Service providers create security policies by balancing the requirements of their regulatory environment and the results of their risk assessments. Different regulatory environments may mandate requirements that trade ease of data access against information assurance. The use of TLS, ACLs, and other security controls gives the service provider the flexibility to meet these needs. Security policies are a combination of ACL attribute values and additional security controls dictated by the service provider. Implementation of security policies is out of scope of this standard. For the purpose of certification testing, the following table represents the default security policy for each function set. Servers SHALL be configurable to support each default policy for all implemented function sets during certification testing.
The function set column in Table 12 reflects the functionsImplemented attribute in DeviceInformation.
Table 12 — Attribute values for default security policy
Function set | aclDefaultAccess AuthType | Device certificate needed | Registered device |
Device capability | 0xf | No | No |
Self device resource | 0xc | No | Yes |
End device resource | 0xc | No | Yes |
Function set assignments | 0x8 | Yes | Yes |
Subscription/Notification mechanism | 0x8 | Yes | Yes |
Response | 0x8 | Yes | Yes |
Time | 0x8 | Yes | Yes |
Device information | 0x8 | Yes | Yes |
Power status | 0x8 | Yes | Yes |
Network status | 0x8 | Yes | Yes |
Log event | 0x8 | Yes | Yes |
Configuration resource | 0x8 | Yes | Yes |
Software download | 0x8 | Yes | Yes |
DRLC | 0x8 | Yes | Yes |
Metering | 0x8 | Yes | Yes |
Pricing | 0xc | No | Yes |
Messaging | 0xc | No | Yes |
Billing | 0x8 | Yes | Yes |
Prepayment | 0x8 | Yes | Yes |
Flow reservation | 0x8 | Yes | Yes |
DER control | 0x8 | Yes | Yes |
The aclDefaultAccess attribute Method value SHOULD match the Allowed Methods for each resource enumerated in the IEEE 2030.5 WADL (IEEE Std 2030.5 supplemental material). The Method value MUST contain GET (0x01). The aclDefaultAccess attribute DeviceType value should be “any device type” (0).
Servers SHALL support the default policies for certification testing. Servers MAY additionally support alternative policies. For example, to meet regulatory requirements, a utility may mandate a policy that provides unauthenticated pricing information from a pricing server over the port associated with HTTP to any IEEE 2030.5 device. Based on risk assessments, service providers may have differing policies for devices enrolled in high-incentive Demand Response/Load Control programs than those enrolled in low-incentive programs, to include additional requirements such as DeviceType authorization. Servers SHOULD provide the functionality to support multiple security policies to meet the requirements of different service providers.
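The following added example (not part of the standard) audits a server's configured aclDefaultAccess values against Table 12, reporting where an alternative policy departs from the default and where the GET requirement is not met. The dictionary keys `authType`, `method` and `deviceType`, the finding labels, and the sample configuration are hypothetical; treating AuthType as a bitmask in which extra set bits widen access is an assumption inferred from the table.

```python
GET = 0x01              # Method bit the text says MUST be present
ANY_DEVICE_TYPE = 0     # DeviceType value "any device type"

# Function set -> default aclDefaultAccess AuthType, transcribed from Table 12.
DEFAULT_AUTH_TYPE = {"Device capability": 0xF}
DEFAULT_AUTH_TYPE.update(dict.fromkeys(
    ["Self device resource", "End device resource", "Pricing", "Messaging"], 0xC))
DEFAULT_AUTH_TYPE.update(dict.fromkeys(
    ["Function set assignments", "Subscription/Notification mechanism", "Response",
     "Time", "Device information", "Power status", "Network status", "Log event",
     "Configuration resource", "Software download", "DRLC", "Metering", "Billing",
     "Prepayment", "Flow reservation", "DER control"], 0x8))

def audit_policy(configured):
    """Return sorted (function_set, finding) pairs for deviations from the default policy.

    `configured` maps function set name -> dict with hypothetical keys
    authType, method, deviceType (integers as stored in aclDefaultAccess).
    """
    findings = []
    for fs, acl in configured.items():
        default = DEFAULT_AUTH_TYPE.get(fs)
        if default is None:
            findings.append((fs, "not-in-table-12"))
            continue
        # Assumption: AuthType is a bitmask, so bits outside the default widen access.
        if acl["authType"] & ~default & 0xF:
            findings.append((fs, "authtype-wider-than-default"))
        elif acl["authType"] != default:
            findings.append((fs, "authtype-differs-from-default"))
        if not acl["method"] & GET:
            findings.append((fs, "method-missing-get"))
        if acl["deviceType"] != ANY_DEVICE_TYPE:
            findings.append((fs, "devicetype-restricted"))
    return sorted(findings)

# Constructed sample configuration (not from the standard).
SAMPLE = {
    "Time":     {"authType": 0x8, "method": 0x01, "deviceType": 0},
    "Pricing":  {"authType": 0xF, "method": 0x01, "deviceType": 0},  # unauthenticated pricing
    "Metering": {"authType": 0x8, "method": 0x02, "deviceType": 0},  # GET bit absent
    "DRLC":     {"authType": 0x8, "method": 0x01, "deviceType": 5},  # DeviceType authorization
}

if __name__ == "__main__":
    for fs, finding in audit_policy(SAMPLE):
        print(f"{fs}: {finding}")
```

Only `method-missing-get` conflicts with a MUST in the text; the other findings mark alternative policies, which servers MAY support, so they are items to review against the service provider's risk assessment.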