IEC 62351-8-2020 PDF
Name in English:
St IEC 62351-8-2020
Name in Russian:
Ст IEC 62351-8-2020
Original standard IEC 62351-8-2020, full version in PDF. Additional information and a preview are available on request.
Full title and description
St IEC 62351-8-2020 — Power systems management and associated information exchange — Data and communications security — Part 8: Role-based access control for power system management. This standard defines a role-based access control (RBAC) model, role definitions, access-token formats and distribution profiles to enable interoperable authorization for human users, automated agents and software components in power system environments.
Abstract
IEC 62351-8:2020 provides a standardized framework to assign subjects (people, automated systems, applications) to roles and to restrict their access to power-system objects and functions according to least-privilege principles. It specifies mandatory and extensible role definitions, access-token formats (including X.509-based and JWT profiles), PUSH and PULL credential distribution models, transport/profile considerations and verification/lifecycle rules to support secure local and remote access. The objective is to enable interoperable RBAC across devices, substations, DERs and control-center applications.
General information
- Status: Current international standard (replaced the 2011 technical specification).
- Publication date: 28 April 2020 (IEC publication date).
- Publisher: International Electrotechnical Commission (IEC), Technical Committee TC 57 — Power systems management and associated information exchange.
- ICS / categories: 33.200 (information security and data privacy for power systems).
- Edition / version: Edition 1.0 (2020).
- Number of pages: Varies by national publication and format; published editions (national adoptions and commercial listings) commonly report between 80 and 166 pages.
Scope
This part of IEC 62351 facilitates role-based access control for power system management. It covers the definition of RBAC process models (subjects, roles, permissions), mandatory and custom role encoding, access-token formats and fields, PUSH and PULL credential distribution models, transport/profile guidance for delivering and protecting tokens, and the verification and revocation checks needed for interoperable authorization in both local and remote access scenarios (including IEDs, HMIs, substations, distributed energy resources and control-center applications). Administrative and organizational tasks not directly related to role/token definition and distribution are out of scope.
Key topics and requirements
- RBAC process model: separation of authentication and authorization; subjects, roles, permissions and evaluation context.
- Mandatory roles and extensibility: required role sets plus formats/mechanisms to define custom roles.
- Access token formats and profiles: standardized profiles including X.509 certificate/attribute certificate profiles, JSON Web Token (JWT) profiles and RADIUS-style tokens.
- Credential distribution models: PUSH and PULL mechanisms for distributing role credentials and integration with repositories (LDAP, RADIUS, JWT identity providers, etc.).
- Transport and protection guidance: recommended use of secure transports (e.g., TLS) and recommendations for use over TCP-based and non-Ethernet protocols.
- Token lifecycle and verification: fields for issuer, validity, role identifiers, sequence/revision numbers, revocation support and verification procedures to ensure tokens are current and authorized.
- Conformity and interoperability rules: requirements for token content, formats and repository interactions to achieve interoperable RBAC across vendors.
Typical use and users
Primary users include utility security architects, control-center and substation engineers, device and firmware vendors, system integrators, asset owners/operators, and test/laboratory teams validating RBAC implementations. The standard is used to design and implement role-based authorization for IEDs, HMIs, SCADA/EMS applications, DER controllers and cross-domain access where least-privilege access and interoperable token handling are required.
Related standards
IEC 62351-8 is part of the IEC 62351 family addressing data and communications security for power systems and references other parts and complementary documents such as IEC 62351-3, IEC 62351-5, IEC 62351-6, IEC 62351-14 and related profiles and RFCs used for certificates, TLS, JWT and RADIUS. The 2020 edition replaced IEC/TS 62351-8:2011. National and regional adoptions (EN/IEC, BS EN, etc.) may publish identical or endorsed versions.
Keywords
IEC 62351-8, RBAC, role-based access control, power systems security, access token, JWT, X.509 attribute certificate, credential distribution, PUSH model, PULL model, TC57.
FAQ
Q: What is this standard?
A: IEC 62351-8:2020 specifies role-based access control practices, token formats and distribution profiles to enable interoperable authorization for power system management devices and applications.
Q: What does it cover?
A: It covers RBAC process models, mandatory and custom role definitions, access-token profiles (e.g., X.509 and JWT), PUSH and PULL credential distribution, transport protection guidance, token verification and lifecycle rules needed for secure local and remote access to power-system objects.
Q: Who typically uses it?
A: Utility engineers, system integrators, device vendors, cybersecurity teams and conformity assessors use it to design and validate authorization mechanisms in substations, control centers, DER interfaces and other OT components in the electricity sector.
Q: Is it current or superseded?
A: IEC 62351-8:2020 is the current international standard published in April 2020. It superseded IEC/TS 62351-8:2011.
Q: Is it part of a series?
A: Yes — it is Part 8 of the IEC 62351 series (data and communications security for power systems). The series contains multiple parts addressing encryption, authentication, secure profiles, and operational security for power-system communications.
Q: What are the key keywords?
A: RBAC, role, access token, credential distribution, PUSH/PULL model, JWT, X.509, power system security, IEC 62351.