Subscribe to Blog Updates

IEC 62351: Secure communication in the energy industry

Back in 2017, headlines reported that hackers had shut down monitoring systems for oil and gas pipelines across the United States. Alarmingly, insecure third-party systems in SCADA platforms were to blame. How can the energy industry prevent further attacks like this? I’d like to explain the importance of end-to-end secure communications in the energy sector and the need for the IEC 62351 standard.

    

When things go wrong

Unfortunately, the attacks on oil and gas pipelines case isn’t a rare example. The following year, cybercriminals also gained access to the United Kingdom's electricity system. The group phished its way into energy systems using a phony word document CV for a man called ‘Jacob Morrison’. Once infiltrated, the group took screenshots of the system, leading experts to believe the hackers were spying to learn how every aspect of the system works.

Attacks like this continue to be a huge concern for the energy sector, particularly if the hacker manipulates data. For example, a cybercriminal could hack a business’s energy controller and change the threshold values of a reaction, or worse. They could maliciously lower the perceived voltage measurement of an energy customer, so the controller thinks the voltage is lower than what it really is. The controller would then increase the voltage at the customer site, exceeding tolerances and destroying power supplies.

Where there is high risk, there needs to be high levels of protection.

 

Time for change

Many of the energy meters, switches and controls in power plants and substations were designed years ago and as such, only have basic password protection. Criminals know this, so the industry needs to react.

Despite such high-profile attacks, energy security is a shockingly new topic for many in the sector. Even when LAN based technologies such as IEC 60870-5-104 or DNP3 TCP came into play in the late 1990s, concerns about data hacks or data protection were not prevalent.

Today, these older communication protocols are out of date and must be retrofitted with security features that can prevent modern security threats.

To make security even more challenging, the energy grid is no longer confined to its physical structure. The ever-developing smart grid takes energy systems into the cyber-physical world. With data sent trough and stored in the cloud, energy data could become even more vulnerable if security standards are not updated.

 

Enter, IEC 62351

IEC 62351 is the current standard for security in energy management systems and the exchange of energy-related data. It focuses on the major requirements for secure data communication and processing, including confidentiality, data integrity and authentication.

The arrival of the IEC 62351 filled a huge void for energy security, bringing the existing non-secure communication protocols up to speed. The standard was defined by the IEC TC 57, the technical committee responsible for the development of standards for information exchange.

By applying the IEC 62351 security standard to protocols 60870-5-101/-104, DNP3 and IEC 61850 among others, it is possible to achieve end-to-end security for energy data systems. The standard series dictates the need for encryption and access control through authentication and authorization. For example, Transport Layer Security (TLS) encryption is defined by IEC 62351-3.

However, applying IEC 62351 is not a one-time task. Once implemented, the security mechanisms need to be maintained and updated continuously, in line with changing security threats.

 

Building readiness

Engineers can now create energy automation applications in accordance with IEC 62351, using the zenon software platform for energy automation. COPA-DATA is continuously implementing the standard step by step in its software, and it is already possible to harden the communication by TLS.

Improved security doesn’t change the user experience of the fully secured zenon application, although additional password changes and certificate renewal will be required — a small price to pay for optimal security.