Cybersecurity in energy systems is no longer optional. IEC 62351 is the standard series that defines how to secure communications across power systems — including smart metering networks. Here is a complete guide to what it covers and why it matters.
What is IEC 62351?
IEC 62351 is a multi-part international standard published by IEC Technical Committee 57 (TC57) for security of power systems management and associated information exchange. It covers authentication, encryption, role-based access control, and key management for protocols used in power system operations — including DLMS/COSEM, IEC 61850, IEC 60870-5, and DNP3.
IEC 62351 Series Structure
| Part | Title | Key Content |
|---|---|---|
| 62351-1 | Communication network and system security — Introduction | Overview, threat model, security objectives. The starting point for understanding the series. |
| 62351-2 | Glossary of terms | Definitions used across all parts |
| 62351-3 | Security for profiles including TCP/IP | TLS 1.2/1.3 profiles for SCADA and metering communications over IP. Cipher suite requirements, certificate profiles. |
| 62351-4 | Security for MMS and ACSI (IEC 61850) | Application-layer security for IEC 61850 Manufacturing Message Specification |
| 62351-5 | Security for IEC 60870-5 and derivatives | Securing DNP3 and IEC 60870-5-101/104 SCADA protocols |
| 62351-6 | Security for IEC 61850 peer-to-peer profiles | GOOSE and Sampled Values security — critical for substation protection |
| 62351-7 | Network and system management (NSM) data object models | Security monitoring objects — how to expose security status via SNMP and IEC 61850 |
| 62351-8 | Role-based access control for power systems | RBAC model: roles, permissions, attributes, token-based access. Directly relevant to DLMS association management. |
| 62351-9 | Cyber security key management for power systems | Key lifecycle: generation, distribution, rotation, revocation. PKI architecture for power systems. |
| 62351-10 | Security architecture guidelines | How to apply security controls across a complete power system architecture |
| 62351-11 | Security for XML documents | XML signature and encryption for configuration and data exchange files |
| 62351-12 | Resilience and security recommendations for power systems | Resilience requirements at system level |
| 62351-13 | Guidelines on cybersecurity for power systems — what needs to be standardized | Research agenda — identifies gaps and future work |
| 62351-14 | Cyber security event logging | Standardised event log format for security incidents in power systems |
How IEC 62351 Relates to DLMS/COSEM
DLMS/COSEM (IEC 62056) has its own application-layer security suite defined in IEC 62056-8-1 (AES-128 GCM). IEC 62351 adds to this at the transport layer and the key management layer:
- 62351-3 defines TLS requirements for DLMS over TCP/IP — adding transport-layer security on top of DLMS application-layer encryption for defence in depth
- 62351-8 provides the RBAC framework that maps to DLMS association management and access rights
- 62351-9 defines key management procedures that complement the DLMS key agreement mechanism (ECDH key exchange in DLMS security suite 1)
The DLMS Security Suites
IEC 62056-8-1 defines three security suites that align with 62351 principles:
| Suite | Algorithm | Key Exchange | Status |
|---|---|---|---|
| Suite 0 | AES-128 GCM | Pre-shared keys | Current standard — widely deployed |
| Suite 1 | AES-128 GCM | ECDH (P-256) | Next-generation — forward secrecy |
| Suite 2 | AES-256 GCM | ECDH (P-384) | High-security environments |
Threats the Standards Address
Man-in-the-Middle (MitM)
An attacker intercepts meter communications to read or modify data. DLMS AES-128 GCM attaches an authentication tag to each frame, so modified data fails verification and is rejected. TLS per 62351-3 prevents eavesdropping.
Replay Attacks
An attacker captures a valid command (e.g. disconnect) and replays it. DLMS uses a frame counter (monotonically increasing) inside the ciphertext — replayed frames have an old counter and are rejected.
Unauthorised Access
An attacker connects to the meter’s DLMS TCP port and issues commands. DLMS associations require authentication (password or public key). RBAC per 62351-8 limits what each authenticated entity can do.
Firmware Compromise
An attacker pushes malicious firmware via FOTA (firmware over-the-air update). DLMS Image Transfer (Class 18) requires the firmware image to be signed. The meter verifies the signature before activating the image.
Practical Recommendations for Utilities
- Require DLMS Security Suite 0 as a minimum in all meter procurement — reject meters that support Mode 0 (no encryption) only
- Audit key management procedures: who holds the DLMS global encryption key, how is it rotated, what happens when a meter is decommissioned?
- Enable TLS 1.2+ on HES-to-meter TCP connections (62351-3) for defence in depth
- Implement RBAC so field technicians cannot issue disconnect commands — only the billing system can
- Monitor frame counters — a sudden reset to zero may indicate a meter firmware attack
- Require a published SBOM (Software Bill of Materials) from meter vendors to identify vulnerable open-source components
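
The replay rule from "Replay Attacks" and the frame-counter monitoring recommendation above can be combined in one head-end check. The following is an added example, not code from IEC 62351, IEC 62056 or any vendor. The meter IDs, counter values and alert names are constructed, and it assumes each frame has already passed authentication and had its counter extracted.

```python
from dataclasses import dataclass

# Constructed sample: (meter_id, frame_counter) pairs in arrival order at the HES.
SAMPLE_FRAMES = [
    ("MTR-001", 1041), ("MTR-002", 77), ("MTR-001", 1042),
    ("MTR-001", 1042),  # same counter seen again: replayed frame
    ("MTR-002", 78), ("MTR-001", 1043),
    ("MTR-002", 0),     # counter back at zero: the reset case from the list above
    ("MTR-001", 1040),  # older than the last accepted counter: stale replay
    ("MTR-001", 1044),
]


@dataclass(frozen=True)
class Alert:
    meter_id: str
    kind: str            # "REPLAY" or "RESET" (hypothetical alert names)
    counter: int
    last_accepted: int


def check_frames(frames):
    """Accept only strictly increasing counters per meter.

    Returns (accepted, alerts). A rejected frame never lowers the stored
    counter, so a reset stays flagged until an operator re-provisions the meter.
    """
    last = {}            # meter_id -> highest counter accepted so far
    accepted, alerts = [], []
    for meter_id, counter in frames:
        prev = last.get(meter_id)
        if prev is None or counter > prev:
            last[meter_id] = counter
            accepted.append((meter_id, counter))
            continue
        # Not increasing: a drop to zero is reported separately from a replay.
        kind = "RESET" if counter == 0 and prev > 0 else "REPLAY"
        alerts.append(Alert(meter_id, kind, counter, prev))
    return accepted, alerts


if __name__ == "__main__":
    accepted, alerts = check_frames(SAMPLE_FRAMES)
    print(f"{len(accepted)} frames accepted")
    for a in alerts:
        print(f"{a.kind:6} {a.meter_id} counter={a.counter} last_accepted={a.last_accepted}")
```

In production the per-meter counter state has to survive head-end restarts, otherwise every meter looks new after a reboot and old frames are accepted again.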
Further Reading
- IEC 62351 series — available from webstore.iec.ch
- ENISA Smart Grid Security: enisa.europa.eu
- NIST IR 7628 — Guidelines for Smart Grid Cybersecurity
- NERC CIP standards (North America) — critical infrastructure protection