
IEC 62351 - Security

Product Description

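IEC 62351 is a standard developed to provide additional security for a set of protocols, including the IEC 60870-5 series, the IEC 60870-6 series, the IEC 61850 series, the IEC 61970 series and the IEC 61968 series.

Its security objectives include authentication of data transfer through digital signatures, ensuring only authenticated access, prevention of eavesdropping, prevention of replay and spoofing, and intrusion detection.

Xelas Energy has implemented MMS security (62351-4) and GOOSE/SV security (62351-6).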


IEC 62351-4: Security for any profiles including MMS (ICCP-based IEC 60870-6, IEC 61850) contains the following sections:

  • Authentication for MMS.
  • TLS (RFC 2246) is inserted between RFC 1006 & RFC 793 to provide transport layer security.
    • TLS stands for Transport Layer Security and defines encryption algorithms.
    • RFC 1006 is the standard which defines OSI on top of TCP/IP. The RFC 1006 stack is completely developed and maintained by Xelas Energy Software.
    • RFC 793 is the standard which defines TCP/IP.

IEC 62351-6: GOOSE / SV Security

This security module is available for both the regular GOOSE/SV protocols as well as the R-GOOSE/R-SV protocols.

Integration with Xelas Energy Management Products

IEC 62351-4 and IEC 62351-6 security is integrated with the IEC 61850 client development and embedded server/client development products as an optional plugin.






[Figure: 62351_img.jpg]

In this picture, the 'client' side is shown on the left and the 'server' side on the right.


The client consists of IEC 61850/61400 MMS based adapters, a database, a Web GUI and services on top of the database. This runs on top of the RFC 1006 stack.

The IEC 61850 server also runs on top of the RFC 1006 stack, and is configured with an SCL/ICD file, a configuration file used during bootup.


The IEC 62351 adapter plugin is available for both client and server, as described in the picture above.


It provides the following functions:

· Authentication for MMS: This is performed during association establishment in the ACSE layer (one of the OSI layers). The client passes an authentication string, which is verified by the server. The server can define the authentication in the SCL/ICD file.

· TLS Encryption: On the client side, either IEC 62351 or RFC 1006 can be configured as a profile in the database/GUI. Within process management the IEC 62351 client adapter can be started and stopped. On the server side (or server simulator) an IEC 62351 server adapter (or task on an embedded platform such as VxWorks) can be configured as well. These adapters facilitate the TLS encryption.


The solution is backwards compatible. If a server does not support IEC 62351, RFC 1006 can be configured as a profile on the client side. This defines the regular OSI on top of TCP/IP protocol.



[Figure: goose.png]



The 62351-6 security module has the following features:

· Authentication security

  · HMAC algorithm SHA-256 (256, 128 or 80 bit)

· Encryption

  · AES-128 or AES-256

· Configurable per IEC 61850 dataset for GOOSE or SV Control block

· Available for IEC 61850 and 61850-5 (Routed GOOSE and SV)
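
The authentication option in the list above, sketched as an added example (not Xelas Energy's code and not the IEC 62351-6 wire format): a subscriber verifies a truncated HMAC-SHA256 tag at its locally configured length and, as a simplification assumed here, uses the GOOSE stNum/sqNum counters to reject replayed frames. The frame layout, key and all function names are constructed for illustration; truncation is assumed to keep the leftmost bits, as in RFC 2104.

```python
import hashlib
import hmac
import struct

TAG_BITS = (256, 128, 80)  # tag lengths named in the feature list above


def make_tag(key: bytes, payload: bytes, bits: int) -> bytes:
    """HMAC-SHA256 over payload, truncated to the leftmost `bits` bits."""
    if bits not in TAG_BITS:
        raise ValueError(f"unsupported tag length: {bits}")
    return hmac.new(key, payload, hashlib.sha256).digest()[: bits // 8]


def build_frame(key, st_num, sq_num, data, bits):
    """Constructed toy layout, not the IEC wire format: stNum|sqNum|data|tag."""
    payload = struct.pack(">II", st_num, sq_num) + data
    return payload + make_tag(key, payload, bits)


class Subscriber:
    """Accepts a frame only if its tag verifies and its counters advance."""

    def __init__(self, key: bytes, bits: int):
        if bits not in TAG_BITS:
            raise ValueError(f"unsupported tag length: {bits}")
        self.key, self.bits, self.last = key, bits, (-1, -1)

    def accept(self, frame: bytes) -> str:
        n = self.bits // 8
        if len(frame) < 8 + n:
            return "reject: too short"
        payload, tag = frame[:-n], frame[-n:]
        # Tag length comes from local configuration, never from the frame,
        # so a sender cannot downgrade to a shorter tag. Constant-time compare.
        if not hmac.compare_digest(make_tag(self.key, payload, self.bits), tag):
            return "reject: bad tag"
        counters = struct.unpack(">II", payload[:8])
        if counters <= self.last:  # simplified: counter rollover not handled
            return "reject: replay"
        self.last = counters
        return "accept"


if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key, never a real one
    sub = Subscriber(key, bits=128)
    frame = build_frame(key, 1, 0, b"trip=0", 128)
    print(sub.accept(frame), "/", sub.accept(frame))
```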


The solution is backwards compatible. If a server does not support IEC 62351, RFC 1006 can be configured as a profile on the client side. This defines the regular OSI on top of TCP/IP protocol.


Java configuration Tool


Both security implementations make use of a Java-based GUI configuration tool. The configuration tool takes care of importing and distributing the X.509 certificates.

