IEC 62351 is a comprehensive technical security standard developed by the International Electrotechnical Commission to harden communication protocols used in power system operations. It defines end-to-end security mechanisms—including transport layer security, digital signatures, and role-based access control—specifically tailored for the unique real-time performance constraints of operational technology protocols like IEC 61850, DNP3, and ICCP.
Glossary
IEC 62351

What is IEC 62351?
IEC 62351 is the international standard defining security requirements for power system communication protocols, including authentication, encryption, and key management, to protect IEC 61850 and other operational technology networks from cyber threats.
The standard addresses critical vulnerabilities in substation automation by specifying authentication for GOOSE and Sampled Values messages, which traditionally lacked built-in security. IEC 62351 also establishes key management frameworks and cryptographic profiles that ensure confidentiality and integrity without violating the strict sub-millisecond latency requirements essential for protection schemes and time-critical control functions.
Key Features of IEC 62351
IEC 62351 defines a comprehensive set of security requirements for power system communication protocols, ensuring the confidentiality, integrity, and availability of operational technology networks. These key features address the unique challenges of securing real-time industrial control systems.
Role-Based Access Control (RBAC)
IEC 62351-8 defines a granular role-based access control model specifically tailored for power systems. It maps organizational roles—such as operator, engineer, and auditor—to specific permissions for interacting with substation devices.
- Subject-to-Role Mapping: Associates authenticated users with predefined roles.
- Role-to-Rights Mapping: Defines exactly which data objects and control actions each role can access.
- Operational Context: Ensures that only authorized personnel can issue critical commands like Select Before Operate (SBO) sequences.
End-to-End Encryption
IEC 62351-3 mandates TLS encryption for TCP/IP-based protocols like IEC 61850 MMS, ensuring confidentiality and integrity between clients and servers. This prevents eavesdropping and man-in-the-middle attacks on operational communication.
- Mutual Authentication: Both client and server verify each other's identity using X.509 certificates.
- Data Integrity: Message Authentication Codes (MACs) guarantee that commands have not been tampered with in transit.
- Confidentiality: Encrypts sensitive payloads such as real-time measurement data and control commands.
Message Authentication for GOOSE/SV
IEC 62351-6 addresses the unique challenge of securing multicast GOOSE and Sampled Values messages, which require ultra-low latency. Traditional encryption is too slow, so the standard specifies a digital signature mechanism.
- Zero Recovery Time: Uses RSA signatures appended to the message to verify integrity without adding handshake latency.
- Replay Protection: Includes sequence numbers and timestamps to prevent attackers from capturing and retransmitting valid commands.
- Computational Offload: Allows for hardware-accelerated signature verification in Intelligent Electronic Devices (IEDs).
Centralized Key Management
IEC 62351-9 defines a framework for managing the cryptographic keys and digital certificates used across the entire substation network. This centralized approach is critical for maintaining security posture at scale.
- Certificate Lifecycle: Automates the issuance, renewal, and revocation of X.509 certificates for IEDs and engineering workstations.
- Group Keys: Distributes symmetric keys for efficient multicast communication, reducing the overhead of individual key exchanges.
- Security Event Logging: Tracks all key management operations for forensic auditing and compliance reporting.
Network and System Monitoring
IEC 62351-7 provides a data model for network and system management (NSM) that monitors the health and security of the communication infrastructure itself. It generates structured logs for integration with Intrusion Detection Systems (IDS) and SIEM platforms.
- Security Event Logging: Captures failed authentication attempts, certificate errors, and protocol violations.
- Performance Metrics: Monitors network latency and packet loss that could indicate a denial-of-service attack.
- Compliance Auditing: Provides the raw data necessary to demonstrate adherence to NERC CIP and other regulatory frameworks.
Security for Serial Protocols
IEC 62351-5 secures legacy serial communication channels, such as those used by DNP3 and IEC 60870-5, which are common in SCADA systems. It provides a bump-in-the-wire solution that adds authentication without replacing existing infrastructure.
- Challenge-Response Mechanism: Prevents replay attacks by requiring a unique, unpredictable challenge for each command.
- Data Integrity: Appends a cryptographic hash to ensure that telemetry data has not been modified during transmission.
- Bump-in-the-Wire: Can be implemented via external hardware modules, preserving investment in legacy Remote Terminal Units (RTUs).
Frequently Asked Questions
Clear, technical answers to the most common questions about the IEC 62351 standard, which defines cybersecurity requirements for power system communication protocols like IEC 61850, DNP3, and ICCP.
IEC 62351 is an international standard defining security requirements for power system communication protocols, including authentication, encryption, and key management, to protect operational technology networks from cyber threats. It was developed by IEC TC57 WG15 specifically to address the unique constraints of industrial control systems—where millisecond latency matters and patching is infrequent. The standard is critical because legacy protocols like IEC 61850, DNP3, and ICCP (TASE.2) were designed for reliability, not security, assuming physically isolated networks. With the convergence of IT and OT networks, these protocols became exposed to man-in-the-middle attacks, replay attacks, and unauthorized command injection. IEC 62351 provides a layered defense: Part 3 secures TCP/IP profiles with TLS, Part 4 secures MMS with application-layer authentication, Part 5 secures IEC 60870-5 (DNP3), Part 6 secures IEC 61850 GOOSE and Sampled Values, and Part 9 handles key management. Without it, a compromised substation IED could issue malicious trip commands, causing cascading blackouts.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core security standards and protocols that define the implementation of authentication, encryption, and key management within IEC 61850 and other operational technology networks.
IEC 62351-3: TLS for TCP/IP Profiles
Defines the mandatory use of Transport Layer Security (TLS) to secure TCP/IP-based communication profiles, such as IEC 61850 MMS. This part specifies cipher suite selection, certificate handling, and session resumption to ensure confidentiality and integrity between SCADA clients and IEDs. It mandates mutual authentication to prevent man-in-the-middle attacks on control center communications.
IEC 62351-5: Security for IEC 60870-5
Specifies secure communication mechanisms for the widely deployed IEC 60870-5-101 and 104 serial and TCP/IP protocols. Unlike TLS, it defines an application-layer challenge-response authentication mechanism that is lightweight enough for legacy serial links. It prevents replay attacks and unauthorized commands by injecting unique session keys without requiring a full TCP/IP stack on older RTUs.
IEC 62351-6: Security for GOOSE & SV
Addresses the unique challenge of securing real-time Layer 2 multicast messages (GOOSE and Sampled Values). Because these messages require sub-4ms latency, traditional encryption is too slow. This part mandates digital signatures using asymmetric cryptography to ensure authenticity and integrity without encrypting the payload, allowing receiving IEDs to verify the sender is authorized.
IEC 62351-9: Key Management
Defines the lifecycle management of cryptographic keys and digital certificates across the power system. It specifies Group Domain of Interpretation (GDOI) for distributing symmetric keys to multiple IEDs efficiently, and Certificate Management Protocol (CMP) for automated enrollment and renewal of X.509 certificates, ensuring that expired credentials do not cause unexpected authentication failures.
IEC 62351-11: XML Security
Secures the exchange of Substation Configuration Language (SCL) files and other XML-based engineering data. It applies XML Signature and XML Encryption standards to protect the integrity and confidentiality of configuration files during transfer between engineering workstations and IEDs, preventing malicious modification of protection settings or network topologies.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us