IEC 62351-9:2023 (status: current)
Power systems management and associated information exchange - Data and communications security - Part 9: Cyber security key management for power system equipment
Publication date: 2023-06-06
IEC 62351-9:2023 specifies cryptographic key management, primarily focused on the management of long-term keys, which are most often asymmetric key pairs, such as public-key certificates and their corresponding private keys. Because certificates form the basis of many security services, this document lays the foundation for many IEC 62351 services (see also Annex A). Symmetric key management is also considered, but only with respect to session keys for group-based communication as applied in IEC 62351-6. The objective of this document is to define the requirements and technologies needed to achieve interoperability of key management by specifying or limiting the key management options to be used.
This document assumes that an organization (or group of organizations) has defined a security policy to select the type of keys and cryptographic algorithms that will be utilized, which may have to align with other standards or regulatory requirements. This document therefore specifies only the management techniques for these selected key and cryptography infrastructures. This document assumes that the reader has a basic understanding of cryptography and key management principles.
The requirements for the management of pairwise symmetric (session) keys in the context of communication protocols are specified in the parts of IEC 62351 that utilize or specify pairwise communication, such as:
• IEC 62351-3 for TLS, by profiling the TLS options
• IEC 62351-4 for application-layer end-to-end security
• IEC TS 62351-5 for the application-layer security mechanism for IEC 60870-5-101/104 and IEEE 1815 (DNP3)
The requirements for the management of symmetric group keys in the context of power system communication protocols are specified in IEC 62351-6, which utilizes group security to protect GOOSE and SV communication. IEC 62351-9 utilizes GDOI, the group-based key management protocol already specified by the IETF, to manage the group security parameters, and extends that protocol to carry the security parameters for GOOSE, SV, and PTP.
This document also defines security events for specific conditions that could identify issues requiring error handling. However, the actions an organization takes in response to these error conditions are beyond the scope of this document and are expected to be defined by the organization's security policy.
In the future, as public-key cryptography becomes endangered by the evolution of quantum computers, this document will also consider post-quantum cryptography to a certain extent. Note that at this time no specific measures are provided.
This second edition cancels and replaces the first edition published in 2017. This edition constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous edition:
a) Certificate components and verification of the certificate components have been added;
b) GDOI has been updated to include findings from interop tests;
c) GDOI operation considerations have been added;
d) GDOI support for PTP (IEEE 1588) has been added as specified by the IEC/IEEE 61850-9-3 Power Profile;
e) Cyber security event logging has been added as well as the mapping to IEC 62351-14;
f) Annex B with background on utilized cryptographic algorithms and mechanisms has been added.
Development information
Responsible committee: TC 57
Similar standards, plans and regulations (status, identifier, title, publication date):
Current: BS PD IEC TR 62351-90-3-2021, Power systems management and associated information exchange. Data and communications security - Guidelines for network and system management, 2021-03-18
Current: BS DD IEC/TS 62351-2-2008, Power systems management and associated information exchange. Data and communications security - Glossary of terms, 2009-06-30
Current: IEC 62351-2024 SER, Power systems management and associated information exchange - Data and communications security - ALL PARTS, 2016-04-07
Current: BS EN 62351-7-2017, Power systems management and associated information exchange. Data and communications security - Network and System Management (NSM) data object models, 2018-01-15
Current: BS EN IEC 62351-8-2020, Power systems management and associated information exchange. Data and communications security - Role-based access control for power system management, 2020-07-02
Current: BS PD IEC/TR 62357-1-2016, Power systems management and associated information exchange - Reference architecture, 2016-11-18
Current: BS EN 62351-11-2017, Power systems management and associated information exchange. Data and communications security - Security for XML documents, 2017-02-28
Current: BS EN IEC 62351-6-2020, Power systems management and associated information exchange. Data and communications security - Security for IEC 61850, 2020-12-09
Current: BS PD IEC/TR 62351-10-2012, Power systems management and associated information exchange. Data and communications security - Security architecture guidelines, 2012-10-12
Current: IEC 62351-7-2017, Power systems management and associated information exchange - Data and communications security - Part 7: Network and System Management (NSM) data object models, 2017-07-18
Current: KS C IEC 62351-7, Power systems management and associated information exchange - Data and communications security - Part 7: Network and system management (NSM) data object models, 2020-10-20
Current: GB/Z 25320.7-2015, Power systems management and associated information exchange - Data and communications security - Part 7: Network and system management (NSM) data object models, 2015-05-15
Current: BS EN IEC 62351-4-2018+A1-2020, Power systems management and associated information exchange. Data and communications security - Profiles including MMS and derivatives, 2020-10-31
Current: IEC TS 62351-2-2008, Power systems management and associated information exchange - Data and communications security - Part 2: Glossary of terms, 2008-08-19
Current: KS C IEC 62351-2, Power systems management and associated information exchange - Data and communications security - Part 2: Glossary of terms, 2020-12-18
Current: GB/Z 25320.2-2013, Power systems management and associated information exchange - Data and communications security - Part 2: Glossary of terms, 2013-02-07
Current: IEC TR 62351-90-3-2021, Power systems management and associated information exchange - Data and communications security - Part 90-3: Guidelines for network and system management, 2021-03-11
Current: IEC 62351-8-2020, Power systems management and associated information exchange - Data and communications security - Part 8: Role-based access control for power system management, 2020-04-28
Current: KS C IEC 62351-9, Power systems management and associated information exchange - Data and communications security - Part 9: Cyber security key management for power system equipment, 2021-12-24
Current: BS PD IEC TR 62351-90-2-2018, Power systems management and associated information exchange. Data and communications security - Deep packet inspection of encrypted communications, 2018-10-05