
IEC 62351-3

TLS profile for any TCP-based protocol in the IEC and DNP3 families. Wraps MMS, DNP3, and IEC 60870-5-104 sockets in mutually-authenticated TLS with constrained cipher suites.

Also: 62351-3, TLS profile for IEC

IEC 62351-3 is the part of the IEC 62351 family that profiles TLS for use under any TCP-based power-systems protocol — MMS, DNP3, IEC 60870-5-104, telnet for engineering access, and so on.

What “profile” means here

The standard does not invent its own crypto. It restricts the choice of TLS version, cipher suites, and certificate fields to what is acceptable in an OT context. Specifically:

  • TLS version — current editions require TLS 1.3 with backwards compatibility to TLS 1.2; older editions of -3 still allowed TLS 1.0 / 1.1, and the installed base hasn’t fully refreshed.
  • Cipher suites — restricted to AEAD constructions with forward secrecy; RC4, 3DES and static RSA key exchange are forbidden.
  • Mutual authentication — both ends present X.509 certificates; anonymous TLS is forbidden.
  • Certificate fields — extensions for asset identity (substation ID, IED identity) so that the certificate can be bound to the device, not just the hostname.

The intent is to remove configuration choice from the integrator: pick “62351-3 compliant” in the firmware and you get the right thing.
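The four constraints above can be turned into a mechanical check. The following is an added example (not code from the page or from any IEC document or vendor firmware): a pure-Python policy check over IANA cipher-suite names plus an `ssl.SSLContext` built with the same restrictions. The configuration schema (`min_version`, `cipher_suites`, `require_client_cert`) and the two sample device configurations are constructed for the example; the rule set is the page's own list (TLS 1.2 or later, AEAD bulk cipher, forward-secret key exchange, no RC4/3DES/RSA key exchange, peer certificate required). It does not check the asset-identity certificate extensions, which need a parsed certificate rather than a configuration.

```python
"""Check TLS endpoint settings against the IEC 62351-3 constraints summarised above.

Added example, not code from the page.  Cipher-suite names are IANA registry
names; the config dict schema and sample configs are this example's own.
"""
import ssl
from typing import Optional

# Bulk-cipher prefixes that are AEAD constructions (GCM, CCM, ChaCha20-Poly1305).
AEAD_BULK = ("AES_128_GCM", "AES_256_GCM", "AES_128_CCM", "AES_256_CCM",
             "CHACHA20_POLY1305")
# Key-exchange methods that give forward secrecy (ephemeral DH / ECDH).
FS_KEX = ("ECDHE", "DHE")
# Algorithms the profile forbids outright, wherever they appear in the name.
FORBIDDEN = ("RC4", "3DES", "NULL", "EXPORT", "anon", "MD5")


def cipher_suite_ok(name: str) -> bool:
    """True if an IANA cipher-suite name satisfies the -3 restrictions."""
    if any(bad in name for bad in FORBIDDEN):
        return False
    # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) carry no key exchange in the
    # name: the handshake is always ephemeral and every suite is AEAD.
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return True
    if "_WITH_" not in name:
        return False
    kex_auth, bulk = name[len("TLS_"):].split("_WITH_", 1)
    kex = kex_auth.split("_")[0]
    # Static RSA ("TLS_RSA_WITH_...") and static ECDH have no forward secrecy.
    if kex not in FS_KEX:
        return False
    return any(bulk.startswith(b) for b in AEAD_BULK)


def evaluate_endpoint(cfg: dict) -> dict:
    """Report which -3 requirements a TLS endpoint configuration meets.

    cfg keys (example schema): min_version ("TLSv1.0" ... "TLSv1.3"),
    cipher_suites (list of IANA names), require_client_cert (bool).
    """
    version_ok = cfg["min_version"] in ("TLSv1.2", "TLSv1.3")
    rejected = [c for c in cfg["cipher_suites"] if not cipher_suite_ok(c)]
    mutual_auth_ok = bool(cfg.get("require_client_cert"))
    return {
        "version_ok": version_ok,
        "rejected_suites": rejected,
        "mutual_auth_ok": mutual_auth_ok,
        "compliant": version_ok and not rejected and mutual_auth_ok,
    }


def build_profile_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Server-side ssl.SSLContext applying the same constraints.

    The OpenSSL cipher string limits TLS 1.2 to ECDHE/DHE with AEAD ciphers;
    TLS 1.3 suites are governed separately by OpenSSL and are all compliant.
    cafile, if given, is the trust anchor used to verify the peer certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # mutual auth: the peer must present a certificate
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    if cafile:
        ctx.load_verify_locations(cafile)
    return ctx


# Constructed sample configurations for two RTUs (not taken from any real device).
LEGACY_RTU = {
    "min_version": "TLSv1.0",
    "cipher_suites": ["TLS_RSA_WITH_AES_128_CBC_SHA",
                      "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    "require_client_cert": False,
}
PROFILE_RTU = {
    "min_version": "TLSv1.2",
    "cipher_suites": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
                      "TLS_AES_128_GCM_SHA256"],
    "require_client_cert": True,
}

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_RTU), ("profile", PROFILE_RTU)):
        print(label, evaluate_endpoint(cfg))
```

`evaluate_endpoint` is what an auditor would run over an exported device configuration; `build_profile_context` is the same policy expressed as an actual socket context, with the OpenSSL cipher string standing in for the IANA-name check. Static ECDH (`TLS_ECDH_RSA_WITH_...`) is rejected for the same reason as static RSA: no forward secrecy.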

Where it sits in a substation design

62351-3 is the wrapping layer. It does not authenticate the protocol payload (that’s -4 for MMS, -5 for DNP3 SA); it authenticates the peer at the TCP layer and encrypts the channel.

Typical placements:

Conduit                                      | 62351-3 role
---------------------------------------------|------------------------------------------------------------
Engineering laptop ↔ IED (MMS)               | TLS to authenticate the laptop and encrypt the session
RTU ↔ SCADA over IEC 60870-5-104             | TLS to bind the RTU’s identity and encrypt telecontrol
RTU ↔ SCADA over DNP3                        | TLS and DNP3 SA: TLS authenticates the peer, SA authenticates the payload
Substation gateway ↔ vendor remote support   | TLS as the only layer of trust, plus tight IP allow-listing

Why deployment is uneven

  • MMS over TLS has reasonable adoption in newer station-bus deployments.
  • IEC 60870-5-104 over TLS is patchy — many European TSO installations still rely on MPLS isolation as the compensating control.
  • DNP3 over TLS is rare in GB transmission and distribution; DNP3 SA without TLS is the more common path where any cryptographic protection exists at all.

Certificate lifecycle management — issuance, rotation, revocation, distribution — is the binding operational constraint. That’s the job of -9, and the maturity of -9 deployment is what gates the maturity of -3 deployment.