IEC TS 62351-1:2007

TECHNICAL IEC
SPECIFICATION TS 62351-1
First edition
2007-05
Power systems management and
associated information exchange –
Data and communications security
Part 1:
Communication network and system security –
Introduction to security issues

Reference number
IEC/TS 62351-1:2007(E)
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.

IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Email: inmail@iec.ch
Web: www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.
ƒ Catalogue of IEC publications: www.iec.ch/searchpub
The IEC on-line Catalogue enables you to search by a variety of criteria (reference number, text, technical committee,…).
It also gives information on projects, withdrawn and replaced publications.
ƒ IEC Just Published: www.iec.ch/online_news/justpub
Stay up to date on all new IEC publications. Just Published details twice a month all new publications released. Available
on-line and also by email.
ƒ Customer Service Centre: www.iec.ch/webstore/custserv
If you wish to give us your feedback on this publication or need further assistance, please visit the Customer Service
Centre FAQ or contact us:
Email:
csc@iec.ch
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
TECHNICAL IEC
SPECIFICATION TS 62351-1
First edition
2007-05
Power systems management and
associated information exchange –
Data and communications security
Part 1:
Communication network and system security –
Introduction to security issues

PRICE CODE
Commission Electrotechnique Internationale V

International Electrotechnical Commission
МеждународнаяЭлектротехническаяКомиссия
For price, see current catalogue

– 2 – TS 62351-1 © IEC:2007(E)
CONTENTS
FOREWORD.4

1 Scope and object.6
1.1 Scope.6
1.2 Object .6
2 Normative references .7
3 Terms, definitions and abbreviations .7
4 Background for information security standards .7
4.1 Rationale for addressing information security in power system operations.7
4.2 IEC TC 57 data communications protocols .8
4.3 History of the Development of these Security Standards .8
5 Security issues for the IEC 62351 series .9
5.1 General information on security.9
5.2 Types of security threats .9
5.3 Security requirements, threats, vulnerabilities, attacks, and countermeasures.12
5.4 Importance of security policies .19
5.5 Security risk assessment.20
5.6 Understanding the security requirements and impact of security measures on
power system operations.20
5.7 Five-step security process.21
5.8 Applying security to power system operations .23
6 Overview of the IEC 62351 series.24
6.1 Scope of the IEC 62351 series .24
6.2 Authentication as key security requirement.24
6.3 Objectives of the IEC 62351 series.24
6.4 Relationships between the IEC 62351 parts and IEC protocols.25
6.5 IEC 62351-1: Introduction.26
6.6 IEC 62351-2: Glossary of terms.26
6.7 IEC 62351-3: Profiles including TCP/IP .26
6.8 IEC 62351-4: Security for profiles that include MMS .28
6.9 IEC 62351-5: Security for IEC 60870-5 and derivatives .28
6.10 IEC 62351-6: Security for IEC 61850 Profiles .29
6.11 IEC 62351-7: Security through network and system management.31
7 Conclusions.34

Bibliography.35

Figure 1 – Security requirements, threats, and possible attacks.14
Figure 2 – Security categories, typical attacks, and common countermeasures.14
Figure 3 – Confidentiality security countermeasures .16
Figure 4 – Integrity security countermeasures.16
Figure 5 – Availability security countermeasures.17
Figure 6 – Non-repudiation security countermeasures.17
Figure 7 – Overall security: security requirements, threats, countermeasures, and
management.18

TS 62351-1 © IEC:2007(E) – 3 –
Figure 8 – General security process – continuous cycle.22
Figure 9 – Correlation between the IEC 62351 series and IEC TC 57 profile standards.26
Figure 10 – Authentication security measure in GOOSE/SMV .31
Figure 11 – NSM object models are the information infrastructure equivalent to the CIM
and IEC 61850 object models of the power system infrastructure.32
Figure 12 – Power system operations systems, illustrating the security monitoring
architecture.33

Table 1 – Characteristics of the three multicast IEC 61850 protocols .30
Table 2 – Security measures for the three multicast IEC 61850 protocols .30

– 4 – TS 62351-1 © IEC:2007(E)
INTERNATIONAL ELECTROTECHNICAL COMMISSION
_____________________
POWER SYSTEMS MANAGEMENT AND ASSOCIATED
INFORMATION EXCHANGE –
DATA AND COMMUNICATIONS SECURITY

Part 1: Communication network and system security –
Introduction to security issues

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
The main task of IEC technical committees is to prepare International Standards. In
exceptional circumstances, a technical committee may propose the publication of a technical
specification when
• the required support cannot be obtained for the publication of an International Standard,
despite repeated efforts, or
• The subject is still under technical development or where, for any other reason, there is
the future but no immediate possibility of an agreement on an International Standard.
Technical specifications are subject to review within three years of publication to decide
whether they can be transformed into International Standards.

TS 62351-1 © IEC:2007(E) – 5 –
IEC 62351-1, which is a technical specification, has been prepared by IEC technical
committee 57: Power systems management and associated information exchange.
The text of this technical specification is based on the following documents:
Enquiry draft Report on voting
57/802/DTS 57/850/RVC
Full information on the voting for the approval of this technical specification can be found in
the report on voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
A list of all parts of the IEC 62351 series, under the general title Power systems management
and associated information exchange – Data and communications security, can be found on
the IEC website.
The committee has decided that the contents of this publication will remain unchanged until
the maintenance result date indicated on the IEC web site under "http://webstore.iec.ch" in the
data related to the specific publication. At this date, the publication will be
• transformed into an International standard,
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
A bilingual edition of this document may be issued at a later date.

– 6 – TS 62351-1 © IEC:2007(E)
POWER SYSTEMS MANAGEMENT AND ASSOCIATED
INFORMATION EXCHANGE –
DATA AND COMMUNICATIONS SECURITY

Part 1: Communication network and system security –
Introduction to security issues

1 Scope and object
1.1 Scope
The scope of the IEC 62351 series is information security for power system control
operations. The primary objective is to “Undertake the development of standards for security
of the communication protocols defined by IEC TC 57, specifically the IEC 60870-5 series, the
IEC 60870-6 series, the IEC 61850 series, the IEC 61970 series, and the IEC 61968 series.
Undertake the development of standards and/or technical reports on end-to-end security
issues.”
1.2 Object
Specific objectives include:
• IEC 62351-1 provides an introduction to the remaining parts of the standard, primarily to
introduce the reader to various aspects of information security as applied to power
system operations.
• IEC 62351-3 to IEC 62351-6 specify security standards for the IEC TC 57
communication protocols. These can be used to provide various levels of protocol
security, depending upon the protocol and the parameters selected for a specific
implementation. They have also been design for backward compatibility and phased
implementations.
• IEC 62351-7 addresses one area among many possible areas of end-to-end information
security, namely the enhancement of overall management of the communications
networks supporting power system operations.
• Other parts are expected to follow to address more areas of information security.
The justification for developing these information security standards is that safety, security,
and reliability have always been important issues in the design and operation of systems in
the power industry, and information security is becoming increasingly important in this
industry as it relies more and more on an information infrastructure. The deregulated market
has imposed new threats as knowledge of assets of a competitor and the operation of his
system can be beneficial and acquisition of such information is a possible reality. In addition,
inadvertent actions (e.g. carelessness and natural disasters) can be as damaging as
deliberate actions. Recently, the additional threat of terrorism has become more visible.
Although many definitions of “end-to-end” security exist, one (multi-statement) standard
definition is “1. Safeguarding information in a secure telecommunication system by
cryptographic or protected distribution system means from point of origin to point of
destination. 2. Safeguarding information in an information system from point of origin to point
of destination” . Using this definition as a basis, the first four standards address the security
enhancements for IEC TC 57 communication profiles, since these were identified as the
obvious first steps in securing power system control operations. However, these security
enhancements can only address the security requirements between two systems, but does not
address true “end-to-end” security that covers internal security requirements, including
___________
ATIS: an expansion of FS-1037C which is the US Federal Government standard glossary for
telecommunications terms.
TS 62351-1 © IEC:2007(E) – 7 –
security policies, security enforcement, intrusion detection, internal system and application
health, and all the broader security needs.
Therefore, the final sentence in the scope/purpose statement is very important: it is
recognized that the addition of firewalls or just the simple use of encryption in protocols, for
instance by adding “bump-in-the-wire” encryption boxes or even virtual private network (VPN)
technologies would not be adequate for many situations. Security truly is an “end-to-end”
requirement to ensure authenticated access to sensitive power system equipment, authorized
access to sensitive market data, reliable and timely information on equipment functioning and
failures, backup of critical systems, and audit capabilities that permit detection and
reconstruction of crucial events.
2 Normative references
The following documents contain provisions which, through reference in this text, constitute
provisions of this part of the IEC 62351 standard series.
IEC 60870-5 (all parts), Telecontrol equipment and systems – Part 5: Transmission protocols
IEC 60870-6 (all parts), Telecontrol equipment and systems – Part 6: Telecontrol protocols
compatible with ISO standards and ITU-T recommendations
IEC 61850 (all parts), Communication networks and systems in substations
3 Terms, definitions and abbreviations
For the purposes of this part of IEC 62351, the terms and definitions given in IEC 62351-2
apply.
4 Background for information security standards
4.1 Rationale for addressing information security in power system operations
Communication protocols are one of the most critical parts of power system operations,
responsible for retrieving information from field equipment and, vice versa, for sending control
commands. Despite their key function, to date, these communication protocols have rarely
incorporated any security measures, including security against inadvertent errors, power
system equipment malfunctions, communications equipment failures, or deliberate sabotage.
Since these protocols were very specialized, “Security by Obscurity” has been the primary
approach. After all, only operators are allowed to control breakers from highly protected
control centres. Who could possibly care about the megawatts on a line, or have the
knowledge of how to read the idiosyncratic bits and bytes of the appropriate one-out-of-a-
hundred communication protocols. And why would anyone want to disrupt power systems?
However, security by obscurity is no longer a valid concept. In particular, the electricity
market is pressuring market participants to gain any edge they can. A tiny amount of
information can turn a losing bid into a winning bid – or withholding that information from your
competitor can make their winning bid into a losing bid. And the desire to disrupt power
___________
Also known as Inter-Control Centre Communications Protocol (ICCP) allows for data exchange over Wide Area
Networks (WANs) between a utility control centre and other control centres, other utilities, power pools, regional
control centres, and Non-Utility Generators.
IEC 61850 which is used for protective relaying, substation automation, distribution automation, power quality,
distributed energy resources, substation to control centre, and other power industry operational functions. It
includes profiles to meet the ultra fast response times of protective relaying and for the sampling of measured
values, as well as profiles focused on the monitoring and control of substation and field equipment.

– 8 – TS 62351-1 © IEC:2007(E)
system operations can stem from simple teenager bravado to competitive game-playing in the
electrical marketplace to actual terrorism.
It is not only the market forces that are making security crucial. The sheer complexity of
operating a power system has increased over the years, making equipment failures and
operational mistakes more likely and their impact greater in scope and cost. In addition, the
older, “obscure” communications protocols are being replaced by standardized, well-
documented protocols that are more susceptible to hackers and industrial spies.
As the power industry relies increasingly on information to operate the power system, two
infrastructures now have to be managed: not only the Power System Infrastructure, but also
the Information Infrastructure. The management of the power system infrastructure has
become reliant on the information infrastructure as automation continues to replace manual
operations, as market forces demand more accurate and timely information, and as the power
system equipment ages. Therefore, the reliability of the power system is increasingly affected
by any problems that the information infrastructure might suffer.
4.2 IEC TC 57 data communications protocols
The International Electrotechnical Commission (IEC) Technical Committee (TC) 57 Power
Systems Management and Associated Information Exchange is responsible for developing
international standards for power system data communications protocols. Its scope is “To
prepare international standards for power systems control equipment and systems including
EMS (Energy Management Systems), SCADA (Supervisory Control and Data Acquisition),
distribution automation, teleprotection, and associated information exchange for real-time and
non-real-time information, used in the planning, operation and maintenance of power systems.
Power systems management comprises control within control centres, substations, and
individual pieces of primary equipment including telecontrol and interfaces to equipment,
systems, and databases, which may be outside the scope of TC 57. The special conditions in
a high voltage environment have to be taken into consideration.”
IEC TC 57 has developed three widely accepted protocol standards, and has been the source
of a fourth protocol. The three protocols are:
• IEC 60870-5 which is widely used in Europe and other non-US countries for SCADA
system to RTU data communications. It is used both in serial links (IEC 60870-5-101) and
over networks (IEC 60870-5-104). DNP3 was derived from IEC 60870-5 for use in the USA
and now is widely used in many other countries as well, primarily for SCADA system to
RTU data communications.
• IEC 60870-6 (also known as TASE.2 or ICCP) which is used internationally for
communications between control centres and often for communications between SCADA
systems and other engineering systems within control centres.
• IEC 61850 which is used for protective relaying, substation automation, distribution
automation, power quality, distributed energy resources, substation to control centre, and
other power industry operational functions. It includes profiles to meet the ultra fast
response times of protective relaying and for the sampling of measured values, as well as
profiles focused on the monitoring and control of substation and field equipment.
These protocols are now widely used in the electric power industry. However, they were
developed before information security became a major issue for the industry, so no security
measures were included in the original standards.
4.3 History of the Development of these Security Standards
By 1997, IEC TC 57 recognized that security would be necessary for these protocols. It
therefore first established a temporary group to study the issues of security. This group
published a IEC/TR 62210 on the security requirements. One of the recommendations of

TS 62351-1 © IEC:2007(E) – 9 –
IEC/TR 62210 was to form a Working Group to develop security standards for the IEC TC 57
protocols and their derivatives.
The International Standards Organization (ISO) Common Criteria were originally selected as
the method for determining the security requirements. This approach uses the concept of a
Target of Evaluation (TOE) as the focus of a security analysis. However, determining what the
characteristics of the TOE to protect became very cumbersome, given the multiplicity of
different power system environments and the varying security needs, so ultimately it was not
used. Threat-mitigation analysis (determining the most common threats and then developing
security countermeasures for those threats) was used instead.
Therefore, IEC TC 57 WG 15 was formed in 1999, and has undertaken this work. The WG 15
title is “Power system control and associated communications – Data and communication
security” and its scope and purpose are to “Undertake the development of standards for
security of the communication protocols defined by the IEC TC 57, specifically the IEC 60870-
5 series, the IEC 60870-6 series, the IEC 61850 series, the IEC 61970 series, and the IEC
61968 series. Undertake the development of standards and/or technical reports on end-to-end
security issues.”
The justification was that safety, security, and reliability have always been important issues in
the design and operation of systems in the power industry, and cyber security is becoming
increasingly important in this industry as it relies more and more on an information
infrastructure. The deregulated market has imposed new threats as knowledge of assets of a
competitor and the operation of his system can be beneficial and acquisition of such
information is a possible reality. Recently, the additional threat of terrorism has become more
visible.
The final sentence in the scope/purpose statement is very important: it was recognized that
the addition of just simple encryption of the data, for instance by adding “bump-in-the-wire”
encryption boxes or even virtual private network (VPN) technologies would not be adequate
for many situations. Security truly is an “end-to-end” requirement to ensure authenticated
access to sensitive power system equipment, reliable and timely information on equipment
functioning and failures, backup of critical systems, and audit capabilities that permit
reconstruction of crucial events.
5 Security issues for the IEC 62351 series
5.1 General information on security
This informative clause provides additional information on security issues that are not
explicitly covered by these normative standards, but may be useful for understanding the
context and scope of the normative standards.
5.2 Types of security threats
5.2.1 General
Security threats are generally viewed as the potential for attacks against assets. These assets
can be physical equipment, computer hardware, buildings, and even people. However, in the
cyber world, assets also include information, databases, and software applications. Therefore
countermeasures to security threats should include protection against both physical attacks
as well as cyber attacks.
Security threats to assets can result from inadvertent events as well as deliberate attacks. In
fact, often more actual damage can result from safety breakdowns, equipment failures,
carelessness, and natural disasters than from deliberate attacks. However, the reactions to
successful deliberate attacks can have tremendous legal, social, and financial consequences
that could far exceed the physical damage.

– 10 – TS 62351-1 © IEC:2007(E)
Utilities are accustomed to worrying about equipment failures and safety-related
carelessness. Natural disasters are taken into consideration, particularly for utilities that
commonly experience hurricanes, earthquakes, cyclones, ice storms, etc., even though these
are looked upon as beyond the control of the utility. What is changing is the importance of
protecting information which is becoming an increasingly important aspect of safe, reliable,
and efficient power system operations.
Security risk assessment is vital in determining exactly what needs to be secured against
what threats and to which degree of security. The key is determining the cost-benefit: “one
size does not fit all” (substations), layers of security are better than a single solution, and
ultimately no protection against attacks can ever be completely absolute. Nonetheless, there
is a significant space between the extremes from doing nothing to doing everything, to provide
the level of security needed for modern utility operations.
The benefits also can flow the other way. If additional security is implemented against
possible deliberate attacks, this monitoring can be used to improve safety, minimize
carelessness, and improve the efficiency of equipment maintenance.
The following Subclauses discuss some of the most important threats to understand and to
protect against. Most of these are covered by the IEC 62351 series, at least at the monitoring
level.
5.2.2 Inadvertent threats
5.2.2.1 Safety failures
Safety has always been a primary concern for electric power utilities, particularly for those
field crews working in the high voltage environments of substations. Meticulous procedures
have been developed and refined over and over again to improve safety. Although these
procedures are the most important component of a safety program, monitoring of the status of
key equipment and the logging/alarming of compliance to the safety procedures through
electronic means can enhance safety to a significant degree, and can benefit other purposes
as well.
In particular, although access measures which permit only authorized personnel into
substations have been implemented primarily for safety reasons, electronic monitoring of
these safety measures can also help to prevent some deliberate attacks, such as vandalism
and theft.
5.2.2.2 Equipment failures
Equipment failures are the most common and expected threats to the reliable operation of the
power system. Significant work has been undertaken over the years to monitor the status of
substation equipment, such as oil temperature, cooling systems, frequency deviations, voltage
levels, and current overloads. This part of IEC 62351 does not focus on these types of
monitoring except where the additional information can provide additional physical security.
However, often the monitoring of the physical status of equipment can also benefit
maintenance efficiency, possible prevention of certain types of equipment failures, real-time
detection of failures not previously monitored, and forensic analysis of equipment failure
processes and impacts. Therefore, the total cost-benefit of some monitoring of physical
security can be improved by taking these additional consequences into account.
___________
In the sense that one single solution cannot be used for all situations, so multiple solutions should be allowed.

TS 62351-1 © IEC:2007(E) – 11 –
5.2.2.3 Carelessness
Carelessness is one of the “threats” to protecting assets in substations, whether it is
permitting tailgating into a substation or not locking doors or inadvertently allowing
unauthorized personnel to access passwords, keys, and other security safeguards. Often this
carelessness is due to complacency (“no one has ever harmed any equipment in a substation
yet”) or laziness (“why bother to lock this door for the few moments I am going into the other
area”) or irritation (“these security measures are impacting my ability to do my job”).
5.2.2.4 Natural disasters
Natural disasters, such as storms, hurricanes, and earthquakes, can lead to widespread
power system failures, safety breaches, and opportunities for theft, vandalism, and terrorism.
Monitoring of the physical and informational status of field facilities and equipment in real-time
can provide utilities with the “eyes and ears” to understand what is taking place and to take
ameliorating actions to minimize the impact of these natural disasters on power system
operations.
5.2.3 Deliberate threats
5.2.3.1 General
Deliberate threats can cause more focused damage to facilities and equipment in substations
than the inadvertent threats. The incentives for these deliberate threats are increasing as the
results from successful attacks can have increasingly economic and/or “socio/political”
benefits to the attackers. Sophisticated monitoring of facilities and equipment can help
prevent some of these threats, while ameliorating the impact of successful attacks through
real-time notifications and forensic trails.
5.2.3.2 Disgruntled employee
Disgruntled employees are one of the primary threats for attacks on power system assets.
Unhappy employees who have the knowledge to do harm can cause significantly more
damage than a non-employee, particularly in the power system industry where many of the
systems and equipment are very unique to the industry.
5.2.3.3 Industrial espionage
Industrial espionage in the power system industry is becoming more of a threat as
deregulation and competition involving millions of dollars provide growing incentives for
unauthorized access to information – and the possible damaging of equipment for nefarious
purposes. In addition to financial gains, some attackers could gain “socio/political” benefits
through “exposing” the incompetence or unreliability of competitors.
5.2.3.4 Vandalism
Vandalism can damage facilities and equipment with no specific gain to the attackers other
than the act of doing it, and the proof to themselves and others that they can do it. Often, the
vandals are unaware of or do not care about the possible consequences of their actions.
Monitoring the access to locked facilities and alarming any access anomalies in real-time can
help prevent most vandalism. However, some vandalism, such as shooting equipment in the
yard from outside the substation, or turning off equipment and software applications, would
require additional types of monitoring.
5.2.3.5 Cyber hackers
Hackers are people who seek to breach cyber security for gain. This gain may be directly
monetary, industrial knowledge, political, social, or just an individual challenge to see if the

– 12 – TS 62351-1 © IEC:2007(E)
hacker can gain access. Most hackers use the Internet as their primary gateway to entry, and
therefore most utilities use a variety of firewalls, isolation techniques, and other
countermeasures to separate power system operation systems from the Internet.
In the public’s eye, cyber security is often seen only as protection against hackers and their
associated problems, computer viruses and worms. With the computer systems for power
operations presumably kept isolated from the Internet, many utility personnel do not see any
reason for adding security measures to these systems. However, as clearly seen from these
Subclauses, this may not be true anymore as networking becomes more prevalent and
additional information access requirements grow (e.g. vendor remote access, maintenance
laptop access, protective relay engineer access for retrieving special data, etc.).
5.2.3.6 Viruses and worms
Like hackers, viruses and worms typically attack via the Internet. However, some viruses and
worms can be embedded in software that is loaded into systems that have been isolated from
the Internet, or could possibly be transmitted over secure communications from some
insecure laptop or other system. They could include man-in-the-middle viruses, spyware for
capturing power system data, and other Trojan horses.
5.2.3.7 Theft
Theft has a straightforward purpose – the attackers take something (equipment, data, or
knowledge) that they are not authorized to take. Generally, the purpose has financial gain as
the motive, although other motives are possible as well.
Again, monitoring access to locked facilities and alarming anomalies in the physical status
and health of equipment (e.g. not responding or disconnected) are the primary methods for
alerting personnel that theft is possibly being committed.
5.2.3.8 Terrorism
Terrorism is the least likely threat but the one with possibly the largest consequences since
the primary purpose of terrorism is to inflict the greatest degree of physical, financial, and
socio/political damage.
Monitoring and alarming anomalies to access (including physical proximity) to substation
facilities is possibly the most effective means to alert personnel to potential terrorist acts,
such as physically blowing up a substation or other facility. However, terrorists could become
more sophisticated in their actions, and seek to damage specific equipment or render critical
equipment inoperative in ways that could potentially do more harm to the power system at
large than just blowing up one substation. Therefore, additional types of monitoring are
critical, including the status and health of equipment.
5.3 Security requirements, threats, vulnerabilities, attacks, and countermeasures
5.3.1 Security requirements
Users, whether they are people or software applications, have zero or more of four basic
security requirements, which protect them from four basic threats. In each case, authorization
requires authentication of the users as a basic premise:
• Confidentiality – preventing the unauthorized access to information
• Integrity – preventing the unauthorized modification or theft of information
• Availability – preventing the denial of service and ensuring authorized access to
information
TS 62351-1 © IEC:2007(E) – 13 –
• Non-repudiation or accountability – preventing the denial of an action that took place or
the claim of an action that did not take place.
5.3.2 Security threats
In general, there are four types of cyber security threats:
• Unauthorized access to information.
• Unauthorized modification or theft of information.
• Denial of service.
• Repudiation/unaccountability.
There are, however, many different types of vulnerabilities and methods of attacks against
these vulnerabilities by which these threats might be successful. Security countermeasures
shall take into account these different types of vulnerabilities and attack methods.
5.3.3 Security vulnerabilities
Cyber security vulnerabilities refer to weaknesses or other opening in a system that could
permit deliberate or inadvertent unauthorized actions to realize a threat. Vulnerabilities may
result from bugs or design flaws in the system, but can also result from equipment failures
and physical actions. A vulnerability can exist either only in theory, or could have a known
exploit.
5.3.4 Security attacks
The threats can be realized by many different types of attacks, some of which are illustrated
in Figure 1. As can be seen, the same type of attack can often be involved in different security
threats. This web of potential attacks means that there is not just one method of meeting a
particular security requirement: each of the types of attacks that present a specific threat
needs to be countered.
In addition, a “chain of attacks” in which a sequence of attacks, possibly involving different
assets and possibly taking place over time, can also realize a given threat.

– 14 – TS 62351-1 © IEC:2007(E)
ReReququiremiremeenntsts
CCoonnffidideenntialtialityity IIntnteeggrityrity AAvvailabailabiilitylity NNoonn-Re-Reppuuddiatiatioionn
UUnnauautthhororizized ed UnUnauautthhooririzzeedd DDeenniiaall of of S Seerrvvice ice oorr AAcccouncounttaabilitbilityy;; D Deenniialal o off A Accttiionon
AAcceccess tss too MMoodifdifiicatcationion or or TThheefftt PPrrevevenenttiioonn of of tthhaatt t tooookk plac place, ore, or C Cllaiaimm o off
IInnffoormarmattiioonn ooff Inf Infoorrmmaattioionn AuAutthhoorriizzeedd A Accesccesss AAccttiionon t thhaatt di did nd noott t taakkee p pllaaccee
LiListsteenniinngg
InInttereractactiioonnss
PPllantanteedd i inn S Syystemstem AAfftteerr--ththee--FactFact
EEaveavesdrsdrooppppiinngg
MasquerMasqueraadede
ViViruruss//WoWorrmmss
DDeenniiaall of of AAcctitionon
TTrraffaffiic Ac Annalyalyssiiss
BByyppaassissingng
TrTroojjaan Hn Hoorrssee
ClClaaiimm o off AAccttiioonn
CControntroollss
EMEM//RRFF
SSttoollenen//AAlltterereded
TTrraapdoorpdoor
InIntteerrcceepptiotionn
AAuuthorthoriizzatiatioonn
ViVioollaattiioonn
ReReppuuddiiaattiioonn
SeServrviiccee S Sppooooffiinngg
InInddiiscscrerettiionsons
by Pby Peerrssononnneell
PPhhysiysiccaall
InInttrrususiioonn
MediMediaa
SSccaavenvengiginngg
MaMann--iinn-the-M-the-Miiddddllee
DeDenniiaall o off SSeerrvviiccee
InIntteegrgriittyy V Viioollaattioionn
RReessoouurrcece E Exxhauhausstitionon
MMMooodididifffiiicacacatititiononon
TheftTheft
EEqquuiippmmeent Fant Faililuurree
IIInnnterterterccceeepppt/t/t/AAAlllterterter
ReReppllaayy
SoSoffttwwaarere Fa Faiilluurree
ReReRepppuuudddiiiaaatttiiiooonnn
IEC  608/07
Figure 1 – Security requirements, threats, and possible attacks
5.3.5 Security Categories
From one perspective on security, cyber security can be categorized into four areas (see
Figure 2). These categories are illustrated below:
CounteCounterrmemeaassureuress
CCyybberer S Secuecurriittyy Categ Categoorriieses TTyyppiiccalal S Secuecuririttyy AAtttackstacks
MMasquasquereraade, Bde, Byyppass ass CCoonnttrrooll,, HumHumaann Rol Rolee-b-baseased d anand d
HumHumaann--MMachiachinne e
ThThefeft, Cart, Careleselessnsneess, ss, IInnddiivividudual Authal Authentienticaticatioonn an and d
InterInterffaceace
RReeppuuddiiaattioionn,, P Phhyyssicaicall InInttrruussiioonn AutAuthhororiizzaattiionon
MMasquasquereraade, Bde, Byyppass ass CCoonnttrrooll,, SoftwSoftwarare Ae Auuththenenttiicacatitioonn,,
SoftwSoftwarare Appe Applliicaticatioonsns
TrTrojaojann Hor Horse,se, VViirruuseses, s, AuthAuthoorriizzaattiioonn,, Te Teststiing,ng, PPaatctch h
iinn Com Comppuutterer S Syyssttememss
MMaalflfuunnctictioonnss, B, Buuggss MMaanagnageemmeentnt
EavEaveesdsdroroppppinging,, M Maasqsquueerradadee,, EEnncrcryypptitioonn,, Tr Tranansmsmiississioonn
CCoommmmuunnicaicatiotionnss
MMaan-in-inn--tthhee-M-Miiddlddlee,, Re Replplaayy,, AAuutthhenenttiicacatition,on, Acc Access ess
TrTransanspoporrtt P Prrototocolocolss
ResoResoururce Ece Exxhahaustiustionon CCoontrntrooll,, Di Digigittaall Si Siggnnataturureses
ResoResoururce Ece Exxhahaustiustioonn,, PPaatthh RestrRestriicctteded A Accccess,ess, C Cooddiing ng
CCoommmmuunnicaicatiotionnss
FaiFaillurure,e, TrTrafaffificc A Annalalyyssiiss,, E EMM//RRF F EncrEncryypptitioonn,, Re Redudundndaanntt
MeMeddiiaa
IInntertercceptieptionon,, EM EM//RRF F IInnterterffererenencece MMessageessagess,, Re Redudundndaanntt PPaaththss

IEC  609/07
Figure 2 – Security categories, typical attacks, and common countermeasures
AttacAttackkss ThreaThreatsts
TS 62351-1 © IEC:2007(E) – 15 –
Usually all four of these categories need to have security measures applied in order to
achieve “end-to-end” security. Just securing one category will typically not be adequate. For
instance, just implementing a Virtual Private Network (VPN) only handles threats to the
communications transport protocols, and does not prevent one person masquerading as
another person, nor does it prevent a malicious s
...