This part of IEC 62351 specifies technical specifications for power system cyber security event logging. Its scope includes:

- An abstract information structure consisting of metadata, i.e. multiple attributes for both defining and logging a power system cyber security event.
- A list of standardized cyber security events, given in an annex and described using this abstraction. These events are useful for cyber security situation monitoring across the power system.
- A method to perform a secured transfer of such cyber security events using a secure variant of Syslog.

The aspects that are outside its scope are:

- Defining methods for using event logging protocols other than Syslog to log cyber security events in the power system.
- The technical specifications and methods to analyse a cyber security event and thus deduce its root cause.

Note: However, analysing and deriving the root causes behind any cyber security event, followed by detection of any cyber-attack, first requires first-hand logging of the respective cyber security event carrying useful information. This part thus provides only technical specifications for logging a cyber security event for the power system.

This part of IEC 62351 addresses a harmonized and standardized cyber security event logging specification across the power system, for achieving interoperability in a heterogeneous environment. This edition of IEC 62351-14 provides a list of standardized cyber security events, such as events related to IEC 62351-3. However, as these referencing IEC 62351 parts evolve over time, they will take precedence in describing the security events, followed by their description in IEC 62351-14.

In IEC 62351, there are two parts – IEC 62351-14 (i.e. this part) and IEC 62351-7. This part of IEC 62351 focuses on providing a standardized way of generating and monitoring cyber security event logs in the power system. In contrast, IEC 62351-7 addresses the entire health monitoring of the power system, of which cyber security is one aspect. Since the centralized cyber security event monitoring of IEC 62351-14 is based on Syslog [RFC 5424], it delivers logging information into a centralized repository. IEC 62351-7, being based on SNMP, provides real-time situational awareness to the system operator. Both are useful in their own ways, and hence it is recommended to deploy both parts of IEC 62351 to obtain a comprehensive power system monitoring solution.