IEC 62351
The protocol-specific cyber-security complement to IEC 62443 — TLS profiles, embedded HMACs, RBAC vocabularies, and key management for the IEC and DNP3 protocols used in power-systems automation.
Also: 62351, IEC TC57 WG15
IEC 62351 is the IEC TC57 family that supplies the on-the-wire mechanisms for cyber-security in power-systems automation. It is the protocol-specific complement to IEC 62443: where 62443 says what protection is required, 62351 says how the underlying protocol carries that protection.
How the parts split
| Part | Scope |
|---|---|
| 62351-1 | Introduction, threat model, glossary. |
| 62351-3 | TLS profiles for any TCP-based protocol. The wrapping layer. |
| 62351-4 | Application-layer security for MMS and derivatives, including IEC 61850 station-bus traffic. |
| 62351-5 | Security for IEC 60870-5 and derivatives — i.e. DNP3 Secure Authentication. |
| 62351-6 | Security for GOOSE and Sampled Values. Embedded HMAC, not TLS. |
| 62351-7 | Network and System Management — log/event objects for monitoring substation equipment. |
| 62351-8 | Role-based access control vocabulary for power-system roles. |
| 62351-9 | Key management — certificates, lifecycles, distribution. |
Parts -2, -10, -11, -12, -13, -14 exist with various scopes (key distribution, XML object models, monitoring); the seven above are what an integrator typically reaches for first.
Why a separate standard from 62443
The split is deliberate. 62443 is technology-neutral — it says “FR3 requires authenticated control commands” without specifying how a DNP3 outstation authenticates one. 62351 is protocol-aware — it says “DNP3 SA HMAC over the message body using session key K”. One tells you the goal, the other tells you the mechanism.
The same SL-T number on different conduits demands different 62351 mechanisms:
| Conduit | 62443 says | 62351 supplies |
|---|---|---|
| MMS over TCP | FR3 integrity | -3 (TLS) + -4 (application auth) |
| GOOSE multicast | FR3 integrity | -6 (embedded HMAC, AES-GMAC for the latency budget) |
| SV multicast | FR3 integrity | -6 (embedded HMAC) |
| DNP3 over TCP | FR3 + FR4 | -5 (DNP3 SA) optionally over -3 (TLS) |
| RBAC enforcement | FR1 + FR2 | -8 (role vocabulary) |
| Certificate lifecycle | crosses everything | -9 (key management) |
Where deployment actually sits
The pattern repeats across most of the family:
- The standard exists.
- The mechanism is sound.
- Implementations exist in current vendor firmware.
- The installed base is older than the standard.
- Operators run compensating controls (network isolation, IP pinning, monitoring) until firmware refresh catches up.
This is the de facto status for -5 (DNP3 SA), -6 (GOOSE/SV HMAC), -8 (RBAC), and to a lesser extent -3/-4 (MMS TLS, which has reasonable adoption in newer station-bus deployments).
What 62351 does not do
It does not design your zone-and-conduit architecture. It does not assign Security Levels. It does not write your security programme. Those jobs belong to IEC 62443. 62351 is the toolbox you reach for once 62443 has told you what controls a given conduit needs.