 7.5.9 Notification 92 7.6 Package Clocks Agent 93 7.6.1 General . 93 7.

25、6.2 Clock . 93 7.6.3 ClockEntry . 94 7.6.4 SecurityNotification 95 7.7 Network and Transport Agents 95 7.7.1 TCP . 95 7.7.2 User Datagram Protocol (UDP) 95 7.7.3 IP 95 8 SNMP security . 96 9 Secured time synchronization 96 Annex A (normative) SNMP MIB Mapping 97 Annex B (informative) Mapping of rele

26、vant IEC 61850 Objects . 229 Bibliography 230 Figure 1 Example of a power system SCADA architecture extended with NSM Data Objects . 15 Figure 2 IDS Information exchange between applications: generic communication topology 19 Figure 3 Active security monitoring architecture with NSM data objects 21

27、Figure 4 Comparison of NSM data objects with IEC 61850 objects . 23 IEC 62351-7:2017 IEC 2017 5 Figure 5 Management of both the power system infrastructure and the information infrastructure 23 Figure 6 Abstract types 27 Figure 7 Enumerated types 28 Figure 8 Subagents 29 Figure 9 Environmental agent

28、 30 Figure 10 Model stereotypes 30 Figure 11 Object identifier structure . 32 Figure 12 SNMP table 34 Figure 13 SNMP RFCs map and security . 35 Figure 14 SNMP Entity . 36 Figure 15 Class diagram Overview:Part7 Classes Overview 49 Figure 16 Class diagram Environmental Agent:Environmental . 50 Figure

29、17 Class diagram IED Agent:IED . 53 Figure 18 Class diagram Common objects:Application Protocol common objects . 58 Figure 19 Class diagram IEEE 1815 and IEC 60870-5 Agent:IEEE 1815 and IEC 60870 Agent Relationships . 60 Figure 20 Class diagram ACSI:ACSI . 69 Figure 21 Class diagram MMS:MMS . 71 Fig

30、ure 22 Class diagram SV and GSE common objects:SV and GSE common objects 76 Figure 23 Class diagram SV:SV 78 Figure 24 Class diagram GSE:GSE . 82 Figure 25 Class diagram Interfaces Agent:Interfaces 87 Figure 26 Class diagram Clocks Agent:Clocks Agent 93 Table 1 Attributes of Abstract Types:BooleanVa

31、lue . 37 Table 2 Attributes of Abstract Types:BooleanValueTs . 37 Table 3 Attributes of Abstract Types:CounterTs 38 Table 4 Attributes of Abstract Types:CntRs . 38 Table 5 Attributes of Abstract Types:Floating 38 Table 6 Attributes of Abstract Types:FloatingTs 39 Table 7 Attributes of Abstract Types

32、:EntityIndex . 39 Table 8 Attributes of Abstract Types:Integer . 39 Table 9 Attributes of Abstract Types:IntegerTs 39 Table 10 Attributes of Abstract Types:InetAddress 40 Table 11 Attributes of Abstract Types:InetAddressType 40 Table 12 Attributes of Abstract Types:MacAddress . 40 Table 13 Attribute

33、s of Abstract Types:Selector 41 Table 14 Attributes of Abstract Types:Timestamp . 41 Table 15 Attributes of Abstract Types:CharString 41 Table 16 Attributes of Abstract Types:CharStringTs 41 Table 17 Literals of EnumeratedTypes:AppDatStKind . 42 Table 18 Literals of EnumeratedTypes:PhyHealthKind 42

34、6 IEC 62351-7:2017 IEC 2017 Table 19 Literals of EnumeratedTypes:ExtKind . 43 Table 20 Literals of EnumeratedTypes:IntKind 43 Table 21 Literals of EnumeratedTypes:LnkKind 43 Table 22 Literals of EnumeratedTypes:PSPAccKind . 43 Table 23 Literals of EnumeratedTypes:ProtIdKind . 44 Table 24 Literals of

35、 EnumeratedTypes:EventKind . 44 Table 25 Literals of EnumeratedTypes:TimSyncIssueKind 44 Table 26 Literals of EnumeratedTypes:SecurityProfileKind . 45 Table 27 Literals of EnumeratedTypes:TimSyncSrcKind . 45 Table 28 Attributes of EnumeratedTypes:AppDatStType . 46 Table 29 Attributes of EnumeratedTy

36、pes:PhyHealthType 46 Table 30 Attributes of EnumeratedTypes:ExtType . 46 Table 31 Attributes of EnumeratedTypes:IntType 46 Table 32 Attributes of EnumeratedTypes:EventType . 47 Table 33 Attributes of EnumeratedTypes:PSPAccType . 47 Table 34 Attributes of EnumeratedTypes:ProtIdType 47 Table 35 Attrib

37、utes of EnumeratedTypes:TimSyncIssueType 47 Table 36 Attributes of EnumeratedTypes:SecurityProfileType . 48 Table 37 Attributes of EnumeratedTypes:TimSyncSrcType . 48 Table 38 Attributes of EnumeratedTypes:LnkType 48 Table 39 Attributes of Environmental Agent:Environmental . 51 Table 40 Attributes o

38、f Environmental Agent:PSUPEntry 51 Table 41 Attributes of Environmental Agent:Notification 52 Table 42 Attributes of Environmental Agent:SecurityNotification . 52 Table 43 Attributes of IED Agent:IED 54 Table 44 Attributes of IED Agent:CPUEntry. 55 Table 45 Attributes of IED Agent:EXTEntry . 56 Tabl

39、e 46 Attributes of IED Agent:STOREEntry 56 Table 47 Attributes of IED Agent:Notification 57 Table 48 Attributes of IED Agent:SecurityNotification 57 Table 49 Attributes of Common objects:CommonProtocolInfo . 58 Table 50 Attributes of IEEE 1815 and IEC 60870-5 Agent:60870andDNPProtocolInfo . 61 Table

40、 51 Attributes of IEEE 1815 and IEC 60870-5 Agent:Association 62 Table 52 Attributes of IEEE 1815 and IEC 60870-5 Agent:Summary . 64 Table 53 Attributes of IEEE 1815 and IEC 60870-5 Agent:60870andDNPSecurityNotification . 65 Table 54 Attributes of IEEE 1815 and IEC 60870-5 Agent:60870andDNPNotificat

41、ion . 65 Table 55 Attributes of IEEE 1815 and IEC 60870-5 Agent:MasterAssociation 66 Table 56 Attributes of IEEE 1815 and IEC 60870-5 Agent:OutstationAssociation . 67 Table 57 Attributes of ACSI:ACSISummary . 70 Table 58 Attributes of MMS:MMSProtocolInfo . 72 Table 59 Attributes of MMS:MMSProvider .

42、 73 Table 60 Attributes of MMS:MMSAssociation 74 IEC 62351-7:2017 IEC 2017 7 Table 61 Attributes of MMS:MMSSecurityNotification 75 Table 62 Attributes of MMS:MMSNotification 75 Table 63 Attributes of SV and GSE common objects:GSEandSVCommon 76 Table 64 Attributes of SV and GSE common objects:GSEandS

43、VPublisherAssociation 77 Table 65 Attributes of SV and GSE common objects:GSEandSVSubscriberAssociation 77 Table 66 Attributes of SV:SVProvider 79 Table 67 Attributes of SV:SVPublisherAssociationIP . 79 Table 68 Attributes of SV:SVPublisherAssociationL2 80 Table 69 Attributes of SV:SVSubcriberAssoci

44、ationIP. 80 Table 70 Attributes of SV:SVSubcriberAssociationL2 81 Table 71 Attributes of SV:SVNotification . 81 Table 72 Attributes of GSE:GSESubscriberAssociation . 83 Table 73 Attributes of GSE:GSEProvider 83 Table 74 Attributes of GSE:GSEPublisherAssociationIP 84 Table 75 Attributes of GSE:GSEPub

45、lisherAssociationL2 . 84 Table 76 Attributes of GSE:GSESubcriberAssociationIP . 85 Table 77 Attributes of GSE:GSESubscriberAssociationL2 . 85 Table 78 Attributes of GSE:GSENotification 86 Table 79 Attributes of Interfaces Agent:Interface. 88 Table 80 Attributes of Interfaces Agent:Interfaces . 89 Ta

46、ble 81 Attributes of Interfaces Agent:ETHEntry . 90 Table 82 Attributes of Interfaces Agent:KEYEntry . 90 Table 83 Attributes of Interfaces Agent:SEREntry . 91 Table 84 Attributes of Interfaces Agent:ALGEntry . 91 Table 85 Attributes of Interfaces Agent:USBEntry . 92 Table 86 Attributes of Interface

47、s Agent:Notification . 92 Table 87 Attributes of Clocks Agent:Clock 93 Table 88 Attributes of Clocks Agent:ClockEntry 94 Table 89 Attributes of Clocks Agent:SecurityNotification . 95 Table B.1 IEC 61850-7-4 objects mapping . 229 8 IEC 62351-7:2017 IEC 2017 INTERNATIONAL ELECTROTECHNICAL COMMISSION _

48、 POWER SYSTEMS MANAGEMENT AND ASSOCIATED INFORMATION EXCHANGE DATA AND COMMUNICATIONS SECURITY Part 7: Network and System Management (NSM) data object models FOREWORD 1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fie