IEC 62351-5-2023 PDF

Full title and description

St IEC 62351-5:2023 — Power systems management and associated information exchange — Data and communications security — Part 5: Security for IEC 60870-5 and derivatives. This International Standard defines an application profile (A‑profile) secure communication mechanism (messages, procedures and algorithms) to secure protocols based on or derived from IEC 60870‑5 (telecontrol transmission protocols). It is intended primarily for developers of products that implement those protocols and for standards writers who will reference these measures.

Abstract

IEC 62351-5:2023 specifies an A‑profile for authenticating and protecting IEC 60870‑5 based communications. The document replaces the 2013 technical specification and updates the secure communication model (per controller/controlled association), removes certain legacy user-management and challenge/response mechanisms, strengthens cryptographic guidance (including authenticated encryption of application data), updates permitted algorithms, refines sequence-number rules, and adds event monitoring and logging requirements. The standard is bilingual (English/French) and provides normative interoperability requirements for implementers.

General information

• Status: International Standard (published).
• Publication date: 13 January 2023.
• Publisher: International Electrotechnical Commission (IEC).
• ICS / categories: 33.200 (Telecontrol / Telemetering).
• Edition / version: Edition 1.0 (ed. 1.0).
• Number of pages: 263 (bilingual English/French edition).

Publication and bibliographic details confirmed from the IEC publication record and official distributors.

Scope

This part of IEC 62351 defines the application authentication and secure communication profile (A‑profile) for protocols based on or derived from IEC 60870‑5 (Telecontrol Equipment and Systems — Transmission Protocols). It specifies the messages, procedures and algorithms required to secure the operation of those protocols and sets interoperability requirements that protocol specifications should reference where the measures are to be applied. Organizational responses to events and error conditions are left to implementers' security policies and are out of scope.

Key topics and requirements

• Definition of an A‑profile secure communication mechanism to be referenced by IEC 60870‑5 derived protocols.
• Per controlling‑station/controlled‑station association security model (association‑level security).
• Updated cryptographic algorithm guidance and a permitted algorithm list (including authenticated encryption for application data).
• Removal or revision of legacy mechanisms: user management additions/changes/deletions removed, symmetric Update Key change method removed, challenge/reply and aggressive mode concepts removed.
• Revised asymmetric procedures for key update and reviewed key management concepts.
• Rules for message sequence number calculation and tighter interoperability requirements for secure message exchange.
• Requirements for event monitoring and logging to support security operations and for referencing by protocol specifications.

Typical use and users

Primary users are protocol and product developers implementing IEC 60870‑5 and its derivatives (telecontrol equipment vendors, embedded device designers, software library authors). Secondary users include system integrators, utility security architects, test labs, and standards committees that reference A‑profile requirements when updating protocol specifications. The standard guides implementation of secure sessions, key management behavior, and logging/monitoring expectations for telecontrol systems.

Related standards

IEC 62351‑5:2023 is part of the IEC 62351 series (security for power systems information and communications). It specifically addresses IEC 60870‑5 derived protocols and should be used alongside the relevant IEC 60870‑5 protocol specifications. Other related 62351 parts (e.g., parts addressing IEC 61850, IEC 60870‑6, and transport/security profiles) provide complementary security profiles for different protocol families. Implementers will typically reference the broader IEC 62351 series and the underlying IEC 60870‑5 documentation.

Keywords

IEC 62351, IEC 60870-5, telecontrol, A-profile, secure communication, authenticated encryption, key management, message sequence numbers, event logging, power systems security, TC 57.

FAQ

Q: What is this standard?

A: IEC 62351‑5:2023 is an International Standard that defines a security application profile (A‑profile) for securing IEC 60870‑5 and derivative telecontrol protocols, covering messages, procedures and algorithms for secure operation.

Q: What does it cover?

A: It covers authentication and secure communication mechanisms at the association level between controlling and controlled stations, permitted cryptographic algorithms (including authenticated encryption), key update procedures, sequence number rules, interoperability requirements, and event monitoring/logging expectations. Organizational incident responses are out of scope.

Q: Who typically uses it?

A: Protocol and product developers for IEC 60870‑5 based telecontrol systems, system integrators, utilities implementing telecontrol security, test laboratories, and standards writers referencing A‑profile security measures.

Q: Is it current or superseded?

A: IEC 62351‑5:2023 is the current published International Standard (edition 1.0) issued 13 January 2023. It cancels and replaces IEC TS 62351‑5 published in 2013; stability information in the IEC record indicates the document’s bibliographic stability through 2026.

Q: Is it part of a series?

A: Yes — it is one part of the IEC 62351 series covering data and communications security for power systems management and associated information exchange; other parts provide security guidance for different protocol families and transport layers.

Q: What are the key keywords?

A: Telecontrol security, IEC 60870‑5 derivatives, A‑profile, authenticated encryption, key management, sequence numbers, event logging, IEC 62351.