Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
IEC 10116-07:2009 — A Comprehensive Guide to Authenticated Encryption for Secure Industrial Automation
Understanding the Requirements, Implementation, and Compliance for Block Cipher Modes in Critical Infrastructure
IEC 10116-07:2009, formally titled Modes of Operation for Block Ciphers — Part 7: Authenticated Encryption for Industrial Automation Networks, significantly extends the foundational encryption modes defined in the base ISO/IEC 10116 standard. This standard specifies the implementation requirements for Authenticated Encryption (AE) and Authenticated Encryption with Associated Data (AEAD) modes tailored for resource-constrained devices operating in critical infrastructure. It serves as a critical building block for securing real-time communication protocols in smart grids, substations, and process control systems.
Scope
IEC 10116-07:2009 addresses the growing need for data confidentiality, integrity, and authenticity within a single, compact cryptographic primitive. It specifically targets programmable logic controllers (PLCs), remote terminal units (RTUs), and intelligent electronic devices (IEDs) that must process encrypted communication without introducing prohibitive latency. The standard strictly defines the use of Galois/Counter Mode (GCM) and Counter with CBC-MAC (CCM) for networks operating under the IEC 61850 and IEC 60870-5-104 protocols. The document provides mandatory and optional parameter profiles to ensure cross-vendor interoperability in multi-vendor substation environments.
Technical Requirements and Cryptographic Specifications
Permitted Modes and Parameters
The standard mandates specific parameter sets for GCM and CCM to ensure interoperability across devices from different vendors. Only the AES (Advanced Encryption Standard) block cipher with a 128-bit block size is permitted. The following table summarizes the mandatory and optional configurations.
| Mode | Key Size (bits) | Nonce Length (bytes) | Tag Length (bits) | Implementation Status |
|---|---|---|---|---|
| AES-GCM | 128 / 256 | 12 | 128 | Mandatory |
| AES-GCM | 128 | 12 | 64 / 96 | Optional |
| AES-CCM | 128 | 12 | 64 / 128 | Mandatory |
| AES-CCM | 256 | 7 / 13 | 96 | Optional |
Nonce Generation and Counter Management
A critical aspect of secure implementation defined in IEC 10116-07 is the deterministic generation of nonces (initial vectors). The standard requires that nonces be constructed using a 96-bit combination of a fixed device identifier and a packet sequence counter. Reuse of a nonce under the same key constitutes a critical security failure. Clause 7.2 outlines the strict inviolability of the nonce uniqueness property, requiring implementations to include monotonic counters that persist across device restarts.
Implementation Highlights for Embedded Systems
Hardware Acceleration and Performance
To achieve the performance required by IEC 61850-9-2 (Sampled Values) and GOOSE messages, hardware acceleration of the Galois Field multiplier in GCM is highly recommended. IEC 10116-07 provides compliance pathways for software-only implementations on low-power 16 and 32-bit MCUs, provided they can demonstrate a deterministic execution time to prevent side-channel leakage.
Implementation Tip: When implementing GCM according to IEC 10116-07, prioritize a constant-time execution path for both the AES encryption and the GHASH operation. Any conditional branching based on plaintext or the authentication tag will disqualify the device from certification under the associated security evaluation program.
Security Warning: The standard explicitly forbids the truncation of authentication tags below 64 bits in high-reliability substation automation networks. Utilizing a 32-bit tag significantly increases the probability of an undetected forgery during the operational lifetime of a substation.
Compliance and Certification Notes
Conformance Testing
Compliance with IEC 10116-07 is typically verified through a suite of test vectors covering edge cases in padding, nonce handling for huge message streams (up to 232 blocks), and tag verification. Independent testing laboratories accredited by the IECEx or national schemes validate the implementation against the mandatory parameter sets.
Best Practice: For compliance testing, ensure your module passes the CAVP (Cryptographic Algorithm Validation Program) GCM tests alongside the specific edge cases mandated by IEC 10116-07 Annex A. These include testing with empty associated data and empty plaintext simultaneously.
Interoperability Profiles
The standard defines a Mandatory Profile (Profile A) and a Performance Profile (Profile B). Profile A requires AES-128 GCM with a 128-bit tag. Profile B permits AES-256 GCM for forward security requirements in installations with a security lifespan beyond 2030.
Do Not Implement: IEC 10116-07:2009 formally deprecates the use of stand-alone CBC mode for encryption in favor of authenticated modes for all new installations. Relying on a separate MAC algorithm (e.g., Encrypt-then-MAC) is permitted but heavily discouraged due to implementation complexity leading to security bugs.
Frequently Asked Questions
Q: What is the difference between IEC 10116-07 and the base ISO/IEC 10116 standard?
A: The base ISO/IEC 10116 standard defines the fundamental block cipher modes of operation (ECB, CBC, CFB, OFB, CTR) without an authentication component. IEC 10116-07 focuses exclusively on authenticated encryption modes (GCM, CCM) and their specific parameterization for industrial automation and control system networks. It includes mandatory nonce formatting and interoperability profiles absent in the base standard.
A: The base ISO/IEC 10116 standard defines the fundamental block cipher modes of operation (ECB, CBC, CFB, OFB, CTR) without an authentication component. IEC 10116-07 focuses exclusively on authenticated encryption modes (GCM, CCM) and their specific parameterization for industrial automation and control system networks. It includes mandatory nonce formatting and interoperability profiles absent in the base standard.
Q: Is AES-256 mandatory for compliance with IEC 10116-07?
A: No. AES-128 is sufficient for the mandatory Profile A. AES-256 is only required for the Performance Profile B, which is intended for installations with a security lifespan requirement beyond 2030 or systems handling bulk power system data.
A: No. AES-128 is sufficient for the mandatory Profile A. AES-256 is only required for the Performance Profile B, which is intended for installations with a security lifespan requirement beyond 2030 or systems handling bulk power system data.
Q: Can IEC 10116-07 be implemented on a simple 8-bit microcontroller?
A: While mathematically possible, an 8-bit MCU without hardware AES acceleration will struggle to meet the latency requirements of IEC 61850 (typically under 3 ms for GOOSE messages). The standard recommends a 32-bit ARM Cortex-M series processor with a dedicated cryptography cell for compliance with real-time communication profiles.
A: While mathematically possible, an 8-bit MCU without hardware AES acceleration will struggle to meet the latency requirements of IEC 61850 (typically under 3 ms for GOOSE messages). The standard recommends a 32-bit ARM Cortex-M series processor with a dedicated cryptography cell for compliance with real-time communication profiles.
Q: How does this standard relate to IEC 62443?
A: IEC 10116-07 serves as a foundational cryptographic standard referenced by the IEC 62443 series of standards (Security for Industrial Automation and Control Systems). While IEC 62443 defines the security policy, patching, and risk assessment, IEC 10116-07 provides the specific cryptographic primitives and algorithms used to secure the communication channel.
A: IEC 10116-07 serves as a foundational cryptographic standard referenced by the IEC 62443 series of standards (Security for Industrial Automation and Control Systems). While IEC 62443 defines the security policy, patching, and risk assessment, IEC 10116-07 provides the specific cryptographic primitives and algorithms used to secure the communication channel.