Current IEC 62351-3:2023
Power systems management and associated information exchange - Data and communications security - Part 3: Communication network and system security - Profiles including TCP/IP
Publication date: 2023-06-06
IEC 62351-3:2023 specifies how to provide confidentiality, integrity protection, and message level authentication for protocols that make use of TCP/IP as a message transport layer and utilize Transport Layer Security when cyber-security is required. This may relate to SCADA and telecontrol protocols, but also to additional protocols if they meet the requirements in this document.
IEC 62351-3 specifies how to secure TCP/IP-based protocols through constraints on the specification of the messages, procedures, and algorithms of Transport Layer Security (TLS) (TLSv1.2 defined in RFC 5246, TLSv1.3 defined in RFC 8446). In the specific clauses, there will be subclauses to note the differences and commonalities in the application depending on the target TLS version. The use and specification of intervening external security devices (e.g., "bump-in-the-wire") are considered out-of-scope.
In contrast to previous editions of this document, this edition is self-contained in terms of completely defining a profile of TLS. Hence, it can be applied directly, without the need to specify further TLS parameters, except the port number, over which the communication will be performed. Therefore, this part can be directly utilized from a referencing standard and can be combined with further security measures on other layers. Providing the profiling of TLS without the need for further specifying TLS parameters allows declaring conformity to the described functionality without the need to involve further IEC 62351 documents.
This document is intended to be referenced as a normative part of other IEC standards that have the need for providing security for their TCP/IP-based protocol exchanges under similar boundary conditions. However, it is up to the individual protocol security initiatives to decide if this document is to be referenced.
The document also defines security events for specific conditions, which support error handling, security audit trails, intrusion detection, and conformance testing. Any action of an organization in response to events relating to an error condition described in this document is beyond the scope of this document and is expected to be defined by the organization’s security policy.
This document reflects the security requirements of the IEC power systems management protocols. Should other standards bring forward new requirements, this document may need to be revised.
This second edition cancels and replaces the first edition published in 2014, Amendment 1:2018 and Amendment 2:2020. This edition constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous edition:
a) Inclusion of the TLSv1.2 related parameters required in IEC 62351-3 Ed.1.2 to be specified by the referencing standard. This comprises the following parameters:
• Mandatory TLSv1.2 cipher suites to be supported.
• Specification of session resumption parameters.
• Specification of session renegotiation parameters.
• Revocation handling using CRL and OCSP.
• Handling of security events.
b) Inclusion of a TLSv1.3 profile to be applicable for the power system domain in a similar way as for TLSv1.2 sessions.
Development information
Responsible committee: TC 57
Similar standards/plans/regulations
Current
BS PD IEC TR 62351-90-3-2021
Power systems management and associated information exchange. Data and communications security-Guidelines for network and system management
2021-03-18
Current
BS DD IEC/TS 62351-2-2008
Power systems management and associated information exchange. Data and communications security-Glossary of terms
2009-06-30
Current
IEC 62351-2024 SER
Power systems management and associated information exchange - Data and communications security - ALL PARTS
2016-04-07
Current
BS EN 62351-7-2017
Power systems management and associated information exchange. Data and communications security-Network and System Management (NSM) data object models
2018-01-15
Current
BS EN IEC 62351-8-2020
Power systems management and associated information exchange. Data and communications security-Role-based access control for power system management
2020-07-02
Current
BS PD IEC/TR 62357-1-2016
Power systems management and associated information exchange-Reference architecture
2016-11-18
Current
BS EN IEC 62351-6-2020
Power systems management and associated information exchange. Data and communications security-Security for IEC 61850
2020-12-09
Current
BS PD IEC/TR 62351-10-2012
Power systems management and associated information exchange. Data and communications security-Security architecture guidelines
2012-10-12
Current
BS EN 62351-11-2017
Power systems management and associated information exchange. Data and communications security-Security for XML documents
2017-02-28
Current
KS C IEC 62351-7
Power systems management and associated information exchange - Data and communications security - Part 7: Network and system management (NSM) data object models
2020-10-20
Current
IEC 62351-7-2017
Power systems management and associated information exchange - Data and communications security - Part 7: Network and System Management (NSM) data object models
2017-07-18
Current
GB/Z 25320.7-2015
Power systems management and associated information exchange—Data and communications security—Part 7: Network and system management (NSM) data object models
2015-05-15
Current
KS C IEC 62351-2
Power systems management and associated information exchange - Data and communications security - Part 2: Glossary of terms
2020-12-18
Current
IEC TS 62351-2-2008
Power systems management and associated information exchange - Data and communications security - Part 2: Glossary of terms
2008-08-19
Current
BS EN IEC 62351-4-2018+A1-2020
Power systems management and associated information exchange. Data and communications security-Profiles including MMS and derivatives
2020-10-31
Current
GB/Z 25320.2-2013
Power systems management and associated information exchange - Data and communications security - Part 2: Glossary of terms
2013-02-07
Current
IEC TR 62351-90-3-2021
Power systems management and associated information exchange - Data and communications security - Part 90-3: Guidelines for network and system management
2021-03-11
Current
KS C IEC 62351-9
Power systems management and associated information exchange - Data and communications security - Part 9: Cyber security key management for power system equipment
2021-12-24
Current
IEC 62351-8-2020
Power systems management and associated information exchange - Data and communications security - Part 8: Role-based access control for power system management
2020-04-28
Current
IEC 62351-9-2023
Power systems management and associated information exchange - Data and communications security - Part 9: Cyber security key management for power system equipment
2023-06-06