EN IEC 62351-6:2020

Power systems management and associated information exchange - Data and communications security
4.1 Operational issues affecting choice of security options
For applications using Layer 2 IEC 61850-8-1 GOOSE and Layer 2 IEC 61850-9-2 Sampled Value and requiring 3 ms response times, multicast configurations and low CPU overhead, encryption is not recommended. Instead, the communication path selection process (e.g. the fact that Layer 2 GOOSE and SV are supposed to be restricted to a logical substation LAN) shall be used to provide confidentiality for information exchanges. However, this document does define a mechanism for allowing confidentiality for applications where the 3 ms delivery criterion is not a concern.
NOTE The actual performance characteristics of an implementation claiming conformance to this technical specification are outside the scope of this document.
5.5 Using OriginatorID for Client/Server Services
There are several Common Data Classes (CDCs) defined in IEC 61850-7-3 and service tracking functions that explicitly define the ability to provide information about the originator of the control or service. The actual value representing the initiating entity in both IEC 61850-8-1 and IEC 61850-8-2 is originatorID and is a 64-octet octetstring.
The use of certificate-based authentication and security provides a mechanism for providing authoritative information regarding the originator. However, the size restriction of originatorID is not large enough to provide exposure of the Issuer and Serial Number. Therefore, implementations claiming conformance to this standard shall implement the optional DataAttribute certIssuer in the instance to the IEC 61850-7-3 CDCs of: CST, BTS, UTS, LTS, GTS, MTS, NTS, and STS.
The use of the value of the certIssuer Data Attribute follows:
● The value shall be a concatenation of the sequence of name values that may be present in the Issuer field. If there is more than one name in the sequence, the concatenation token shall be the “\” character, i.e. have a zero (0) length value if the client association is not authenticated.
● Have the value of the X.509 Issuer Name for a client association that is authenticated.
● If the concatenated value is greater than 255 characters, the value shall be truncated to 255 characters.
● If the client association was not authenticated through the use of certificates, the length of the certIssuer shall be zero (0) and therefore the value shall be NULL. All octets in the value shall be initialized to 0.
Implementations claiming conformance to this standard shall also utilize the originatorID Data Attribute as follows:
● If the certIssuer value is not NULL, the value of the X.509 certificate serial number shall be used for the value for client associations that have been authenticated by use of a certificate. A certificate serial number is an encoded positive integer value. The encoded value shall be copied into the originatorID value, not including the tag or length.
● If the certIssuer value is NULL, the value of the originatorID may be "unknown" with “u” being the most significant octet of the value. Other values are a local issue.
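
The derivation of certIssuer and originatorID described in 5.5, as an added example that is not text or code from the standard. The function names and sample values are constructed; the caller is assumed to have already extracted the issuer name values (in sequence order) and the serial number (as an integer) from the validated client certificate.

```python
from typing import Optional, Sequence, Tuple

CERT_ISSUER_MAX = 255    # characters; longer values are truncated
ORIGINATOR_ID_MAX = 64   # octets available in originatorID


def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER (tag and length omitted)."""
    if value <= 0:
        raise ValueError("serial number must be a positive integer")
    # One extra octet when bit_length is a multiple of 8 keeps the top bit
    # clear, so the encoding still reads as a positive integer.
    return value.to_bytes(value.bit_length() // 8 + 1, "big")


def cert_issuer(issuer_names: Optional[Sequence[str]]) -> str:
    """Issuer name values joined with a backslash, truncated to 255 chars."""
    if not issuer_names:   # association not authenticated by certificate
        return ""          # zero-length (NULL) certIssuer
    return "\\".join(issuer_names)[:CERT_ISSUER_MAX]


def originator_fields(issuer_names: Optional[Sequence[str]],
                      serial: Optional[int]) -> Tuple[str, bytes]:
    """Return (certIssuer, originatorID) for one client association."""
    issuer = cert_issuer(issuer_names)
    if not issuer:
        # "unknown" is permitted, not required; "u" is the first octet.
        return issuer, b"unknown"
    if serial is None:
        raise ValueError("authenticated association needs a serial number")
    originator_id = der_integer_content(serial)
    if len(originator_id) > ORIGINATOR_ID_MAX:
        raise ValueError("serial number does not fit in originatorID")
    return issuer, originator_id


# Constructed sample values, not taken from any real certificate.
SAMPLE_ISSUER = ["Example Utility", "Substation PKI", "Example Issuing CA"]
SAMPLE_SERIAL = 0x8A3F01
```

The leading 0x00 octet that appears for serial numbers whose top bit is set is part of the encoded value and is copied with it, so a log consumer comparing originatorID against a certificate inventory should compare the encoded octets rather than a stripped hex string.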
