IEC 62351 - Security for IEC 61850

IEC 62351 is a standard developed by WG15 of IEC TC57 for handling the security of TC 57 series of protocols including IEC 60870-5 series, IEC 60870-6 series, IEC 61850 series, IEC 61970 series & IEC 61968 series.

The various security objectives include authentication of data transfer through digital signatures, ensuring only authenticated access, prevention of eavesdropping, prevention of playback and spoofing, and intrusion detection.

In this overview the integration of IEC 62351-4 with the IEC 61850 Xelas Energy Management products is described.

IEC 62351-4: Security for any profiles including MMS ( ICCP-based IEC 60870-6, IEC 61850, etc.) contains the following sections:

  • Authentication for MMS.
  • TLS (RFC 2246) is inserted between RFC 1006 & RFC 793 to provide transport layer security.
    • TLS stands for Transport Layer Security and defines encryption algorithms.
    • RFC1006 is the standard which defines OSI on top of TCP/IP. The RFC1006 stack is completely developed and maintained by Xelas Energy Software.
    • RFC 793 is the standard which defines TCP/IP.

Integration with Xelas Energy Management (XEM) Products

IEC-62351-4 is integrated with the IEC 61850 client and server products as an optional plugin. The plugin can be configured in the IEC 61850 client database as an additional profile.

Example Integration

In this picture on the left the ‘client’ is described and on the right the ‘server’ side is described.

The client consists out of IEC 61850/61400 MMS based adapters, a database, a Web GUI and services on top of the database. This runs on top of the RFC 1006 stack.

The IEC 61850 server also runs on top of the RFC 1006 stack, and is configured with a SCL/ICD file, a configuration file used during bootup.

The IEC 62351 adapter plugin is available for both client and server, as described in the picture above.

It provides the following functions:

  • Authentication for MMS: This is performed during association establishment in ACSE layer (one of the OSI layers). The client passes an authentication string, which is verified by the server. The server can define the authentication in the SCL/ICD file
  • TLS Encryption: On the client side, in the database/GUI IEC 62351 or RFC 1006 can be configured as a profile. Within process management the IEC 62351 client adapter can be started and stopped. On the server side (or server simulator) a IEC 62351 server adapter (or task on embedded platform such as VxWorks) can be configured as well. These adapters facilitate the TLS encryption.

The solution is backwards compatible. If a server does not support IEC 62351, on the client side RFC1006 can be configured as a profile. This defines regular OSI on top of TCP/IP protocol.

Download the IEC 62351 Security Datasheet.

To order an evaluation package or get more information about the IEC 61850 products with IEC 62351 security please email: