Protocols
Contact Request   
HOME
Products
Protocols
References
Hardware
NEW!! Training

IEC 62351

DOWNISO/OSI Model
DOWNImplemented Protocol Stacks
DOWNApplicable Products
DOWNReferences

IEC 62351 is the current standard for security in energy management systems an associated data exchange. It describes measures to comply with the four major requirements for secure data communications / data processing: confidentiality, data integrity, authentication and non-repudiation.

IEC 62351 includes the following individual standards:

  • IEC 62351-1
    Overview of the entire document IEC 62351 and introduction to IT security aspects for the operation of power supply systems
  • IEC 62351-2
    Glossary of terms and abbreviations
  • IEC 62351-3
    End-to-end data traffic protection of TCP/IP-based connections using TLS [RFC5246] with mandatory mutual authentication of client and server based on X.509 certificates
  • IEC 62351-4
    Security measure for MMS-based protocols (e.g. IEC 60870-6, IEC 61850) by securing the transport layer according to IEC 62351-3 and definition of an authentication mechanism "SECURE" on the application layer for MMS associations using X.509 certificates
  • IEC 62351-5
    Security for IEC 60870-5 and derived protocols (e.g. IEC 60870-5-104 / IEC 60870-5-101 / DNP 3.0) on the application layer through the means of authorizing the access to cricital resources of a substation based on role-based access control (RBAC) and statistical recording of security relevant incidents
  • IEC 62351-6
    Security for IEC 61850 protocol by using VLAN marks and X.509 signatures on GOOSE and SMV telegrams
  • IEC 62351-7
    Security through the use of networking and system administration tools in order to enable monitoring of power grid infrastructure, i.e. using MIB definitions for IEDs, which provide relevant system information about the device and the communication lines via the SNMP protocol in a standardized way
  • IEC 62351-8
    Definition of methods to process and to manage access rights for users and services based on a role based access control (RBAC) scheme. The identity information, as wells as the role name is stored in an access token (ASN.1 syntax), which is exchanged in a cryptographically secure way between the systems using different transport mechanisms, i.e. X.509 certificates, X.509 attribute certificates, software token. An LDAP system centrally manages the access tokens and enables the access (PUSH- / PULL-mechanism) to the identity information of the communication partner. Furthermore, predefined default roles are established (see table below) and the access rights in the context of IEC 61850 are defined (e.g. listing of all objects within a "logical device").
    predefined role profiles
    table: predefined role profiles
  • IEC 62351-9
    "Cyber security", the key management for power supply systems, deals with the correct and safe usage of safety-critical parameters, e.g. passwords, encryption keys and the whole life cycle of cryptographic information (enrollment, creation, distribution, installation, usage, storage and removal). For algorithms applying asymmetric cryptography, the handling of digital certificates (public / private key), the necessary infrastructure (PKI, X.509 certificates) and the mechanisms concerning different management aspects (e.g. certificate request (SCEP, CMP) certificate revocation (CRL, OCSP), are defined. A secure distribution mechanism based on GDOI [RFC6407] and the IKEv2 protocol [RFC7427] is presented for the usage of symmetric keys, e.g. session keys.
  • IEC 62351-10
    The norm explains security architectures of the entire IT infrastructure, with additional focus on special security requirements in the field of power generation. Critical points of the communication architecture are identified (e.g. substation control center, substation automation) and appropriate security mechanisms (e.g. data encryption, user authentication) are proposed. The application of the mechanisms from IEC 62351 and well-proven standards from the IT domain (e.g. VPN tunnel, secure FTP, HTTPS) are combined to cope with the security requirements.
  • IEC 62351-11
    Security for XML files through embedding of the original XML content into an XML container, which enables optional data encryption, X.509 signature for authenticity of XML data, date of issue and access control of XML data.

The following illustration shows the mapping of the different IEC 62351 parts to standardized protocols in the domain of energy management:

relevance of the IEC 62351 parts to protocols of the IEC TC 57 working group
figure: relevance of the IEC 62351 parts to protocols of the IEC TC 57 working group

ISO/OSI Model

7 Application Layer IEC62351-11
IEC62351-9 (X.509 certificates)
6 Presentation Layer n/a
5 Session Layer IEC62351-5
IEC62351-6 (signatures)
IEC62351-8 (LDAP accesses)
IEC62351-9 (SCEP)
4 Transport Layer IEC62351-3 (TLS)
IEC62351-4 (TLS and MSS authentication)
3 Network Layer n/a
2 Link Layer IEC62351-6 (VLAN)
1 Physical Layer n/a

Implemented Protocol Stacks

DNP V3.00, MasterDNP V3.00, Slave
IEC 60870-5-104, MasterIEC 60870-5-104, Slave
IEC 61850, ClientIEC 61850, Server

Applicable Products

ipConvipConvUniversal protocol converter for highest degree of flexibility
Details...
product/ipConv/en/ipConv_en.pdf

References

Project CFEProject CFE
Details...
MexicoipConv Conitel-2020, Slave / DNP V3.00, Slave / DNP V3.00, Master / Harris-5000/6000, Slave / Recon, Slave / Indactic 33/41, 2033, Slave / Fuji, Slave / XMAT, Master /
ELIAELIA
Details...
BelgiumipConv Modbus TCP/IP, Master / IEC 60870-5-104, Slave / Telegyr 065, Master / Telegyr 102, Master / Telegyr 809, Master / Tracec 32, 62, 92, 92P, 122, 130 & 142 Master /
Storebælt, DenmarkStorebælt, Denmark
Details...
DenmarkipConv IEC 60870-5-104, Master / IEC 60870-5-104, Slave / Simatic TDC, Master / Modbus TCP/IP, Master /
SEC SVC, Saudi ArabiaSEC SVC, Saudi Arabia
Details...
Saudi ArabiaipConv IEC 60870-5-101, Slave / IEC 60870-5-104, Slave / IEC 61850, Client / Simatic TDC, Master /
HVDC New ZealandHVDC New Zealand
Details...
New ZealandipConv ipConvLite DNP V3.00, Slave / DNP V3.00, Master / TASE.2, Server / TASE.2, Client / Modbus, Master / Simatic TDC, Master /
BLS Lötschbergtunnel II, SwitzerlandBLS Lötschbergtunnel II, Switzerland
Details...
SwitzerlandipConv ipRoute IEC 60870-5-104, Master / IEC 60870-5-104, Slave / SNMP, Client /
BLS AlpTransit - LötschbergtunnelBLS AlpTransit - Lötschbergtunnel
Details...
SwitzerlandipConv ipRoute OPC DA 3.0, Server / IEC 60870-5-104, Slave / IEC 60870-5-101, Master / IEC 60870-5-104, Master / SNMP, Client /
BASSLINK HVDC Victoria / TasmaniaBASSLINK HVDC Victoria / Tasmania
Details...
AustraliaipConv DNP V3.00, Slave / Simatic TDC, Master /
© 2004-2017 IPCOMM GmbH