Skip to main content
Reference

IEC 62351-4

Application-layer security for MMS and IEC 61850 station-bus traffic. Adds end-to-end authentication above the TLS layer that 62351-3 supplies underneath.

Also: 62351-4, MMS security, IEC 61850 application security

IEC 62351-4 is the part of the IEC 62351 family that secures MMS and the IEC 61850 station-bus traffic that runs on top of it. It sits above IEC 62351-3 — TLS handles the channel; -4 handles the application session.

What -4 adds on top of -3 TLS

A pure TLS channel proves “I am talking to something whose certificate chains to a trusted CA”. For the substation context that’s not enough: the IED needs to know which engineering identity is asking it to change a protection setting, and the answer has to be available at the application layer for logging and authorisation.

-4 adds:

  • Application-layer authentication tokens carried in the MMS association establishment, distinct from the TLS peer cert.
  • End-to-end signing of high-impact MMS messages (file writes, setting-group switches) so that the integrity guarantee survives a TLS-terminating proxy in the path.
  • Profile alignment with the RBAC vocabulary so that an authenticated principal can be authorised against a role.

The 2018 edition refactored this substantially — the older edition’s mechanism (ACSE authentication exchange) was hard to deploy, and current vendor implementations track the newer profile.

Where it lands in a 62443 design

For an MMS station-bus conduit between an engineering workstation zone and a protection-zone IED, a 62443 SL-T of 2 across FR1 (IAC), FR2 (UC), FR3 (SI), and FR4 (DC) typically requires both:

  • 62351-3 TLS for FR4 (channel confidentiality) and partial FR1.
  • 62351-4 application auth for full FR1, FR2 enforcement via -8 RBAC binding, and FR3 signing of high-impact writes.

Skipping -4 and relying on -3 alone is a common shortcut that leaves an audit gap: the certificate proves the device but not the user, and FR1 / FR2 are about the user.

Deployment status

Of all the 62351 parts, -4 is the one that has changed most across editions, and the gap between “vendor advertises 62351-4 support” and “the specific profile you wrote in the procurement spec is implemented” is the widest. Procurement teams writing new station-bus tenders should pin the edition explicitly (e.g. “62351-4:2018 or later”) and require a conformance statement listing which application-layer features are implemented.