🔥🔥 Don’t Miss Out on Our End of Autumn Sale. If you have any questions, feel free to click the bottom right corner to contact our customer service..

Concat us[email protected]
Shopping Cart

No products in the cart.

🔍
BSI PD IEC TR 62351-90-1:2018

BSI PD IEC TR 62351-90-1:2018

$167.15

Power systems management and associated information exchange. Data and communications security – Guidelines for handling role-based access control in power systems

Published By Publication Date Number of Pages
BSI 2018 40
PDF Format Searchable Printable Preview Now
Guaranteed Safe Checkout
Category:

If you have any questions, feel free to reach out to our online customer service team by clicking on the bottom right corner. We’re here to assist you 24/7.
Email:[email protected]

This part of IEC 62351, which is a technical report, addresses the handling of access control of users and automated agents to data objects in power systems by means of role-based access control (RBAC) as defined in IEC TS 62351-8. IEC TS 62351-8 defines three different profiles to distribute role information and also defines a set of mandatory roles to be supported. Adoption of RBAC has shown that the defined mandatory roles are not always sufficient and it is recommended that the method for defining custom roles be standardized to ensure interoperability. Hence, the main focus of this document lies in developing a standardized method for defining and engineering custom roles, their role-to-right mappings and the corresponding infrastructure support needed to utilize these custom roles in power systems. This is achieved by defining categories and sub level categories, which provide a distinction of actions, connected with dedicated rights as well as a proposal for a format to distribute the custom role-to-right mappings. Moreover, a format is being proposed to distribute the information on custom defined roles and associated rights by utilizing XACML as an established standard for access control.

Besides the discussion of handling custom roles, this document also addresses the following issues:

  • Providing recommendations and/or examples for role-right-operation and (object) association to ensure interoperability from operational and developers point of view.

  • Providing mechanisms and rules to avoid overloading of existing roles by allowing for an aligned way to define new (custom) roles.

  • Easing the administration of roles in IEDs from a device management point of view:

    • Allowing for centralized assignment of roles, by maintaining the same associations on device/application level.

    • Avoiding the definition of role-right-operation on command level to cope with diverse application environment of IEC TS 62351-8 (e.g. IED, substation level, control centre, SCADA).

  • Enhancing available constraints for acting in a specific role considering the local environment with respect to operational constraints.

PDF Catalog

PDF Pages PDF Title
2 undefined
4 CONTENTS
6 FOREWORD
8 INTRODUCTION
9 1 Scope
2 Normative references
10 3 Terms, definitions and abbreviated terms
3.1 Terms and definitions
3.2 Abbreviated terms
11 4 Overview
4.1 General
12 4.2 Current definitions from IEC TS 62351-8
13 Figures
Figure 1 – Scope of RBAC as defined in IEC TS 62351-8
Tables
Table 1 – Pre-defined roles in IEC TS 62351-8
14 4.3 Example standards and guidelines requiring RBAC
4.3.1 General
4.3.2 BDEW Whitepaper
4.3.3 IEEE 1686
15 4.3.4 ISO/IEC 27019
4.3.5 IEC 62443
16 4.3.6 NERC CIP
4.3.7 BSI TR 03109
4.3.8 Further requirements
5 Categorization of actions to ease the definition of custom roles
5.1 General
17 5.2 Main category overview
Figure 2 – Main categories
18 5.3 Category: Administration
Figure 3 – Level structure of categories (example)
Table 2 – Subcategories for administration
19 5.4 Category: Provisioning
5.5 Category: Operation
Table 3 – Subcategories for provisioning
Table 4 – Subcategories for operation
20 5.6 Category: Audit
6 RBAC Operation
6.1 General
6.2 Synchronous versus asynchronous RBAC operation
Table 5 – Subcategories for audit
21 6.3 Role changes during a communication session
6.4 Application of RBAC under specific circumstances
Figure 4 – Online engineering session (synchronous)
23 Figure 5 – Enhancement of the RBAC approach with operational constraints
24 7 Information exchange of defined custom roles and associated rights
7.1 General
7.2 Encoding and exchange of custom Role Definitions
Figure 6 – XACML Overview
25 Figure 7 – Terminating XACML at the IED directly
26 Figure 8 – Terminating XACML at the security engineering tool
27 7.3 Encoding and exchange of IEC TS 62351-8 defined roles
Figure 9 – XACML policy file mapping
31 7.4 User defined roles
7.4.1 Usage
7.4.2 Example
Table 6 – User defined role definition
32 7.5 Role polymorphism
7.5.1 Encoding in XACML
33 7.5.2 Examples
Figure 10 – AoR decision point
35 Figure 11 – Role polymorphism decision point
37 7.6 Roles to rights mapping data
38 Bibliography

Related products

BSI PD IEC TR 62351-90-1:2018
$167.15