Research on Communication Security of Substation Automation Systems Based on IEC 62351 (Long Linde)
Analysis of Important Parameters in Lightning Disaster Risk Assessment Based on IEC 62305-2010
Analysis of Important Parameters in Lightning Disaster Risk Assessment Based on IEC 62305-2010
The analysis of the concernment parameter in lightning risk assessment based on IEC62305-2010
Wang Yingbo (1), Sun Yanbing (2), Hu Xiaobing (3)
(1 Fujian Provincial Lightning Protection Center, Fuzhou 350001) (2 Fujian Meteorological Bureau, Fuzhou 353001) (3 Yongchun County Meteorological Bureau, Fujian, Quanzhou 362600)
Abstract: Combining the risk assessment methods used by various industries in China and abroad with the authors' own assessment experience, this paper offers reference definitions for the more important or hard-to-define parameters of the IEC 62305-2010 assessment method, which is widely used in lightning disaster risk assessment.
Keywords: lightning disaster; risk assessment; IEC 62305
Lightning strike risk assessment has been practised in China for a long time. The main reference standards are "Protection against lightning, Part 2: Risk management", GB/T 21714.2-2008 "Protection against lightning, Part 2: Risk management" and QX/T 85-2007 "Technical specification for lightning disaster risk assessment". The promulgation and implementation of these standards has effectively promoted the development of lightning risk assessment and provided a quantitative method for assessing lightning disaster risk.
However, because all of the above standards take the IEC assessment model as their original, many problems remain to be solved as to how the definitions of these risk parameters, which originated in Western countries, should be adapted to China's national conditions.
At the same time, the parameter values in the IEC 62305-2010 assessment method are very flexible and highly subjective: many parameter variables are determined qualitatively from typical values, which cannot satisfy the demand for refined risk assessment. Quantitative analysis of the parameters therefore becomes especially important, and this places higher demands on the people who prepare risk assessments.
Taking IEC 62305-2010 as the example and drawing on many years of assessment experience, the authors select parameters that are important or hard to define in the assessment process and offer their own views for reference.
[Figure: the ALARP principle]
1. Tolerable risk RT
Scholars generally hold that no disaster risk can be eliminated entirely [1], so IEC 62305-2010 introduced the concept of tolerable risk.
The standard gives typical values for the tolerable risk of each kind of risk (Table 1) for reference.
Substation Automation System Based on the IEC 62351 Security Architecture
2 Composition of the IEC 62351 international standard
This part defines a management information base (MIB) for the power industry, which is handled through the Simple Network Management Protocol (SNMP).
…is very widely used in this area.
IEC 62351-3 describes the TLS parameter settings used for substation operations.
The difference is that IEC 62351.3 addresses prevention and application health, intrusion detection systems (IDS), and other power-related security specifications.
IEC 62351-4 provides MMS-related security.
…devices, but a large number of special MIB objects have to be designed to describe the very particular devices and environments found in power system operation. (TASE.2 (ICCP), IEC 61850)
Figure 1 shows the mainstream communication protocols of present-day substation automation systems and
…62351… systems all need to be upgraded for security protection at the same time.
Measures are limited to a few security authentication mechanisms, covering spoofing, replay, …
Proposal Report on Process-Level Simulation Design for a Digital Substation Based on IEC 61850
1. Research background and significance
With the continuous modernization and intelligentization of power systems, the digital substation has become the development trend of future power systems.
The core technology of the digital substation is the IEC 61850 communication protocol.
This protocol enables connection and communication between digital devices, so that substation control, protection, monitoring and other functions become more intelligent and integrated.
Therefore, the application and optimization of IEC 61850 technology has become a key issue in the construction and operation of digital substations.
To apply IEC 61850 technology better and to improve the operating efficiency and security of digital substations, a large amount of simulation and optimization work is needed.
Simulation can model various substation operating conditions, analyse their performance and stability, predict the likelihood and impact of problems, and provide corresponding optimization schemes.
Process-level simulation design for a digital substation based on IEC 61850 is therefore an urgent task.
2. Research content and methods
The research content of this project is mainly the process-level simulation design of a digital substation based on IEC 61850, including:
(1) analysis and application of the IEC 61850 standard in the digital substation;
(2) modelling and simulation of the process level of the digital substation;
(3) validation and optimization of the process-level simulation model.
This project adopts the following research methods:
(1) Literature study: an in-depth literature survey of the IEC 61850 standard and its application in digital substations, combined with analysis and summary based on practical application experience.
(2) System modelling: build a process-level model of the system according to the functions and characteristics of the digital substation, and build a simulation model of the digital substation with simulation software.
(3) Simulation analysis: carry out simulation analysis of the problems and risks that may arise in the digital substation and propose feasible optimization schemes.
(4) Experimental validation: test and validate the simulation model to check the accuracy and reliability of the simulation results.
3. Expected results and innovations
The expected results of this project include:
(1) a process-level simulation model of the digital substation;
(2) process-level simulation analysis results and optimization schemes for the digital substation;
(3) case studies of IEC 61850 application in digital substations.
The innovations of this project are:
(1) establishing a process-level simulation model of a digital substation based on IEC 61850, providing a reference tool for the development and optimization of digital substation technology;
(2) exploring the problems and risks at the process level of the digital substation and providing corresponding solutions;
(3) summarizing, through case studies, application experience and optimization strategies for IEC 61850 in digital substations.
Research on Communication Security of Substation Automation Systems Based on IEC 62351
Vol. 9 No. 3, September 2010
Journal of Changsha Telecommunications and Technology Vocational College, Vol. 9 No. 3
Abstract: With the development of information technology, information security in the power industry has become an important issue affecting the stable operation of power systems. The IEC 62351 standard provides a safeguard for substation communication systems and network security. Based on an analysis of secure access under the IEC 62351 standard, a security model for a typical application of the security standard is proposed, and a security model providing identity authentication, confidentiality and integrity is designed. The design of the security model closely follows the requirements of IEC 62351 for data and communication security and complies with the information security mechanisms currently in use in power system automation. The description and analysis of an application example of the model show that it can satisfy secure access to and control of substation IEDs in a network environment.
【 章编 号 】6 l9 8(000 — 0 10 文 17一 5 1 1) 00 — 6 2 3
1 e e c a On Om m Unl at n e ur-y OI S ■ t t R s ar l 一 - C ● J0 l C ● sc i n U 』 』0n t ・ DS l a ●
Branch of the National Computer Network Emergency Response Technical Team / Coordination Center of China,
Application of the IEC 62351 Security Standard to Computer Security Assurance in Mines
A brief discussion of the application of the IEC 62351 security standard to computer security assurance in mines
Abstract: Starting from the actual use of computers and communications in an office unit, this paper briefly discusses the role the IEC 62351 power information transmission security standard can play there, and the advantages IEC 62351 can bring for future information security assurance: preventing various network security attacks and drawing up a scheme for secure information transmission that achieves integrity, confidentiality and non-repudiation, so as to safeguard the information security of the digital mine network.
Keywords: IEC 62351; digital mine; information security; communication
CLC number: TM63; TM76   Document code: A   Article number: 1007-9599 (2013) 05-0000-02
1 Introduction
With the development of microelectronics, computer and communication technology, security problems in computer communication have also emerged; in particular, secure transmission of information over communication links has not been solved. Secure transmission of information plays a key role in the digital mine, and network information security is especially important. Using different schemes to achieve security in information transmission is the topic studied in this paper.
2 Content
Today, as the digital mine develops, paperless and networked office work has become reality; many mine design schemes, drawings and other information are stored on computers and transmitted over the network. How can their security be guaranteed in the meantime? Which standard should be used to achieve standardized operation by computer users and security in information transmission? We take our cue from the IEC 62351 security standard and borrow it for use in the digital mine. It clearly defines the information security problems of communication, covering many aspects that can be grouped as: the machine end, software services, communication transport protocols and the communication medium.
The security attacks mentioned in IEC 62351 are: (1) machine end: masquerade, bypassing controls, theft, dereliction of duty, repudiation, physical intrusion by people; (2) software services: masquerade, bypassing controls, Trojan horses, viruses, trapdoors, faults; (3) communication transport protocols: eavesdropping, masquerade, interception, replay, resource exhaustion; (4) communication medium: resource exhaustion, undetected errors, traffic analysis, interception.
Of course, IEC 62351 also sets out corresponding countermeasures against these attacks: (1) machine end: identity authentication of persons, authorization, privilege management; (2) software services: software identification, authorization, testing, management; (3) communication transport protocols: encryption, transmission authentication, access control, digital signatures; (4) communication medium: authorized access control, encryption, control of redundant information and channels.
Encrypted Transmission Method for IEC 62351 Communication Keys Within a Substation
Document code: A
DOI: 10.11930/j.issn.1004-9649.201811056
0 Preface
In recent years, with the continuous development of the smart grid, computer technology, network communication and information processing technology have been widely applied in power systems. As the informatization and intelligentization of power systems keeps improving, negative effects such as the information security risks caused by system openness have also begun to appear. In recent years there have been repeated international disclosures of power systems suffering external malicious attacks, and information security problems have begun to affect the secure and stable operation of the grid [1]. China has promulgated a series of policies and regulations such as the Cybersecurity Law of the People's Republic of China and the Regulations on Security Protection of Power Monitoring Systems. In response to the information security problems of power systems, grid companies have also initially built a complete information security protection system.
In a public key system, the authenticity and integrity of the public key and the confidentiality of the private key are the prerequisites for successful application. When building a security hardening protection system for substation communication with the authentication and encryption mechanism of the IEC 62351 standard at its core, secure distribution of the keys in use is the foundation of successful application.
1.2 Requirements for secure key transmission in substations
In practical power system applications, a public key infrastructure (PKI) mechanism is usually applied for unified management of certificates and key pairs. Considerable research work has also been done on this in China [15].
Abstract: As the informatization level of smart substations increases, the network security problems of their communication systems become increasingly prominent. Network security solutions with authentication and encryption at their core, such as the IEC 62351 standard, need a specific secure transmission channel to transmit application keys. A method is proposed that automatically negotiates communication keys under symmetric encryption in order to construct a secure transmission channel for application keys. The method is based on the Advanced Encryption Standard algorithm and a group of symmetric keys, and realizes a communication key negotiation mechanism by means of an initial key combined with random-number verification. The negotiated communication keys are random, which resolves the security risk that traditional symmetric encryption may bring when all communication uses the same key. Also, in anti-replay and encryption
Interoperability Control Strategy for Smart Grid Systems Based on IEC 62351-8 and Role-Based Access Control
Journal of Shandong Agricultural University (Natural Science Edition), 2019, 50(6): 1087-1092, Vol. 50 No. 6, 2019
doi: 10.3969/j.issn.1000-2324.2019.06.035
Digital-first publication: 2019-06-25
Interoperability Control Strategy for Smart Grid Systems Based on IEC-62351-8 and Role-Based Access Control
Zhang Yanxiao (1), Li Shouzhi (2), Gao Ligang (3)
1. City College, Xi'an Jiaotong University, Xi'an 710018, Shaanxi
2. School of Automation, Xi'an University of Technology, Xi'an 710048, Shaanxi
3. Northwest Survey and Design Research Institute, Xi'an 710065, Shaanxi
Abstract: To study the interoperability of distributed systems in different key areas of the smart grid, this paper takes program observation data and the role-based access control model defined by the IEC-62351-8 standard as its basis, treats graph theory as the core concept of the structural controllability of the power system control network, follows two basic observation rules, and describes the control-level observation degree of an application program.
A policy execution system based on IEC-62351-8 and role-based access control (RBAC) is proposed to achieve transparency of control transactions under a secure and reliable architecture.
In addition, to interconnect these graphs, a decentralized architecture based on the concept of super-nodes is adopted; simulation results verify the effectiveness of the proposed method.
Keywords: smart grid; role access; control strategy
CLC number: V242.3   Document code: A   Article number: 1000-2324(2019)06-1087-06
Interoperability Control Strategy of Smart Grid System Based on IEC-62351-8 and Role Access Control
ZHANG Yan-xiao 1, LI Shou-zhi 2, GAO Li-gang 3
1. City College of Xi'an Jiaotong University, Xi'an 710018, China
2. Automation College, Xi'an University of Technology, Xi'an 710048, China
3. Northwest Research Institute of Survey and Design, Xi'an 710065, China
Abstract: To study the interoperability of distributed systems in different key areas of smart grid, a policy execution system based on IEC-62351-8 and Role-Based Access Control (RBAC) is proposed to achieve transparency of control transactions in a secure and reliable architecture. This method is based on the context observation degree and the role access control model defined by IEC-62351-8 standard, the graph theory is regarded as the core idea of the structure controllability of power system control network, and two basic observation rules are followed to describe the control level observation degree of application context. In addition, in order to realize the interconnection of these graphs, a decentralized architecture based on the concept of super-nodes is adopted. The simulation results verify the effectiveness of the proposed method.
Keywords: Smart grid; role access; control strategy
In recent years, research in all areas of the smart grid has made great progress [1].
IEC 62351-4
57/755/CDCOMMITTEE DRAFT (CD)Title:Data and Communication Security – Part 4: Profiles Including MMSIntroductory noteNOTE:At the request of the WG 15 convenor and in agreement with IEC Central Office, the TC 57 chairman andsecretary, the structure of the IEC 62351 series has been re-arranged as follows:IEC 62351-1: Data and Communication Security – Part 1: Introduction and OverviewIEC 62351-2: Data and Communication Security – Part 2: Glossary of TermsIEC 62351-3: Data and Communication Security – Part 3: Profiles Including TCP/IP.IEC 62351-4: Data and Communication Security – Part 4: Profiles Including MMS.IEC 62351-5: Data and Communication Security – Part 5: Security for IEC 60870-5 and DerivativesIEC 62351-6: Data and Communication Security – Part 6: Security for IEC 61850 Profiles.IEC 62351-7: Data and Communication Security – Part 7: Management Information Base (MIB)Requirements for End-to-End Network ManagementParts 1, 3, 4, 5, and 6 are circulated in May 2005, parts 2 and 7 will be circulated by the end of the year2005.All above-mentioned part numbers were covered by the original NWIPs and therefore no extra NWIP isrequired.(see next page)Copyright © 2005 International Electrotechnical Commission, IEC . All rights reserved. It ispermitted to download this electronic file, to make a copy and to print out the content for the solepurpose of preparing National Committee positions. 
You may not copy or "mirror" the file orprinted version of the document, or any part of it, for any other purpose without permission inwriting from IEC.57/755/CD2This document on cyber security cut across many traditional boundaries, and needs to be reviewed by alarger audience than the usual IEC TC57 working groups (although they are the primary audience).Therefore, it is suggested that the following organizations and groups be invited to review the document(as appropriate to their interests):●IEC TC57: WG03, WG07, WG10, WG15, WG16, WG17, WG18, WG19●Other IEC TCs: TC8, TC13 WG 14, TC88 WG25●ISO TC184/SC5 WG2●Cigre: CIGRÉ JWG D2/B3/C2 on Security - A. Torkilseng (NO)●ISA – SP99 "Bryan L Singer" bryan_singer@●American Gas Association (AGA) – Bill Rush●UCA International Users Group – Kay Clinard●DNP Users Group – Grant Gilchrist●IEEE: PSCC WG on Security Risk Assessment – Frances Cleveland, SCC36 – Frances Cleveland57/755/CD 3IEC 62351-4Committee Draft (CD)Version 1April, 2005Data andCommunications SecurityProfiles Including MMSContents1Scope and purpose (8)1.1Intended audience and use (8)2Normative References (8)3Definitions (9)4Profile Security (9)5Profile Security (10)5.1A-Profile (10)5.2MMS (10)5.3ACSE (11)5.3.1AARQ (13)5.3.2AARE (14)5.4T-Profile (14)5.4.1TCP T-Profiles (14)5.4.2OSI T-Profiles (17)6Annex 1 – IEC 60870-6 TASE.2 Security (18)List of FiguresFigure 1: TCP T-Profiles (14)List of TablesTable 1: TP0 Maximum Sizes (15)INTERNATIONAL ELECTROTECHNICAL COMMISSION____________Data and Communication SecurityFOREWORD1) The IEC (International Electrotechnical Commission) is a worldwide organisation for standardisation comprisingall national electrotechnical committees (IEC National Committees). The object of the IEC is to promote international co-operation on all questions concerning standardisation in the electrical and electronic fields. To this end and in addition to other activities, the IEC publishes International Standards. 
Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organisations liaising with the IEC also participate in this preparation. The IEC collaborates closely with the International Organisation for Standardisation (ISO) in accordance with conditions determined by agreement between the two organisations.2) The formal decisions or agreements of the IEC on technical matters express, as nearly as possible, aninternational consensus of opinion on the relevant subjects since each technical committee has representation from all interested National Committees.3) The documents produced have the form of recommendations for international use and are published in theform of standards, technical specifications, technical reports or guides and they are accepted by the National Committees in that sense.4) In order to promote international unification, IEC National Committees undertake to apply IEC InternationalStandards transparently to the maximum extent possible in their national and regional standards. Any divergence between the IEC Standard and the corresponding national or regional standard shall be clearly indicated in the latter.5) The IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for anyequipment declared to be in conformity with one of its standards.6) Attention is drawn to the possibility that some of the elements of this International Standard may be the subjectof patent rights. The IEC shall not be held responsible for identifying any or all such patent rights.This publication has been drafted in accordance with the ISO/IEC Directives, Part 2. 
Recipients of this document are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.This working draft of the International Standard IEC 62351 Part 3 has been prepared by IEC technical committee 57: Working Group 15 on Data and Communications Security.It is part of the standard series IEC 62351, a set of specifications for data and communication security. At time of publication of this part, the following parts are intended to be part of IEC 62351:•IEC 62351-1: Data and Communication Security – Introduction and Overview•IEC 62351-2: Data and Communication Security – Glossary of Terms•IEC 62351-3: Data and Communication Security – Profiles Including TCP/IP. These security standards cover those profiles used by IEC 60870-6 (TASE.2), IEC 60870-5Part 104, derivatives such as DNP3 over TCP/IP, and IEC 61850 over TCP/IP.•IEC 62351-4: Data and Communication Security – Profiles Including MMS. These security standards cover those profiles used by TASE.2 and IEC 61850.IEC 62351-6© IEC:2005 7 57/755/CD •IEC 62351-5: Data and Communication Security – Security for IEC 60870-5 and Derivatives (i.e. DNP3). These security standards cover both serial and networkedprofiles used by IEC 60870-5 and DNP.•IEC 62351-6: Data and Communication Security – Security for IEC 61850 Profiles.These security standards cover those profiles in IEC 61850-7-2 that are not based on TCP/IP – GOOSE, GSSE, and SMV.•IEC 62351-7: Data and Communication Security – Management Information Base (MIB) Requirements for End-to-End Network Management. These security standards define Management Information Base (MIBs) that are specific for the power industry, to handle network and system management through SNMP-based capabilities.IEC 62351 DATA COMMUNICATIONS SECURITY –Part 4: Communication Network and System Security - Profiles IncludingMMSEditors Note: Please note that Annex 1 is normative. 
IEC TC57 WG07 members need to decide if this annex should stay normative or to change it to informative. . If Annex 1 is made informative, then WG07 will need to take up an NWIP to reference this standard.Editors Note: Please note that the OSI T-Profile has not been secured within this standard. Comments are welcome for the establishment of a NWIP to profile OSI T-Profile security.1 Scope and purposeThis part of IEC 62351 specifies procedures, protocol extensions,, and algorithms to facilitate securing ISO 9506 – Manufacturing Message Specification (MMS) based applications. It is intended that this standard be referenced as a normative part of other IEC TC57 standards that have the need for using MMS in a secure manner.This standard represents a set of mandatory and optional security specifications to be implemented for applications when using ISO/IEC 9506 (Manufacturing Automation Specification).Note: Within the scope of IEC TC57, there are two identified standards that may be impacted: IEC 61850-8-1 and IEC 60870-6.This standard contains a set of specifications that are to be used by referencing standards in order to secure information transferred when using MMS. The recommendations are based upon specific communication profile protocols used in order to convey MMS information.The two identified IEC standards make use MMS in a 7-layer connection-oriented mechanism. Each of the standards are used over either the OSI or TCP profiles.1.1 Intended audience and useThe initial audience for this specification is intended to be the members of the working groups developing or making use of the protocols within IEC TC57. For the measures described in this specification to take effect, they must be accepted and referenced by the specifications for the protocols themselves, where the protocols make use of ISO 9506. 
This document is written to enable that process.The subsequent audience for this specification is intended to be the developers of products that implement these protocols.Portions of this specification may also be of use to managers and executives in order to understand the purpose and requirements of the work.2 Normative ReferencesStandard NameISO/ISP 14226-1:1996 Industrial automation systems -- International Standardized Profile AMM11: MMS General Applications Base Profile -- Part 1: Specification of ACSE, Presentation and Session protocols for use by MMSISO/ISP 14226-2:1996 Industrial automation systems -- International Standardized Profile AMM11: MMS General Applications Base Profile -- Part 2: Common MMS requirementsISO/ISP 14226-3:1996 1996 Industrial automation systems -- International Standardized Profile AMM11: MMS General Applications Base Profile -- Part 3: Specific MMS requirementsISO 9506-1 Industrial automation systems -- Manufacturing Message Specification -- Part 1: Service definitionISO 9506-2 Industrial automation systems -- Manufacturing Message Specification -- Part 2: Protocol specificationISO/IEC 8649 Information technology -- Open Systems Interconnection -- Service definitionfor the Association Control Service ElementISO/IEC 8650 Information technology -- Open Systems Interconnection -- Connection-oriented protocol for the Association Control Service Element: ProtocolspecificationIEC 61351-3 DATA COMMUNICATIONS SECURITY – Part 3: Communication Networkand System Security - Profiles Including TCP/IP3 DefinitionsSee IEC 62351-2.4 Profile SecurityThe communication security, specified in this standard, shall be discussed in terms of: •Application profiles: An A-Profile defines the set of protocols and requirements for layers 5-7 of the OSI Reference Model.•Transport profiles: A T-Profile defines the set of protocols and requirements for layers 1-4 of the OSI Reference Model.There have been one(1) A-Profile and two(2) T-Profiles identified within 
the TC57 context. This standard shall specify security extensions for all of the identified profiles.5 Profile Security5.1 A-Profile5.2 MMSThe implementation of MMS must provide some mechanism for configuring and making use of the capabilities of the secure profile. In general, there needs to be provided:• A mechanism for configuration of certificate information and the binding of that information to access authentication (e.g., the bilateral tables).• A mechanism for configuration of the acceptable incoming association profile for a given bilateral table. It is suggested that the following choices be provided:DON’T_CARE: would indicate either a secure or non-secure profile would be allowed to establish a MMS association.NON_SECURE: would indicate that the non-secure profile must be used in order to allow establishment of a MMS association.SECURE: would indicate that the secure profile must be used in order to allow establishment of a MMS association.• A mechanism for configuration of the profile to use in order to initiate a MMS association. It is suggested that the following choices be provided:NON_SECURE: would indicate that the non-secure profile must be used in order to allow establishment of a MMS association.SECURE: would indicate that the non-secure profile must be used in order to allow establishment of a MMS association.• A mechanism to convey/verify the association parameters. These parameters should include: Presentation Address; Profile used indication (e.g., secure or non-secure);and ACSE Authentication parameters. The indication of the use of a “secure profile”shall be reserved if the secure transport layer, as set forth within this document, has been negotiated as part of the MMS association1.This information shall be used, in conjunction with the configured MMS expected association values, to determine if a MMS association should be established. 
The entity that determines the actual acceptance is a local issue.It is a mandatory requirement that changes in the configuration parameters, discussed above, not require all MMS associations to be terminated in order for the configuration changes to take affect.It is strongly suggested that a MMS implementation log events and information associated with rejected associations that were rejected due to security violations.LoggingIt is important that care be taken to log security related violations in a separate log whose contents is inherently secure from manipulation (e.g., modification of information or deletion of information). Implementers should strive to archive enough information so that security audit and prosecution is facilitated. The actual implementation of this recommendation is a local issue.5.3 ACSEPeer entity authentication shall occur at association set up time. Authentication information shall be carried in the calling-authentication-value and responding-authentication-value fields of the authentication Functional Unit (FU) of the ACSE AARQ and AARE PDUs respectively. The bit strings for the sender-acse-requirements and responder-acse-requirements fields of the authentication FU shall be DEFAULTED to include the authentication FU, when ACSE security is in use. Otherwise, the bits shall be DEFAULTED to exclude the authentication FU (this provides backward compatibility).The calling-authentication-value and responding-authentication-value fields are of type Authentication-value that is further defined in ISO 8650 as a CHOICE. The CHOICE for the Authentication-value shall be EXTERNAL. The presentation context shall include a reference to the abstract syntax that is used for the EXTERNAL.The ACSE mechanism-name field shall be used to denote the format of the authentication-value field being conveyed. 
The definition of the mechanism-name field (both for AARQ and AARE) shall be:The ICCP authentication value (following ) shall be carried in the Authentication-value field of the authentication FU of ACSE. This value shall be used when peer entity authentication is required. The value shall be carried as the “external” as defined by the ACSE Authentication-value production (replicated below) as a SingleASN1Type.Note: The following production is a reproduction from ISO/IEC 8650 and is for informative purposes only.———————1 This allows for the ACSE Authentication to be used over either the secure or non-secure profiles to achievestronger authentication.Authentication-value ::= CHOICE {charstring [0] IMPLICIT GraphicString,bitstring [1] IMPLICIT BIT STRING,external [2] IMPLICIT EXTERNAL,other [3] IMPLICIT SEQUENCE {other-mechanism-nameMECHANISM-NAME.&id({ObjectSet}),other-mechanism-valueMECHANISM-NAME.&Type}}STASE-MMS-Authentication-value {iso member-body usa(840) ansi-t1-259-1997(0) stase(1) stase-authentication-value(0) abstractSyntax(1) version1(1)}DEFINITIONS IMPLICIT TAGS ::= BEGIN-- EXPORTS everythingIMPORTSSenderId, ReceiverId, Signature, SignatureCertificateFROM ST-CMIP-PCI {iso member-body usa(840) ansi-t1-259-1997(0) stase(1) stase-pci(1) abstractSyntax(4) version1(1)};MMS_Authentication-value ::= CHOICE{certificate-based [0] IMPLICIT SEQUENCE {authentication-Certificate [0] IMPLICIT &SignatureCertificate,time [1] IMPLICIT GENERALZEDTIME,signature [2] IMPLICIT &SignedValue},…}END&SignatureCertificateSignatureCertificate::= OCTET STRING -- size shall have a minimum-maximum size of 8192 octets.[Note:] The contents of the SignatureCertificate OCTET STRING shall be a Basic Encoding Rules encoded X.509 certificate (specified in CMIP). The certificate exchange shall be bi-directional and shall be a individual certificate from a configured and trusted certificate authority. 
If any of these conditions are not met, the connection shall be terminated appropriately.Identification of individual certificates shall be based upon the certificate Subject, as a minimum.In order to achieve interoperability of certificates, it is necessary to set a maximum allowed size for the certificates exchanged by ACSE. This size shall be limited to a maximum encoding size of 8192 octets.It is a local issue if a larger certificate can be accepted.If the certificate size exceeds the minimum-maximum (e.g. 8192) or the local maximum, then the connection shall be refused and a disconnect shall occur.&SignedValueThe value of the SignedValue shall be the value of the time field signed as specified by the PKCS#1 Version 2. The value is the encoded GENERAILZEDTIME string but does not include the ASN1 tag or length. This value shall be signed per the RSA signing algorithm in the specification. A key length of 1024 bits shall be supported as a minimum-maximum.The definition of the SignedValue shall be governed by the DigitalSignature definition found in RFC 2313:“For digital signatures, the content to be signed is first reduced to a message digest with a message-digest algorithm (such as MD5), and then an octet string containing the message digest is encrypted with the RSA private key of the signer of the content.The content and the encrypted message digest are represented together according to the syntax in PKCS #7 to yield a digital signature.”RFC 2437 (specification for PKCS#1 Version 2) specifies RSASSA-PKCS1-v1_5 as the signature algorithm, This is the algorithm that shall be used by implementations claiming conformance to this specification. The Hash algorithm shall be SHA1.timeThis parameter shall be the GENERALIZEDTIME representation of the GMT value of the time at which the Authentication-value was created.The accuracy of this time is a local issue but shall be as accurate as possible. 
It is equally valid to determine the value of the time parameter during the invocation of the MMS Intiate.Request service, Initiate.Response service, or during the encoding of the ACSE PDUs for those services.5.3.1 AARQThe sender of an AARQ shall encode the appropriate ACSE AuthenticationMechanism and AuthenticationValue fields and send the AARQ through the use of the Presentation-Connect service.The receiver of an AARQ-indication shall use the AuthenticationMechanism and AuthenticationValue fields to attempt to verify the signed value. If the decoded signed value is not equal to the value of the time field then the receiver shall cause a P-ABORT to be issued. If the time field value is more than ten (10) minutes2 difference from the local time, the receiver shall cause a P-ABORT to be issued.If the receiver of the AARQ has received the same signed value within the last ten (10) minutes, then the receiver shall cause a P-ABORT to be issued.———————2 This means that there is a window of vulnerability of 10 minutes in which the same signed value could be usedby an attacker.If the signed value has not caused a P-ABORT, then the signed value and other security parameters, shall be passed to the ACSE user (e.g., MMS or TASE.2 or the local Application). The method by which these parameters are passed is a local issue.5.3.2 AAREThe sender of an AARQ shall encode the appropriate ACSE AuthenticationMechanism and AuthenticationValue fields and send the AARQ through the use of the Presentation-Connect service.The receiver of an AARQ-indication shall use the AuthenticationMechanism and AuthenticationValue fields to attempt to verify the signed value. If the decoded signed value is not equal to the value of the time field then the receiver shall cause a P-ABORT to be issued. 
If the time field value is more than ten (10) minutes3 difference from the local time, the receiver shall cause a P-ABORT to be issued.If the receiver of the AARQ has received the same signed value within the last ten (10) minutes, then the receiver shall cause a P-ABORT to be issued.If the signed value has not caused a P-ABORT, then the signed value and other security parameters shall be passed to the ACSE user (e.g., MMS or TASE.2 or the local Application). The method by which these parameters are passed is a local issue.5.4 T-ProfileAn implementation that claims conformance to this standard shall support security for the TCP T-Profile as a minimum. An implementation may optionally support the security specifications for the OSI T-Profile.5.4.1 TCP T-ProfilesThe security recommendations for the TCP T-Profile do not attempt to specify security recommendations for TCP, IP, or Ethernet. Rather the specifications within this standard specify how to properly use Transport Layer Security and the securing of RFC-1006.The security TCP T-Profile inserts makes use of TLS (as specified by RFC 2246 ) to provide encryption and nodal authentication prior to RFC-1006.Figure 1: TCP T-Profiles———————3 This means that there is a window of vulnerability of 10 minutes in which the same signed value could be usedby an attacker.Figure 1 shows the two relevant TCP T-Profiles. One is the standard non-secure RFC-1006 T-Profile as specified by IETF. The other is the secure RFC-1006 profile that is specified within this standard.5.4.1.1 TPO5.4.1.1.1 Enforcement of maximum lengthsTP0 specifies the maximum size of TPDU. It is recommended that implementations use Table 1 to make sure that the RFC-1006 length does not exceed the maximum size. 
It is a local issue in regards to the processing of a TPDU whose RFC-1006 size is incorrect.Table 1: TP0 Maximum SizesOSI TP0 Primitive RFC-1006HeaderISO TP0 LI Field ISO TP0 User Data RFC-1006 Length Range Octets Minimum Maximum Minimum Maximum Mimum MaximumCR4 7 254 0 0 11 258 CC4 7 254 0 0 11 258 DR4 7 254 0 0 11 258 DC4 7 254 0 0 11 258 DT 4 3 3 1 204848 2055 ER4 5 254 0 0 9 259 ED Not Allowed due to TP0 restrictionAK Not Allowed due to TP0 restrictionEA Not Allowed due to TP0 restrictionRJ Not Allowed due to TP0 restriction5.4.1.1.2 Response to TP0 Unsupported TPDUsIt is recommended that the reception of an ED, AK, EA, or RJ TPDU be ignored.———————4 Maximum based upon negotiation of CR/CC exchange. 128 octets is the minimum allowed.5.4.1.1.3 Transport SelectorsThe International Standardized Profiles (ISP) for MMS specify that the Transport Selectors (TSELs) shall have a maximum size of thirty-two (32) octets. However, the parameterization of the selector according to ISO/IEC 8073, may have a length of 255 octets.An implementation that receives a TSEL whose length is greater than thirty-two (32) shall cause the connection to be aborted.5.4.1.2 RFC-1006It is recommended that the following enhancements be made to an RFC-1006 implementation when it is used in either the secure or non-secure T-Profile.5.4.1.2.1 Version NumberThe local implementation shall ignore the value of the RFC-1006 version field value. Local processing of the OSI TPDU(s) shall continue as if the field value was three (3).5.4.1.2.2 LengthThe RFC-1006 length field shall be limited to a value of no greater than 2056 octets. This length corresponds to the maximum TP0 TPDU allowed (e.g. 2048 octets).The processing of a length that is greater than 2056 is a local issue. However it is strongly suggested to disconnect the connection.5.4.1.2.3 Keep-aliveImplementations that claim conformance to this standard shall make use of the TCP-KEEPALIVE function. 
The timeout function should be set to approximately one (1) minute, or less.5.4.1.3 TLS Requirements5.4.1.3.1 TCP Port UsageThe non-secure T-Profile shall use TCP port 102 as specified by RFC-1006.Implementations claiming conformance to this standard shall use TCP port 3782 to indicate the use of the secure TCP T-Profile.5.4.1.3.2 Simultaneous SupportThe following requirement applies to implementations that claim support for more than one simultaneous MMS association. For such implementations, it shall be possible to communicate via the secure and non-secure T-profiles simultaneously.5.4.1.3.3 Use of TLSTransport Layer security shall be used as specified by IEC 62351-3.5.4.1.3.3.1 Cipher RenegotiationAn implementation that claims conformance to this specification shall support minimum-maximum renegotiation of: five-thousand (5000) ISO TPUs sent and/or ten(10) minutes elapsing from the previous renegotiation.5.4.1.3.3.2 Certificate SizeAn implementation that claims conformance to this specification shall support a minimum-maximum certificate size of 8192 octets. It is a local issue if larger certificates are supported.An implementation that receives a certificate larger than the size that it can support shall terminate the connection.5.4.1.3.3.3 Certificate RevocationThe default evaluation period for revoked certificates shall be twelve(12) hours. 
This evaluation period shall be configurable. An implementation that claims conformance to this standard shall terminate a connection where one of the certificates used to establish the connection is revoked.

5.4.1.3.3.4 Mandatory Cipher Suites

It is recommended that the following TLS cipher suites be considered for use (each name encodes the key exchange, signature, encryption and hash algorithm):

Recommended Cipher Suite Combinations
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
- TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_DH_DSS_WITH_AES_128_SHA
- TLS_DH_DSS_WITH_AES_256_SHA
- TLS_DH_WITH_AES_128_SHA
- TLS_DH_WITH_AES_256_SHA

All implementations that claim conformance to this standard shall support at least TLS_DH_DSS_WITH_AES_256_SHA. Other standards that reference this standard may add additional mandatory cipher suites.

5.4.2 OSI T-Profiles

The security of OSI T-Profiles is out of scope of this standard.

6 Annex 1 – IEC 60870-6 TASE.2 Security

Editor's Note: Please note that this clause is normative. IEC TC57 WG07 members need to decide if this annex should stay normative or change to informative. If this clause is made informative, then WG07 will need to take up an NWIP to reference this standard.

IEC 60870-6 implementations claiming to implement IEC TC57 standardized security shall conform to this standard.
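The TP0 and RFC-1006 rules in 5.4.1.1 and 5.4.1.2 above are the kind of thing an MMS stack's ingress path should enforce before any ASN.1 decoding happens. The following Python validator is an added example, not code from the standard or from any MMS implementation: it parses the 4-octet RFC-1006 (TPKT) header, ignores the version octet, rejects a length above 2056, ignores ED/AK/EA/RJ TPDUs, applies the header and user-data ranges of Table 1 (the "LI field" column is read as the header length including the LI octet, which is what makes the table's RFC-1006 length column add up), and aborts on a TSEL longer than 32 octets. The TPDU codes and the 0xC1/0xC2 selector parameter codes are the ISO 8073 values; treating a mismatched RFC-1006 length as a disconnect is this example's choice, since the page leaves it a local issue.

```python
import struct

TPKT_MAX_LENGTH = 2056   # 5.4.1.2.2: RFC-1006 length field limited to 2056 octets
TSEL_MAX_LENGTH = 32     # 5.4.1.1.3: a TSEL longer than 32 octets aborts the connection

# ISO 8073 TPDU codes (upper nibble of the code octet)
CR, CC, DR, DC, DT, ER = 0xE0, 0xD0, 0x80, 0xC0, 0xF0, 0x70
ED, AK, EA, RJ = 0x10, 0x60, 0x20, 0x50
NOT_IN_TP0 = {ED, AK, EA, RJ}   # 5.4.1.1.2: ignore rather than abort

# Table 1 of the page: (min, max) header octets including the LI octet,
# and (min, max) user-data octets, per TPDU type. The DT maximum of 2048
# is the table's value; in practice it is negotiated in the CR/CC exchange.
HEADER_RANGE = {CR: (7, 254), CC: (7, 254), DR: (7, 254), DC: (7, 254), DT: (3, 3), ER: (5, 254)}
USER_DATA_RANGE = {CR: (0, 0), CC: (0, 0), DR: (0, 0), DC: (0, 0), DT: (1, 2048), ER: (0, 0)}

CALLING_TSEL, CALLED_TSEL = 0xC1, 0xC2   # ISO 8073 parameter codes in the CR/CC variable part
FIXED_PART = {CR: 6, CC: 6}              # octets between the LI octet and the variable part


class Disconnect(Exception):
    """Raised where the rules above say the connection should be dropped."""


def build_tpkt(tpdu: bytes, version: int = 3) -> bytes:
    """Wrap a TPDU in an RFC-1006 header: version, reserved, 16-bit total length."""
    return struct.pack("!BBH", version, 0, 4 + len(tpdu)) + tpdu


def _variable_params(tpdu: bytes, start: int, end: int):
    """Yield (code, value) for the TLV parameters in tpdu[start:end]."""
    pos = start
    while pos + 2 <= end:
        code, plen = tpdu[pos], tpdu[pos + 1]
        value = tpdu[pos + 2:pos + 2 + plen]
        if len(value) != plen or pos + 2 + plen > end:
            raise Disconnect("parameter runs past the end of the TPDU header")
        yield code, value
        pos += 2 + plen


def check_tpkt(packet: bytes):
    """Validate one TPKT packet holding one TP0 TPDU.

    Returns ("accept", code, user_data) for a TPDU that passed every check,
    ("ignore", code, b"") for ED/AK/EA/RJ, and raises Disconnect otherwise.
    """
    if len(packet) < 4:
        raise Disconnect("truncated RFC-1006 header")
    _version, _reserved, length = struct.unpack("!BBH", packet[:4])
    # 5.4.1.2.1: the version octet is ignored; processing continues as if it were 3.
    if length > TPKT_MAX_LENGTH:
        raise Disconnect(f"RFC-1006 length {length} exceeds {TPKT_MAX_LENGTH}")
    if length != len(packet):
        # Left as a local issue by the page; this example chooses to disconnect.
        raise Disconnect("RFC-1006 length does not match the octets received")
    tpdu = packet[4:]
    if len(tpdu) < 2:
        raise Disconnect("TPDU shorter than LI + code")
    header_len = tpdu[0] + 1            # LI counts the octets that follow it
    code = tpdu[1] & 0xF0
    if code in NOT_IN_TP0:
        return ("ignore", code, b"")
    if code not in HEADER_RANGE:
        raise Disconnect(f"unknown TPDU code 0x{code:02x}")
    lo, hi = HEADER_RANGE[code]
    if not lo <= header_len <= hi or header_len > len(tpdu):
        raise Disconnect(f"header length {header_len} out of range for TPDU 0x{code:02x}")
    user_data = tpdu[header_len:]
    lo, hi = USER_DATA_RANGE[code]
    if not lo <= len(user_data) <= hi:
        raise Disconnect(f"user data length {len(user_data)} out of range for TPDU 0x{code:02x}")
    if code in FIXED_PART:   # CR/CC carry the transport selectors in their variable part
        for pcode, value in _variable_params(tpdu, 1 + FIXED_PART[code], header_len):
            if pcode in (CALLING_TSEL, CALLED_TSEL) and len(value) > TSEL_MAX_LENGTH:
                raise Disconnect(f"TSEL of {len(value)} octets exceeds {TSEL_MAX_LENGTH}")
    return ("accept", code, user_data)


if __name__ == "__main__":
    # Constructed CR: dst-ref 0, src-ref 1, class 0, called TSEL 0001, calling TSEL 0002
    cr = b"\x0e" + b"\xe0\x00\x00\x00\x01\x00" + b"\xc2\x02\x00\x01" + b"\xc1\x02\x00\x02"
    print(check_tpkt(build_tpkt(cr)))
```

A stack that disconnects on every anomaly is easier to reason about than one that tries to resynchronise, which is why the example treats every length inconsistency as a disconnect and reserves "ignore" for the four TPDU types the page singles out.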
Analysis of Substation Network Security Based on IEC 61850

... open system; it advocates interconnecting substation devices and communicating between them over Ethernet.
Ethernet-based integrated solutions have now been proven by the market to have broad application prospects, but the network security problems that come with them are becoming increasingly prominent.
The risk that a substation automation system suffers an illegal network intrusion, and the harm and scope of impact once it has been intruded, both grow with the expansion of the network and the rising level of automation.
Power-system incidents triggered by information security problems have already been reported [2,3].
At present IEC TC57 of the International Electrotechnical Commission has set up working group WG15, which is drafting the corresponding security specification IEC 62351 [4] for the existing substation communication standards; at the same time the CIGRE Study Committee on Protection and Automation (SC B5) has set up a dedicated working group (WG B5.38), which mainly studies threats and attack methods against protection and automation security systems and examines the feasibility and economic benefit of the various network security solutions.
1 Introduction to substation network security

1.1 Network security standards

In 1997 IEC TC57 already recognised that its communication protocols needed accompanying security standards, so a provisional working group was set up to study power-system control and its data communication security and to draft the security standards related to the IEC TC57 communication protocols (IEC 60870-5/6, IEC 61850).
At present IEC TC57 WG15 has drafted the international security standard IEC 62351 (draft) for the main communication protocols used within substations, with the aim of solving the security problems of the power communication field.

1.2 Security threats

IEC 61850 is an open international standard, and substation systems that follow IEC 61850 have advantages over traditional substation systems that nothing else can replace.
IEC 61850 aims to solve the interoperability of devices from different vendors; it specifies the substation network communication protocols in the clear, but provides no security specification for the substation network system.
For the security and reliability of an open substation information system this is clearly a problem that cannot be ignored.
In particular, process-bus data has extremely strict real-time transmission requirements, and a badly chosen security measure can seriously affect the safe and stable operation of the power system.
External network security threats to a substation include illegal interception, interruption, tampering, forgery, malicious programs, improper privilege management and Internet security vulnerabilities.
Threats from insiders [5] are also receiving more and more attention.
Research on Communication Security of Ship Power Systems Based on IEC 62351

Research on Communication Security of Ship Power Systems Based on IEC 62351. Published: 2021-07-31T06:26:18.672Z. Source: 《电力设备》 (Electric Power Equipment), 2021, No. 3. Author: Li Lin. [Summary] Combined with the security solutions provided by this standard, the security of ship power systems can be greatly enhanced from the communication technology perspective.
(Yantai Salvage Bureau, Ministry of Transport) Abstract: As power systems become ever more networked and intelligent, the communication security of power systems is receiving more and more attention.
The security demands on ship power systems have also extended from operation and management to the communication process itself.
In response to the security problems exposed in existing power-system communication protocols, the IEC has proposed the IEC 62351 data and communication security standard.
Based on the latest IEC 62351 standard, this paper focuses on security improvements in the power-system communication process and describes how to improve the communication security of ship power systems.
Keywords: IEC62351; ship power system; communication security

Abstract: Now the network and intelligence of the power system are improving, and the communication security of the power system is getting more and more attention. The safety appeal of ship power system is also gradually extended from operation management to communication process itself. IEC62351 data and communication security standard is proposed by IEC to solve the security problems exposed in the existing communication protocols of power systems. Based on the latest IEC 62351 standard, this paper will focus on the safety improvement in the communication process of power system, and introduce how to improve the communication security of ship power system. Keywords: IEC62351; marine electric power system; communication security

0 Introduction

As the networking and intelligence of ship power systems keep rising, data communication between the main control unit and the various data acquisition and operation units is also becoming more complex.
IEC 62351 Security Hardening Scheme for Substation Secondary Systems

1. Overview

Communication protocols are one of the most critical parts of power-system operation: they retrieve information from field devices and send control commands to them.
Although communication protocols play this critical role, so far very few of them incorporate any security measures.
The lack of protocol security means that once an attacker bypasses the perimeter physical protection and gets directly into the dispatch centre or the substation, the attacker can control field devices directly through the communication protocol.
Safety, security protection and reliability have always been important concerns in system design and operation in the power industry; as substations become intelligent and networked, power systems increasingly depend on the information infrastructure, and computer security in the industry is becoming ever more important.
Generally there are four types of computer security threat: 1) unauthorised access to information; 2) unauthorised modification or theft of information; 3) denial of service; 4) repudiation or lack of accountability.
Correspondingly, computer users or software applications have four basic security requirements: 1) Confidentiality: preventing unauthorised access to information; 2) Integrity: preventing unauthorised modification or theft of information; 3) Availability: preventing denial of service and guaranteeing authorised access to information; 4) Non-repudiation or Accountability: preventing the denial of an action that took place, or the claim that an action took place when it did not.
The figure below shows the relationship between common attack types and security threats. The security threats and security requirements above have corresponding manifestations in power communication protocols: confidentiality means that data encoded and transmitted through the protocol is not eavesdropped on in transit, integrity means that transmitted data cannot be tampered with, and so on.
Specific information-technology means have therefore been developed to meet these security requirements, chiefly encryption, authentication, authorisation and access control, and protection against replay and tampering.
This scheme focuses on the security retrofitting of the IEC 61850 substation protocols to provide the following capabilities:
1) authentication, to minimise the threat of man-in-the-middle attacks;
2) authentication, to minimise certain types of bypass-control threat;
3) authentication, to minimise the threat of unintentional and malicious personnel actions;
4) entity authentication through digital signatures: a) ensuring uniquely authorised access to information; b) supporting the implementation of communication access control;
5) confidentiality of authentication keys through encryption;
6) message confidentiality through encryption, for communicating parties that have the extra resources to handle the extra load;
7) integrity through tamper detection;
8) protection against replay and spoofing.
Existing smart-substation communication consists mainly of the MMS protocol and the GOOSE/SMV protocols. Viewed in terms of network-protocol layering, a complete MMS packet involves all seven layers of the OSI model, whereas GOOSE/SMV data transmission uses only three layers: the physical layer, the link layer and the application layer.
Research on the Application Progress of the Virtual Circuit System of Smart Substations Based on IEC 61850

Research on the Application Progress of the Virtual Circuit System of Smart Substations Based on IEC 61850. Wu Hunying
[Journal] 《通讯世界》 (Telecom World)
[Year (Volume), Issue] 2016 (000) 024
[Abstract] Compared with a traditional substation, the biggest difference of a smart substation is that it removes the hard-wired cable circuits and relies on the communication network to transmit and share information within the station, building a virtual circuit system whose construction standard is IEC 61850. This paper studies the application progress of the smart-substation virtual circuit system in light of its current construction status.
[Pages] 2 pages (P208-209)
[Author] Wu Hunying
[Affiliation] State Grid Fujian Jinjiang Power Supply Company
[Language] Chinese
[CLC number] TM63
Security Management of Automation Communication Networks in Photovoltaic Power Stations

Security Management of Automation Communication Networks in Photovoltaic Power Stations. Published: 2022-10-18T07:40:32.772Z. Source: 《福光技术》 (Fuguang Technology), 2022, No. 21. Authors: Ding Guoping, Zhang Huizhong, Wang Yicheng. [Summary] The purpose of this paper is to explore in depth the security management measures for the automation communication networks of medium- and large-capacity ground-mounted PV generation and its substations, in order to raise the technical level of security management of PV station automation communication networks and provide a reliable guarantee for their secure operation.
Taking a literature review as the theoretical basis, the analysis shows that improving the quality of network security management of the whole internal communication system of the PV station, strengthening the security management of the station's network equipment, and raising the network security management level of the relevant personnel all help to improve the effectiveness of security management of PV station automation communication networks.
Ding Guoping, Zhang Huizhong, Wang Yicheng. PowerChina Huadong Engineering Corporation Limited, Hangzhou, Zhejiang 311122.
Keywords: photovoltaic power station; automation; communication; network security; management

With the development of China's economy, electricity demand has grown rapidly, and clean energy sources such as photovoltaics and wind power, together with the new energy-storage systems that accompany them, have been a main driver of the growth of China's power sector in recent years.
A PV station with a capacity above 100 MW generally consists of a PV generation part and a matching step-up substation part.
Both the PV generation equipment and its 110 kV or 220 kV step-up substation are equipped with advanced automated monitoring systems, network dispatch automation systems and the like.
The automation communication network function is an extremely important function of these systems.
With the construction of intelligent power systems and network communication, the communication network of a power system is more open than a traditional communication system, and access from remote terminals and similar endpoints is becoming more and more convenient.
At the same time this brings security risks such as network viruses, malicious network attacks, malicious remote operation and data alteration.
[Abstract] With the development of information technology, information security in the power industry has become an important issue affecting the stable operation of power systems. The introduction of the IEC 62351 standard provides protection for substation communication systems and network security. Through analysis of IEC 62351 and secure access, this paper proposes building a security model for a typical application of the security standard and designs a security model that provides identity authentication, confidentiality and integrity.
The design of the security model closely follows the requirements of IEC 62351 on data and communication security and complies with the information security mechanisms currently used in power-system automation.
Through the description and analysis of an application example of the model, it is shown that the model can satisfy secure access to and control of substation IEDs in a network environment.
[Keywords] IEC 62351 (power systems data and communication security standard); substation; identity authentication; confidentiality; integrity. [doi: 10.3969/j.issn.1671-9581.2010.03.001] [CLC number] TM76 [Document code] A [Article ID] 1671-9581(2010)03-0001-06

Research on Communication Security of Substation Automation Systems Based on IEC 62351. LONG Lin-de 1, LI Jing 2, LIU Li-li 3 (1. Changsha Telecommunications and Technology Vocational College, Changsha, Hunan 410015; 2. Hunan Branch of the National Computer Network Emergency Response Technical Team/Coordination Center of China, Changsha, Hunan 410004; 3. China Mobile Group Yueyang Branch, Yueyang, Hunan 414000). [Received] 2010-06-09. [Author] LONG Lin-de (1970-), male, from Loudi, Hunan; lecturer at Changsha Telecommunications and Technology Vocational College, master's degree; research interests: communication signal processing and communication networks.
With the ever wider application of computer and network technology in power systems, the negative effects of information technology have begun to reach power systems as well. As hackers and viruses become increasingly prevalent on public networks, traces of hacker activity have also been found in power-system communication networks at home and abroad [1]; at the same time, market-oriented reform of the power industry has greatly increased the number of internal users with potential attack capability and knowledge, so the threat of insider attacks cannot be ignored.
Effectively safeguarding the information security of power dispatch and control systems and their networks has therefore become a very urgent task. This paper studies the security problems of substation automation and dispatch control and proposes a series of solutions [2-4].
However, the current power-system communication standards themselves do not address security, while power-system control genuinely places high demands on information security assurance; the International Electrotechnical Commission is therefore developing the corresponding data and communication security standards.
The IEC 62351 standard being developed by IEC TC57 Working Group 15 covers every aspect of power-system data communication: IEC 62351-3 covers security for profiles that include TCP/IP, IEC 62351-4 covers security for profiles that include MMS, IEC 62351-5 covers security for IEC 60870-5 and its derivative standards, and IEC 62351-6 covers security for the peer-to-peer (real-time) communication protocols of IEC 61850 [5].

Journal of Changsha Telecommunications and Technology Vocational College, Vol. 9 No. 3, Sep. 2010

Research on communication security of substation automation system based on IEC 62351. LONG Lin-de 1, LI Jing 2, LIU Li-li 3 (1. Changsha Telecommunications and Technology Vocational College, Changsha, Hu'nan, China 410015; 2. Hunan Branch of National Computer Network Emergency Response Technical Team/Coordination Center of China, Changsha, Hu'nan, China 410004; 3. China Mobile Group Yueyang Branch, Yueyang, Hu'nan, China 414000)
Abstract: With the development of information technology, the information security of power industry has become a serious problem which could impact the stability of power system. The release of IEC 62351 gives guarantee for substation communication system and network. We propose a security model for the standard typical application by analyzing IEC 62351 and security access. The model includes authentication, confidentiality and integrity. The design of this model is tightly associated with IEC 62351 and complies with the existing information security mechanism of power system automation. The model can be used in IED security access and control of the substation under network by analyzing example.
Keywords: IEC 62351; substation; authentication; confidentiality; integrity
These security standards differ in their security measures and techniques because the protocols they serve have different security needs.
For Parts 3 and 4, and for the TCP/IP-based network communication part of Part 5 (IEC 60870-5-104 and DNP3.0), the security measures include authentication, confidentiality and integrity.
Targeting the many protocols used in power-system communication, and combining the secure-access requirements that the IEC 61850 standard [6] places on power systems, this paper designs a security model for a typical application of the IEC 62351 security standard and describes its application flow in detail.

1 The IEC 62351 standard and access security

IEC 62351 states that in a network environment, power-system communication security comprises identity authentication, confidentiality and integrity.
When a user accesses and operates a substation IED, a strict secure-access policy must be enforced; IEC 61850 requires the use of virtual access views to implement IED access security.
Reference [7] points out that secure access in substation automation requires authenticating the client's identity when the application association is set up and enforcing an access control policy; depending on the security level, the authentication parameters can be passwords, certificates or other means.
To meet the security needs of user access, this paper uses certificates to authenticate clients.
IEC 62351 states that when the client establishes a connection with the server, the client's identity must be authenticated first: the client sends its authentication parameters to the server, which verifies its identity. The authentication parameters designed in this paper take the form of certificates; this is the foundation of secure substation access.
In addition, the IEC 62351 requirements on the confidentiality and integrity of data communication are the safeguard of secure access in substation automation.
Combined with the IEC 61850 standard, this paper achieves secure access control of substation IEDs in a network environment.
2 Analysis of the related security technologies

2.1 Communication security technologies

For identity authentication in substation network communication, and for the confidentiality and integrity of the data transferred, this paper uses the Handshake Protocol and the Record Protocol [8] respectively.

2.1.1 Handshake Protocol

The main task of the Handshake Protocol is the mutual authentication of client and server and the negotiation of the cryptographic methods and encryption/decryption keys that secure access requires during client-server communication.
It does three main things: (1) Negotiating the encryption algorithm: client and server each select a suitable encryption algorithm, which the subsequent information exchange uses.
(2) Mutual authentication: the client submits a certificate to the server; this certificate includes the authentication parameters used to verify the legitimacy of its identity and an attribute certificate that binds the user's identity to its attributes [7].
The subsequent access control uses this attribute certificate.
(3) Client and server exchange random numbers and a special number (called the Pre-Master Secret).
These numbers, together with other material that client and server have both agreed on, produce a shared secret called the Master Secret; the Master Secret is then used to produce the Write MAC Secret (a session key used for hashing) and the Write Key (a session key used for encryption).

2.1.2 Record Protocol

The Record Protocol is responsible for transferring the data and for the confidentiality and integrity of that data.
Its main functions are shown in Figure 1.
Figure 1: Record Protocol flow. Main functions: (1) Sender: fragment the data, splitting the data the sender needs to send; compress the data, applying a suitable compression method to the fragments; encrypt the data, where a MAC can be appended to the data before it is encrypted with the encryption algorithm.
(2) Receiver: decrypt the data, verify the MAC, decompress, and reassemble the data.
Its work is the reverse of the sender's process.
Through the above process, the confidentiality and integrity of the data during communication can be guaranteed.
The receiver determines whether the data was tampered with in transit by verifying the MAC, which establishes the integrity of the data.
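To make the key derivation of 2.1.1 and the sender/receiver flow of Figure 1 concrete, here is an added Python example; it is not the paper's code and it is not TLS itself. The PRF, the counter-mode keystream and the record layout are simplified stand-ins built from HMAC-SHA256 so that the example runs on the standard library alone; the handshake values (Pre-Master Secret and both random numbers) are constructed constants, and compression is omitted. What it does show is the order the paper describes: Pre-Master Secret plus randoms give the Master Secret, which gives the Write MAC Secret and Write Key; the sender fragments, MACs and encrypts; the receiver decrypts, verifies the MAC and reassembles, and any altered or reordered record is rejected.

```python
import hashlib
import hmac
import struct

MAC_LEN = 32  # HMAC-SHA256 tag appended to every fragment


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """HMAC-SHA256 expansion in the style of a TLS P_hash (simplified stand-in)."""
    out, a = b"", label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:length]


def derive_session_keys(pre_master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Handshake step (3): Pre-Master Secret + randoms -> Master Secret -> session keys."""
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    block = prf(master, b"key expansion", server_random + client_random, 64)
    return {"master_secret": master,
            "write_mac_secret": block[:32],   # session key used for the MAC
            "write_key": block[32:64]}        # session key used for encryption


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; stands in for the negotiated cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(keys: dict, seq: int, fragment: bytes) -> bytes:
    """Sender: MAC over (sequence number || fragment), then encrypt fragment || MAC."""
    seq_bytes = struct.pack("!Q", seq)
    tag = hmac.new(keys["write_mac_secret"], seq_bytes + fragment, hashlib.sha256).digest()
    body = fragment + tag
    stream = _keystream(keys["write_key"], seq_bytes, len(body))
    return seq_bytes + bytes(p ^ k for p, k in zip(body, stream))


def unprotect(keys: dict, expected_seq: int, record: bytes) -> bytes:
    """Receiver: check order, decrypt, verify MAC; raises ValueError on any failure."""
    seq_bytes, ciphertext = record[:8], record[8:]
    if seq_bytes != struct.pack("!Q", expected_seq):
        raise ValueError("record out of sequence (reordered or replayed)")
    if len(ciphertext) < MAC_LEN:
        raise ValueError("record too short to carry a MAC")
    stream = _keystream(keys["write_key"], seq_bytes, len(ciphertext))
    body = bytes(c ^ k for c, k in zip(ciphertext, stream))
    fragment, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(keys["write_mac_secret"], seq_bytes + fragment, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed: data was altered in transit")
    return fragment


def send_records(keys: dict, data: bytes, max_fragment: int = 2 ** 14) -> list:
    """Sender side of Figure 1: fragment, then protect each fragment (compression omitted)."""
    fragments = [data[i:i + max_fragment] for i in range(0, len(data), max_fragment)] or [b""]
    return [protect(keys, seq, frag) for seq, frag in enumerate(fragments)]


def receive_records(keys: dict, records: list) -> bytes:
    """Receiver side: decrypt and verify each record in order, then reassemble."""
    return b"".join(unprotect(keys, seq, rec) for seq, rec in enumerate(records))


if __name__ == "__main__":
    # Constructed handshake values; real ones come from the Handshake Protocol exchange.
    keys = derive_session_keys(b"\x11" * 48, b"\x01" * 32, b"\x02" * 32)
    records = send_records(keys, b"MMS request " * 8, max_fragment=32)
    print(len(records), "records;", receive_records(keys, records) == b"MMS request " * 8)
```

The sequence number is both MACed and used as the nonce, so a record that is replayed or delivered out of order fails before its MAC is even checked; that is the property the paper relies on when it says the receiver establishes integrity by verifying the MAC.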
2.2 Access security technologies

According to the IEC 61850 standard, the access control policy is enforced by means of virtual access views; a virtual access view defines the set of objects a user may access, including access control over the objects and their attributes.
Generating the virtual access view is therefore the key to access security.
Because of the dynamic nature of virtual access views [9], this paper introduces role-based access control (RBAC).
Role-based access control [10] introduces the role as an intermediary: the system administrator defines roles as needed and sets suitable access permissions for them, and users are assigned roles according to their qualifications and responsibilities.
This achieves a logical separation between subjects and access permissions.
In general the role/permission relationship is relatively stable; when a user's responsibilities change, only the subject/role relationship needs adjusting.
The advantage of this approach is that the IED access configuration can stay relatively fixed; when access …

Figure 2: IED communication security model in a network communication environment

The secure interface unit provides the external communication interface and consists of five parts: identity authentication, permission resolution, secure data processing, cryptographic computation and the certificate store. The security processing and computation in the module are performed by a TPM.
When a user accesses the system, the client first submits its public-key certificate; on receiving the access request, the identity authentication module uses the CA root certificate and the certificate revocation list from the certificate store to verify the user's public-key certificate and confirm its authenticity.
After authentication succeeds, the attribute certificate is passed to the permission resolution module, which uses the AA public-key certificate from the certificate store to verify the user's attribute certificate and confirm its authenticity, parses the user's role out of it, retrieves from the certificate store the attribute certificate that corresponds to that role, obtains the user's set of access permissions, and from this generates the virtual access view that IEC 61850 requires, which controls the user's access to the data objects.
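The step in which the permission resolution module turns a role into a virtual access view is the part of 2.2 that is easiest to get wrong, so here is an added Python example of it; it is not the paper's implementation. The IED data model, the roles, the role/permission table and the subject/role table are all assumed for illustration (the references follow the IEC 61850 LD/LN.DO.DA naming convention and the functional constraints ST, MX, CO, CF and SG are the standard ones), and the role is taken from a plain table rather than from a verified attribute certificate, which is where the paper's model obtains it. The view is built by expanding the role's permissions over the data model, and the decision function denies anything the view does not list; reassigning a subject's role leaves the role/permission table untouched, which is the separation the paper describes.

```python
from fnmatch import fnmatchcase

# Constructed IED data model: data attribute reference -> functional constraint (FC)
IED_MODEL = {
    "CTRL/XCBR1.Pos.stVal": "ST",          # breaker position, status
    "CTRL/XCBR1.Pos.ctlVal": "CO",         # breaker open/close control
    "CTRL/XCBR1.Pos.ctlModel": "CF",       # control model configuration
    "MEAS/MMXU1.A.phsA.cVal.mag.f": "MX",  # phase A current measurement
    "PROT/PTOC1.StrVal.setMag.f": "SG",    # overcurrent pickup setting
}

# Assumed role -> permission table. A permission is (reference pattern, FC or "*", operation);
# this relation is the stable one that the administrator maintains.
ROLE_PERMISSIONS = {
    "viewer":   {("*", "ST", "read"), ("*", "MX", "read")},
    "operator": {("*", "ST", "read"), ("*", "MX", "read"), ("CTRL/*", "CO", "operate")},
    "engineer": {("*", "*", "read"), ("*", "CF", "write"), ("*", "SG", "write")},
}

# Assumed subject -> role assignment. The paper's model reads the role from a verified
# attribute certificate instead; a plain table is used here so the example runs offline.
USER_ROLES = {"alice": ["viewer"], "bob": ["operator"]}


def build_access_view(roles):
    """Expand the roles' permissions over the IED model into a virtual access view:
    a dict mapping each visible reference to the set of operations permitted on it.
    Objects that no role grants access to are absent from the view entirely."""
    view = {}
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        for pattern, fc, operation in ROLE_PERMISSIONS[role]:
            for ref, ref_fc in IED_MODEL.items():
                if fnmatchcase(ref, pattern) and fc in ("*", ref_fc):
                    view.setdefault(ref, set()).add(operation)
    return view


def access_view_for(user):
    """Virtual access view for a subject; an unknown subject gets an empty view."""
    return build_access_view(USER_ROLES.get(user, []))


def is_allowed(view, ref, operation):
    """Decision point: permit only what the view lists explicitly, deny everything else."""
    return operation in view.get(ref, set())


def assign_roles(user, roles):
    """Responsibility change: adjust only the subject/role relation; role/permission stays fixed."""
    USER_ROLES[user] = list(roles)


if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        view = access_view_for(user)
        print(user, sorted((ref, sorted(ops)) for ref, ops in view.items()))
        print("  operate breaker:", is_allowed(view, "CTRL/XCBR1.Pos.ctlVal", "operate"))
```

Because the view is computed rather than stored per user, a new data object added to the IED model becomes visible to exactly the roles whose patterns cover it, and a revoked role assignment removes every object that role granted the next time the view is built.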