[ IEC 62351 ] is a series of standards that brings cyber security technologies to a number of telecontrol protocols.
The IEC website offers a detailed introduction to [ IEC 62351 ]. Summarized:
The standard documents are available from various standards organizations, e.g. from the [ IEC Webstore ].
Here we give a brief overview of the standards IEC 62351-3 and IEC 62351-5 and of what is implemented in COMPROTware:Testtool and how.
By default, telecontrol protocols provide neither authentication nor encryption. To fix this for IEC 60870-5-104, DNP3/IEEE 1815 over LAN/WAN and MODBUS TCP/IP (all three are widely used IP-based telecontrol protocols), TLS-secured connections are used to add authentication and encryption to these protocols. The idea behind IEC 62351-3 is to leave the telecontrol protocol as it is and to carry the telecontrol communication inside a secured connection. TLS-secured connections are well known from the https protocol in web browsers, and TLS-secured connections for telecontrol protocols are basically the same as https connections in a web browser. The difference is that with https usually only the web server is authenticated, whereas TLS-secured connections for telecontrol protocols also make use of TLS client authentication, so both sides are authenticated.
Client and server are authenticated with X.509 certificates. The telecontrol communication is encrypted with the (steadily evolving) cryptography defined by TLS.
Details of TLS-secured connections are laid out in IEC 60870-5-7 for IEC 60870-5-104 and in DNP3 SAv5 for DNP3/IEEE 1815 over LAN/WAN.
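As an added illustration (not code from COMPROTware or from the standards), this Go program carries an unchanged IEC 104 APDU through a mutually authenticated TLS 1.2 session and shows that a controlling station presenting no certificate is refused during the handshake, before any telecontrol data is exchanged. The station names, the self-signed certificates and the in-memory pipe are constructed stand-ins for a real deployment's CA-issued certificates and TCP connection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSigned makes a throwaway self-signed certificate and a pool trusting it for one station
// (constructed demo material, errors ignored; a real deployment uses certificates from a utility CA).
func selfSigned(name string) (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	parsed, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// relayAPDU sends one unchanged IEC 104 APDU from controlling station (TLS client) to controlled station (TLS server).
func relayAPDU(apdu []byte, withClientCert bool) ([]byte, error) {
	srvCert, trustSrv := selfSigned("controlled-station")
	cliCert, trustCli := selfSigned("controlling-station")
	// TLS 1.2 pinned as IEC 62351-3 requires; RequireAndVerifyClientCert is the client authentication https lacks.
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientCAs: trustCli,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	cliCfg := &tls.Config{RootCAs: trustSrv, ServerName: "controlled-station", MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	if withClientCert {
		cliCfg.Certificates = []tls.Certificate{cliCert}
	}
	a, b := net.Pipe() // in-memory stand-in for the TCP connection
	got := make(chan []byte, 1)
	go func() { // controlled station: Read runs the handshake, then takes the APDU as-is
		buf := make([]byte, 256)
		n, _ := tls.Server(b, srvCfg).Read(buf)
		got <- buf[:n]
	}()
	if _, err := tls.Client(a, cliCfg).Write(apdu); err != nil { // Write runs the handshake first
		return nil, err
	}
	return <-got, nil
}
```

Calling relayAPDU with the six-byte STARTDT act APDU 68 04 07 00 00 00 returns it unchanged when withClientCert is true, and returns a handshake error (the server's bad-certificate alert) when it is false.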
These are the standard TCP/IP and UDP/IP ports for TLS-secured connections:
For the use of IEC 62351-3 with COMPROTware:Testtool we have prepared two documents, Short introduction to TLS/certificates (PDF, approx. 120K) and Example with two certificate sets (PDF, approx. 90K), which give a brief introduction to TLS and describe the use of the demo certificates.
In COMPROTware:Library (abbrev. CPLB) all Master and Slave implementations of our TCP/IP-based protocol stacks support TLS-secured connections according to IEC 62351-3.
The standard IEC 62351-3 uses TLS to secure (authenticate and encrypt) the communication between a Controlling Station and a Controlled Station. In contrast to IEC 62351-3, IEC 62351-5 changes the protocol itself: it adds user management and authentication at Type Identification/Function Code level.
The standard IEC 62351-3 is limited to network-based protocols, whereas IEC 62351-5 is independent of the physical layer. IEC 62351-5 is therefore suitable not only for IEC 60870-5-104 and DNP3 over LAN/WAN but also for IEC 60870-5-101 and DNP3 serial.
For IEC 60870-5-101 and -104, IEC 60870-5-7 introduces the following additional Type Identifications:
For DNP3 serial and DNP3 over LAN/WAN, DNP3 SAv5 adds the following Function Codes:
The following new Object Groups are also introduced:
It is noteworthy that with IEC 62351-5 statistics about the secured connection are also transmitted using the protocol itself.
Real Thoughts is currently working on adding IEC 62351-5 to COMPROTware:Testtool. Are you interested in joining our work in progress? Send us an e-mail: cptt@realthoughts.de
Real Thoughts is currently working on adding IEC 62351-5 to COMPROTware:Library (abbrev. CPLB). Are you interested in joining our work in progress? Send us an e-mail: cplb@realthoughts.de