ДСТУ IEC/TS 62351-8:2016 Керування енергетичними системами та пов`язаний із ним інформаційний обмін. Безпека даних та комунікацій. Частина 8. Керування доступом із використанням ролей (IEC/TS 62351-8:2011, ID...

НАЦІОНАЛЬНИЙ СТАНДАРТ УКРАЇНИ

IEC/TS 62351-8:2011

POWER SYSTEMS MANAGEMENT AND ASSOCIATED INFORMATION EXCHANGE — DATA AND COMMUNICATIONS SECURITY

Part 8: Role-based access control

ДСТУ IEC/TS 62351-8:2016

КЕРУВАННЯ ЕНЕРГЕТИЧНИМИ СИСТЕМАМИ ТА ПОВ’ЯЗАНИЙ ІЗ НИМ ІНФОРМАЦІЙНИЙ ОБМІН.

БЕЗПЕКА ДАНИХ ТА КОМУНІКАЦІЙ

Частина 8. Керування доступом із використанням ролей

(IEC/TS 62351-8:2011, IDT)

 

Київ

   
(ДП «УкрНДНЦ»)

 2016

 

CONTENTS

Foreword

Introduction

1 Scope

2 Normative references

3 Terms, definitions and abbreviations

3.1 Terms and definitions

3.2 Abbreviations

4 RBAC process model

4.1 General

4.2 Separation of subjects, roles, and rights

4.2.1 General

4.2.2 Subject assignment

4.2.3 Role assignment

4.2.4 Right assignment

4.3 Criteria for defining roles

4.3.1 Policies

4.3.2 User, roles, and rights

4.3.3 Introducing roles reduces complexity

5 Definition of roles

5.1 Role-to-right assignment inside the object in general

5.1.1 General

5.1.2 Number of supported rights

5.1.3 Number of supported roles

5.1.4 Flexibility of role-to-right mapping

5.2 Role-to-right assignment with respect to power systems

5.2.1 Mandatory roles and rights for logical-device access control

5.2.2 Power utility automation - IEC 61850

5.2.3 СІМ-IEC 61968

5.2.4 AMI

5.2.5 DER

5.2.6 Markets

5.3 Role-to-right assignment with respect to other non-power system domains (e.g. industrial process control)

6 General architecture for the PUSH model

6.1 General

6.2 Secure access to the LDAP-enabled service

7 General architecture for the PULL model

7.1 General

7.2 Secure access to the LDAP-enabled service

7.3 LDAP directory organization

8 General application of RBAC access token

8.1 General

8.2 Session based approach

8.3 Message based approach

9 Definition of access tokens

9.1 General

9.2 Supported profiles

9.3 Identification of access token

9.4 General structure of the access tokens

9.4.1 Mandatory fields in the access tokens

9.4.2 Mandatory profile-specific fields

9.4.3 Optional fields in the access tokens

9.4.4 Definition of specific fields

9.5 Specific structure of the access tokens

9.5.1 Profile A: X.509 ID certificate

9.5.2 Profile В: X.509 attribute certificate

9.5.3 Profile C: Software token

9.6 Distribution of the access tokens

10 Transport profiles

10.1 Usage in TCP-based protocols

10.2 Usage in non-Ethernet based protocols

11 Verification of access tokens

11.1 Normative part

11.1.1 General

11.1.2 Access token authenticity

11.1.3 Time period

11.1.4 Access token integrity

11.2 Optional part

11.3 Revocation methods

11.3.1 General

11.3.2 Supported methods

12 Interoperability

12.1 General

12.2 Supported access tokens

12.3 How to ensure backward compatibility

12.4 How to extend the list of roles and rights

12.5 How to map this specification to specific authorization mechanisms

Bibliography

Figure 1 - Generic framework for access control

Figure 2 - Diagram of RBAC with static and dynamic separation of duty according to (ANSI INCITS 359-2004)

Figure 3 - User, roles, rights and operations

Figure 4 - Schematic view of authorization mechanism based on RBAC

Figure 5 - Schematic view of authorization mechanism based on RBAC PULL model

Figure 6 - Session based RBAC approach

Table 1 - List of pre-defined role-to-right assignment

Table 2 - List of mandatory pre-defined rights

Table 3 - Pre-defined roles

Table 4 - Mandatory role-to-right mapping for service access control

Table 5 - The ALLOW right

Table 6 - The DENY right

Table 7 - VIEW right and associated ASCI services

Table 8 - Mapping between ID and attribute sertificate