IEC 62351 Compliance

IEC 62351 Compliance Using VA Substation Routers



Overview
Virtual Access’ cyber-security capabilities help power utilities to comply with the IEC 62351 standard for the TC 57 series of protocols including IEC 60870-5 and IEC 61850. The security objectives include authentication of data transfer through digital signatures, ensuring only authenticated access, prevention of eavesdropping, prevention of playback and spoofing, and intrusion detection.

IEC 62351 Compliance Mapping
The table shows a mapping of Virtual Access’ industrial routers features to IEC standards for TC 57 series of protocols. The wide range of Virtual Access routers, combined with Activator and Monitor deployment and management system, ensures lifecycle security and compliance readiness.

IEC 62351
Reference StandardDescriptionComplianceImplementation
IEC 62351-1Overview of the entire document IEC 62351 and introduction to IT security aspects for the operation of power supply systems.NANA
IEC 62351-2Glossary of terms and abbreviations.NANA
IEC 62351-3End-to-end data traffic protection of TCP/IP-based connections using TLS [RFC5246] with mandatory mutual authentication of client and server based on X.509 certificates.Yes
  • X.509 support
  • HTTPs support
  • IPSec
  • OpenVPN
IEC 62351-4Security measure for MMS-based protocols (e.g. IEC 60870-6, IEC 61850) by securing the transport layer according to IEC 62351-3 and definition of an authentication mechanism “SECURE” on the application layer for MMS associations using X.509 certificates.Yes
  • X.509 support
  • HTTPs support
  • IPSec
  • OpenVPN
  • SCEP
IEC 62351-5Security for IEC 60870-5 and derived protocols (e.g. IEC 60870-5-104/IEC 60870-5-101/DNP 3.0) on the application layer through the means of authorising the access to critical resources of a substation based on role-based access control (RBAC) and statistical recording of security relevant incidents.Yes
  • 802.1x support
  • RADIUS
  • TACACS
  • HTTPs
  • User management
  • Event manager
IEC 62351-6Security for IEC 61850 protocol by using VLAN marks and X.509 signatures on GOOSE and SMV telegrams.Yes
  • VLAN support
  • X.509
  • TLS
  • IPSec
  • SCEP
IEC 62351-7Security through the use of networking and system administration tools in order to enable monitoring of power grid infrastructure, i.e. using MIB definitions for IEDs, which provide relevant system information about the device and the communication lines via the SNMP protocol in a standardised wayYes
  • SNMP V1 V2 and V3
IEC 62351-8Definition of methods to process and to manage access rights for users and services based on a role-based access control (RBAC) scheme. The identity information, as well as the role name is stored in an access token (ASN.1 syntax), which is exchanged in a cryptographically secure way between the systems using different transport mechanisms, i.e. X.509 certificates, X.509 attribute certificates, software token. An LDAP system centrally manages the access tokens and enables the access (PUSH- / PULL-mechanism) to the identity information of the communication partner. Furthermore, predefined default roles are established and the access rights in the context of IEC 61850 are defined (e.g. listing of all objects within a “logical device”)Yes
  • HTTPs
  • X.509
  • 802.1x support
  • RADIUS
  • TACACS
  • HTTPs
  • User management
IEC 62351-9“Cyber security”, the key management for power supply systems, deals with the correct and safe usage of safety-critical parameters, e.g. passwords, encryption keys and the whole life-cycle of cryptographic information (enrollment, creation, distribution, installation, usage, storage and removal). For algorithms applying asymmetric cryptography, the handling of digital certificates (public/private key), the necessary infrastructure (PKI, X.509 certificates) and the mechanisms concerning different management aspects (e.g. certificate request (SCEP, CMP) certificate revocation (CRL, OCSP), are defined. A secure distribution mechanism based on GDOI [RFC6407] and the IKEv2 protocol [RFC7427] is presented for the usage of symmetric keys, e.g. session keys.Yes
  • IPSec
  • IKEv2
  • X.509
  • SCEP
IEC 62351-10The norm explains security architectures of the entire IT infrastructure, with additional focus on special security requirements in the field of power generation. Critical points of the communication architecture are identified (e.g. substation control centre, substation automation) and appropriate security mechanisms (e.g. data encryption, user authentication) are proposed. The application of the mechanisms from IEC 62351 and well-proven standards from the IT domain (e.g. VPN tunnel, secure FTP, HTTPS) are combined to cope with the security requirements.Yes
  • IPSec
  • OpenVPN
  • HTTPs
  • IKEv2
  • SSH
  • X.509
  • Firewall
  • IP filters

IEC 62351 Compliance

  • IEC 62351 standards for TC 57 series protocols
  • Only authenticated access
  • Prevention of eavesdropping
  • Prevention of playback and spoofing
  • Intrusion detection

Products

Key Benefits

  • SCADA protocol conversion
  • IEC 101, IEC 104, IEC 61850, DNP3, Modbus
  • Substation-hardened. IP-rated rugged device
  • Last GASP power with power failure message
  • High isolation options on the PSU and interfaces
  • Vibration and mechanical to EN standards
  • Resilient communication paths
  • Scalable to tens of thousands of devices
  • Outdoor enclosures for wired or wireless routers
Download as pdf