Inferensys

Glossary

IEC 62351

IEC 62351 is an international standard defining security requirements for power system communication protocols, including authentication, encryption, and key management, to protect IEC 61850 and other operational technology networks from cyber threats.
Isolated secure server room with network cables physically disconnected, minimal lighting, security-focused environment.
POWER SYSTEM CYBERSECURITY STANDARD

What is IEC 62351?

IEC 62351 is the international standard defining security requirements for power system communication protocols, including authentication, encryption, and key management, to protect IEC 61850 and other operational technology networks from cyber threats.

IEC 62351 is a comprehensive technical security standard developed by the International Electrotechnical Commission to harden communication protocols used in power system operations. It defines end-to-end security mechanisms—including transport layer security, digital signatures, and role-based access control—specifically tailored for the unique real-time performance constraints of operational technology protocols like IEC 61850, DNP3, and ICCP.

The standard addresses critical vulnerabilities in substation automation by specifying authentication for GOOSE and Sampled Values messages, which traditionally lacked built-in security. IEC 62351 also establishes key management frameworks and cryptographic profiles that ensure confidentiality and integrity without violating the strict sub-millisecond latency requirements essential for protection schemes and time-critical control functions.

POWER SYSTEM CYBERSECURITY

Key Features of IEC 62351

IEC 62351 defines a comprehensive set of security requirements for power system communication protocols, ensuring the confidentiality, integrity, and availability of operational technology networks. These key features address the unique challenges of securing real-time industrial control systems.

01

Role-Based Access Control (RBAC)

IEC 62351-8 defines a granular role-based access control model specifically tailored for power systems. It maps organizational roles—such as operator, engineer, and auditor—to specific permissions for interacting with substation devices.

  • Subject-to-Role Mapping: Associates authenticated users with predefined roles.
  • Role-to-Rights Mapping: Defines exactly which data objects and control actions each role can access.
  • Operational Context: Ensures that only authorized personnel can issue critical commands like Select Before Operate (SBO) sequences.
IEC 62351-8
Defining Standard Part
02

End-to-End Encryption

IEC 62351-3 mandates TLS encryption for TCP/IP-based protocols like IEC 61850 MMS, ensuring confidentiality and integrity between clients and servers. This prevents eavesdropping and man-in-the-middle attacks on operational communication.

  • Mutual Authentication: Both client and server verify each other's identity using X.509 certificates.
  • Data Integrity: Message Authentication Codes (MACs) guarantee that commands have not been tampered with in transit.
  • Confidentiality: Encrypts sensitive payloads such as real-time measurement data and control commands.
TLS 1.2+
Minimum Protocol Version
03

Message Authentication for GOOSE/SV

IEC 62351-6 addresses the unique challenge of securing multicast GOOSE and Sampled Values messages, which require ultra-low latency. Traditional encryption is too slow, so the standard specifies a digital signature mechanism.

  • Zero Recovery Time: Uses RSA signatures appended to the message to verify integrity without adding handshake latency.
  • Replay Protection: Includes sequence numbers and timestamps to prevent attackers from capturing and retransmitting valid commands.
  • Computational Offload: Allows for hardware-accelerated signature verification in Intelligent Electronic Devices (IEDs).
< 3 ms
Max Added Latency
04

Centralized Key Management

IEC 62351-9 defines a framework for managing the cryptographic keys and digital certificates used across the entire substation network. This centralized approach is critical for maintaining security posture at scale.

  • Certificate Lifecycle: Automates the issuance, renewal, and revocation of X.509 certificates for IEDs and engineering workstations.
  • Group Keys: Distributes symmetric keys for efficient multicast communication, reducing the overhead of individual key exchanges.
  • Security Event Logging: Tracks all key management operations for forensic auditing and compliance reporting.
IEC 62351-9
Defining Standard Part
05

Network and System Monitoring

IEC 62351-7 provides a data model for network and system management (NSM) that monitors the health and security of the communication infrastructure itself. It generates structured logs for integration with Intrusion Detection Systems (IDS) and SIEM platforms.

  • Security Event Logging: Captures failed authentication attempts, certificate errors, and protocol violations.
  • Performance Metrics: Monitors network latency and packet loss that could indicate a denial-of-service attack.
  • Compliance Auditing: Provides the raw data necessary to demonstrate adherence to NERC CIP and other regulatory frameworks.
IEC 62351-7
Defining Standard Part
06

Security for Serial Protocols

IEC 62351-5 secures legacy serial communication channels, such as those used by DNP3 and IEC 60870-5, which are common in SCADA systems. It provides a bump-in-the-wire solution that adds authentication without replacing existing infrastructure.

  • Challenge-Response Mechanism: Prevents replay attacks by requiring a unique, unpredictable challenge for each command.
  • Data Integrity: Appends a cryptographic hash to ensure that telemetry data has not been modified during transmission.
  • Bump-in-the-Wire: Can be implemented via external hardware modules, preserving investment in legacy Remote Terminal Units (RTUs).
IEC 62351-5
Defining Standard Part
IEC 62351 SECURITY STANDARD

Frequently Asked Questions

Clear, technical answers to the most common questions about the IEC 62351 standard, which defines cybersecurity requirements for power system communication protocols like IEC 61850, DNP3, and ICCP.

IEC 62351 is an international standard defining security requirements for power system communication protocols, including authentication, encryption, and key management, to protect operational technology networks from cyber threats. It was developed by IEC TC57 WG15 specifically to address the unique constraints of industrial control systems—where millisecond latency matters and patching is infrequent. The standard is critical because legacy protocols like IEC 61850, DNP3, and ICCP (TASE.2) were designed for reliability, not security, assuming physically isolated networks. With the convergence of IT and OT networks, these protocols became exposed to man-in-the-middle attacks, replay attacks, and unauthorized command injection. IEC 62351 provides a layered defense: Part 3 secures TCP/IP profiles with TLS, Part 4 secures MMS with application-layer authentication, Part 5 secures IEC 60870-5 (DNP3), Part 6 secures IEC 61850 GOOSE and Sampled Values, and Part 9 handles key management. Without it, a compromised substation IED could issue malicious trip commands, causing cascading blackouts.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.