IEC 62351-9-2023 PDF
Name in English:
St IEC 62351-9-2023
Name in Russian:
Ст IEC 62351-9-2023
Full title and description
Power systems management and associated information exchange — Data and communications security — Part 9: Cyber security key management for power system equipment. This international standard (IEC 62351-9:2023, Edition 2) defines interoperable cryptographic key management techniques and requirements (primarily for long‑term asymmetric keys and certificates, plus group key management considerations) to support secure communications and services across power-system devices and infrastructures.
Abstract
IEC 62351-9:2023 specifies cryptographic key management for power system equipment, focusing on long‑term keys (public/private key pairs and certificates) while also addressing symmetric session and group keys where relevant (for example via GDOI for group communications). The second edition (2023) is a technical revision of the 2017 edition and adds certificate component verification, updates and operational guidance for GDOI (including PTP/IEEE 1588 support for IEC/IEEE 61850‑9‑3 Power Profile), and introduces cyber‑security event logging mapped to IEC 62351‑14.
General information
- Status: Published / Valid.
- Publication date: 6 June 2023 (Edition 2, 2023‑06).
- Publisher: International Electrotechnical Commission (IEC) — published as IEC 62351‑9:2023 (also adopted as EN/UNE/other national variants).
- ICS / categories: 33.200 — Telecontrol; telemetering / power systems management and associated information exchange.
- Edition / version: Edition 2.0 (2023), cancels and replaces IEC 62351‑9:2017.
- Number of pages: 296 (bilingual English/French IEC edition; number of pages shown by national bodies and distributors varies by format).
Scope
This part of IEC 62351 establishes requirements and recommended techniques for managing cryptographic keys used by power‑system equipment and supporting infrastructure. It covers lifecycle aspects (generation, distribution, installation, renewal, revocation, storage, and destruction) of long‑term asymmetric keys and certificates, defines group key management usage (notably GDOI for multicast/group traffic such as GOOSE and SV), and describes security event types for key‑management related conditions. The standard assumes an organizational security policy defines algorithm selection and operational responses; actions following detected events are out of scope.
Key topics and requirements
- Public‑key infrastructure (PKI) elements: certificate components, enrolment, verification, trust anchors, revocation handling and lifecycle management.
- Key management lifecycle for devices: provisioning, key rollover/renewal, secure storage, backup, and secure destruction.
- Group key management using GDOI: protocol updates, operational considerations, and support for group protection of GOOSE, SV and PTP (IEEE 1588) traffic.
- Interoperability constraints and recommended profiles to ensure consistent implementations across vendors and systems.
- Security event logging related to key management and mappings to IEC 62351‑14 for event reporting and auditing.
- Considerations for future migration to post‑quantum algorithms (awareness and limited guidance; no PQC measures are mandated in this edition).
Typical use and users
Primary users include power‑system equipment manufacturers, substation and control‑system vendors, utility cybersecurity architects, system integrators, PKI and security‑operations teams in transmission and distribution operators, and testing/interoperability labs. The standard is used to design device firmware and system management tools, define supplier requirements, and compose operational procedures for certificate and key lifecycle management in electrical substations and control centers.
Related standards
IEC 62351‑9 is part of the IEC 62351 family and is intended to be used with other parts of the series (for example IEC 62351‑3 for TLS profiles, IEC 62351‑4 for application‑layer security, IEC 62351‑6 for group communication security, and IEC 62351‑14 for cyber security event logging). It also references and profiles external specifications such as relevant IETF RFCs (certificate enrolment and GDOI), ISO/IEC directory and certificate framework standards, and IEC/IEEE 61850‑9‑3 (Power Profile for IEEE 1588) where timing and group protection interplay with key management.
Keywords
key management; PKI; certificates; GDOI; group key management; GOOSE; SV; PTP; IEC 62351; power systems security; certificate enrolment; cryptographic lifecycle; cyber‑security event logging.
FAQ
Q: What is this standard?
A: IEC 62351‑9:2023 is the IEC standard that specifies cyber‑security key management requirements and profiles for power‑system equipment, focusing on certificate‑based key management and group key techniques for secure communications.
Q: What does it cover?
A: It covers key lifecycle processes (generation, enrolment, installation, renewal, revocation, storage, destruction), certificate components and verification, group key management (GDOI) for multicast protocols (GOOSE, SV) and PTP considerations, interoperability constraints, and definitions of key‑management related security events.
Q: Who typically uses it?
A: Equipment vendors, utilities (OT/IT security teams), system integrators, PKI operators, and test laboratories use this standard to implement interoperable key management and to define procurement and operational practices for secure power‑system communications.
Q: Is it current or superseded?
A: Current. This is Edition 2, published in 2023; it cancels and replaces IEC 62351‑9:2017. National adoptions (EN/UNE/other) followed in 2023.
Q: Is it part of a series?
A: Yes — it is Part 9 of the IEC 62351 series (Data and communications security for power systems), intended to be applied together with other parts of IEC 62351 and with standards such as IEC/IEEE 61850 where relevant.
Q: What are the main keywords?
A: PKI, certificates, key management, GDOI, group keys, GOOSE, SV, PTP, cryptographic lifecycle, cyber security event logging, IEC 62351.