Skip to main content
Reference

IEC 62351-6

Security for IEC 61850 GOOSE and Sampled Values. Embedded HMAC and signature fields inside the protocol PDU itself, because TLS isn't usable at the latencies involved.

Also: GOOSE security, SV security, 62351-6

IEC 62351-6 secures the layer-2 multicast protocols on the substation process bus — GOOSE and Sampled Values. Both protocols operate at machine timescales (sub-millisecond for trip GOOSE, microseconds per frame for SV), which makes TLS unworkable: there’s no session to handshake into, no per-pair connection, no time budget for asymmetric crypto on the receive path.

What 62351-6 does instead is define an authentication field inside the PDU.

Two mechanisms

  • Symmetric authentication tag. HMAC-SHA256, or in the 2020 edition AES-GMAC, computed over the frame contents. Cheap to compute (especially GMAC, added specifically for this latency-sensitive context). Requires every receiving IED to share the key.
  • Digital signature. RSA or ECDSA, allowing per-sender attribution. Heavier signing operation, and the verification cost on every receiver adds up at high frame rates.

In practice, HMAC is what gets enabled when 62351-6 is deployed at all — the latency budget is the binding constraint.

Sample rates and the per-frame budget

Sampled Values run at 4,000 samples per second on a 50 Hz protection bus (80 samples per cycle), or 12,800 samples per second for metering (256 samples per cycle). The HMAC computation has to fit inside the frame interval. AES-GMAC with hardware AES instructions is fast enough; software-only HMAC-SHA256 on a low-end IED CPU often isn’t.

What it closes in 62443 terms

A forged GOOSE message can fire a circuit breaker. That’s not a confidentiality problem — the data itself isn’t sensitive — it’s an integrity-and-authenticity problem of the highest order. SL-3 territory in IEC 62443 terms. 62351-6 HMAC is what closes the FR3 (System Integrity) gap on the process bus.

Why deployment is rougher than for 62351-5

62351-6 needs every IED on the bus to share a key, which means key distribution at the device level — see IEC 62351-9. Many process-bus deployments today rely on physical isolation of the bus (a dedicated LAN inside the substation cabinet) as the compensating control, and skip the cryptographic authentication entirely. Whether that’s defensible depends on the threat model: physical isolation works against remote attackers but not against an insider with cabinet access.