IEC 61162-460
Edition 2.0 2020-01
INTERNATIONAL STANDARD
AMENDMENT 1
Maritime navigation and radiocommunication equipment and systems – Digital interfaces –
Part 460: Multiple talkers and multiple listeners – Ethernet interconnection –
Safety and security
IEC 61162-460:2018-05/AMD1:2020-01(en-fr)
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS 47.020.70 ISBN 978-2-8322-7764-5
– 2 – IEC 61162-460:2018/AMD1:2020
© IEC 2020
FOREWORD
This amendment has been prepared by IEC technical committee 80: Maritime navigation and
radiocommunication equipment and systems.
The text of this amendment is based on the following documents:
FDIS            Report on voting
80/943/FDIS     80/951/RVD
Full information on the voting for the approval of this amendment can be found in the report
on voting indicated in the above table.
The committee has decided that the contents of this amendment and the base publication will
remain unchanged until the stability date indicated on the IEC website under
"http://webstore.iec.ch" in the data related to the specific publication. At this date, the
publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
_____________
Introduction to the Amendment
This amendment provides greater clarity to the external security requirements in 6.3, updates
the alert management in 8.2.7 and associated tests in 10.11.6 to comply with bridge alert
management and provides an improved test of firewalls in 10.8.4.
_____________
2 Normative references
Delete the following existing normative references:
IEC 61924-2:2012, Maritime navigation and radiocommunication equipment and systems –
Integrated navigation systems – Part 2: Modular structure for INS – Operational and
performance requirements, methods of testing and required test results
IEC 62288:2014, Maritime navigation and radiocommunication equipment and systems –
Presentation of navigation-related information on shipborne navigational displays – General
requirements, methods of testing and required test results
Add the following new normative references:
IEC 62923-1, Maritime navigation and radiocommunication equipment and systems – Bridge
alert management – Part 1: Operational and performance requirements, methods of testing
and required test results
IEC 62923-2, Maritime navigation and radiocommunication equipment and systems – Bridge
alert management – Part 2: Alert and cluster identifiers and other additional features
6.3.1 Overview
Replace the existing first and second paragraphs with the following new text:
All traffic from uncontrolled networks is passed or processed through a 460-Gateway or
460-Wireless gateway. A 460-Gateway consists of firewall(s) (see 6.3.2) and may include support
for one or any combination of the following functions:
• direct communication (see 6.3.3);
• DMZ with application servers (see 6.3.5.2);
• DMZ with interoperable access to file storage (see 6.3.5.3).
Firewall(s) provide network-access security for the uncontrolled network and the 460-Network.
Firewalls for external and internal interfaces may be provided by the same application.
The 460-Gateway components may be implemented in one device or in different devices.
Figure 2 shows an example of a 460-Network with a 460-Gateway.
6.3.2.1 External firewall
Replace the existing paragraph with the following new paragraph:
An external firewall blocks all traffic unless it is registered (i.e. whitelisted) and destined only
to equipment in the DMZ. This means that, in principle, all direct communication to or from a
460-Network is not allowed.
6.3.2.2 Internal firewall
Replace the existing paragraph with the following new paragraph:
An internal firewall blocks all traffic unless it is either destined to equipment in a 460-Network
and it originates from equipment in the DMZ or it is destined to equipment in the DMZ and it
originates from equipment in a 460-Network. All traffic passing through the internal firewall is
registered (i.e. whitelisted) in advance.
6.3.5.1 Firewall
Replace the existing title with the following new title:
6.3.5.1 General
Replace the existing second and third bullets with the following new bullets:
• firewall(s) shall be provided which are configured with the combination of source and
destination IP address, protocol and destination port number (see 6.3.2);
• all connections between uncontrolled networks and a 460-Network shall be registered (i.e.
all network traffic that does not match a set firewall rule shall be blocked by the firewall);
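The whitelist logic of 6.3.2.1, 6.3.2.2 and 6.3.5.1 as a small Python model, showing that a flow must be both registered and in a permitted direction. This is an added example, not text of the standard; the zone ranges are borrowed from the example test in 10.8.4, the registered flows are constructed, and reply traffic of an already permitted connection is not modelled.

```python
import ipaddress
from typing import NamedTuple

# Address ranges taken from the example test in 10.8.4; everything else is uncontrolled.
ZONES = {"460-Network": ipaddress.ip_network("192.168.22.0/24"),
         "DMZ": ipaddress.ip_network("172.31.16.0/24")}

class Flow(NamedTuple):
    """The 6.3.5.1 rule tuple: source and destination IP, protocol, destination port."""
    src: str
    dst: str
    proto: str
    dport: int

# Constructed sample registrations (hypothetical hosts and services).
EXT_RULES = {Flow("10.100.100.5", "172.31.16.10", "tcp", 443),
             Flow("10.100.100.5", "192.168.22.40", "tcp", 22)}  # misregistered on purpose
INT_RULES = {Flow("172.31.16.10", "192.168.22.40", "udp", 60001)}

def zone_of(addr: str) -> str:
    """Map an address to its zone; anything not listed is an uncontrolled network."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "uncontrolled")

def external_allows(flow: Flow, registered: set) -> bool:
    """6.3.2.1: pass only if registered AND destined to equipment in the DMZ."""
    return flow in registered and zone_of(flow.dst) == "DMZ"

def internal_allows(flow: Flow, registered: set) -> bool:
    """6.3.2.2: pass only if registered AND between the DMZ and the 460-Network."""
    zones = {zone_of(flow.src), zone_of(flow.dst)}
    return flow in registered and zones == {"DMZ", "460-Network"}

def gateway_decision(flow: Flow, ext_rules=EXT_RULES, int_rules=INT_RULES) -> str:
    """A flow touching an uncontrolled network is judged by the external firewall,
    any other flow by the internal one; anything not explicitly allowed is blocked."""
    if "uncontrolled" in (zone_of(flow.src), zone_of(flow.dst)):
        allowed = external_allows(flow, ext_rules)
    else:
        allowed = internal_allows(flow, int_rules)
    return "pass" if allowed else "block"

if __name__ == "__main__":
    for flow in sorted(EXT_RULES | INT_RULES):
        print(flow, "->", gateway_decision(flow))
```

The deliberately misregistered flow from 10.100.100.5 to 192.168.22.40 is still blocked, because registration alone does not permit direct communication with the 460-Network.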
6.3.5.2 Application server
Replace the existing second paragraph with the following new paragraph:
If provided, the application server shall provide an application level authentication
mechanism, such as password, smartcard, digital signature, dongle, etc., of clients from
uncontrolled networks.
8.2.7.1 Alerts and indication
Replace, in the existing first paragraph, the existing reference "IEC 62288" with
"IEC 62923-1".
Table 2 – Summary of alert of network monitoring
Replace the existing title of the second column "Cause" with "Purpose".
Replace, in the last column, the existing unique identifiers at alert source corresponding to the
alerts listed below with the following new identifiers:
Alert                                                                  Unique identifier at alert source
Direct connection to uncontrolled network as a caution (see 6.3.4)    3159
Direct connection to uncontrolled network as a warning (see 6.3.4)    3158
Connected to uncontrolled network (see 6.3.5.1)                       3163
Network traffic capacity may be exceeded (see 8.2.2)                  3166
Network traffic capacity exceeded (see 8.2.2)                         3168
Network redundancy lost for xxxx (see 8.2.3)                          3173
8.2.7.2 Alert management interface
Replace the existing second paragraph with the following new paragraph:
The alert management interface, if provided, shall be compliant with the sentences of Annex E
and comply with the communication requirements of IEC 62923-1 and IEC 62923-2. In the
BAM concept, the network components act as alert sources.
8.2.7.4 Remote acknowledgement and silencing of alerts
Replace the existing first paragraph with the following new paragraph:
Remote acknowledgement shall only be possible for category B alerts.
10.8.4 Firewall
Replace the existing second paragraph with the following new paragraph:
Set an EUT in accordance with the manufacturer’s instructions between a 460-Network and
an uncontrolled network. Using a network scanner with port scan function, set it to scan the
entire address range for the 460-Network, DMZ and uncontrolled network. Use packet capture
software running in promiscuous mode and confirm by analytical evaluation that packets do
not pass through the EUT from the uncontrolled network to the 460-Network and vice-versa as
follows:
• port scan UDP and TCP test for all ports 1-65535 to the internal address range of the
460-Network;
• if DMZ is provided, port scan UDP and TCP test for all ports 1-65535 to the address range
of the DMZ;
• port scan UDP and TCP test for all ports 1-65535 to the address range of the uncontrolled
network.
Example test:
Using the Nmap (see footnote 5) network scanning tool with an address range for a 460-Network of
192.168.22.0/24, for a DMZ of 172.31.16.0/24 and for an uncontrolled network of
10.100.100.0/24.
• Port scan UDP and TCP test to the internal address range of the 460-Network:
  complete a ping test with TCP port scan with the command "nmap -p 1-65535 -sV -sS -T4 192.168.22.0/24";
  complete a ping test with UDP port scan with the command "nmap -p 1-65535 -sV -sU -T4 192.168.22.0/24".
• Port scan UDP and TCP test to the address range of the DMZ:
  complete a ping test with TCP port scan with the command "nmap -p 1-65535 -sV -sS -T4 172.31.16.0/24";
  complete a ping test with UDP port scan with the command "nmap -p 1-65535 -sV -sU -T4 172.31.16.0/24".
• Port scan UDP and TCP test to the address range of the uncontrolled network:
  complete a ping test with TCP port scan with the command "nmap -p 1-65535 -sV -sS -T4 10.100.100.0/24";
  complete a ping test with UDP port scan with the command "nmap -p 1-65535 -sV -sU -T4 10.100.100.0/24".
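One way to carry out the "analytical evaluation" of the packet capture in 10.8.4, as an added example that is not part of the standard. It assumes captures were taken on both sides of the EUT, exported to a constructed CSV layout (the `segment` column is hypothetical), and that the EUT performs no address translation; a scan probe seen on the scanner's own segment is expected, while the same packet seen on the far segment has passed through the EUT.

```python
import csv
import io
import ipaddress

NET_460 = ipaddress.ip_network("192.168.22.0/24")       # range from the example test
UNCONTROLLED = ipaddress.ip_network("10.100.100.0/24")  # range from the example test

# Constructed sample: one row per captured packet; "segment" names the side of
# the EUT where the capturing interface was attached.
SAMPLE_CAPTURE = """segment,src,dst,proto,dport
uncontrolled,10.100.100.7,192.168.22.40,tcp,22
uncontrolled,10.100.100.7,172.31.16.10,tcp,443
460-network,172.31.16.10,192.168.22.40,udp,60001
460-network,10.100.100.7,192.168.22.40,udp,161
uncontrolled,192.168.22.40,10.100.100.7,tcp,8080
"""

def crossed_eut(row: dict):
    """Return 'inward'/'outward' if the packet was seen on the far side of the EUT."""
    src = ipaddress.ip_address(row["src"])
    dst = ipaddress.ip_address(row["dst"])
    if src in UNCONTROLLED and dst in NET_460 and row["segment"] == "460-network":
        return "inward"    # uncontrolled -> 460-Network, observed inside
    if src in NET_460 and dst in UNCONTROLLED and row["segment"] == "uncontrolled":
        return "outward"   # 460-Network -> uncontrolled, observed outside
    return None            # probe on its own segment, or DMZ traffic

def evaluate(capture_csv: str) -> list:
    """List every packet that passed through the EUT in a forbidden direction."""
    findings = []
    for row in csv.DictReader(io.StringIO(capture_csv)):
        direction = crossed_eut(row)
        if direction:
            findings.append((direction, row["src"], row["dst"],
                             row["proto"], int(row["dport"])))
    return findings

def eut_passes(capture_csv: str) -> bool:
    """The firewall test passes only when no forbidden packet crossed the EUT."""
    return not evaluate(capture_csv)

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_CAPTURE):
        print("FAIL:", finding)
```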
5 Nmap ("Network Mapper") is the trademark of a product supplied by the Nmap Project, a free and open source
utility for network discovery and security auditing (https://nmap.org). This information is given for the
convenience of users of this document and does not constitute an endorsement
...