IEC 62351 – Security for IEC 61850

IEC 62351 is a standard developed to provide additional security of  a series of protocols including the IEC 60870-5 series, IEC 60870-6 series, IEC 61850 series, IEC 61970 series & IEC 61968 series.

The various security objectives include authentication of data transfer through digital signatures, ensuring only authenticated access, prevention of eavesdropping, prevention of playback and spoofing, and intrusion detection.

Xelas Energy has implemented 62351-4 for MMS security, and 62351-6 for GOOSE/SV security.

IEC 62351-4: Security for any profiles including MMS ( ICCP-based IEC 60870-6, IEC 61850) contains the following sections:

  • Authentication for MMS.
  • TLS (RFC 2246) is inserted between RFC 1006 & RFC 793 to provide transport layer security.
    • TLS stands for Transport Layer Security and defines encryption algorithms.
    • RFC1006 is the standard which defines OSI on top of TCP/IP. The RFC1006 stack is completely developed and maintained by Xelas Energy Software.
    • RFC 793 is the standard which defines TCP/IP.

IEC 62351-6: GOOSE / SV Security

This security module is available for both the regular GOOSE/SV protocols as well as the R-GOOSE/R-SV protocols.

Integration with Xelas Energy Management Products

IEC-62351-4 and IEC-62351-6 security is integrated with the IEC 61850 client development and embedded server/client development products as an optional plugin.

62351-4 MMS Integration

In this picture on the left the ‘client’ is described and on the right the ‘server’ side is described.

The client consists out of IEC 61850/61400 MMS based adapters, a database, a Web GUI and services on top of the database. This runs on top of the RFC 1006 stack.

The IEC 61850 server also runs on top of the RFC 1006 stack, and is configured with a SCL/ICD file, a configuration file used during bootup.

The IEC 62351 adapter plugin is available for both client and server, as described in the picture above.

It provides the following functions:

  • Authentication for MMS: This is performed during association establishment in ACSE layer (one of the OSI layers). The client passes an authentication string, which is verified by the server. The server can define the authentication in the SCL/ICD file
  • TLS Encryption: On the client side, in the database/GUI IEC 62351 or RFC 1006 can be configured as a profile. Within process management the IEC 62351 client adapter can be started and stopped. On the server side (or server simulator) a IEC 62351 server adapter (or task on embedded platform such as VxWorks) can be configured as well. These adapters facilitate the TLS encryption.

The solution is backwards compatible. If a server does not support IEC 62351, on the client side RFC1006 can be configured as a profile. This defines regular OSI on top of TCP/IP protocol.

62351-6 GOOSE/SV Integration

The 62351-6 security module has the following features:

  • Authentication security
    • HMAC algorithm SHA-256 (256, 128 or 80 bit)
  • Encryption
    • AES-128 or AES-256
  • Configurable per IEC 61850 dataset for GOOSE or SV Control block
  • Available for IEC 61850 and 61850-5 (Routed GOOSE and SV)

The solution is backwards compatible. If a server does not support IEC 62351, on the client side RFC1006 can be configured as a profile. This defines regular OSI on top of TCP/IP protocol.

Java configuration Tool

Both security implementations make use of JAVA based GUI configuration tool. The configuration tool takes care of importing and distribution of the X.509 certificates.

Download the IEC 62351 Security Datasheet.

To request an evaluation package or get more information about the IEC 61850 products with IEC 62351 security please email: info@xelasenergy.com