IEC 62351

IEC 62351 is the current standard for security in energy management systems an associated data exchange. It describes measures to comply with the four major requirements for secure data communications / data processing: confidentiality, data integrity, authentication and non-repudiation.

IEC 62351 includes the following individual standards:

  • IEC 62351-1
    Overview of the entire document IEC 62351 and introduction to IT security aspects for the operation of power supply systems
  • IEC 62351-2
    Glossary of terms and abbreviations
  • IEC 62351-3
    End-to-end data traffic protection of TCP/IP-based connections using TLS [RFC5246] with mandatory mutual authentication of client and server based on X.509 certificates
  • IEC 62351-4
    Security measure for MMS-based protocols (e.g. IEC 60870-6, IEC 61850) by securing the transport layer according to IEC 62351-3 and definition of an authentication mechanism "SECURE" on the application layer for MMS associations using X.509 certificates
  • IEC 62351-5
    Security for IEC 60870-5 and derived protocols (e.g. IEC 60870-5-104 / IEC 60870-5-101 / DNP 3.0) on the application layer through the means of authorizing the access to cricital resources of a substation based on role-based access control (RBAC) and statistical recording of security relevant incidents
  • IEC 62351-6
    Security for IEC 61850 protocol by using VLAN marks and X.509 signatures on GOOSE and SMV telegrams
  • IEC 62351-7
    Security through the use of networking and system administration tools in order to enable monitoring of power grid infrastructure, i.e. using MIB definitions for IEDs, which provide relevant system information about the device and the communication lines via the SNMP protocol in a standardized way
  • IEC 62351-8
    Definition of methods to process and to manage access rights for users and services based on a role based access control (RBAC) scheme. The identity information, as wells as the role name is stored in an access token (ASN.1 syntax), which is exchanged in a cryptographically secure way between the systems using different transport mechanisms, i.e. X.509 certificates, X.509 attribute certificates, software token. An LDAP system centrally manages the access tokens and enables the access (PUSH- / PULL-mechanism) to the identity information of the communication partner. Furthermore, predefined default roles are established (see table below) and the access rights in the context of IEC 61850 are defined (e.g. listing of all objects within a "logical device").
    predefined role profiles
    table: predefined role profiles
  • IEC 62351-9
    "Cyber security", the key management for power supply systems, deals with the correct and safe usage of safety-critical parameters, e.g. passwords, encryption keys and the whole life cycle of cryptographic information (enrollment, creation, distribution, installation, usage, storage and removal). For algorithms applying asymmetric cryptography, the handling of digital certificates (public / private key), the necessary infrastructure (PKI, X.509 certificates) and the mechanisms concerning different management aspects (e.g. certificate request (SCEP, CMP) certificate revocation (CRL, OCSP), are defined. A secure distribution mechanism based on GDOI [RFC6407] and the IKEv2 protocol [RFC7427] is presented for the usage of symmetric keys, e.g. session keys.
  • IEC 62351-10
    The norm explains security architectures of the entire IT infrastructure, with additional focus on special security requirements in the field of power generation. Critical points of the communication architecture are identified (e.g. substation control center, substation automation) and appropriate security mechanisms (e.g. data encryption, user authentication) are proposed. The application of the mechanisms from IEC 62351 and well-proven standards from the IT domain (e.g. VPN tunnel, secure FTP, HTTPS) are combined to cope with the security requirements.
  • IEC 62351-11
    Security for XML files through embedding of the original XML content into an XML container, which enables optional data encryption, X.509 signature for authenticity of XML data, date of issue and access control of XML data.

The following illustration shows the mapping of the different IEC 62351 parts to standardized protocols in the domain of energy management:

relevance of the IEC 62351 parts to protocols of the IEC TC 57 working group
figure: relevance of the IEC 62351 parts to protocols of the IEC TC 57 working group

ISO/OSI Model

7 Application Layer IEC62351-11
IEC62351-9 (X.509 certificates)
6 Presentation Layer n/a
5 Session Layer IEC62351-5
IEC62351-6 (signatures)
IEC62351-8 (LDAP accesses)
IEC62351-9 (SCEP)
4 Transport Layer IEC62351-3 (TLS)
IEC62351-4 (TLS and MSS authentication)
3 Network Layer n/a
2 Link Layer IEC62351-6 (VLAN)
1 Physical Layer n/a

Implemented Protocol Stacks

DNP V3.00, Master

DNP V3.00, Slave

IEC 60870-5-104, Master

IEC 60870-5-104, Slave

IEC 61850, Client

IEC 61850, Server

Applicable Products

  • ipConv
    ipConv

    Universal protocol converter for highest degree of flexibility

References

  • Project CFE
    Project CFE, Mexico

    Products: ipConv
    Protocol Stacks: Conitel-2020, Slave DNP V3.00, Slave DNP V3.00, Master Harris-5000/6000, Slave Recon, Slave Indactic 33/41, 2033, Slave Fuji, Slave XMAT, Master

  • ELIA
    ELIA, Belgium

    Products: ipConv
    Protocol Stacks: Modbus TCP/IP, Master IEC 60870-5-104, Slave Telegyr 065, Master Telegyr 102, Master Telegyr 809, Master Tracec 32, 62, 92, 92P, 122, 130 & 142 Master

  • Storebælt
    Storebælt, Denmark

    Products: ipConv
    Protocol Stacks: IEC 60870-5-104, Master IEC 60870-5-104, Slave Simatic TDC, Master Modbus TCP/IP, Master

  • SEC SVC
    SEC SVC, Saudi Arabia

    Products: ipConv
    Protocol Stacks: IEC 60870-5-101, Slave IEC 60870-5-104, Slave IEC 61850, Client Simatic TDC, Master

  • HVDC
    HVDC, New Zealand

    Products: ipConv ipConvLite
    Protocol Stacks: DNP V3.00, Slave DNP V3.00, Master TASE.2, Server TASE.2, Client Modbus, Master Simatic TDC, Master

  • BLS Lötschbergtunnel II
    BLS Lötschbergtunnel II, Switzerland

    Products: ipConv ipRoute
    Protocol Stacks: IEC 60870-5-104, Master IEC 60870-5-104, Slave SNMP, Client

  • BLS AlpTransit - Lötschbergtunnel
    BLS AlpTransit - Lötschbergtunnel, Switzerland

    Products: ipConv ipRoute
    Protocol Stacks: OPC DA 3.0, Server IEC 60870-5-104, Slave IEC 60870-5-101, Master IEC 60870-5-104, Master SNMP, Client

  • BASSLINK HVDC Victoria / Tasmania
    BASSLINK HVDC Victoria / Tasmania, Australia

    Products: ipConv
    Protocol Stacks: DNP V3.00, Slave Simatic TDC, Master