What is IEC 62351?
IEC 62351 is the current standard for security in energy management systems and the associated data exchange. It describes measures to meet the four major requirements for secure data communication and data processing: confidentiality, data integrity, authentication and non-repudiation.
IEC 62351 represents the work of IEC TC 57/WG 15, an expert group of ICS operators, SCADA engineers, security specialists and networking engineers from more than 20 countries, spread over four continents.
In essence, IEC 62351 gives detailed advice on protecting energy management systems and on the secure exchange of energy-related data. The series addresses system architecture and identifies a series of effective countermeasures that can be applied to commonly used protocols to protect the confidentiality, integrity and availability of data.
IEC 62351 shows users how to implement a risk management process that not only identifies and assesses potential security threats and vulnerabilities but also describes countermeasures to mitigate or eliminate those risks. The standard stresses the crucial importance of pervasive monitoring of the system and provides practical guidance. Systems must be subject to continuous testing during their life cycle, not least because cyber threats are in constant evolution.
How is IEC 62351 structured?
IEC 62351 includes the following individual standards:
- IEC 62351-1 provides an overview of the entire IEC 62351 series and introduces IT security considerations for operating power supply systems.
- IEC 62351-2 presents a glossary of terms and abbreviations used throughout the series.
- IEC 62351-3 focuses on protecting end-to-end data traffic over TCP/IP connections using TLS, with mandatory mutual authentication of clients and servers via X.509 certificates; it also constrains the permitted cipher suites and requires certificate revocation checking and periodic re-keying of long-lived connections.
- IEC 62351-4 outlines security measures for MMS-based protocols (IEC 61850 client/server and ICCP/TASE.2), securing the transport layer per IEC 62351-3 and defining an authentication mechanism for MMS associations using X.509 certificates.
- IEC 62351-5 addresses security for IEC 60870-5 and derived protocols (DNP3 Secure Authentication is based on it) at the application layer: the outstation challenges critical ASDUs and the master must reply with a keyed hash (HMAC) over the challenge computed with a shared session key; the part also defines the session key update procedure and requires security events and statistics to be recorded.
- IEC 62351-6 covers the IEC 61850 profiles that run directly over Ethernet (GOOSE and Sampled Values), whose latency budget rules out TLS: frames carry a VLAN tag (IEEE 802.1Q) and an authentication extension, specified as a digital signature in the first edition and as a MAC (HMAC or AES-GMAC) under a group key in later editions.
- IEC 62351-7 focuses on security via networking and system administration tools, enabling monitoring of power grid infrastructure using SNMP protocol and MIB definitions.
- IEC 62351-8 defines role-based access control for power system management: subjects are assigned predefined roles (e.g. VIEWER, OPERATOR, ENGINEER, SECADM) that are carried in access tokens, typically X.509 certificates with a role extension or software tokens, exchanged securely between systems; a central repository such as an LDAP directory may be used to manage them.
- IEC 62351-9 covers key management for power supply systems, addressing safe usage of parameters like passwords and encryption keys, along with the lifecycle of cryptographic information.
- IEC 62351-10 explains security architectures for the IT infrastructure, emphasizing special requirements in power generation and proposing appropriate security mechanisms.
- IEC 62351-11 addresses security for XML documents: the original content is embedded in a container that supports optional encryption, X.509-based signatures, a time stamp (date of issuance) and access control attributes.
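The challenge-response mechanism of IEC 62351-5 is easiest to understand with both sides' messages in front of you. The following Python model is an added example, not code from the standard or from any vendor implementation, and it deliberately does not reproduce the standard's wire encoding, MAC truncation, key-update messages or aggressive mode: the session key, the ASDU text and the message field names are constructed for the illustration. What it does show is the security property: the outstation executes a critical ASDU only after the master proves possession of the session key over a fresh nonce, so a tampered command, a replayed reply or a master with the wrong key is refused and counted in the security statistics.

```python
"""Simplified model of the IEC 62351-5 challenge-response authentication.

Constructed illustration, not the standard's wire format. A master sends
a critical ASDU, the outstation challenges it with a fresh nonce, and the
ASDU is executed only if the master returns a correct HMAC over the
challenge, proving it holds the session key.
"""
import hashlib
import hmac
import os

# Constructed session key for this association; IEC 62351-5 would
# establish it through its authenticated key-update exchange.
SESSION_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)
NONCE_LEN = 16


def compute_mac(key: bytes, seq: int, nonce: bytes, asdu: bytes) -> bytes:
    """HMAC-SHA256 binding the challenge sequence number, nonce and ASDU."""
    return hmac.new(key, seq.to_bytes(4, "big") + nonce + asdu, hashlib.sha256).digest()


class Master:
    """Controlling station: remembers what it sent and answers challenges."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_sent = b""

    def send_critical(self, asdu: bytes) -> bytes:
        self.last_sent = asdu
        return asdu  # what goes on the wire

    def respond(self, challenge: dict) -> bytes:
        # The MAC covers the ASDU as the master sent it, so any change in
        # transit makes the outstation's recomputation disagree.
        return compute_mac(self.key, challenge["seq"], challenge["nonce"], self.last_sent)


class Outstation:
    """Controlled station: challenges critical ASDUs before executing them."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.seq = 0
        self.pending = None  # (seq, nonce, asdu) of the outstanding challenge
        # IEC 62351-5 requires security statistics/events to be kept;
        # these counters stand in for them.
        self.stats = {"auth_ok": 0, "auth_fail": 0, "unexpected": 0}

    def challenge(self, received_asdu: bytes) -> dict:
        self.seq += 1
        nonce = os.urandom(NONCE_LEN)
        self.pending = (self.seq, nonce, received_asdu)
        return {"seq": self.seq, "nonce": nonce}

    def verify(self, seq: int, mac: bytes) -> bool:
        if self.pending is None or seq != self.pending[0]:
            self.stats["unexpected"] += 1  # reply to no or an old challenge: replay/stray
            return False
        _, nonce, asdu = self.pending
        self.pending = None  # each challenge may be answered exactly once
        expected = compute_mac(self.key, seq, nonce, asdu)
        if hmac.compare_digest(expected, mac):
            self.stats["auth_ok"] += 1
            return True  # execute the ASDU
        self.stats["auth_fail"] += 1
        return False


def run_exchange(tamper: bool = False, replay: bool = False,
                 master_key: bytes = SESSION_KEY) -> dict:
    """Drive one exchange and report what the outstation decided."""
    master, outstation = Master(master_key), Outstation(SESSION_KEY)
    on_wire = master.send_critical(b"C_SC_NA_1 select breaker 12 ON")  # constructed command
    if tamper:
        on_wire = on_wire.replace(b"breaker 12", b"breaker 99")  # attacker in the middle
    ch = outstation.challenge(on_wire)
    mac = master.respond(ch)
    result = {"accepted": outstation.verify(ch["seq"], mac)}
    if replay:  # attacker re-sends the captured reply
        result["replay_accepted"] = outstation.verify(ch["seq"], mac)
    result["stats"] = dict(outstation.stats)
    return result


if __name__ == "__main__":
    print("genuine :", run_exchange())
    print("tampered:", run_exchange(tamper=True))
    print("replayed:", run_exchange(replay=True))
    print("bad key :", run_exchange(master_key=b"\x00" * 32))
```

Two design points carry over to real deployments: the outstation, not the master, chooses the nonce, so a captured reply is useless against a later challenge, and the verification is a constant-time comparison of the full MAC. Note that this mechanism provides authentication and integrity only; IEC 62351-5 does not encrypt the ASDU, which is why the transport is additionally expected to be protected per IEC 62351-3 where confidentiality matters.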
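The IEC 62351-8 access-control decision has two steps that are easy to conflate: first the access token must be authenticated and checked for validity, and only then are the roles it carries mapped to rights. The following Python block is an added example written for this page, not code from the standard or from any product. The HMAC-signed base64url token is a stand-in for the standard's X.509-based tokens (a real verifier would check a certificate chain against the role issuer's CA), and the role-to-right table is illustrative: only the role names are taken from IEC 62351-8, the rights granted to them here are this example's assumption. The issuer key, subject names and time values are constructed.

```python
"""Simplified IEC 62351-8 style role-based access control check.

Constructed illustration. IEC 62351-8 carries a subject's roles in an
access token (an X.509 certificate extension, an attribute certificate
or a software token) and names standard roles; the HMAC-signed token
format and the role-to-right table below are this example's own
simplifications, not the standard's encoding or its exact rights matrix.
"""
import base64
import hashlib
import hmac
import json

# Constructed issuer key; a real deployment verifies an X.509 signature
# chain against the role issuer's CA instead of a shared secret.
ISSUER_KEY = b"example-role-issuer-key-not-for-production"

# Roles named in IEC 62351-8; the rights granted here are illustrative.
ROLE_RIGHTS = {
    "VIEWER": {"view"},
    "OPERATOR": {"view", "read", "control"},
    "ENGINEER": {"view", "read", "dataset", "config", "settinggroup"},
    "INSTALLER": {"view", "read", "config", "filewrite"},
    "SECADM": {"view", "security"},
    "SECAUD": {"view", "fileread"},
    "RBACMNT": {"view", "security"},
}


def _sign(payload: bytes) -> str:
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(subject: str, roles: list, not_before: int, not_after: int) -> str:
    """Issue a token: base64url(JSON claims) + '.' + HMAC tag over the claims."""
    claims = {"sub": subject, "roles": roles, "nbf": not_before, "naf": not_after}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_token(token: str, now: int):
    """Return (claims, None) if the token is authentic and valid at `now`,
    otherwise (None, reason). Authentication comes before any role lookup."""
    try:
        body, tag = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except ValueError:  # no separator or bad base64 (binascii.Error is a ValueError)
        return None, "malformed"
    if not hmac.compare_digest(_sign(payload).encode(), tag.encode()):
        return None, "bad signature"  # forged or edited after issuance
    claims = json.loads(payload)
    if not (claims["nbf"] <= now < claims["naf"]):
        return None, "expired or not yet valid"
    return claims, None


def authorize(token: str, right: str, now: int) -> tuple:
    """Decide whether the token holder may exercise `right` at time `now`."""
    claims, reason = verify_token(token, now)
    if claims is None:
        return False, reason
    granted = set()
    for role in claims["roles"]:
        granted |= ROLE_RIGHTS.get(role, set())  # unknown roles grant nothing
    if right in granted:
        return True, f"{claims['sub']} has {right} via {sorted(claims['roles'])}"
    return False, f"{claims['sub']} lacks {right}"


def tamper_roles(token: str, new_roles: list) -> str:
    """Rewrite the claims without re-signing, as an attacker without the key would."""
    body, tag = token.rsplit(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    claims["roles"] = new_roles
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


if __name__ == "__main__":
    tok = issue_token("op1", ["OPERATOR"], not_before=1000, not_after=2000)
    print(authorize(tok, "control", 1500))
    print(authorize(tok, "config", 1500))
    print(authorize(tok, "control", 2000))
    print(authorize(tamper_roles(tok, ["SECADM"]), "security", 1500))
```

The order of checks matters: a token whose signature or validity period fails is rejected before its roles are even read, so an attacker who edits the role list gets "bad signature" rather than an elevated role, and a role name the device does not know grants nothing rather than falling back to a default. In a deployment that manages roles centrally (for example in an LDAP directory, as the part permits), the same split applies: the directory is the issuer, the device is the verifier, and the device never trusts a role claim it cannot authenticate.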
The following illustration shows the mapping of the different IEC 62351 parts to standardized protocols in the domain of energy management:
Properly implemented, IEC 62351 lets operators detect an attack on the power supply system promptly, through the monitoring objects of part 7 and the security event logging the protocol parts require, rather than discovering it through its consequences. It can enhance the protection of power stations and reduce the need for costly upgrades and enhancements during their operating life.