IEC 62351 Compliance Using VA Substation Routers
Virtual Access’ cyber-security capabilities help power utilities to comply with the IEC 62351 standard for the TC 57 series of protocols including IEC 60870-5 and IEC 61850. The security objectives include authentication of data transfer through digital signatures, ensuring only authenticated access, prevention of eavesdropping, prevention of playback and spoofing, and intrusion detection.
IEC 62351 Compliance Mapping
The table shows a mapping of Virtual Access’ industrial routers features to IEC standards for TC 57 series of protocols. The wide range of Virtual Access routers, combined with Activator and Monitor deployment and management system, ensures lifecycle security and compliance readiness.
|IEC 62351-1||Overview of the entire document IEC 62351 and introduction to IT security aspects for the operation of power supply systems.||NA||NA|
|IEC 62351-2||Glossary of terms and abbreviations.||NA||NA|
|IEC 62351-3||End-to-end data traffic protection of TCP/IP-based connections using TLS [RFC5246] with mandatory mutual authentication of client and server based on X.509 certificates.||Yes|
|IEC 62351-4||Security measure for MMS-based protocols (e.g. IEC 60870-6, IEC 61850) by securing the transport layer according to IEC 62351-3 and definition of an authentication mechanism “SECURE” on the application layer for MMS associations using X.509 certificates.||Yes|
|IEC 62351-5||Security for IEC 60870-5 and derived protocols (e.g. IEC 60870-5-104/IEC 60870-5-101/DNP 3.0) on the application layer through the means of authorising the access to critical resources of a substation based on role-based access control (RBAC) and statistical recording of security relevant incidents.||Yes|
|IEC 62351-6||Security for IEC 61850 protocol by using VLAN marks and X.509 signatures on GOOSE and SMV telegrams.||Yes|
|IEC 62351-7||Security through the use of networking and system administration tools in order to enable monitoring of power grid infrastructure, i.e. using MIB definitions for IEDs, which provide relevant system information about the device and the communication lines via the SNMP protocol in a standardised way||Yes|
|IEC 62351-8||Definition of methods to process and to manage access rights for users and services based on a role-based access control (RBAC) scheme. The identity information, as well as the role name is stored in an access token (ASN.1 syntax), which is exchanged in a cryptographically secure way between the systems using different transport mechanisms, i.e. X.509 certificates, X.509 attribute certificates, software token. An LDAP system centrally manages the access tokens and enables the access (PUSH- / PULL-mechanism) to the identity information of the communication partner. Furthermore, predefined default roles are established and the access rights in the context of IEC 61850 are defined (e.g. listing of all objects within a “logical device”)||Yes|
|IEC 62351-9||“Cyber security”, the key management for power supply systems, deals with the correct and safe usage of safety-critical parameters, e.g. passwords, encryption keys and the whole life-cycle of cryptographic information (enrollment, creation, distribution, installation, usage, storage and removal). For algorithms applying asymmetric cryptography, the handling of digital certificates (public/private key), the necessary infrastructure (PKI, X.509 certificates) and the mechanisms concerning different management aspects (e.g. certificate request (SCEP, CMP) certificate revocation (CRL, OCSP), are defined. A secure distribution mechanism based on GDOI [RFC6407] and the IKEv2 protocol [RFC7427] is presented for the usage of symmetric keys, e.g. session keys.||Yes|
|IEC 62351-10||The norm explains security architectures of the entire IT infrastructure, with additional focus on special security requirements in the field of power generation. Critical points of the communication architecture are identified (e.g. substation control centre, substation automation) and appropriate security mechanisms (e.g. data encryption, user authentication) are proposed. The application of the mechanisms from IEC 62351 and well-proven standards from the IT domain (e.g. VPN tunnel, secure FTP, HTTPS) are combined to cope with the security requirements.||Yes|
IEC 62351 Compliance