prEN IEC 62351-14:2025
Power systems management and associated information exchange - Data and communications security - Part 14: Cyber security event logging
SLOVENIAN STANDARD
01 February 2026
Power systems management and associated information exchange - Data and communications security - Part 14: Cyber security event logging
This Slovenian standard is identical to: prEN IEC 62351-14:2025
ICS:
29.240.30 Control equipment for electric power systems
35.240.50 IT applications in industry
2003-01. Slovenian Institute for Standardization. Reproduction of all or part of this standard is not permitted.
57/2849/CDV
COMMITTEE DRAFT FOR VOTE (CDV)
PROJECT NUMBER: IEC 62351-14 ED1
DATE OF CIRCULATION: 2025-12-05
CLOSING DATE FOR VOTING: 2026-02-27
SUPERSEDES DOCUMENTS: 57/2741/NP, 57/2784A/RVN
IEC TC 57 : POWER SYSTEMS MANAGEMENT AND ASSOCIATED INFORMATION EXCHANGE
SECRETARIAT: Germany
SECRETARY: Mr Heiko Englert
OF INTEREST TO THE FOLLOWING COMMITTEES:
HORIZONTAL FUNCTION(S):
ASPECTS CONCERNED: Electricity transmission and distribution, Information security and data privacy
SUBMITTED FOR CENELEC PARALLEL VOTING NOT SUBMITTED FOR CENELEC PARALLEL VOTING
Attention IEC-CENELEC parallel voting
The attention of IEC National Committees, members of CENELEC,
is drawn to the fact that this Committee Draft for Vote (CDV) is
submitted for parallel voting.
The CENELEC members are invited to vote through the CENELEC
online voting system.
This document is still under study and subject to change. It should not be used for reference purposes.
Recipients of this document are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.
Recipients of this document are invited to submit, with their comments, notification of any relevant “In Some Countries” clauses to be included should this proposal proceed. Recipients are reminded that the CDV stage is the final stage for submitting ISC clauses. (SEE AC/22/2007 OR NEW GUIDANCE DOC).
TITLE: Power systems management and associated information exchange – Data and communications security – Part 14: Cyber security event logging
PROPOSED STABILITY DATE: 2026
NOTE FROM TC/SC OFFICERS:
electronic file, to make a copy and to print out the content for the sole purpose of preparing National Committee positions. You
may not copy or "mirror" the file or printed version of the document, or any part of it, for any other purpose without permission
in writing from IEC.
IEC CDV 62351-14 © IEC 2025
CONTENTS
FOREWORD
INTRODUCTION
1 Scope
2 Normative references
3 Terms and definitions
3.1 Cyber security event
3.2 Cyber security event log
3.2.1 Log generation entity
3.2.2 Log collection entity
3.3 Event
3.4 Entity
3.5 Type
3.6 Characters And Character Sets
3.6.1 Named Characters
3.6.2 Named Character Sets
3.6.3 UTF-8
3.7 User
3.8 Abbreviations and acronyms
4 Structure for cyber security event
4.1 Information structure for describing a cyber security event
4.2 Information structure for logging a cyber security event
4.3 Relation between [Table 1] and [Table 2]
4.4 Cyber security event identifier numeric range allocation
4.4.1 ID (Composite)
4.4.2 Domain ID
4.4.3 Event Group
4.4.4 Event Number
4.5 Dynamic parameter insertion
5 Using electronic version to describe a cyber security event
6 Cyber security event logging using Syslog RFC5424
6.1 Mapping to RFC 5424 Syslog HEADER
6.2 Mapping to RFC 5424 STRUCTURED-DATA
6.2.1 Mapping to SD-ELEMENT 62351-14@41912 (Mandatory)
6.2.2 Mapping to SD-ELEMENT timeQuality (Optional)
6.3 Mapping to RFC 5424 MSG
6.4 Mapping to Syslog RFC 5424 PRI
6.5 Secure and reliable transport of cyber security events using Syslog
6.6 Raw storage of mapped information
7 Cyber security event logging using XML
7.1 IEC 62351-14 Security Event Definition XSD Schemas
7.1.1 Basic Types Definition (SECEVT_BaseTypes.xsd)
7.1.2 Events Definition Types (SECEVT_EventsDefinition.xsd)
7.1.3 Events List Types (SECEVT_EventList.xsd)
7.2 Rules for creating event definition and event text translations XML files
8 A French translation of the 1st version would be named: IEC62351-14_v1_fr.xml Mapping Syslog to SNMP
9 Mapping SNMP to Syslog
10 Storage recommendations of cyber security events
11 Conformance
Annex A (informative/normative) Generic cybersecurity events
Annex B (informative/normative) IEC 62351 parts specific cybersecurity events
Annex B.1 IEC 62351 specific cyber security events
Annex B.1.1 IEC 62351-3 cybersecurity event logs
Annex B.1.2 IEC 62351-4 cybersecurity event logs
Annex B.1.3 IEC 62351-5 cybersecurity event logs
Annex B.1.4 IEC 62351-6 cybersecurity event logs
Annex B.1.5 IEC 62351-8 cybersecurity event logs
Annex B.1.6 IEC 62351-9 cybersecurity event logs
Annex B.1.7 IEC 62351-11 cybersecurity event logs
Annex C (informative) Examples – Syslog (RFC 5424) based logging
Annex C.1 Syslog (RFC 5424) based logging of a generic cybersecurity event
Example 1 – Account Creation
Example 2 – Nonzero SqNum Encoding
Example 3 – Custom SD-ELEMENT
Annex D (informative) IEC 62443-4-2 mapping with IEC 62351-14 event definition attributes
FIGURES
Figure 1 – Relationship between [Table 1] and [Table 2]
TABLES
Table 1 – Abstract information structure for defining a cyber security event
Table 2 – Abstract information structure for logging a cyber security event log
Table 3 – Dynamic parameter example
Table 4 – Mapping to Syslog [RFC 5424] HEADER
Table 5 – Mapping to SD-ELEMENT 62351-14@41912
Table 6 – Mapping to SD-ELEMENT timeQuality
Table 7 – Mapping of IEC 62351 severity attribute to Syslog RFC 5424 severity
Table 9 – General cyber security events
Table 10 – (IEC62351-3) TLS handshake cyber security events
Table 11 – (IEC 62351-3) TLS certificate cyber security events
Table 12 – (IEC 62351-4) E2E HandshakeReq cyber security events
Table 13 – (IEC 62351-4) E2E HandshakeAcc cyber security events
Table 14 – (IEC 62351-4) E2E ApplicationReject cyber security events
Table 15 – (IEC 62351-4) E2E ApplicationSecReject cyber security events
Table 16 – (IEC 62351-4) E2E HandshakeSecAbort cyber security events
Table 17 – (IEC 62351-4) E2E DtSecAbort cyber security events
Table 18 – (IEC 62351-4) E2E ApplAbort cyber security events
Table 19 – (IEC 62351-4) E2E ClearTransfer cyber security events
Table 20 – (IEC 62351-4) E2E EncrTransfer cyber security events
Table 21 – (IEC 62351-4) E2E ReleaseReq cyber security events
Table 22 – (IEC 62351-4) E2E ReleaseRsp cyber security events
Table 23 – (IEC 62351-4) OSI operational environment cyber security events
Table 24 – (IEC 62351-4) XMPP operational environment cyber security events
Table 25 – (IEC 62351-5) secure communication cyber security events
Table 26 – (IEC 62351-5) certificate cyber security events
Table 27 – (IEC 62351-6) GOOSE cyber security events
Table 28 – IEC 62351-6 SV cyber security events
Table 29 – (IEC 62351-8) general access token cyber security events
Table 30 – (IEC 62351-8) profile A, B and C cyber security events
Table 31 – (IEC 62351-8) security events for backend interaction
Table 32 – (IEC 62351-8) security events related to RBAC engineering and maintenance
Table 33 – (IEC 62351-9) credential transport and certificate enrolment cyber security events
Table 34 – (IEC62351-9) public-key certificate cyber security events
Table 35 – (IEC62351-9) attribute certificate cyber security events
Table 36 – (IEC62351-9) certificate revocation cyber security events
Table 37 – (IEC62351-9) GDOI cyber security events
Table 38 – IEC 62351-11 cyber security events
Table 39 – Account creation (Event Field – Value)
Table 40 – Account Creation (Logging Attributes)
Table 41 – Account Creation (SYSLOG RFC 5424 HEADER Construction)
Table 42 – Account Creation (SD-ELEMENT: 62351-14@41912)
Table 43 – Account Creation (SD-ELEMENT: timeQuality)
Table 44 – Nonzero SqNum Encoding (Event Field – Value)
Table 45 – Nonzero SqNum Encoding (Logging Attributes)
Table 46 – Nonzero SqNum Encoding (HEADER Construction)
Table 47 – Nonzero SqNum Encoding (SD-ELEMENT: 62351-14@41912)
Table 48 – Nonzero SqNum Encoding (SD-ELEMENT: timeQuality)
Table 49 – Custom SD-ELEMENT
Table 50 – IEC 62443-4-2 to IEC 62351-14 mapping
REVISION
Name | Document changes | Date
Arijit Kumar Bose | Drafted based on the feedback from IEC 62351 TC 57 WG15 members and participants. | 02nd August 2024
Arijit Kumar Bose | Based on the resolutions of comments as received from National Committees on the first draft. These resolutions were discussed and approved within WG15. | 16th June 2025
Arijit Kumar Bose | Updated the header based on the input from WG15. | 22nd June 2025
Arijit Kumar Bose | Aligned IEC 62351-8 list of cybersecurity events in accordance with latest FDIS of IEC 62351-8. | 21st July 2025
Jean-Sebastien Gagnon | Formulation of sections 5 and 7. | 10th September 2025
Arijit Kumar Bose | 1) Introduced sections 3.2.1 and 3.2.2. 2) Updated section 4.1 with note for “SupersededBy”. 3) For section 4.1, introduced the conditional clause and a note for the attribute “Text”. 4) For section 4.2, introduced the conditional clause for the attribute “P.label”. 5) For section 5, cross-referenced to section 7. 6) Introduced section 6.6 for handling “raw data”. 7) Based on 6), accordingly updated Table 8 of section 11. 8) Grouped all generic cybersecurity events inside Annex A. 9) Grouped all IEC 62351 parts specific cybersecurity events inside Annex B. 10) Grouped all examples inside Annex C. 11) Grouped inside Annex D addressing “IEC 62443-4-2 event attributes mapping to IEC 62351-14 event definition attributes”. | 22nd September 2025
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
DATA AND COMMUNICATION SECURITY –
Part 14: Cyber security event logging
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international
co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and
in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports,
Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their
preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with
may participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for
Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence between
any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent
rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 62351-14 has been prepared by IEC technical committee 57: Power
systems management and associated information exchange.
The text of this International Standard is based on the following documents:
FDIS Report on voting
XX/XX/FDIS XX/XX/RVD
Full information on the voting for the approval of this International Standard can be found in the
report on voting indicated in the above table.
This document has been drafted in accordance with the ISO/IEC Directives, Part 2.
The committee has decided that the contents of this document will remain unchanged until the
stability date indicated on the IEC website under "http://webstore.iec.ch" in the data related to
the specific document. At this date, the document will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
The National Committees are requested to note that for this document the stability date
is 20XX.
THIS TEXT IS INCLUDED FOR THE INFORMATION OF THE NATIONAL COMMITTEES AND WILL BE DELETED
AT THE PUBLICATION STAGE.
INTRODUCTION
The power system is becoming extremely complex and interconnected. Traditionally, an electrical power system operated in an isolated environment, where the system owner operated their utilities within their geographical area. There was also no remote connectivity for the purpose of accessing power system data. However, this traditional trend is changing, and the different electrical utilities are becoming increasingly interconnected with each other. Remote connectivity for accessing a power system is also becoming useful for flexibility reasons. While this shift towards digitalization in power systems provides benefits such as flexibility in accessing and performing any power system operation, with the ability to visualize the power system state from remote locations, it also introduces cyber security threats to the power system. Such threats can emerge from both the internal and external communication networks of an electrical utility.
Therefore, for the secure and reliable operation of a power system, cyber security protection is an important aspect. For the secure and reliable management of a power system, it is very important to obtain a holistic view of its cyber security situation. If a cyber security attack occurs, it is important to identify it as early as possible so that proactive actions can be taken. This requires logging and analysis of cyber security events across the power system. Logging such events and then analysing them helps to quickly detect a possible cyber-attack and provides detailed insight into the cyber security situation and its root causes. This is extremely useful for power system operators so that they can take possible preventive actions to mitigate the risks associated with any cyber-attacks.
Technical issues identified after publication of the International Standard (IS) edition will be handled through the “Technical Issue Database, https://iec62351.tissue-db.com/default.mspx” to maintain correctness and interoperability. Approved technical issues will be published as an INF document and further handled in either an amendment, a revision, or a new edition of this document.
DATA AND COMMUNICATION SECURITY –
Part 14: Cyber security event logging
1 Scope
This part of the IEC 62351 series specifies technical specifications for power system cyber security event logging. Its scope includes:
1) An abstract information structure consisting of metadata, i.e., multiple attributes for both defining and logging a power system cyber security event.
2) A list of standardized cyber security events, provided in annexes and described using this abstraction. These events are useful for cyber security situation monitoring across the power system.
3) A method to securely transfer such cyber security events using a secure variant of Syslog.
The aspects that are outside its scope are:
1) Defining the method to use event logging protocols other than Syslog for logging cyber security events in power systems.
2) The technical specifications and methods to analyse a cyber security event, and thus to deduce its root cause.
Note: However, it is imperative to analyse and derive the root causes behind any cyber security event, followed by detection of any cyber-attack. Both need first-hand logging of the respective cyber security event carrying useful metadata.
This part of IEC 62351 thus provides only technical specifications on how to log a cyber security event for an electrical power system. It also provides a list of standardized cyber security events. Logging of such metadata could provide valuable insights into the cyber security posture of electrical power systems. Based on such logged information, analysis of the logs can be performed to identify any cyber-attacks and the root causes behind such attacks.
This part of IEC 62351 addresses a harmonized and standardized cyber security event logging specification across a power system for achieving interoperability in a heterogeneous environment. This edition of IEC 62351-14 provides a list of standardized cyber security events, such as events related to IEC 62351-3. However, as these referencing IEC 62351 parts evolve over time, they will take first precedence in describing the cyber security events, before the events are described in IEC 62351-14. Referencing IEC 62351 standards shall provide the table of cyber security events as an informative annex.
In IEC 62351, there are two parts providing monitoring information: IEC 62351-14 (i.e., this part) and IEC 62351-7. This part of IEC 62351 focuses on providing a standardized way of generating and monitoring cyber security event logs in an electrical power system. In contrast, IEC 62351-7 addresses the entire health monitoring of the power system, of which cyber security is one of the key aspects. Since the centralized cyber security event monitoring of IEC 62351-14 is based on Syslog [RFC 5424], it provides logging information into a centralized repository. IEC 62351-7 is based on SNMP. It provides real-time situational awareness to the system operator. Both are useful in their own ways, and hence it is recommended to deploy both parts of IEC 62351 to obtain a comprehensive power system monitoring solution.
To further distinguish between the applicability of the two standards from a cyber security point of view, IEC 62351-14 provides the mechanism to log a cyber security event along with describing the event, for example “certificate expired”, “certificate revoked”, etc. IEC 62351-7 provides a health status of the electrical power system by quantitatively monitoring the number of cyber security events of a particular type, for example “number of expired certificates”, “number of revoked certificates”, etc.
IEC 62351-90-3 covers the efficient handling of the fleet of information that shall originate with the application of IEC 62351-7 and IEC 62351-14 at a centralized or distributed cyber security operator workplace.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
IEC 62351-1, Technical Specification (Edition 1.0), Power systems management and associated information exchange - Data and communications security - Part 1: Introduction to security issues
IEC 62351-2, Technical Specification (Edition 1.0), Power systems management and associated information exchange - Data and communications security - Part 2: Glossary of terms
IEC 62351-3, International Standard (Edition 2.0), Power systems management and associated information exchange - Data and communications security - Part 3: Profiles including TCP/IP
IEC 62351-4, International Standard (Edition 1.1), Power systems management and associated information exchange - Data and communications security - Part 4: Profiles including MMS and derivatives
IEC 62351-5, International Standard (Edition 1.0), Power systems management and associated information exchange - Data and communications security - Part 5: Security for IEC 60870-5 and derivatives
IEC 62351-6, International Standard (Edition 1.0), Power systems management and associated information exchange - Data and communications security - Part 6: Security for IEC 61850
IEC 62351-7, International Standard (Edition 1.0), Power systems management and associated information exchange - Data and communications security - Part 7: Network and system management (NSM) data object models
IEC 62351-8, International Standard (Edition 1.0), Power systems management and associated information exchange - Data and communications security - Part 8: Role-based access control
IEC 62351-9, International Standard (Edition 2.0), Power systems management and associated information exchange - Data and communications security - Part 9: Cyber security key management for power system equipment
IEC 62351-10, Technical Report (Edition 1.0), Power systems management and associated information exchange - Data and communications security - Part 10: Security architecture guidelines
IEC 62351-11, International Standard (Edition 1.0), Power systems management and associated information exchange - Data and communications security - Part 11: Security for XML documents
IEC 62351-12, Technical Report (Edition 1.0), Power systems management and associated information exchange - Data and communications security - Part 12: Resilience and security recommendations for power systems with distributed energy resources (DER) cyber-physical systems
IEC 62351-13, Technical Report (Edition 1.0), Power systems management and associated information exchange - Data and communications security - Part 13: Guidelines on what security topics should be covered in standards and specifications
IEC 62351-90-3, Technical Report (Edition 1.0), Power systems management and associated information exchange - Data and communications security - Part 90-3: Guidelines for network and system Management
IEC 62443, Network and system security for industrial-process measurement and control
IEC 62443-4-2, International Standard (Edition 1.0), Technical Security Requirements for Industrial Automation and Control System (IACS) components
ISO/IEC 27001, International Standard (2022 edition), Information technology - Security Techniques - Information security management systems — Requirements
RFC 5424, March 2009, The Syslog Protocol
RFC 3629, November 2003, UTF-8, a transformation format for ISO 10646
RFC 5246, August 2008, Transport Layer Security (TLS) Protocol Version 1.2
RFC 5425, March 2009, Transport Layer Security (TLS) Mapping for Syslog
RFC 3494, March 2003, Lightweight Directory Access Protocol
RFC 1035, November 1987, Domain names – Implementation and Specification
RFC 5675, October 2009, Mapping Simple Network Management Protocol (SNMP) Notifications to Syslog messages
RFC 5676, October 2009, Definition of Managed Objects for Mapping Syslog Messages to Simple Network Management Protocol (SNMP) Notifications
RFC 3647, November 2003, Internet X.509 Public Key Infrastructure, Certificate Policy and Certification Practices Framework
ISO/IEC 9594-8:2020 | Rec. ITU-T X.509 (2019), The Directory: Public-key and attribute certificate frameworks
RFC 791, September 1981, Internet Protocol Darpa Internet Program Protocol Specification
RFC 6335, August 2011, Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry
RFC 8446, August 2018, The Transport Layer Security (TLS) Protocol Version 1.3
RFC 1034, November 1987, DOMAIN NAMES - CONCEPTS AND FACILITIES
RFC 4291, February 2006, IP Version 6 Addressing Architecture
RFC 4632, August 2006, Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan
IEEE 1686, 2022 and 2013 edition, IEEE Standard for Intelligent Electronic Devices Cyber Security Capabilities
NERC-CIP, North American Electric Reliability Corporation Critical Infrastructure Protection Standard
NERC-CIP-007-6, Cyber Security – System Security Management
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply. ISO and IEC maintain terminological databases for use in standardization at the following addresses:
• IEC electropedia: available at http://www.electropedia.org/
• ISO online browsing platform: available at http://www.iso.org/obp
3.1 Cyber security event
The events that have a relationship with the cyber security aspect of an entity.
3.2 Cyber security event log
The cyber security event is logged, i.e., stored in an entity.
3.2.1 Log generation entity
The entity responsible for the generation of cybersecurity event log(s), e.g. an embedded device.
3.2.2 Log collection entity
The entity responsible for receiving the cybersecurity events from the “Log generation entity(ies)”.
3.3 Event
Occurrence of a condition or an action. [SOURCE: IEC 61025:2006, 3.8]
3.4 Entity
Particular thing, such as a person, place, process, object, concept, association, or event. [SOURCE: IEC 61158-6-14, ed. 3.0 (2014-08)]
3.5 Type
Defines the datatype and size limit of an attribute.
3.6 Characters And Character Sets
The following sub-sections provide a normative reference for several “named” ASCII characters and character sets that are used within this document. In many cases, these names increase the readability of areas in the document that refer to them (i.e., humans are not immediately good at understanding hexadecimal character codes or code ranges).
Furthermore, for accuracy and completeness, the ABNF form is used to specify values and ranges of values for characters and character sets respectively.
3.6.1 Named Characters
The following table provides a normative reference for several “named” ASCII characters that are used within this document. In many cases, these character names increase the readability of areas in the document that refer to them (i.e., humans are not immediately good at understanding hexadecimal character codes).
Character | Description | Value
ASCII-SPACE | The ASCII "space" character | %x20
ASCII-PERCENT | The ASCII "percent sign" character | %x25
ASCII-UNDERSCORE | The ASCII “underscore” character | %x5F
ASCII-MINUS | The ASCII “minus sign” or “hyphen” character | %x2D
ASCII-PERIOD | The ASCII “period”, “decimal point”, or “full stop” character | %x2E
ASCII-EQUALS | The ASCII “equals sign” character | %x3D
ASCII-SQ-BRACKET-L | The ASCII “left square bracket” character | %x5B
ASCII-SQ-BRACKET-R | The ASCII “right square bracket” character | %x5D
ASCII-DOUBLE-QUOTE | The ASCII “double quotation mark” character | %x22
ASCII-SOLIDUS | The ASCII “slash, forward-slash, virgule, solidus” character | %x2F
ASCII-P | The ASCII “upper-case P”, forward-slash, virgule, solidus” character | %x50
ASCII-X | The ASCII “upper-case X”, forward-slash, virgule, solidus” character | %x58
205 3.6.2 Named Character Sets
206 The following table provides a normative reference for several “named” character sets that are
207 used within this document. In many cases, these character set names increase the
208 readability of areas in the document that refer to them (i.e., humans are not immediately good
209 at understanding ranges of hexadecimal character codes).
Character Set | Description | Range / Values
ASCII | Any of the “common” or “7-bit” ASCII characters. | %x00.7F
ASCII-PRINT | Any of the “printable” ASCII characters. [SOURCE: ISO/IEC 14165-414, ed 1.0 (2007-05)] | %x20.7E
ASCII-PRINT-NSP | Any of the characters in the ASCII-PRINT set, except ASCII-SPACE. | %x21.7E
ASCII-LOWER | Any of the “lower-case” ASCII letters, e.g., “a to z” | %x61.7A
ASCII-UPPER | Any of the “upper-case” ASCII letters, e.g., “A to Z” | %x41.5A
ASCII-DIGIT | Any of the base-ten ASCII digit characters (e.g., “0 to 9”) | %x30.39
ASCII-ALPHANUMERIC | Any “lower-case”, “upper-case”, or “digit” character. | ASCII-DIGIT / ASCII-UPPER / ASCII-LOWER
ASCII-HEXADECIMAL | Any “digit” or character “a-f” or “A-F”. | ASCII-DIGIT / %x41.46 / %x61.66
ASCII-HOSTNAME | Any valid character that would appear in a device hostname. Source: RFC 1034 - Domain names - concepts and facilities (ietf.org) | ASCII-DIGIT / ASCII-UPPER / ASCII-LOWER / ASCII-PERIOD / ASCII-MINUS
ASCII-IPV4 | Any valid character that would appear in an Internet Protocol, Version 4 address dotted-decimal representation. Source: RFC 1035 - Domain names - implementation and specification (ietf.org) | ASCII-DIGIT / ASCII-PERIOD
ASCII-IPV6 | Any valid character that would appear in an Internet Protocol, Version 6 address representation. Source: RFC 4291 - IP Version 6 Addressing Architecture (ietf.org) | ASCII-ALPHANUMERIC / ASCII-COLON / ASCII-SQ-BRACKET-L / ASCII-SQ-BRACKET-R / ASCII-PERCENT
ASCII-CIDR | Any valid character that would appear in Internet Protocol CIDR address notation. Source: RFC 4632 - Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan (ietf.org) | ASCII-DIGIT / ASCII-SOLIDUS
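The definitions in the table above can be resolved mechanically into sets of code points and used to check a field value before it is logged. The following Python code is an added example, not part of the draft standard: it assumes that a value such as `%x20.7E` denotes the inclusive range 0x20 to 0x7E, takes the single-character names (ASCII-PERIOD, ASCII-MINUS and so on) at their standard ASCII code points, and the names `resolve` and `first_violation` are hypothetical.

```python
# Added example (not from the draft): resolve the named character sets of 3.6.2.
# Assumption: "%x20.7E" denotes the inclusive range 0x20..0x7E.

# Single-character names, taken at their standard ASCII code points.
SINGLE = {
    "ASCII-PERIOD": 0x2E, "ASCII-MINUS": 0x2D, "ASCII-COLON": 0x3A,
    "ASCII-PERCENT": 0x25, "ASCII-SOLIDUS": 0x2F,
    "ASCII-SQ-BRACKET-L": 0x5B, "ASCII-SQ-BRACKET-R": 0x5D,
}

# Definitions as written in the table; "/" separates alternatives.
TABLE = {
    "ASCII": "%x00.7F",
    "ASCII-PRINT": "%x20.7E",
    "ASCII-PRINT-NSP": "%x21.7E",
    "ASCII-LOWER": "%x61.7A",
    "ASCII-UPPER": "%x41.5A",
    "ASCII-DIGIT": "%x30.39",
    "ASCII-ALPHANUMERIC": "ASCII-DIGIT / ASCII-UPPER / ASCII-LOWER",
    "ASCII-HEXADECIMAL": "ASCII-DIGIT / %x41.46 / %x61.66",
    "ASCII-HOSTNAME": "ASCII-DIGIT / ASCII-UPPER / ASCII-LOWER / ASCII-PERIOD / ASCII-MINUS",
    "ASCII-IPV4": "ASCII-DIGIT / ASCII-PERIOD",
    "ASCII-IPV6": "ASCII-ALPHANUMERIC / ASCII-COLON / ASCII-SQ-BRACKET-L / ASCII-SQ-BRACKET-R / ASCII-PERCENT",
    "ASCII-CIDR": "ASCII-DIGIT / ASCII-SOLIDUS",
}

def resolve(name, _seen=()):
    """Expand a named set to a frozenset of code points, following references."""
    if name in SINGLE:
        return frozenset({SINGLE[name]})
    if name in _seen:
        raise ValueError(f"cyclic definition: {name}")
    points = set()
    for term in (t.strip() for t in TABLE[name].split("/")):
        if term.startswith("%x"):
            lo, _, hi = term[2:].partition(".")
            points.update(range(int(lo, 16), int(hi or lo, 16) + 1))
        else:
            points |= resolve(term, _seen + (name,))
    return frozenset(points)

def first_violation(value, set_name):
    """Return (index, char) of the first character outside the set, or None."""
    allowed = resolve(set_name)
    for i, ch in enumerate(value):
        if ord(ch) not in allowed:
            return (i, ch)
    return None
```

A value such as `999.999.999.999` passes the ASCII-IPV4 check: membership in a named character set constrains which characters may appear, not the syntax of the address, so a syntactic check is still needed where the field requires one.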
3.6.3 UTF-8
Character set that is a transformation format of the character set defined by ISO 10646 (see
RFC 2279). [SOURCE: ISO/IEC 14165-521, ed. 1.0 (2009-01)]
Note – The word “character” inside this standard signifies a character encoded in UTF-8 format.
3.7 User
In the context of this standard, a user is either a human being or a non-human being such as
a software application, device, etc.
3.8 Abbreviations and acronyms
Term Definition
DER Distributed Energy Resources
DNS Domain Name System
E2E End-to-End security
FQDN Fully Qualified Domain Name
IP Internet Protocol
IEC International Electrotechnical Commission
IS International Standard
LDAP Lightweight Directory Access Protocol
MMS Manufacturing Messaging Specification
OSI Open Systems Interconnection
SNMP Simple Network Management Protocol
SD STRUCTURED-DATA
TLS Transport Layer Security
TCP Transmission Control Protocol
TC Technical Committee
UTF Universal Character Set
UTC Coordinated Universal Time
Additional abbreviations and acronyms are defined in IEC 62351-2.
4 Structure for cyber security event
This section provides an information structure containing a list of attributes for both describing
and logging a cyber security event for a power system. This information structure is formulated
agnostically of any event logging protocol format and independently of any communication
protocol for transferring the cyber security events. This abstraction gives the end users of this
part of IEC 62351 the flexibility to log the cyber security event using any industry
standard event logging protocol by mapping this abstract information structure to the various
attributes of an event logging protocol. Additionally, this document provides a mapping of this
abstract information structure to Syslog [RFC 5424] and thereby provides the ability to
perform logging using Syslog [RFC 5424]. In addition, this document also provides a mapping
of IEC 62443-4-2 event definition attributes to a subset of the attributes stated in this
document for defining and logging a cyber security event. This mapping is described in
Annex D.
4.1 Information structure for describing a cyber security event
This section provides an abstract information structure to describe a cyber security event for
a power system. Its benefit is that it provides the ability to describe a list of cyber security
events for a power system to achieve interoperability in a heterogeneous power system
environment. Such a recommended list of cyber security events is further described in Annex A
and Annex B. This information structure is composed of a set of minimum attributes, as indicated
in Table 1, that shall be required to describe a cyber security event.
Table 1 – Abstract information structure for defining a cyber security event
Attributes (Clause) | Definition and Type
IECversion (Mandatory) | Definition: This attribute shall be used to indicate the IS version of this part of IEC 62351, i.e., IEC 62351-14, that an entity’s cyber security event conforms to. This part of IEC 62351 will undergo changes in future, and therefore it is important to state its IS version, i.e., which IS version of IEC 62351-14 a cyber security event conforms to.
Type: Monotonically increasing integer from 1 to 255.
The starting value for this edition of IEC 62351-14 is integer value 1.
As the standard will go through updates after the release of its first IS edition, this field shall be used to indicate its IS edition number. As an example:
for IS Ed 1, the IECversion is equal to 1,
for IS Ed 1.1, the IECversion will be equal to 2,
...







