
BS EN IEC 62351-14 Ed.1.0 Power systems management and associated information exchange - Data and communications security. Part 14: Cyber security event logging

Source:
IEC
Committee:
PEL/57 - Power systems management and associated information exchange
Categories:
Telecontrol. Telemetering
Comment period start date:
Comment period end date:
Number of comments:
0

Scope

This part of the IEC 62351 series provides technical specifications for power system cyber security event logging. Its scope includes:

1) An abstract information structure consisting of metadata, i.e. multiple attributes, for both defining and logging a power system cyber security event.

2) A list of standardized cyber security events, given in annexes and described using this abstraction. These events are useful for cyber security situation monitoring across a power system.

3) A method to securely transfer such cyber security events using a secure variant of Syslog.

The following aspects are outside its scope:

1) Defining how to use event logging protocols other than Syslog for logging cyber security events in a power system.

2) The technical specifications and methods to analyse a cyber security event and thus deduce its root cause.

Note: Nevertheless, once a cyber-attack has been detected, it is imperative to analyse the cyber security events involved and derive their root causes. Both activities first require that the respective cyber security events be logged, carrying useful metadata. This part of IEC 62351 therefore provides only technical specifications on how to log a cyber security event for an electrical power system, together with a list of standardized cyber security events. Logging such metadata can provide valuable insight into the cyber security posture of electrical power systems, and analysis of the logged information can then identify cyber-attacks and the root causes behind them.

This part of IEC 62351 addresses a harmonized and standardized cyber security event logging specification across a power system, for achieving interoperability in a heterogeneous environment. This edition of IEC 62351-14 provides a list of standardized cyber security events, such as the events related to IEC 62351-3. However, as the referenced IEC 62351 parts evolve over time, they take precedence in describing their cyber security events, ahead of any description in IEC 62351-14. Referencing IEC 62351 standards shall provide their table of cyber security events as an informative annex.

Within IEC 62351, two parts provide monitoring information: IEC 62351-14 (this part) and IEC 62351-7. This part of IEC 62351 focuses on providing a standardized way of generating and monitoring cyber security event logs in an electrical power system. In contrast, IEC 62351-7 addresses the overall health monitoring of a power system, of which cyber security is one of the key aspects. Since the centralized cyber security event monitoring of IEC 62351-14 is based on Syslog [RFC 5424], it delivers logging information into a centralized repository. IEC 62351-7 is based on SNMP and provides real-time situational awareness to the system operator. Both are useful in their own ways, and it is therefore recommended to deploy both parts of IEC 62351 to obtain a comprehensive power system monitoring solution.

To further distinguish the applicability of the two standards from a cyber security point of view: IEC 62351-14 provides the mechanism to log a cyber security event together with a description of that event, for example "certificate expired" or "certificate revoked". IEC 62351-7 provides the health status of the electrical power system by quantitatively monitoring the number of cyber security events of a particular type, for example "number of expired certificates" or "number of revoked certificates".
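The distinction just drawn can be illustrated in code. The example below is added here and is not part of the draft or of this page: it emits an event-level record in RFC 5424 syslog format, with the event's attributes carried as structured data, parses such records back, and then collapses them into per-type counts of the kind IEC 62351-7 reports. The SD-ID `iec62351evt@32473` (built on the documentation enterprise number from RFC 5612) and the attribute names `eventType` and `subject` are placeholders assumed for the example; the draft's actual information structure is not reproduced.

```python
import re
from collections import Counter

# Placeholder SD-ID built on enterprise number 32473, which RFC 5612 reserves for
# documentation; the attribute names are assumptions, not the draft's real structure.
SD_ID = "iec62351evt@32473"

def escape_param(value: str) -> str:
    """Escape the three characters RFC 5424 requires escaping in a PARAM-VALUE."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def build_event(facility, severity, host, app, message, attrs, timestamp):
    """Emit one RFC 5424 record: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    pri = facility * 8 + severity
    params = " ".join(f'{k}="{escape_param(v)}"' for k, v in attrs.items())
    sd = f"[{SD_ID} {params}]" if params else f"[{SD_ID}]"
    return f"<{pri}>1 {timestamp} {host} {app} - - {sd} {message}"

_SD_RE = re.compile(r'\[(?P<id>[^\s\]]+)(?P<params>(?: [^=\s]+="(?:[^"\\]|\\.)*")*)\]')
_PARAM_RE = re.compile(r'([^=\s]+)="((?:[^"\\]|\\.)*)"')

def parse_event(line: str) -> dict:
    """Parse the header and the placeholder SD element of one record into a dict."""
    head, timestamp, host, app, _procid, _msgid, rest = line.split(" ", 6)
    m = re.fullmatch(r"<(\d{1,3})>1", head)
    if not m:
        raise ValueError("not an RFC 5424 version-1 message")
    pri = int(m.group(1))
    sd = _SD_RE.match(rest)
    if not sd or sd.group("id") != SD_ID:
        raise ValueError("expected structured-data element not found")
    attrs = {k: re.sub(r"\\(.)", r"\1", v) for k, v in _PARAM_RE.findall(sd.group("params"))}
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": timestamp,
            "host": host, "app": app, "attrs": attrs, "msg": rest[sd.end():].lstrip()}

def count_by_type(lines) -> Counter:
    """Collapse event-level records into per-type totals, the view IEC 62351-7 reports."""
    return Counter(parse_event(line)["attrs"]["eventType"] for line in lines)

# Constructed sample records (facility 4 = security/auth, severity 4 = warning).
SAMPLE = [
    build_event(4, 4, "rtu01.example", "tls-agent", "certificate expired",
                {"eventType": "CertificateExpired", "subject": "CN=rtu01"}, "2024-05-01T10:00:00Z"),
    build_event(4, 4, "rtu02.example", "tls-agent", "certificate revoked",
                {"eventType": "CertificateRevoked", "subject": "CN=ops[1]"}, "2024-05-01T10:01:00Z"),
    build_event(4, 4, "rtu03.example", "tls-agent", "certificate expired",
                {"eventType": "CertificateExpired", "subject": "CN=rtu03"}, "2024-05-01T10:02:00Z"),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec)
    print(dict(count_by_type(SAMPLE)))
```

The secure transport the draft specifies (a secure variant of Syslog) is outside this snippet, which only shows the record format and the two levels of monitoring.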

IEC 62351-90-3 is scoped to efficiently handle the volume of information that will originate from the application of IEC 62351-7 and IEC 62351-14 at a centralized or distributed cyber security operator workplace.
