IEC 62351

IEC 62351 is a standard developed by WG15 of TC57 of the International Electrotechnical Commission (IEC). It was developed to handle the security of the TC 57 series of protocols, including the IEC 60870-5 series, IEC 60870-6 series, IEC 61850 series, IEC 61970 series and IEC 61968 series. Its security objectives include authentication of data transfers through digital signatures, ensuring only authenticated access, prevention of eavesdropping, prevention of replay and spoofing, and intrusion detection.


Standard details

* ''IEC 62351-1'' — Introduction to the standard
* ''IEC 62351-2'' — Glossary of terms
* ''IEC 62351-3 Ed. 2'' — Security for any profiles including TCP/IP. The current edition was published 06/2023, replacing edition 1.2.
** TLS encryption
** Node authentication by means of X.509 certificates
** Message authentication
* ''IEC 62351-4'' — Security for any profiles including MMS (e.g., ICCP-based IEC 60870-6, IEC 61850, etc.)
** Authentication for MMS
** TLS (RFC 2246) is inserted between RFC 1006 (TPKT) and RFC 793 (TCP) to provide transport layer security. RFC 2246 is TLS 1.0; the TLS versions and cipher suites actually permitted are governed by the current edition of IEC 62351-3.
* ''IEC 62351-5'' — Security for any profiles including IEC 60870-5 (e.g., DNP3 derivative)
** TLS for TCP/IP profiles and encryption for serial profiles
* ''IEC 62351-6'' — Security for IEC 61850 profiles
** VLAN use is mandatory for GOOSE
** RFC 2030 (SNTP) to be used for time synchronization
* ''IEC 62351-7'' — Security through network and system management
** Defines Management Information Bases (MIBs) specific to the power industry, to handle network and system management through SNMP-based methods
* ''IEC 62351-8'' — Role-based access control
** Covers the access control of users and automated agents to data objects in power systems by means of role-based access control (RBAC)
* ''IEC 62351-9'' — Key management
** Describes the correct and safe usage of security-critical parameters, e.g. passwords and encryption keys
** Covers the whole life cycle of cryptographic information (enrollment, creation, distribution, installation, usage, storage and removal)
** Methods for algorithms using asymmetric cryptography
*** Handling of digital certificates (public / private key)
*** Setup of the PKI environment with X.509 certificates
*** Certificate enrollment by means of SCEP / EST, while allowing the use of other enrollment protocols
*** Certificate revocation by means of CRL / OCSP
** A secure distribution mechanism based on GDOI (Group Domain of Interpretation, RFC 6407) and the IKEv1 protocol is presented for the usage of symmetric keys, e.g. session keys
* ''IEC 62351-10'' — Security architecture
** Explanation of security architectures for the entire IT infrastructure
** Identifying critical points of the communication architecture, e.g. substation control center, substation automation
** Appropriate security mechanisms for those requirements, e.g. data encryption, user authentication
** Applicability of well-proven standards from the IT domain, e.g. VPN tunnel, secure FTP, HTTPS
* ''IEC 62351-11'' — Security for XML files
** Embedding of the original XML content into an XML container
** Date of issue and access control for XML data
** X.509 signature for authenticity of XML data
** Optional data encryption
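The IEC 62351-3/-4 layering described above (TLS between the TCP socket and the RFC 1006 TPKT framing that carries COTP/MMS) is shown below as an added Python example; it is not code from the page or from any IEC document. It assumes only the standard library. The certificate file paths are hypothetical parameters, the context settings (mutual X.509 authentication, TLS 1.2 minimum, no compression) are this example's reading of the IEC 62351-3 node-authentication requirement rather than the normative profile, and the TPKT/COTP byte samples are constructed for the demonstration. The framer deliberately rejects a TPKT length smaller than its own header, since a naive implementation would otherwise loop or slice with a negative index on such input.

```python
"""IEC 62351-3/-4 style transport stack, bottom to top:
TCP (RFC 793) -> TLS (IEC 62351-3 profile) -> TPKT (RFC 1006) -> COTP -> MMS.
Added example; not from the page, not from the IEC texts."""
import ssl
import struct

TPKT_VERSION = 3
TPKT_HEADER_LEN = 4
TPKT_MAX_LEN = 0xFFFF  # 16-bit length field, counts the 4-byte header as well


class TpktError(ValueError):
    """Malformed TPKT header; the caller should drop the connection."""


def make_iec62351_context(server_side, cafile=None, certfile=None, keyfile=None):
    """TLS context expressing IEC 62351-3 node authentication: both peers
    present X.509 certificates and only TLS 1.2 or newer is accepted.
    cafile/certfile/keyfile are hypothetical paths; loading is skipped when None
    so the policy can be inspected offline."""
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED          # server also demands a client cert
    ctx.options |= ssl.OP_NO_COMPRESSION         # no TLS-level compression
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # PKI trust anchor (IEC 62351-9)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)    # this node's certificate
    return ctx


def context_policy(ctx):
    """Return the policy fields a reviewer would check, as plain strings."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "no_compression": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


def tpkt_encode(payload):
    """Wrap one COTP TPDU in a TPKT header (RFC 1006)."""
    length = TPKT_HEADER_LEN + len(payload)
    if length > TPKT_MAX_LEN:
        raise TpktError("payload too large for a TPKT length field")
    return struct.pack("!BBH", TPKT_VERSION, 0, length) + payload


class TpktFramer:
    """Reassemble TPKT PDUs from an arbitrarily chunked byte stream, such as
    successive SSLSocket.recv() results, validating every header."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, data):
        self._buf += data
        pdus = []
        while len(self._buf) >= TPKT_HEADER_LEN:
            version, _reserved, length = struct.unpack("!BBH", self._buf[:TPKT_HEADER_LEN])
            if version != TPKT_VERSION:
                raise TpktError("unexpected TPKT version %d" % version)
            if length < TPKT_HEADER_LEN:
                # Length covers the header; anything smaller is malformed and
                # would make a naive framer loop forever or slice negatively.
                raise TpktError("TPKT length %d shorter than header" % length)
            if len(self._buf) < length:
                break  # wait for the rest of this PDU
            pdus.append(bytes(self._buf[TPKT_HEADER_LEN:length]))
            del self._buf[:length]
        return pdus


def rejects(stream):
    """True if the framer refuses the given byte stream as malformed."""
    try:
        TpktFramer().feed(stream)
        return False
    except TpktError:
        return True


def demo():
    """Constructed sample: two COTP DT TPDUs (02 F0 80 + opaque MMS bytes)
    delivered in three TLS-record-sized chunks. Returns the reassembled TPDUs."""
    tpdu1 = b"\x02\xf0\x80" + b"\xa8\x00"      # constructed, not a real MMS PDU
    tpdu2 = b"\x02\xf0\x80" + b"\xa9\x01\x02"  # constructed
    stream = tpkt_encode(tpdu1) + tpkt_encode(tpdu2)
    framer = TpktFramer()
    out = []
    for chunk in (stream[:5], stream[5:11], stream[11:]):
        out.extend(framer.feed(chunk))
    return out


if __name__ == "__main__":
    print(context_policy(make_iec62351_context(server_side=True)))
    print(demo())
```

In a real deployment the framer is fed from an `SSLSocket` created with `ctx.wrap_socket(tcp_sock, server_side=...)`, and certificate lifecycle concerns (enrollment, CRL/OCSP checking) belong to IEC 62351-9, not to this transport layer.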


See also

* IEC TC 57
* List of IEC technical committees


External links


Application of the IEC 62351 at IPCOMM GmbH

Report about the implementation of IEC 62351-7