EN 62351-7-2017 en Power systems management and associated information exchange - Data and communications security - Part 7 Network and System Management (NSM) data object models.pdf

1、BSI Standards PublicationWB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06Power systems management and associated information exchange - Data and communications securityPart 7: Network and System Management (NSM) data object modelsBS EN 623517:2017EUROPEAN STANDARD NORME EUROPENNE EUROPISCHE

2、NORM EN 62351-7 December 2017 ICS 33.200 English Version Power systems management and associated information exchange - Data and communications security - Part 7: Network and System Management (NSM) data object models (IEC 62351-7:2017) Gestion des systmes dalimentation et change dinformations assoc

3、ies - Scurit des donnes et des communications - Partie 7: Modles dobjets de donnes pour la gestion des rseaux et systmes (NSM) (IEC 62351-7:2017) Datenmodelle, Schnittstellen und Informationsaustausch fr Planung und Betrieb von Energieversorgungsunternehmen - Daten- und Kommunikationssicherheit - Te

4、il 7: Netzwerk und System-Management (NSM) Daten-Objekt-Modelle (IEC 62351-7:2017) This European Standard was approved by CENELEC on 2017-08-22. CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status o

5、f a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CENELEC member. This European Standard exists in three official versions (English, French, Ge

6、rman). A version in any other language made by translation under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CENELEC members are the national electrotechnical committees of Austria, Belgi

7、um, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain,

8、 Sweden, Switzerland, Turkey and the United Kingdom. European Committee for Electrotechnical Standardization Comit Europen de Normalisation Electrotechnique Europisches Komitee fr Elektrotechnische Normung CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels 2017 CENELEC All rights o

9、f exploitation in any form and by any means reserved worldwide for CENELEC Members. Ref. No. EN 62351-7:2017 E National forewordThis British Standard is the UK implementation of EN 623517:2017. It is identical to IEC 623517:2017. It supersedes DD IEC/TS 623517:2010, which is withdrawn.The UK partici

10、pation in its preparation was entrusted to Technical Committee PEL/57, Power systems management and associated information exchange.A list of organizations represented on this committee can be obtained on request to its secretary.This publication does not purport to include all the necessary provisi

11、ons of a contract. Users are responsible for its correct application. The British Standards Institution 2018 Published by BSI Standards Limited 2018ISBN 978 0 580 89558 6ICS 33.200Compliance with a British Standard cannot confer immunity from legal obligations.This British Standard was published und

12、er the authority of the Standards Policy and Strategy Committee on 31 January 2018.Amendments/corrigenda issued since publicationDate Text affectedBRITISH STANDARDBS EN 623517:2017EUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN 62351-7 December 2017 ICS 33.200 English Version Power systems mana

13、gement and associated information exchange - Data and communications security - Part 7: Network and System Management (NSM) data object models (IEC 62351-7:2017) Gestion des systmes dalimentation et change dinformations associes - Scurit des donnes et des communications - Partie 7: Modles dobjets de

14、 donnes pour la gestion des rseaux et systmes (NSM) (IEC 62351-7:2017) Datenmodelle, Schnittstellen und Informationsaustausch fr Planung und Betrieb von Energieversorgungsunternehmen - Daten- und Kommunikationssicherheit - Teil 7: Netzwerk und System-Management (NSM) Daten-Objekt-Modelle (IEC 62351-

15、7:2017) This European Standard was approved by CENELEC on 2017-08-22. CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliogr

16、aphical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CENELEC member. This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the respon

17、sibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finlan

18、d, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. European Committee for

19、 Electrotechnical Standardization Comit Europen de Normalisation Electrotechnique Europisches Komitee fr Elektrotechnische Normung CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels 2017 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC

20、Members. Ref. No. EN 62351-7:2017 E BS EN 623517:2017EN 62351-7:2017 2 European foreword The text of document 57/1857/FDIS, future edition 1 of IEC 62351-7, prepared by IEC/TC 57 “Power systems management and associated information exchange“ was submitted to the IEC-CENELEC parallel vote and approve

21、d by CENELEC as EN 62351-7:2017. The following dates are fixed: latest date by which the document has to be implemented at national level by publication of an identical national standard or by endorsement (dop) 2018-06-15 latest date by which the national standards conflicting with the document have

22、 to be withdrawn (dow) 2020-12-15 Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights. This document has been prepared under a mandate given to CENELE

23、C by the European Commission and the European Free Trade Association. Endorsement notice The text of the International Standard IEC 62351-7:2017 was approved by CENELEC as a European Standard without any modification. In the official version, for Bibliography, the following notes have to be added fo

24、r the standards indicated: IEC 61850-7-2 NOTE Harmonized as EN 61850-7-2. IEC 61850-7-4 NOTE Harmonized as EN 61850-7-4. IEC 61850-8-1 NOTE Harmonized as EN 61850-8-1. IEC 61850-9-2 NOTE Harmonized as EN 61850-9-2. BS EN 623517:2017EN 62351-7:2017 3 Annex ZA (normative) Normative references to inter

25、national publications with their corresponding European publications The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest

26、 edition of the referenced document (including any amendments) applies. NOTE 1 Where an International Publication has been modified by common modifications, indicated by (mod), the relevant EN/HD applies. NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this a

27、nnex is available here: www.cenelec.eu. Publication Year Title EN/HD Year IEC/TS 62351-1 - Power systems management and associated information exchange - Data and communications security - Part 1: Communication network and system security - Introduction to security issues - - IEC/TS 62351-2 - Power

28、systems management and associated information exchange - Data and communications security - Part 2: Glossary of terms - - IEC 62351-3 - Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles inclu

29、ding TCP/IP EN 62351-3 - IEC 62351-4 1- Power systems management and associated information exchange - Data and communications security - Part 4: Profiles including MMS prEN 62351-4 2- IEC/TS 62351-5 - Power systems management and associated information exchange - Data and communications security -

30、Part 5: Security for IEC 60870-5 and derivatives - - IEC/TS 62351-8 - Power systems management and associated information exchange - Data and communications security - Part 8: Role-based access control - - IEC 62351-9 - Power systems management and associated information exchange - Data and communic

31、ations security - Part 9: Cyber security key management for power system equipment EN 62351-9 - 1Under preparation. Stage at the time of publication: IEC CDV 62351-4:2017. 2Under preparation. Stage at the time of publication: prEN 62351-4:2017. BS EN 623517:2017EN 62351-7:2017 4 Publication Year Tit

32、le EN/HD Year IEEE 754 2008 IEEE Standard for Binary Floating-Point Arithmetic - - IETF RFC 2578 1999 Structure of Management Information Version 2 (SMIv2), April 1999, http:/tools.ietf.org/html/rfc2578 - - IETF RFC 3410 2002 Introduction and Applicability Statements for Internet Standard Management

33、 Framework, December 2002, http:/tools.ietf.org/rfc/rfc3410 - - IETF RFC 3414 2002 User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3), December 2002, http:/tools.ietf.org/rfc/rfc3414 - - IETF RFC 3826 2004 The Advanced Encryption Standard (AES) Cipher Al

34、gorithm in the SNMP User-based Security Model, June 2004, http:/www.rfc-editor.org/rfc/rfc3826 - - IETF RFC 4022 2005 Management Information Base for the Transmission Control Protocol (TCP), March 2005, http:/tools.ietf.org/html/rfc4022 - - IETF RFC 4113 2005 Management Information Base for the User

35、 Datagram Protocol (UDP), June 2005, http:/tools.ietf.org/html/rfc4113 - - IETF RFC 4292 2006 IP Forwarding Table MIB, April 2006, http:/www.rfc-editor.org/rfc/rfc4292 - - IETF RFC 4293 2006 Management Information Base for the Internet Protocol (IP), April 2006, http:/tools.ietf.org/rfc/rfc4293 - -

36、IETF RFC 4898 2007 TCP Extended Statistics MIB, May 2007, http:/tools.ietf.org/rfc/rfc4898 - - IETF RFC 5132 2007 IP Multicast MIB, December 2007, http:/tools.ietf.org/rfc/rfc5132 - - IETF RFC 5905 2010 Network Time Protocol Version 4: Protocol and Algorithms Specification, June 2010, http:/tools.ie

37、tf.org/rfc/rfc5905 - - IETF RFC 5590 2009 Transport Subsystem for the Simple Network Management Protocol (SNMP), June 2009, http:/tools.ietf.org/rfc/rfc5590 - - IETF RFC 5591 2009 Transport Security Model for the Simple Network Management Protocol (SNMP), June 2009, http:/tools.ietf.org/rfc/rfc5591

38、- - IETF RFC 5592 2009 Secure Shell Transport Model for the Simple Network Management Protocol (SNMP), June 2009, http:/www.rfc-editor.org/rfc/rfc5592 - - BS EN 623517:2017EN 62351-7:2017 5 Publication Year Title EN/HD Year IETF RFC 5953 2010 Transport Layer Security (TLS) Transport Model for the Si

39、mple Network Management Protocol (SNMP), August 2010, http:/www.rfc-editor.org/rfc/rfc5953 - - IETF RFC 6347 2012 Datagram Transport Layer Security Version 1.2, January 2012, http:/tools.ietf.org/rfc/rfc6347 - - IETF RFC 6353 2011 Transport Layer Security (TLS) Transport Model for the Simple Network

40、 Management Protocol (SNMP), July 2011, http:/tools.ietf.org/rfc/rfc6353 - - IETF RFC 7860 2016 HMAC-SHA-2, Authentication Protocols in User-Based Security Model (USM) for SNMPv3, April 2016, http:/tools.ietf.org/rfc/rfc7860 - - BS EN 623517:2017This page deliberately left blank 2 IEC 62351-7:2017 I

41、EC 2017 CONTENTS FOREWORD . 8 1 Scope 10 2 Normative references 10 3 Terms and definitions 12 4 Abbreviated terms and acronyms . 13 5 Overview of Network and System Management (NSM) 14 5.1 Objectives . 14 5.2 NSM concepts. 15 5.2.1 Simple Network Management Protocol (SNMP) . 15 5.2.2 ISO NSM categor

42、ies 15 5.2.3 NSM “data objects” for power system operations . 16 5.2.4 Other NSM protocols . 16 5.3 Communication network management . 16 5.3.1 Network configuration 16 5.3.2 Network backup . 17 5.3.3 Communications failures and degradation . 17 5.4 Communication protocols 18 5.5 End systems managem

43、ent 18 5.6 Intrusion detection systems (IDS) . 19 5.6.1 IDS guidelines . 19 5.6.2 IDS: Passive observation techniques . 20 5.6.3 IDS: Active security monitoring architecture with NSM data objects . 20 5.7 End-to-end security . 21 5.7.1 End-to-end security concepts. 21 5.7.2 Role of NSM in end-to-end

44、 security . 22 5.8 NSM requirements: detection functions . 24 5.8.1 Detecting unauthorized access 24 5.8.2 Detecting resource exhaustion as a denial of service (DoS) attack 24 5.8.3 Detecting invalid buffer access DoS attacks 25 5.8.4 Detecting tampered/malformed PDUs 25 5.8.5 Detecting physical acc

45、ess disruption . 25 5.8.6 Detecting invalid network access . 25 5.8.7 Detecting coordinated attacks 26 5.9 Abstract object and agent UML descriptions 26 5.9.1 Purpose of UML . 26 5.9.2 Abstract types and base types . 27 5.9.3 Enumerated Types. 28 5.9.4 Abstract agents . 28 5.9.5 Unsolicited Event No

46、tification 31 5.9.6 UML Model extension 31 5.10 Abstract Object UML translation to SNMP . 31 5.10.1 Simple Network Management Protocol (SNMP) . 31 5.10.2 Management information bases (MIBs) 32 5.11 SNMP mapping of UML model Objects 33 5.12 SNMP Security 34 6 Abstract objects . 36 2 IEC 62351-7:2017

47、IEC 2017 CONTENTS FOREWORD . 8 1 Scope 10 2 Normative references 10 3 Terms and definitions 12 4 Abbreviated terms and acronyms . 13 5 Overview of Network and System Management (NSM) 14 5.1 Objectives . 14 5.2 NSM concepts. 15 5.2.1 Simple Network Management Protocol (SNMP) . 15 5.2.2 ISO NSM catego

48、ries 15 5.2.3 NSM “data objects” for power system operations . 16 5.2.4 Other NSM protocols . 16 5.3 Communication network management . 16 5.3.1 Network configuration 16 5.3.2 Network backup . 17 5.3.3 Communications failures and degradation . 17 5.4 Communication protocols 18 5.5 End systems manage

49、ment 18 5.6 Intrusion detection systems (IDS) . 19 5.6.1 IDS guidelines . 19 5.6.2 IDS: Passive observation techniques . 20 5.6.3 IDS: Active security monitoring architecture with NSM data objects . 20 5.7 End-to-end security . 21 5.7.1 End-to-end security concepts. 21 5.7.2 Role of NSM in end-to-end security . 22 5.8 NSM requirements: detection functions . 24 5.8.1 Detecting unauthorized access 24 5.8.2 Detecting resource exhaustion as a denial of service (DoS) attack 24 5.8.3 Detecti