An Overview of Standards, Threats, and Architecture
A Strategic Introduction to IEC 62351 and the Security Foundations of Modern Power System Communication
Abstract
As digitalization transforms electric power systems, communication protocols such as IEC 61850, IEC 60870-5-104, TASE.2/ICCP, and others are increasingly relied upon to ensure interoperable, real-time, and automated control within substations and across grid infrastructure. While these protocols have advanced the efficiency and flexibility of power system automation, they were not originally designed with cyber threats in mind. In response to growing risks—including targeted attacks, supply chain vulnerabilities, and nation-state intrusions—the IEC 62351 standard series has been developed to address cybersecurity requirements across these widely deployed communication stacks.
Part 1 of MZ Automation's multi-part series introduces the cybersecurity landscape for IEC protocols and provides a comprehensive overview of the IEC 62351 series. It describes the threat model relevant to energy automation systems, delineates the purpose and structure of each part of IEC 62351, and outlines the architectural principles of secure integration. This article also serves as the launching point for a detailed series on cybersecurity for each protocol family, providing technical and strategic insight for system architects, engineers, integrators, and asset owners.
Introduction: Cybersecurity in Energy Automation
Modern energy systems are increasingly dependent on digital communication for automation, protection, and grid coordination. Protocols such as IEC 61850, IEC 60870-5-104, and ICCP/TASE.2 provide the foundation for substation and inter-control center communication, enabling everything from relay coordination to load shedding and SCADA monitoring. However, the cyber threat landscape has grown in parallel with this digital transformation.
High-profile incidents—such as the 2015 and 2016 Ukrainian power grid attacks, the TRITON malware campaign against industrial safety systems, and supply chain compromises like SolarWinds—demonstrate that attackers can exploit protocol weaknesses to manipulate control systems, disrupt operations, or gain long-term persistence in critical infrastructure.
Historically, IEC protocols were developed with a focus on performance, determinism, and interoperability—not security. Many legacy systems continue to operate over insecure channels, lack authentication, and provide little to no protection against spoofing, replay, or denial-of-service attacks. Recognizing this, the IEC Technical Committee 57 developed the IEC 62351 series to introduce cybersecurity capabilities for existing and emerging standards in the electric power domain.
This article establishes the technical foundation for understanding cybersecurity across IEC-based systems and serves as the prologue to more in-depth articles that will explore protocol-specific security concerns and countermeasures.
Threat Landscape and Cybersecurity Requirements
The electric utility sector faces a unique combination of threat vectors, including:
- State-Sponsored Intrusions: Targeting grid infrastructure to enable future disruption or geopolitical leverage.
- Cybercriminal Exploitation: Ransomware groups seeking financial gain by halting operations or extorting critical service providers.
- Insider Threats: Malicious or negligent actors with access to control systems or privileged credentials.
- Supply Chain Attacks: Compromising trusted vendors or software dependencies to infiltrate power networks.
- Advanced Persistent Threats (APTs): Conducting multi-phase attacks, often remaining undetected for extended periods.
Security Objectives in the Energy Sector
To counter these threats, IEC 62351 emphasizes the following security objectives, aligned with classical information security principles:
- Confidentiality: Prevent unauthorized access to data in transit.
- Integrity: Ensure that transmitted messages are not altered.
- Authentication: Verify the identity of devices, users, and systems.
- Authorization: Enforce access rights based on roles or policies.
- Availability: Maintain communication and services despite attacks.
- Non-repudiation: Provide verifiable evidence of message origination.
Due to the real-time and safety-critical nature of power systems, these objectives must be met without compromising system performance or deterministic behavior—a balance that requires careful engineering and standardization.
Realtime Interface (RTI) project
A recent initiative from the Netherlands, known as the Realtime Interface (RTI) project, underscores the system-wide risks posed by insufficiently secured distributed energy resource (DER) interfaces. According to a 2025 CIRED paper authored by several Dutch DSOs, researchers, and MZ Automation, coordinated cyberattacks targeting 400 customer endpoints—each with just 5–10 MW of controllable generation—could destabilize the Dutch grid by exceeding the 3 GW frequency containment reserve (FCR) threshold, potentially impacting the entire Central European electricity system. This quantitative risk model clearly demonstrates how cyber threats against widely deployed IEC 61850 MMS endpoints can escalate from local disruption to cross-border system-wide instability. As such, this case reinforces the importance of securing MMS communication with robust cryptographic protections such as TLS as defined in IEC 62351-3 and -4.
Overview of the IEC 62351 Standard Series
IEC 62351 is a multipart standard designed to secure the communication profiles and protocols defined by IEC TC 57. It spans transport-layer protection (TLS), application-layer authentication, key and certificate management, role-based access control, and network and system monitoring. The series is structured as follows:
| Part | Title | Scope |
|---|---|---|
| 62351-1 | Introduction to security issues | Scope of the series and overview of the threats to TC 57 protocols |
| 62351-2 | Glossary of terms | Security terms and concepts used across the series |
| 62351-3 | Profiles including TCP/IP | TLS for TCP/IP-based profiles (e.g., IEC 60870-5-104, MMS), including cipher suite and certificate requirements |
| 62351-4 | Profiles including MMS and derivatives | Application-layer and transport security for MMS-based protocols (IEC 61850 MMS, TASE.2/ICCP) |
| 62351-5 | Security for IEC 60870-5 and derivatives | Application-layer authentication of critical ASDUs for IEC 60870-5-101 and -104; DNP3 Secure Authentication (IEEE 1815) is derived from it |
| 62351-6 | Security for IEC 61850 | Security profiles for IEC 61850 (MMS via Part 4; GOOSE and Sampled Values) |
| 62351-7 | Network and system management (NSM) data object models | Data objects for monitoring the health and security state of networks and devices |
| 62351-8 | Role-based access control | Role definitions, access tokens, and enforcement across systems |
| 62351-9 | Key management for power system equipment | PKI-based certificate management and the GDOI group key exchange for (R-)GOOSE and (R-)Sampled Values |
| 62351-10 | Security architecture guidelines | Architectural security guidelines and models |
| 62351-11 | Security for XML documents | Security for CIM and other XML-based data exchanges |
Together, these parts form a modular and extensible framework that allows protocol developers and system integrators to embed security directly into new and legacy systems. In addition to the published parts listed above, the IEC 62351 working group is actively developing several new parts and updates to address emerging cybersecurity challenges. For instance, IEC 62351-14 (in draft) aims to define security event logs and standardized formats for substation incident reporting. Similarly, updates to 62351-9 are under consideration to support post-quantum cryptography and enhanced group key management for multicast protocols like GOOSE and Sampled Values. Although final publication timelines may vary, these upcoming parts are expected to align closely with evolving regulatory requirements such as the EU NIS2 Directive and IEC 62443-4-2 component certification. Monitoring these drafts is strongly recommended for utilities and OEMs planning long-term cybersecurity strategies.
Protocols Covered in this Series
This article series will investigate the cybersecurity posture of each key protocol in the IEC ecosystem, guided by their associated IEC 62351 components:
IEC 60870-5-101/104
These protocols are widely used in telecontrol and SCADA systems, especially in Europe and Asia. Historically they run in cleartext over serial links (101) or TCP/IP (104) with no authentication of the sending station, so anyone who can reach the link can issue commands. IEC 62351-5 adds application-layer authentication and integrity for critical ASDUs (a challenge-response exchange, or an "aggressive mode" that carries the HMAC with the ASDU, plus session key update) for both 101 and 104. Note that 62351-5 does not encrypt: confidentiality for 104 comes from TLS as specified in IEC 62351-3, while serial 101 links rely on physical protection of the channel.
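The challenge-response mechanism described above, as an added illustration written for this article (not MZ Automation code and not the standard's wire encoding). The message layouts, the rule for which ASDUs count as critical, and the 16-byte tag truncation are assumptions chosen to show the mechanism: the outstation holds a critical ASDU, sends a fresh challenge, and only executes the ASDU when the controlling station returns an HMAC over the challenge and the ASDU under the shared session key. The sample ASDU bytes are constructed, not captured traffic.

```python
"""Simplified model of IEC 62351-5 challenge-response authentication
for IEC 60870-5-101/104 (illustration only; layouts are assumptions)."""
import hmac
import secrets

MAC_ALGO = "sha256"   # 62351-5 lists HMAC-SHA-256; truncation length is assumed
TAG_LEN = 16


def is_critical(asdu: bytes) -> bool:
    """Treat process commands in control direction (type IDs 45..69) as
    critical. Simplification: the standard lets the asset owner mark
    further ASDU types (e.g. parameter loading) as critical too."""
    return 45 <= asdu[0] <= 69


def compute_tag(session_key: bytes, challenge: bytes, asdu: bytes) -> bytes:
    """HMAC over challenge || ASDU: the reply is bound to the fresh
    challenge (no replay) and to the exact ASDU bytes (no tampering)."""
    return hmac.new(session_key, challenge + asdu, MAC_ALGO).digest()[:TAG_LEN]


class ControlledStation:
    """Outstation (RTU) side: challenges critical ASDUs before executing them."""

    def __init__(self, session_key: bytes):
        self._key = session_key
        self._csq = 0            # challenge sequence number
        self._pending = None     # (challenge, asdu) waiting for a reply
        self.executed = []       # ASDUs actually acted upon

    def receive_asdu(self, asdu: bytes):
        """Non-critical ASDUs run at once; critical ones return a challenge
        for the caller to send back to the controlling station."""
        if not is_critical(asdu):
            self.executed.append(asdu)
            return None
        self._csq += 1
        challenge = self._csq.to_bytes(4, "big") + secrets.token_bytes(16)
        self._pending = (challenge, asdu)
        return challenge

    def receive_reply(self, tag: bytes) -> bool:
        """Verify the reply; a challenge is consumed whether or not it matches."""
        if self._pending is None:
            return False
        challenge, asdu = self._pending
        self._pending = None
        if not hmac.compare_digest(compute_tag(self._key, challenge, asdu), tag):
            return False
        self.executed.append(asdu)
        return True


class ControllingStation:
    """Master side: answers a challenge for the ASDU it actually sent."""

    def __init__(self, session_key: bytes):
        self._key = session_key

    def answer(self, challenge: bytes, sent_asdu: bytes) -> bytes:
        return compute_tag(self._key, challenge, sent_asdu)


def demo() -> dict:
    """Honest exchange, then a tampering and a replay attempt."""
    key = secrets.token_bytes(32)   # assumed pre-established session key
    rtu, master = ControlledStation(key), ControllingStation(key)
    # Constructed sample ASDUs: type, VSQ, COT, common address, IOA, payload.
    measurement = bytes([13, 1, 3, 0, 1, 0]) + b"\x01\x00\x00\x00\x00\x80\x3f\x00"
    command_on = bytes([45, 1, 6, 0, 1, 0]) + b"\x10\x27\x00\x01"   # C_SC_NA_1, SCO=ON
    command_off = command_on[:-1] + b"\x00"                          # same command, SCO=OFF

    # 1. Monitoring-direction data is not challenged.
    measurement_executed = rtu.receive_asdu(measurement) is None and measurement in rtu.executed
    # 2. Honest command: challenge -> reply -> execute.
    ch = rtu.receive_asdu(command_on)
    good_tag = master.answer(ch, command_on)
    command_executed = rtu.receive_reply(good_tag)
    # 3. Man-in-the-middle flips ON to OFF in flight; the master signs what it sent.
    ch = rtu.receive_asdu(command_off)
    tampered_rejected = not rtu.receive_reply(master.answer(ch, command_on))
    # 4. Attacker re-injects the earlier command and replays its old tag.
    rtu.receive_asdu(command_on)
    replay_rejected = not rtu.receive_reply(good_tag)
    return {
        "measurement_executed": measurement_executed,
        "command_executed": command_executed,
        "tampered_rejected": tampered_rejected,
        "replay_rejected": replay_rejected,
        "executed_count": len(rtu.executed),
    }


if __name__ == "__main__":
    print(demo())
```

The two failure cases are the point: the tag is bound to the challenge nonce, so a captured reply cannot be reused, and to the ASDU bytes the outstation actually holds, so an in-flight modification makes the legitimate reply fail. What the mechanism does not give you is confidentiality; the command contents remain readable on the wire unless the 104 session also runs over TLS.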
IEC 61850
IEC 61850, used in substation and process automation, includes multiple communication profiles:
- MMS (client-server model): Secured using IEC 62351-4 over TLS.
- GOOSE/Sampled Values (high-speed, multicast, peer-to-peer): Secured via IEC 62351-6 and emerging additions for multicast and layer-2 security.
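GOOSE and Sampled Values are multicast and must be delivered within a few milliseconds, so neither TLS nor a per-message challenge-response fits; IEC 62351-6 instead authenticates each frame with a MAC under a key shared by the whole publisher/subscriber group. The following is an added illustration written for this article (not MZ Automation's or any library's code, and not the standard's BER frame encoding): the PDU layout is a hypothetical length-prefixed stand-in, the group key is a constant standing in for one distributed via GDOI as specified in IEC 62351-9, and the 16-byte tag truncation is an assumption. It shows why the MAC alone is not enough: a subscriber must also require the GOOSE state and sequence numbers (stNum, sqNum) to advance, or a valid earlier frame can simply be replayed.

```python
"""Simplified model of IEC 62351-6-style GOOSE authentication with a group
key plus stNum/sqNum freshness (illustration only; encoding is assumed)."""
import hmac
import struct

MAC_ALGO = "sha256"
TAG_LEN = 16   # assumed truncated tag length


def encode_pdu(gocb_ref: str, st_num: int, sq_num: int, values: bytes) -> bytes:
    """Hypothetical stand-in for the BER-encoded GOOSE PDU."""
    ref = gocb_ref.encode()
    return struct.pack(">H", len(ref)) + ref + struct.pack(">II", st_num, sq_num) + values


def decode_pdu(pdu: bytes):
    (ref_len,) = struct.unpack_from(">H", pdu, 0)
    ref = pdu[2:2 + ref_len].decode()
    st_num, sq_num = struct.unpack_from(">II", pdu, 2 + ref_len)
    return ref, st_num, sq_num, pdu[10 + ref_len:]


def publish(group_key: bytes, gocb_ref: str, st_num: int, sq_num: int, values: bytes) -> bytes:
    """Publisher: PDU followed by its authentication tag."""
    pdu = encode_pdu(gocb_ref, st_num, sq_num, values)
    return pdu + hmac.new(group_key, pdu, MAC_ALGO).digest()[:TAG_LEN]


class Subscriber:
    def __init__(self, group_key: bytes, gocb_ref: str):
        self._key = group_key
        self._ref = gocb_ref
        self._last = (0, 0)   # highest (stNum, sqNum) accepted so far
        self.state = None     # last accepted data set values

    def accept(self, frame: bytes) -> str:
        """Return 'ok' and update state, or the reason the frame was dropped."""
        pdu, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, pdu, MAC_ALGO).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"          # forged, or modified after publishing
        ref, st_num, sq_num, values = decode_pdu(pdu)
        if ref != self._ref:
            return "wrong-gocb"
        last_st, last_sq = self._last
        # A new state (stNum up) is fresh; within one state sqNum must increase.
        # Simplification: 32-bit wrap-around of the counters is not handled.
        fresh = st_num > last_st or (st_num == last_st and sq_num > last_sq)
        if not fresh:
            return "replay"
        self._last = (st_num, sq_num)
        self.state = values
        return "ok"


def demo() -> dict:
    key = bytes(range(32))   # constructed stand-in for the GDOI-distributed group key
    ref = "PROT1LD0/LLN0$GO$gcbTrip"
    sub = Subscriber(key, ref)
    results = {}
    results["heartbeat"] = sub.accept(publish(key, ref, 1, 0, b"\x00"))
    results["heartbeat_retx"] = sub.accept(publish(key, ref, 1, 1, b"\x00"))
    trip = publish(key, ref, 2, 0, b"\x01")            # state change: trip asserted
    results["trip"] = sub.accept(trip)
    results["trip_retx"] = sub.accept(publish(key, ref, 2, 1, b"\x01"))
    # Replay of an older, perfectly valid frame: the MAC checks out, the sequence does not.
    results["replayed_heartbeat"] = sub.accept(publish(key, ref, 1, 1, b"\x00"))
    # Forged trip from a host that never received the group key.
    results["forged"] = sub.accept(publish(bytes(32), ref, 3, 0, b"\x01"))
    # Captured valid trip with the payload byte flipped but the original tag kept.
    tampered = trip[:-TAG_LEN - 1] + b"\x00" + trip[-TAG_LEN:]
    results["tampered"] = sub.accept(tampered)
    results["state"] = sub.state
    return results


if __name__ == "__main__":
    print(demo())
```

The design consequence is that every device holding the group key can publish frames any subscriber will accept, which is why key distribution (IEC 62351-9) and compromise of a single IED in the group are the parts that deserve the most attention in a deployment.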
TASE.2/ICCP
Enables inter-utility and regional control center communications. Due to its cross-organizational scope, secure transport and mutual authentication are critical. Because TASE.2 runs over MMS on TCP/IP, IEC 62351-3 (TLS) and IEC 62351-4 (application-layer authentication for MMS) can be applied directly.
Role-Based Access and Key Management
RBAC is necessary for managing operational security, especially as utilities adopt centralized user directories and device-level authorization. PKI under IEC 62351-9 supports secure identity binding and cryptographic trust.
Integration with IEC 62443 and Broader Cybersecurity Frameworks
While IEC 62351 targets protocol-specific controls, it can be viewed as complementary to system-level standards like IEC 62443, NERC CIP, and ISO/IEC 27001. These standards emphasize asset management, zone segmentation, defense-in-depth, and organizational policies.
IEC 62351 supplies the technical mechanisms behind many IEC 62443-3-3 system requirements: human user authentication (SR 1.1) and device authentication (SR 1.2) through certificates and RBAC access tokens, authorization enforcement (SR 2.1) through the roles of IEC 62351-8, communication integrity (SR 3.1) and session integrity (SR 3.8) through TLS and the application-layer HMACs of IEC 62351-5 and -6, and information confidentiality (SR 4.1) through TLS. Whether a requirement is actually met still depends on how the mechanism is deployed (certificate validation, key rotation, logging of security events), so effective security integration requires aligning IEC 62351 implementation with organizational governance, risk management, and system design principles.
Outlook and Future Directions
The IEC 62351 series continues to evolve, incorporating cryptographic algorithm agility, improved multicast protection, and expanded support for IEC CIM models in wide-area energy management systems. Ongoing initiatives focus on:
- Post-quantum Cryptography: Preparing for emerging cryptographic threats.
- Zero Trust Architectures: Reducing reliance on static network boundaries.
- Security for DER and Edge Devices: Applying IEC 62351 to distributed energy resources.
Each of the following articles in this series will explore one of the key protocol families or cross-protocol topics like key management in detail, analyzing their original security limitations, how IEC 62351 addresses those limitations, and how practical deployment can be achieved with minimal disruption.
Conclusion
IEC 62351 represents a decisive shift in the standardization of cybersecurity for power system communication. It introduces cryptographic safeguards, authentication mechanisms, access control models, and key management tools that are essential for protecting modern digital substations and control networks.
This introductory article has outlined the motivation, structure, and scope of the IEC 62351 series, as well as the threats and requirements driving its adoption. In the next installments, we will examine each major protocol in detail—starting with IEC 60870-5-101/104—to understand how security can be effectively applied across the automation landscape.