IEC TR 62351-90-3
Edition 1.0 2021-03
TECHNICAL REPORT

Power systems management and associated information exchange - Data and communications security - Part 90-3: Guidelines for network and system management

IEC TR 62351-90-3:2021-03(en)

THIS PUBLICATION IS COPYRIGHT PROTECTED
Copyright © 2021 IEC, Geneva, Switzerland

copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or your local IEC member National Committee for further information.

IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Tel.: +41 22 919 02 11
www.iec.ch

About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the latest edition, a corrigendum or an amendment might have been published.
INTERNATIONAL ELECTROTECHNICAL COMMISSION

ICS 33.200
ISBN 978-2-8322-9529-8

Warning! Make sure that you obtained this publication from an authorized distributor.

® Registered trademark of the International Electrotechnical Commission

CONTENTS

FOREWORD
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms and acronyms
5 Information collection, filtering and processing
  5.1 IT/OT elements
  5.2 Network and system monitoring tools
    5.2.1 SNMP monitoring agents
    5.2.2 IDS/IPS probes
    5.2.3 Network and system management central platforms
  5.3 Log management tools
    5.3.1 Log collection architecture
    5.3.2 Log agents
    5.3.3 Log normalization
    5.3.4 Security Information and Event Management (SIEM)
  5.4 Other relevant data sources
6 Information correlation and presentation
  6.1 Information selection and collection profiles
    6.1.1 General
    6.1.2 NSM and 62351-7
    6.1.3 NSM and 61850-specific monitoring
    6.1.4 NSM with other SNMP objects
    6.1.5 Logs
  6.2 Events, incidents and correlations
  6.3 Security metrics (KPI)
  6.4 Risk Management platforms
7 Monitoring use cases
  7.1 General
  7.2 Substation
  7.3 DER systems
  7.4 Large Hydro
  7.5 Generation
8 Monitoring profiles for attack scenarios
  8.1 General
  8.2 Scenario: Malicious IED program change
  8.3 Scenario: Unexpected 61850 Configuration
  8.4 Scenario: Information gathering malware
Bibliography

Figure 1 - NSM/Cybersecurity overall architecture
Figure 2 - A logging infrastructure