IEC 62351 is a standard developed by WG15 of

IEC The International Electrotechnical Commission (IEC; in French: ''Commission électrotechnique internationale'') is an international standards organization that prepares and publishes international standards for all electrical, electronic and r ...

TC57. This is developed for handling the security of TC 57 series of protocols including

IEC 60870-5 IEC 60870 part 5 Gordon R. Clarke et al, ''Practical modern SCADA protocols: DNP3, 60870.5 and related systems'', Newnes, 2004 is one of the IEC 60870 set of standards which define systems used for telecontrol (supervisory control and data acquis ...

series,

IEC 60870-6 IEC 60870 part 6 in electrical engineering and power system automation, is one of the IEC 60870 set of standards which define systems used for telecontrol ( supervisory control and data acquisition) in electrical engineering and power system aut ...

series,

IEC 61850 IEC 61850 is an international standard defining communication protocols for intelligent electronic devices at electrical substations. It is a part of the International Electrotechnical Commission's (IEC) Technical Committee 57 reference archit ...

series,

IEC 61970 The IEC 61970 series of standards by the International Electrotechnical Commission (IEC) deals with the application program interfaces for energy management systems (EMS). The series provides a set of guidelines and standards to facilitate: * The i ...

series &

IEC 61968 IEC 61968 is a series of standards under development that will define standards for information exchanges between electrical distribution systems. These standards are being developed by Working Group 14 of Technical Committee 57 of the IEC (IEC TC ...

series. The different security objectives include authentication of data transfer through

digital signatures A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very high confidence that the message was created b ...

, ensuring only authenticated access, prevention of

eavesdropping Eavesdropping is the act of secretly or stealthily listening to the private conversation or communications of others without their consent in order to gather information. Etymology The verb ''eavesdrop'' is a back-formation from the noun ''eaves ...

, prevention of playback and spoofing, and

intrusion detection An intrusion detection system (IDS; also intrusion prevention system or IPS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically rep ...

Standard details

* ''IEC 62351-1'' — Introduction to the standard * ''IEC 62351-2'' — Glossary of terms * ''IEC 62351-3'' — Security for any profiles including

TCP/IP The Internet protocol suite, commonly known as TCP/IP, is a framework for organizing the set of communication protocols used in the Internet and similar computer networks according to functional criteria. The foundational protocols in the suit ...

. ** TLS Encryption ** Node Authentication by means of X.509 certificates ** Message Authentication * ''IEC 62351-4'' — Security for any profiles including MMS (e.g., ICCP-based

, etc.). ** Authentication for MMS ** TLS (RFC 2246)is inserted between RFC 1006 & RFC 793 to provide transport layer security * ''IEC 62351-5'' — Security for any profiles including

(e.g.,

DNP3 Distributed Network Protocol 3 (DNP3) is a set of communications protocols used between components in process automation systems. Its main use is in utilities such as electric and water companies. Usage in other industries is not common. It was ...

derivative) ** TLS for TCP/IP profiles and encryption for serial profiles. * ''IEC 62351-6'' — Security for

profiles. **

VLAN A virtual local area network (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer ( OSI layer 2).IEEE 802.1Q-2011, ''1.4 VLAN aims and benefits'' In this context, virtual, refers to a ph ...

use is made as mandatory for

GOOSE A goose ( : geese) is a bird of any of several waterfowl species in the family Anatidae. This group comprises the genera ''Anser'' (the grey geese and white geese) and '' Branta'' (the black geese). Some other birds, mostly related to the ...

** RFC 2030 to be used for SNTP * ''IEC 62351-7'' — Security through network and system management. ** Defines

Management Information Base A management information base (MIB) is a database used for managing the entities in a communication network. Most often associated with the Simple Network Management Protocol (SNMP), the term is also used more generically in contexts such as in ...

(MIBs) that are specific for the power industry, to handle network and system management through

SNMP Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behaviour. Devices that typically ...

based methods. * ''IEC 62351-8'' — Role-based access control. ** Covers the access control of users and automated agents to data objects in power systems by means of role-based access control ( RBAC). * ''IEC 62351-9'' — Key Management ** Describes the correct and safe usage of safety-critical parameters, e.g. passwords, encryption keys. ** Covers the whole life cycle of cryptographic information (enrollment, creation, distribution, installation, usage, storage and removal). ** Methods for algorithms using asymmetric cryptography *** Handling of digital certificates (public / private key) *** Setup of the PKI environment with X.509 certificates *** Certificate enrollment by means of SCEP / CMP / EST *** Certificate revocation by means of CRL /

OCSP The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative t ...

** A secure distribution mechanism based on

GDOI Group Domain of Interpretation or GDOI is a cryptographic protocol for group key management. The GDOI protocol is specified in an IETF Standard, RFC 6407, and is based on Internet Security Association and Key Management Protocol (ISAKMP), RFC 2408 ...

and the

IKEv2 In computing, Internet Key Exchange (IKE, sometimes IKEv1 or IKEv2, depending on version) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP.The Internet Key Excha ...

protocol is presented for the usage of symmetric keys, e.g. session keys. * ''IEC 62351-10'' — Security Architecture ** Explanation of security architectures for the entire IT infrastructure ** Identifying critical points of the communication architecture, e.g. substation control center, substation automation ** Appropriate mechanisms security requirements, e.g. data encryption, user authentication ** Applicability of well-proven standards from the IT domain, e.g. VPN tunnel, secure FTP, HTTPS * ''IEC 62351-11'' — Security for XML Files ** Embedding of the original XML content into an XML container ** Date of issue and access control for XML data ** X.509 signature for authenticity of XML data ** Optional data encryption

External links

Application of the IEC 62351 at IPCOMM GmbH

Report about the implementation of IEC 62351-7
* {{List of automation protocols #62351 Electric power Computer network security

Standard details

See also

External links