| Field | Value |
| --- | --- |
| Standard ID | GB/T 25320.4-2024 (GB/T25320.4-2024) |
| Description (Translated English) | Power systems management and associated information exchange - Data and communications security - Part 4: Profiles including MMS and derivatives |
| Status | Valid |
| Sector / Industry | National Standard (Recommended) |
| Classification of Chinese Standard | F21 |
| Classification of International Standard | 29.240.30 |
| Word Count Estimation | 118,131 |
| Date of Issue | 2024-12-31 |
| Date of Implementation | 2025-07-01 |
| Older Standard (superseded by this standard) | GB/Z 25320.4-2010 |
| Issuing agency(ies) | State Administration for Market Regulation, China National Standardization Administration |
GB/T 25320.4-2024: Power systems management and associated information exchange - Data and communications security - Part 4: Profiles including MMS and derivatives. This is a DRAFT version for illustration, not a final translation.
ICS 29.240.30
CCS F21
National Standard of the People's Republic of China
Replaces GB/Z 25320.4-2010
Power system management and information exchange
Data and communications security
Part 4: Protocol suite including MMS and its annexes
(IEC 62351-4:2018, MOD)
Published on 2024-12-31; implemented on 2025-07-01
Issued by the State Administration for Market Regulation and the National Standardization Administration
Table of Contents
Preface
Introduction
1 Scope
1.1 Overview
1.2 Code Components
2 Normative references
3 Terms, definitions and abbreviations
3.1 Overview
3.2 Terms and Definitions
3.3 Abbreviations
4 Security issues covered by this document
4.1 Communication Reference Model
4.2 Security of application and transport protocol suites
4.3 Compatibility Mode and Native Mode
4.4 Responding to Security Threats
4.5 Methods to deal with attacks
4.6 Log
5 Specific requirements
5.1 Specific requirements of ICCP/IEC 60870-6-x communication stack
5.2 Specific requirements of IEC 61850
6 Transmission Security
6.1 Overview
6.2 Application of Transport Layer Security (TLS)
6.3 Transport Security in the OSI Operating Environment
6.4 Communication security in the XMPP operating environment
7 Application Layer Security Overview (Informative)
7.1 Overview
7.2 Description Techniques
8 Application of encryption algorithm
8.1 Overview
8.2 Basic encryption definition
8.3 Public Key Algorithm
8.4 Hash Algorithms
8.5 Signature Algorithm
8.6 Symmetric Key Algorithms
8.7 Authenticated Encryption Algorithm
8.8 Integrity Check Value Algorithm
9 Object Identifier Allocation (Normative)
10 General OSI upper layer requirements (normative)
10.1 Overview
10.2 OSI upper layer common requirements
10.3 Session Layer Protocol Requirements
10.4 Presentation Layer Protocol Requirements
10.5 Association Control Service Element (ACSE) Protocol Requirements
11 Application Security Protocol Set (Normative)
11.1 OSI Requirements for Application Protocol Suite
11.2 MMS authentication value
12 End-to-end application security model
12.1 Introduction and overall architecture
12.2 Abstract Syntax Specification
13 End-to-end application security (normative)
13.1 Association Management
13.2 Data transmission phase
13.3 ClearToken Data Type
13.4 Identity Authentication and Integrity Specifications
14 End-to-end secure error handling (normative)
14.1 Overview
14.2 Diagnostic criteria
14.3 End-to-end security handshake request and acceptance checks
14.4 Security protocol control information inspection during data transmission
15 End-to-end security in the OSI operating environment
15.1 Overview
15.2 Additional upper-level requirements
15.3 Association Management in the OSI Environment
15.4 Data Transmission in an OSI Environment
15.5 OSI Upper Layer Routing
15.6 OSI Operational Environment Check
16 End-to-end security in the XMPP operating environment
16.1 Overview of XMPP Operating Environment Packaging
16.2 Mapping of SecPDU to iq Section
16.3 Mapping of SecPDU to message section
16.4 XMPP Stanza Error Handling
16.5 XML Namespaces
16.6 Encoding of EnvPDU in XMPP Section
16.7 Multiple Associations
16.8 Release Collision Considerations
17 Consistency
17.1 General
17.2 Symbols
17.3 Consistency of the operating environment
17.4 Consistency of operating modes
17.5 Compatibility Mode Consistency
17.6 Native Mode Consistency
Appendix A (Normative) ASN.1 Specification for the Application Security Protocol Suite
Appendix B (Normative) ASN.1 Specification for End-to-End Security
Appendix C (Normative) W3C XSD Specification for End-to-End Security
Appendix D (Normative) ASN.1 Model in the OSI Operating Environment
D.1 Overview
D.2 ASN.1 Model
Appendix E (Normative) ASN.1 Model and W3C Schema Document XSD for XMPP Operation Environment
E.1 Overview
E.2 ASN.1 model in the XMPP operating environment
E.3 W3C Schema Document XSD for XMPP Operational Environment
Appendix F (Normative) Virtual API Specification Template
F.1 Overview
F.2 ASN.1 model corresponding to virtual API
F.3 ASN.1 model corresponding to virtual API in OSI environment
F.4 W3C Schema Document XSD for Virtual API
Appendix G (Normative) End-Entity Public Key Certificate Specification
G.1 Overview
G.2 General requirements
G.3 Length considerations
G.4 Basic structural requirements and recommendations
G.5 Extension
G.6 Special requirements for the operating environment
Appendix H (Normative) Low-Level Requirements for the OSI Operating Environment
H.1 Scope of application
H.2 Transport Protocol TP0
H.3 IETF RFC1006
Appendix I (Informative) ASN.1 Definition of ACSE
References
Figure 1 Application and transport protocol set (informative)
Figure 2 Transport configuration with and without TLS protection
Figure 3 Establishing a connection
Figure 4 User data included in the session layer data transmission SPDU
Figure 5 End-to-end security building blocks
Figure 6 Relationship between environment, end-to-end security, and protected protocols
Figure 7 Relationship between APDUs
Figure 8 Scope of end-to-end security specification
Figure 9 Upper layer routing
Figure F.1 Virtual API concept
Table 1 Relationship between security and security measure combinations
Table 2 GB/Z 25320.4-2010 recommended cipher suite
Table 3 Cipher suite combinations used in this document
Table 4 Mapping between SecPDUs and ACSE APDUs
Table 5 Mapping of SecPDU to XMPP Section
Table 6 Consistency of operating environment
Table 7 Operation mode consistency
Table 8 TLS cipher suite consistency in compatibility mode
Table 9 Encryption Mode Consistency
Table 10 TLS cipher suite consistency in native mode
Table 11 E2E security encryption algorithm consistency
Table H.1 Maximum frame length of various TPDUs in transport protocol TP0
Foreword
This document was drafted in accordance with the provisions of GB/T 1.1-2020 "Guidelines for standardization work Part 1: Structure and drafting rules for standardization documents".
This document is Part 4 of GB/T (Z) 25320 "Power system management and information exchange data and communication security".
The following parts of GB/T (Z) 25320 have been published:
--- Part 1: Introduction to security issues of communication networks and systems;
--- Part 2: Terminology;
--- Part 3: Communication network and system security protocol suite including TCP/IP;
--- Part 4: Contains the MMS protocol set and its annexes;
--- Part 5: Security of GB/T 18657 and its derivative standards;
--- Part 6: Security of IEC 61850;
--- Part 7: Data object model for network and system management (NSM);
--- Part 11: Security of XML documents;
--- Part 100-1: Conformance test cases for IEC TS 62351-5 and IEC TS 60870-5-7;
--- Part 100-3: Conformance test cases for IEC 62351-3 and security communications extensions including the TCP/IP protocol suite.
This document replaces GB/Z 25320.4-2010 "Power system management and information exchange data and communication security Part 4: Packet
Compared with GB/Z 25320.4-2010, in addition to structural adjustments and editorial changes, the main technical changes are as follows:
a) The scope of application has been changed (see Chapter 1; Chapter 1 of the 2010 edition);
b) The terms and definitions have been changed and abbreviations have been added (see Chapter 3; Chapter 3 of the 2010 edition);
c) The security issues covered by this document have been changed (see Chapter 4; Chapter 4 of the 2010 edition);
d) Deleted the Application Protocol Profile (A-Profile) security (see Chapter 5 of the 2010 edition);
e) Deleted the Transport Protocol Suite (T-Profile) security (see Chapter 6 of the 2010 edition);
f) Added specific requirements (see Chapter 5);
g) Added transmission security (see Chapter 6);
h) Added an overview of application layer security (see Chapter 7);
i) Added the application of encryption algorithms (see Chapter 8);
j) Added object identifier allocation (see Chapter 9);
k) Added general OSI upper layer requirements (see Chapter 10);
l) Added the end-to-end application security model (see Chapter 12);
m) Added end-to-end application security (see Chapter 13);
n) Added end-to-end security error handling (see Chapter 14);
o) Added end-to-end security in the OSI operating environment (see Chapter 15);
p) Added E2E security in the XMPP operating environment (see Chapter 16);
q) Changed consistency (see Chapter 17; Chapter 7 of the 2010 edition);
r) Added the ASN.1 specification of the application security protocol suite (see Appendix A);
s) Added the ASN.1 specification for end-to-end security (see Appendix B);
t) Added the W3C XSD specification for end-to-end security (see Appendix C);
u) Added the ASN.1 model in the OSI operating environment (see Appendix D);
v) Added the ASN.1 model and W3C schema document XSD in the XMPP operating environment (see Appendix E);
w) Added the virtual API template specification (see Appendix F);
x) Added the end-entity public key certificate specification (see Appendix G);
y) Added the underlying requirements for the OSI operating environment (see Appendix H).
This document is a modified adoption of IEC 62351-4:2018 "Power system management and information exchange data and communication security Part 4: Packet Protocol set including MMS and its annexes".
The technical differences between this document and IEC 62351-4:2018 and their reasons are as follows:
--- The normative references IEC 62351-3, IEC TS 62351-8, IEC 62351-9 and ISO 8601-1 are updated to the latest versions.
Please note that some of the contents of this document may involve patents. The issuing organization of this document does not assume the responsibility for identifying patents.
This document was proposed by the China Electricity Council.
This document is under the jurisdiction of the National Technical Committee for Standardization of Power System Management and Information Exchange (SAC/TC82).
This document was drafted by: China Electric Power Research Institute Co., Ltd., State Grid Corporation of China National Electric Power Dispatching and Control Center, China Power dispatching of China Southern Power Grid Co., Ltd., State Grid Shanghai Electric Power Company, State Grid Tianjin Electric Power Company, Guangdong Power Grid Co., Ltd. Control Center, State Grid Electric Power Research Institute Co., Ltd., Nanjing NARI Relay Protection Engineering Technology Co., Ltd., Dongfang Electronics Co., Ltd., NARI Nanjing Control Systems Co., Ltd., Xuji Electric Co., Ltd., Guodian Nanjing Automation Co., Ltd., Changyuan Shenzhen Ruijibao Automation Co., Ltd., Jicheng Electronics Co., Ltd., Beijing Sifang Relay Protection Engineering Technology Co., Ltd., and NARI Technology Co., Ltd. Co., Ltd., Shanghai Kuanyu Industrial Network Equipment Co., Ltd.
The main drafters of this document are: Zhang Jinhu, Ji Xin, Zhang Xiao, Su Yang, Wang Zhihua, Wu Jinyu, Gao Xiang, Lu Jiangang, Zhao Ruifeng, Sun Dan, Zhang Xiaofei, Li Guanghua, Wen Shufeng, Sheng Fu, Jia Deshun, Wan Shoufeng, Liu Wenbiao, Xu Hao, Sun Fanen, Shen Yan, Xu Ai, Li Hongchi, Nan Wei, Tang Fangjian, Wang Zhenzhen, An Tai, Zhang Dan, Zhang Liang, and Xiao Tao.
The previous versions of this document and the documents it replaces are as follows:
--- First published in 2010 as GB/Z 25320.4-2010;
--- This is the first revision.
Introduction
GB/T (Z) 25320 "Power system management and information exchange data and communication security" aims to reduce as far as possible the harm that malicious attacks in communication and computer networks cause to the data and communication security of the power system, to close security loopholes in the communication protocols used in the power system, and to improve the security management of the power system information infrastructure. It is to be composed of the following parts.
--- Part 1: Introduction to security issues of communication networks and systems. The purpose is to introduce the other parts of GB/T (Z) 25320, mainly introducing readers to the various aspects of information security applied to power system operation.
--- Part 2: Terminology. The purpose is to introduce the key terms used in GB/T (Z) 25320.
--- Part 3: Communication network and system security includes the TCP/IP protocol suite. The purpose is to specify how the message, process and algorithm specifications of the layer security protocol provide security protection for TCP/IP-based protocols, so that these protocols can be applied to the telecontrol environment of IEC TC 57.
--- Part 4: Contains the MMS protocol set and its annexes. The purpose is to specify the processes, protocol extensions and algorithms for security protection of the Manufacturing Message Specification (MMS) based on GB/T 16720 (ISO 9506) and its derivative standards.
--- Part 5: GB/T 18657 and its derivative standards. The purpose is to define the application profile (a-profile) secure communication mechanism and to specify the messages, processes and algorithms used to secure the operation of all protocols based on or derived from IEC 60870-5 (GB/T 18657 "Telecontrol Equipment and Systems Part 5: Transmission Protocol").
--- Part 6: Security of IEC 61850. The purpose is to specify the messages, processes and algorithms used for security protection of the operation of all protocols based on or derived from IEC 61850.
--- Part 7: Data object model for network and system management (NSM). The purpose is to define a data object model for network and system management that is specific to power system operation.
--- Part 8: Role-based access control. The purpose is to provide role-based access control for power system management.
--- Part 9: Cybersecurity key management for power system equipment. The purpose is to specify or restrict the key management options to be used, and to define requirements and techniques for achieving key management interoperability.
--- Part 10: Security architecture guidelines. The purpose is to describe the security architecture guidelines for power systems based on basic security controls.
--- Part 11: Security of XML files. The purpose is to standardize the security of the configuration files (XML files) in the communication process of smart substations.
--- Part 12: Rapid recovery and security recommendations for distributed energy (DER) systems. The purpose is to improve the security and reliability of DER systems.
--- Part 13: Guidance on security topics covered in standards and specifications. The purpose is to provide information on which security issues could or should be covered in the standards and specifications (IEC or other) used in the power industry.
--- Part 90-1: Guidelines for role-based access control in power systems. The purpose is to develop a standardized way to define roles and role mapping.
--- Part 90-2: Deep packet inspection for encrypted communications. The purpose is to describe the latest techniques for applying deep packet inspection (DPI) to communication channels protected by IEC 62351.
--- Part 90-3: Guidelines for network and system management. The purpose is to provide guidelines for processing IT and OT data.
--- Part 100-1: Conformance test cases for IEC TS 62351-5 and IEC TS 60870-5-7. The purpose is to provide test cases for conformance and/or interoperability testing of IEC 62351-5:2023 and IEC TS 60870-5-7:2013.
--- Part 100-3: Conformance test cases for IEC 62351-3 and extensions for secure communications including the TCP/IP protocol suite. The purpose is to provide IEC 62351-3:2023 conformance test cases and to verify all security extensions and protocol behaviors that affect the configuration of parameters.
--- Part 100-6: Cybersecurity conformance testing for IEC 61850-8-1 and IEC 61850-9-2. The purpose is to provide test cases for data and communication security interoperability conformance testing of power station automation systems and telecontrol systems.
GB/T (Z) 25320 "Power system management and information exchange data and communication security" defines the power system related communication protocols (IEC 60870-5, IEC 60870-6, IEC 61850, IEC 61970 and IEC 61968 series), and also defines the security threats and attacks that may occur during the communication process and the security response measures.
This document is Part 4 of GB/T (Z) 25320 "Power system management and information exchange data and communication security". It specifies the security protection processes, protocol extensions and algorithms for the GB/T 16720 (ISO 9506) Manufacturing Message Specification (MMS) and its derivative standards.
Power system management and information exchange
Data and communications security
Part 4: Protocol suite including MMS and its annexes
1 Scope
1.1 Overview
This document extends the scope of GB/Z 25320.4-2010[1]1). It specifies a compatibility mode that provides interoperability with implementations based on GB/Z 25320.4-2010, and it specifies an extended function called native mode.
1) Numbers in square brackets refer to references.
This document clarifies the security requirements for the transport layer and the application layer. GB/Z 25320.4-2010 mainly provided some limited application-layer support for authentication during the handshake phase for applications based on the Manufacturing Message Specification (MMS). This document also provides support for extended integrity and authentication in both the handshake phase and the data transfer phase, provides shared key management and data transmission encryption at the application layer, and provides zero or more
GB/Z 25320.4-2010 only supports MMS-based systems, i.e., systems using Open Systems Interconnection (OSI). This document also supports application protocols that use other protocol stacks, such as the Internet Protocol Suite (see 4.1). Support is extended to protect application protocols encoded using XML. This extended security at the application layer is called E2E security.
In addition to E2E security, this document also provides a mapping method for the environment protocols that carry security related information, covering the OSI and XMPP environments.
This document is intended to be normatively referenced by standards that use application protocols (such as MMS) in a secure manner.
It is expected that there will be implementations based on the GB/Z 25320.4-2010 transmission security protocol set and application security protocol set specifications, especially in control
This document contains the specifications of GB/Z 25320.4-2010. Implementations that support these specifications will interoperate with implementations based on GB/Z 25320.4-2010.
NOTE: Strictly speaking, the Application Security Protocol Suite is not a protocol stack, but the term is retained here for historical reasons.
This document defines a set of mandatory and optional security specifications for protecting application protocols.
The initial users of this document are members of the working groups that develop or use the protocols. For the measures described in this document to be effective, the protocol specifications should accept and cite these measures.
The intended users of this document are product developers who implement these protocols and end users who wish to specify requirements for their own environments.
Portions of this document may also be of use to managers and executives in order to understand the purpose and requirements of the job.
1.2 Code Components
When purchasing IEC documentation, the buyer may sell software containing this documentation to end users directly or through distributors under the terms of the IEC software license.
portdocuments/IEC _62351-4.ASN_1.XSD.ful.zip.
The code components in this document are contained in Appendix A, Appendix B, Appendix C, Appendix D, and Appendix E.
2 Normative references
The contents of the following documents constitute the essential clauses of this document through normative references in this document.