EN IEC 62351-6:2020

SLOVENSKI STANDARD
01-februar-2021
Upravljanje elektroenergetskega sistema in pripadajoča izmenjava informacij -
Varnost podatkov in komunikacij - 6. del: Varnost za IEC 61850
Power systems management and associated information exchange - Data and
communications security - Part 6: Security for IEC 61850
Ta slovenski standard je istoveten z: EN IEC 62351-6:2020
ICS:
29.240.30 Krmilna oprema za Control equipment for electric
elektroenergetske sisteme power systems
35.240.50 Uporabniške rešitve IT v IT applications in industry
industriji
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD EN IEC 62351-6

NORME EUROPÉENNE
EUROPÄISCHE NORM
December 2020
ICS 33.200
English Version
Power systems management and associated information
exchange - Data and communications security - Part 6: Security
for IEC 61850
(IEC 62351-6:2020)
Gestion des systèmes de puissance et échanges Energiemanagementsysteme und zugehöriger
d'informations associés - Sécurité des communications et Datenaustausch - IT-Sicherheit für Daten und
des données - Partie 6: Sécurité pour l'IEC 61850 Kommunikation - Teil 6: Sicherheit für IEC 61850
(IEC 62351-6:2020) (IEC 62351-6:2020)
This European Standard was approved by CENELEC on 2020-11-24. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.

European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2020 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN IEC 62351-6:2020 E

European foreword
The text of document 57/2234/FDIS, future edition 1 of IEC 62351-6, prepared by IEC/TC 57 "Power
systems management and associated information exchange" was submitted to the IEC-CENELEC
parallel vote and approved by CENELEC as EN IEC 62351-6:2020.
The following dates are fixed:
• latest date by which the document has to be implemented at national (dop) 2021-08-24
level by publication of an identical national standard or by endorsement
• latest date by which the national standards conflicting with the (dow) 2023-11-24
document have to be withdrawn
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
Endorsement notice
The text of the International Standard IEC 62351-6:2020 was approved by CENELEC as a European
Standard without any modification.
In the official version, for Bibliography, the following note has to be added for the standard indicated:
IEC 62351-3 NOTE Harmonized as EN 62351-3
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1  Where an International Publication has been modified by common modifications, indicated by (mod),
the relevant EN/HD applies.
NOTE 2  Up-to-date information on the latest versions of the European Standards listed in this annex is available
here: www.cenelec.eu.
Publication Year Title EN/HD Year
IEC 61850-6 - Communication networks and systems for EN 61850-6 -
power utility automation - Part 6:
Configuration description language for
communication in electrical substations
related to IEDs
IEC 61850-7-3 - Communication networks and systems for EN 61850-7-3 -
power utility automation - Part 7-3: Basic
communication structure - Common data
classes
IEC 61850-8-1 - Communication networks and systems for EN 61850-8-1 -
power utility automation - Part 8-1:
Specific communication service mapping
(SCSM) - Mappings to MMS (ISO 9506-1
and ISO 9506-2) and to ISO/IEC 8802-3
IEC 61850-8-2 - Communication networks and systems for EN IEC 61850-8-2 -
power utility automation - Part 8-2:
Specific communication service mapping
(SCSM) - Mapping to Extensible
Messaging Presence Protocol (XMPP)
IEC 61850-9-2 - Communication networks and systems for EN 61850-9-2 -
power utility automation - Part 9-2:
Specific communication service mapping
(SCSM) - Sampled values over ISO/IEC
8802-3
IEC/TS 62351-1 - Power systems management and - -
associated information exchange - Data
and communications security - Part 1:
Communication network and system
security - Introduction to security issues
Publication Year Title EN/HD Year
IEC/TS 62351-2 - Power systems management and - -
associated information exchange - Data
and communications security - Part 2:
Glossary of terms
IEC 62351-4 2020 Power systems management and - -
associated information exchange - Data
and communications security - Part 4:
Profiles including MMS and derivatives
IEC 62351-9 - Power systems management and EN 62351-9 -
associated information exchange - Data
and communications security - Part 9:
Cyber security key management for
power system equipment
ISO/IEC 13239 - Information technology - - -
Telecommunications and information
exchange between systems - High-level
data link control (HDLC) procedures
ISO/IEC 9594-8 | - Information technology - Open Systems - -
Rec. ITU-T X.509 Interconnection - The Directory - Part 8:
Public-key and attribute certificate
frameworks
RFC 2104 - HMAC: Keyed-Hashing for Message - -
Authentication
RFC 5905 - Network Time Protocol Version 4: - -
Protocol and Algorithms Specification
RFC 8052 - Group Domain of Interpretation (GDOI) - -
Protocol Support for IEC 62351 Security
Services
NIST SP 800-38D - Recommendation for Block Cipher Modes - -
of Operation - Galois/Counter Mode
(GCM) and GMAC
Restricted to SNTP profile only.
IEC 62351-6 ®
Edition 1.0 2020-10
INTERNATIONAL
STANDARD
colour
inside
Power systems management and associated information exchange –

Data and communication security –

Part 6: Security for IEC 61850

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS 33.200 ISBN 978-2-8322-8766-8

– 2 – IEC 62351-6:2020 © IEC 2020
CONTENTS
FOREWORD . 4
1 Scope and object . 6
1.1 Scope . 6
1.2 Namespace name and version . 6
1.3 Code Component distribution . 7
2 Normative references . 7
3 Terms, definitions and abbreviated terms . 8
3.1 Terms and definitions . 8
3.2 Abbreviated terms . 8
4 Security issues addressed by this document . 9
4.1 Operational issues affecting choice of security options . 9
4.2 Security threats countered . 9
4.3 Attack methods countered . 9
5 Correlation of IEC 61850 parts and IEC 62351 parts . 9
5.1 General . 9
5.2 IEC 61850-8-1 Profile for Client/Server communications . 10
5.2.1 General . 10
5.2.2 Control centre to substation . 11
5.2.3 Substation communications . 11
5.3 IEC 61850 security for profiles using VLAN IDs . 11
5.4 IEC 61850-8-2 for Client/Server communications . 11
5.5 Using OriginatorID for Client/Server Services. 11
6 Multicast Association Protocols . 12
6.1 General . 12
6.2 Replay Protection . 12
6.2.1 GOOSE replay protection . 12
6.2.2 Sampled Value replay protection . 16
7 Security for SNTP . 19
8 Layer 2 security for profiles for IEC 61850-8-1 GOOSE and IEC 61850-9-2
Sampled Value . 20
8.1 Overview of Ethertype (informative) . 20
8.2 Extended PDU . 20
8.2.1 General format of extended PDU . 20
8.2.2 Format of extension octets . 21
9 Substation configuration language extensions . 25
9.1 Service capability . 25
9.1.1 Access Point support security for GOOSE Publisher . 25
9.1.2 Access Point support security for SV Publisher . 25
9.1.3 Acces Point support security for GOOSE and SMV subscriber . 25
9.1.4 Server Access Point support security for TPAA . 26
9.1.5 Client Access Point support security for TPAA . 26
9.2 Publish with security enabled . 26
9.2.1 GOOSE . 26
9.2.2 SMV . 26
9.2.3 Key Policy and Management . 27
9.3 Use of Simulation . 27

IEC 62351-6:2020 © IEC 2020 – 3 –
10 Extension of LGOS and LSVS . 27
11 Conformance . 27
11.1 General conformance . 27
11.2 Conformance for implementations claiming IEC 61850-8-1 ISO 9506 profile
security . 28
11.2.1 General . 28
11.2.2 IEC 62351-4 TLS Conformity for ISO-9506 Client/Server Profile using

ACSE Authentication . 29
11.3 Conformance for implementations claiming VLAN profile security . 29
11.4 Conformance for implementations claiming SNTP profile security . 32
Bibliography . 33

Figure 1 – MMS Security Profiles . 10
Figure 2 – Replay Protection State Machine for GOOSE . 13
Figure 3 – Replay Protection State Machine for SV . 17
Figure 4 – General format of extended PDU . 20
Figure 5 – Definition of Reserved 1 . 20
Figure 6 – Calculated MAC Domain . 22
Figure 7 – AES-GCM application on the example of a L2 GOOSE/SV packet. . 23

Table 1 – Scope of application to standards . 6
Table 2 – Extract from IEC 61850-9-2 (Informative) . 16
Table 3 – Extension of the LGOS class . 27
Table 4 – Extension of the LSVS class . 27
Table 5 – Conformance table . 28
Table 6 – PICS for IEC 61850-8-1 ISO 9506 profile . 28
Table 7 – PICS for TLS IEC 61850-8-1 Client/Server using ACSE Authentication . 29
Table 8 – PICS for VLAN profiles . 30
Table 9 – IEC 61850-8-1 L2 GOOSE Security . 30
Table 10 – IEC 61850-9-2 L2 SMV Security . 31
Table 11 – IEC 61850-8-1 Routable GOOSE . 31
Table 12 – IEC 61850-9-2 Routable SMV . 32
Table 13 – PICS for SNTP profiles . 32

– 4 – IEC 62351-6:2020 © IEC 2020
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
POWER SYSTEMS MANAGEMENT AND ASSOCIATED INFORMATION
EXCHANGE – DATA AND COMMUNICATION SECURITY –

Part 6: Security for IEC 61850

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international
co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and
in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports,
Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their
preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with
may participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for
Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence between
any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent
rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 62351-6 has been prepared by IEC technical committee 57: Power
systems management and associated information exchange.
The text of this International Standard is based on the following documents:
FDIS Report on voting
57/2234/FDIS 57/2258/RVD
Full information on the voting for the approval of this International Standard can be found in the
report on voting indicated in the above table.
This document has been drafted in accordance with the ISO/IEC Directives, Part 2.
A list of all parts of the IEC 62351 series, published under the general title Power systems
management and associated information exchange – Data and communications security, can
be found on the IEC website.
IEC 62351-6:2020 © IEC 2020 – 5 –
The committee has decided that the contents of this document will remain unchanged until the
stability date indicated on the IEC website under "http://webstore.iec.ch" in the data related to
the specific document. At this date, the document will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct understanding
of its contents. Users should therefore print this document using a colour printer.

– 6 – IEC 62351-6:2020 © IEC 2020
POWER SYSTEMS MANAGEMENT AND ASSOCIATED INFORMATION
EXCHANGE – DATA AND COMMUNICATION SECURITY –

Part 6: Security for IEC 61850

1 Scope and object
1.1 Scope
This part of IEC 62351 specifies messages, procedures, and algorithms for securing the
operation of all protocols based on or derived from the IEC 61850 series. This document applies
to at least those protocols listed in Table 1.
Table 1 – Scope of application to standards
Number Name
IEC 61850-8-1 Communication networks and systems for power utility automation – Part 8-1: Specific
communication service mapping (SCSM) – Mappings to MMS (ISO/IEC 9506-1 and
ISO/IEC 9506-2) and to ISO/IEC 8802-3
IEC 61850-8-2 Communication networks and systems for power utility automation – Part 8-2: Specific
communication service mapping (SCSM) – Mapping to Extensible Messaging Presence
Protocol (XMPP)
IEC 61850-9-2 Communication networks and systems for power utility automation – Part 9-2: Specific
communication service mapping (SCSM) – Sampled values over ISO/IEC 8802-3
IEC 61850-6 Communication networks and systems for power utility automation – Part 6: Configuration
description language for communication in power utility automation systems related to
IEDs
The initial audience for this document is intended to be the members of the working groups
developing or making use of the protocols listed in Table 1. For the measures described in this
specification to take effect, they must be accepted and referenced by the specifications for the
protocols themselves. This document is written to enable that process.
The subsequent audience for this document is intended to be the developers of products that
implement these protocols.
Portions of this document may also be of use to managers and executives in order to understand
the purpose and requirements of the work.
1.2 Namespace name and version
This new clause is mandatory for any IEC 61850 namespace (as defined by part 7-1 of
IEC 61850 Edition 2).
The parameters which identify this new release of this namespace are:
• Namespace version: 2020
• Namespace revision: A
• Namespace name: “IEC 62351-6:2020A”
• Namespace release: 1
The table below provides an overview of all published versions of this namespace.

IEC 62351-6:2020 © IEC 2020 – 7 –
Edition Publication date Webstore Namespace
Edition 1.0 2020-? IEC 62351-6:2020 IEC 62351-6:2020

1.3 Code Component distribution
There is currently no code component scheduled for the code component downloading area.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies.
For undated references, the latest edition of the referenced document (including any
amendments) applies.
IEC 61850-6, Communication networks and systems for power utility automation – Part 6:
Configuration description language for communication in electrical substations related to IEDs
IEC 61850-7-3, Communication networks and systems for power utility automation – Part 7-3:
Basic communication structure – Common data classes
IEC 61850-8-1, Communication networks and systems for power utility automation –
Part 8-1: Specific communication service mapping (SCSM) – Mappings to MMS (ISO 9506-1
and ISO 9506-2) and to ISO/IEC 8802-3
IEC 61850-8-2, Communication networks and systems for power utility automation – Part 8-2:
Specific communication service mapping (SCSM) – Mapping to Extensible Messaging Presence
Protocol (XMPP)
IEC 61850-9-2, Communication networks and systems for power utility automation – Part 9-2:
Specific communication service mapping (SCSM) – Sampled values over ISO/IEC 8802-3
IEC TS 62351-1, Power systems management and associated information exchange – Data
and communications security – Part 1: Communication network and system security –
Introduction to security issues
IEC TS 62351-2, Power systems management and associated information exchange – Data
and communications security – Part 2: Glossary of terms
IEC 62351-4:2020, Power systems management and associated information exchange – Data
and communications security – Part 4: Profiles including MMS and derivatives
IEC 62351-9, Power systems management and associated information exchange – Data and
communications security – Part 9: Cyber security key management for power system equipment
ISO/IEC 13239, Information technology – Telecommunications and information exchange
between systems – High-level data link control (HDLC) procedures
ISO/IEC 9594-8 | Rec. ITU-T X.509: Information technology – Open Systems Interconnection –
The Directory: Public-key and attribute certificate frameworks
RFC 2104, HMAC: Keyed-Hashing for Message Authentication

– 8 – IEC 62351-6:2020 © IEC 2020
RFC 5905, Network Time Protocol Version 4: Protocol and Algorithms Specification
RFC 8052, Group Domain of Interpretation (GDOI) Protocol Support for IEC 62351 Security
Services
NIST Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation
Galois/Counter Mode (GCM and GMAC)
3 Terms, definitions and abbreviated terms
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC TS 62351-2 and
IEC 61850-2 apply.
ISO and IEC maintain terminological databases for use in standardization at the following
addresses:
• IEC Electropedia: available at http://www.electropedia.org/
• ISO Online browsing platform: available at http://www.iso.org/obp
3.1.1
electronic security perimeter
logical border surrounding a network interconnecting critical cyber assets
3.1.2
client
functional unit that establishes an association and issues requests and receives services from
a server.
3.1.3
server
functional unit that receives an association from a Client and provides services requested by
the Client
3.2 Abbreviated terms
ACSE Association Control Service Element
APDU Application Protocol Data Unit
ASDU Application Service Data Unit
ASN.1 Abstract Syntax Notation One
ESP Electronic Security Perimeter
GDOI Group Domain of Interpretation
GMAC Galois Message Authentication Code
GOOSE Generic Object Oriented Substation Event
GSE Generic Substation Events
HMAC Hashed Message Authentication Code
ICT IED Configuration Tool
IED Intelligent Electronic Device
KFA Key Delivery Assurance
KDC Key Distribution Centre
___________
Restricted to SNTP profile only.

IEC 62351-6:2020 © IEC 2020 – 9 –
MAC Message Authentication Code
SMV Sampled Measured Values
SCL Substation Configuration Language
SV Sampled Value
4 Security issues addressed by this document
4.1 Operational issues affecting choice of security options
For applications using Layer 2 IEC 61850-8-1 GOOSE and Layer 2 IEC 61850-9-2 Sampled
Value and requiring 3 ms response times, multicast configurations and low CPU overhead,
encryption is not recommended. Instead, the communication path selection process (e.g. the
fact that Layer 2 GOOSE and SV are supposed to be restricted to a logical substation LAN)
shall be used to provide confidentiality for information exchanges. However, this document does
define a mechanism for allowing confidentiality for applications where the 3 ms delivery criterion
is not a concern.
NOTE The actual performance characteristics of an implementation claiming conformance to this technical
specification is outside the scope of this document.
With the exception of confidentiality, this document sets forth a mechanism that allows co-
existence of secure and non-secure PDUs.
4.2 Security threats countered
See IEC TS 62351-1 for a discussion of security threats and attack methods.
If encryption is not employed, then the specific threats countered in this clause include:
• unauthorized modification (tampering) of information through message level authentication
of the messages.
If encryption is employed, then the specific threats countered in this clause include:
• unauthorized access to information through message level authentication and encryption of
the messages;
• unauthorized modification (tampering) or theft of information through message level
authentication and encryption of the messages.
• information disclosure is countered.
4.3 Attack methods countered
The following security attack methods are intended to be countered through the appropriate
implementation of the specifications/recommendations found within this document:
• man-in-the-middle: this threat will be countered through the use of a Message Authentication
Code mechanism specified within this document;
• tamper detection/message integrity: These threats will be countered through the algorithm
used to create the authentication mechanism as specified within this document;
• replay: this threat will be countered through the use of specialized processing state
machines specified within IEC 62351-4 and this document.
5 Correlation of IEC 61850 parts and IEC 62351 parts
5.1 General
There are four levels of interaction between the parts of the IEC 62351 series and parts of the
IEC 61850 series. This part is concerned with the:

– 10 – IEC 62351-6:2020 © IEC 2020
• Communication profile security regarding:
– IEC 61850-8-1 Application Profile for Client/Server communications.
– IEC 61850-8-2 Application Profile for Client/Server communications.
– IEC 61850-8-1 Layer 2 T-Profile for GOOSE/GSE
– IEC 61850-8-1 Layer 2 T-Profile for Multicast Sampled Values
– IEC 61850-8-1 Layer 3 Routable GOOSE and Sampled Values
• Configuration extensions required for configuration of the Application and Transport
communication profiles of concern. These extensions would impact IEC 61850-6.
• Object definitions, regarding security and identification, that are exposed at run-time as part
of the IEC 61850-8-1 and IEC 61850-8-2 object mappings.
• The binding of Originator ID values to authenticated peers for Client/Server services.
The scope of this document provides security specifications for use within an Electronic Security
Perimeter (ESP) and between ESPs.
5.2 IEC 61850-8-1 Profile for Client/Server communications
5.2.1 General
IEC 61850 implementations claiming conformance to this specification and declaring support
for the IEC 61850-8-1 profile utilizing TCP/IP and ISO 9506 (MMS) shall implement Clauses 5
and 6 of IEC 62351-4:2020.
IEC 61850-8-1 specifies the use of MMS within a substation. However, the scope of this
specification provides security specifications for use within the substation and external to the
substation (e.g. Control Centre to Substation).

Figure 1 – MMS Security Profiles
Figure 1 shows the security profiles for IEC 61850 Client/Server associations based upon
ISO/IEC 9506:
• Non-Secure: Implementations claiming conformance to this clause and Client/Server
capability shall support the ability to be configured without securing connections per
IEC 62351-4.
IEC 62351-6:2020 © IEC 2020 – 11 –
• TLS-Only: The use of TLS only is out-of-scope of this document. This profile may not provide
the ability to provide user level Role Based Access Control (RBAC) for all use cases.
• Compatibility (per IEC 62351-4): Client implementations claiming conformance shall support
the configuration and exchange of information utilizing ACSE Authentication per IEC 62351-
4 and TLS. The use of TLS is mandatory.
• End-to-End: The support for this security profile is optional. However, in future editions of
this standard, it is intended to make the support of this profile mandatory.
See Table 6 for a formal conformance statement.
5.2.2 Control centre to substation
IEC 62351-4 shall be used without any other additions.
5.2.3 Substation communications
The mandatory cipher suites are found in IEC 62351-4.
5.3 IEC 61850 security for profiles using VLAN IDs
For the IEC 61850 profiles specified that make use of VLAN IDs (e.g. IEC 61850-8-1 GOOSE,
and IEC 61850-9-2) profile security shall be provided as specified in Clause 8.
5.4 IEC 61850-8-2 for Client/Server communications
IEC 61850 implementations claiming conformance to this document and declaring support for
the IEC 61850-8-2 A-Profile for Client/Server communications shall implement the End-to-End
security mechanism as specified by IEC 62351-4.
IEC 61850-8-2 does not support ACSE therefore, the IEC 62351-4 security mechanism of ACSE
authentication (A-Profile) are not implemented or supported.
Additionally, IEC 61850-8-2 utilizes a T-Profile consisting of XMPP, which in turn controls TLS.
Therefore, the TLS security mechanisms, and cipher suites, specified in IEC 62351-4 are out-
of-scope for IEC 61850-8-2.
5.5 Using OriginatorID for Client/Server Services
There are several Common Data Classes (CDCs) defined in IEC 61850-7-3 and service tracking
functions that explicitly define the ability to provide information about the originator of the
control or service. The actual value representing the initiating entity in both IEC 61850-8-1 and
IEC 61850-8-2 is originatorID and is a 64-octet octetstring.
The use of certificate-based authentication and security provides a mechanism for providing
authoritative information regarding the originator. However, the size restriction of originatorID
is not large enough to provide exposure of the Issuer and Serial Number. Therefore,
implementations claiming conformance to this standard shall implement the optional
DataAttribute certIssuer in the instance to the IEC 61850-7-3 CDCs of: CST, BTS, UTS, LTS,
GTS, MTS, NTS, and STS.
The use of the value of the certIssuer Data Attribute follows:
• The value shall be a concatenation of the sequence of name values that may be present in
the Issuer field. If there is more than one name in the sequence, the concatenation token
shall be the “\” character, i.e. have a zero(0) length value if the client association is not
authenticated.
• Have the value of the X.509 Issuer Name for a client association that is authenticated.

– 12 – IEC 62351-6:2020 © IEC 2020
• If the concatenated value is greater than 255 characters, the value shall be truncated to 255
characters.
• If the client association was not authenticated through the use of certificates, the length of
the certIssuer shall be zero(0) and therefore the value shall be NULL. All octets in the value
shall be initialized to 0.
Implementations claiming conformance to this standard shall also utilize the originatorID Data
Attribute as follows:
• If the certIssuer value is not NULL, the value of the X.509 certificate serial number shall be
used for the value for clients associations that have been authenticated by use of a
certificate. A certificate serial number is an encoded positive integer value. The encoded
value shall be copied into the originatorID value, not including the tag or length.
• If the certIssuer value is NULL, the value of the originatorID may be “unknown” with “u”
being the most significant octet of the value. Other values are a local issue.
6 Multicast Association Protocols
6.1 General
IEC 61850-8-1 and IEC 61850-9-2 specify two different application protocols that utilize the
IEC 61850 Multicast Association model. These are GSE (e.g. GOOSE) and Multicast Sampled
Values. These application protocols are mapped over two different T-Profile mappings.
The T-Profiles specified provide a Layer 2 and a Routable mapping of the application protocol.
The combination of the A-Profiles and T-Profiles are commonly referred to as as Layer 2 or
Routable (e.g. Layer 2 GOOSE or Routable GOOSE). This document specifies security
behaviours that are common regardless of the T-Profile and specific security protocol
extensions for the Layer 2 T-Profiles.
This clause specifies the expected behaviours for replay protection for both GOOSE and
Multicast Sampled Values regardless of the T-Profile utilized.
6.2 Replay Protection
Replay protection can be implemented for GOOSE and Sampled Value A-Profiles with or without
security extensions. The replay protection algorithms specified in the following clauses are for
subscribers claiming conformance to this part and therefore replay protection is to be
implemented regardless if the published GOOSE or Sampled Value APDU has security. The
replay protection algorithm is implemented by the subscriber
6.2.1 GOOSE replay protection
6.2.1.1 General
The normal GOOSE subscriber state machine in IEC 61850-8-1 does not detail how to transition
out-of-order state numbers (stNum) or sequence numbers (sqNum) should be received.
Implementations claiming conformance to this standard shall implement the state machine
shown in Figure 2. Additional security and replay checks may be implemented. For this clause,
the Application is defined as the GOOSE Subscriber function and not the actual process that
utilizes GOOSEData (per IEC 61850-7-2) in order to perform protection, etc.

IEC 62351-6:2020 © IEC 2020 – 13 –

Figure 2 – Replay Protection State Machine for GOOSE
Figure 2 is relevant for GOOSE messages for which the subscriber has an active subscription
shall be configured through the use of SCL and an ICT. Other configuration mechanisms are
out-of-scope. Implementations claiming conformance to this clause shall maintain at least the
following internal state machine variables: last received stNum (lastRcvStNum); last received
sqNum (lastRcvSqNum); last received state change timestamp (lastRcvT); and an internal Time
Allowed to Live (intTAL) value. The states and their transitions are defined as follows:
1) The Non-Existent state represents the state when there is no GOOSE subscription.
2) Upon activating the subscription (e.g. power-up or subscription configuration), the state
machine will internally set the lastRcvStNum , lastRcvSqNum, lastRcvT, and intTAL to
invalid since no GOOSE message has been received and the state machine transitions to
the Wait for GOOSE Message state.
Upon receiving the subscribed GOOSE message, the subscriber shall transition to the
Security Checks state (State 3).
3) The processing in the Security Checks state is described in 6.2.1.2.
If the Subscriber has never received a key from the KDC, it shall pass the security check
for non-encrypted packets and perform a GROUP-PULL as defined by IEC 62351-9.
Subscribers receiving an encrypted GOOSE messages, and not having the key for the ID
conveyed in the GOOSE message shall transition to Security Check Failure and shall
perform a GROUP-PULL as defined by IEC 62351-9.
If the subscriber has been unable to receive keys prior to the expiration of the last key
delivered, it shall report an alarm indicating that key delivery has failed and that expired
keys are being assumed. It shall process packets whose keyID is the last key delivered.

– 14 – IEC 62351-6:2020 © IEC 2020
Upon delivery of an unknown keyID, while using an expired key, the subscriber shall
immediately perform a GROUP-PULL in order to synchronize keys.
If the security tests pass, the state machine shall transition to checking for replayed packets
(State 4).
If the security checks fail, the state machine shall transition to the Security Check Failure
Supervision Update state (State 9).
4) The Check for Replay state shall perform the procession in 6.2.1.3.
If no replay is detected, a transition to the Application Update State (State 5) shall occur.
If replay is detected, a transition to the Replayed Packet Supervision Update state (State
10) shall occur.
5) The “To Application” state shall decode the GOOSE packet. The decoded information shall
be delivered to the Application if decoded stNum is not equal to lastRcvStNum. It is a local
issue if a change of sqNum shall cause information to be delivered to the Application.
The values of lastRcvStNum and lastRcvSqNum shall be updated to the values decoded
from the GOOSE packet.
The state shall transition to State 6.
6) The intTAL value shall be set to a value related to the decoded Time Allowed to Live (TAL)
value. The Association Loss timeout shall also be reset to a locally determined value.
7) The supervision information shall be updated based upon the new packet information
received. See 6.2.1.4 for processing requirements.
Once the supervision information has been updated, a transition to State 8.
8) The value of intTAL shall be used to detect packet loss. The state shall start an expiration
time based upon the current value of intTAL.
If the value of intTAL is zero (e.g. expired), a transition to State 11 shall occur.
If subscribed for GOOSE packet is received, the state shall transition to State 3.
9) The supervision information shall be updated based upon the security check failure
information received. See 6.2.1.4 for processing requirements.
Once the supervision information has been updated, a transition to State 8. No reset or
setting of intTAL shall be performed.
10) The supervision information shall be updated based upon the replay detection information.
See 6.2.1.4 for processing requirements.
Once the supervision information has been updated, a transition to State 8. No reset or
setting of intTAL shall be performed.
11) This state is used to determine when a subscription is no longer active. It differs from the
packet loss detection in that it is a local issue.
Once it is decided that the subscription is no longer active, the state transitions to State 12.
12) The application shall be updated
...