This part of IEC 60870 describes messages and data formats for implementing IEC/TS 62351- 5 for secure authentication as an extension to IEC 60870-5-101 and IEC 60870-5-104.
The purpose of this base standard is to permit the receiver of any IEC 60870-5-101/104 Application Protocol Data Unit (APDU) to verify that the APDU was transmitted by an authorized user and that the APDU was not modified in transit. It provides methods to authenticate not only the device which originated the APDU but also the individual human user if that capability is supported by the rest of the telecontrol system.
This specification is also intended to be used, together with the definitions of IEC/TS 62351-3, in conjunction with the IEC 60870-5-104 companion standard.
The state machines, message sequences, and procedures for exchanging these messages are defined in the IEC/TS 62351-5 specification. This base standard describes only the message formats, selected options, critical operations, addressing considerations and other adaptations required to implement IEC/TS 62351 in the IEC 60870-5-101 and 104 protocols.
The scope of this specification does not include security for IEC 60870-5-102 or IEC 60870-5-103. IEC 60870-5-102 is in limited use only and will therefore not be addressed. Users of IEC 60870-5-103 desiring a secure solution should implement IEC 61850 using the security measures from in IEC/TS 62351 referenced in IEC 61850.
Management of keys, certificates or other cryptographic credentials within devices or on communication links other than IEC 60870-5-101/104 is out of the scope of this specification and may be addressed by other IEC/TS 62351 specifications in the future.