This part of IEC 60870, which is a technical specification, describes messages and data formats for implementing IEC 62351‑5:2023 for secure communication as an extension to IEC 60870‑5‑101 and IEC 60870‑5‑104.

The purpose of this document is to permit the receiver of any IEC 60870‑5‑101/-104 Application Protocol Data Unit (APDU) to verify that the APDU was transmitted by an authorized user and that the APDU was not modified in transit.

This document is also intended to be used, together with the definitions of IEC 62351‑3:2023, in conjunction with the IEC 60870‑5‑104 companion standard.

The state machines, message sequences, and procedures for exchanging these messages are defined in IEC 62351‑5:2023. This document describes only the message formats, selected options, critical operations, addressing considerations and other adaptations required to implement IEC 62351 in the IEC 60870‑5‑101 and IEC 60870‑5‑104 protocols.

In addition to the previous edition, this new edition of this document also addresses role-based access control, by utilizing the IEC 62351‑8RBAC approach and the already defined role to permission mapping from IEC 62351‑5:2023.

The scope of this document does not include security for IEC 60870‑5‑102 or IEC 60870‑5‑103. IEC 60870‑5‑102 is in limited use only and will therefore not be addressed. Users of IEC 60870‑5‑103 desiring a secure solution need to implement IEC 61850 using the security measures from in IEC 62351 referenced in IEC 61850.

Management of keys, certificates or other cryptographic credentials within devices or on communication links other than IEC 60870‑5‑101/104 is out of the scope of this document and might be addressed by other IEC 62351 publications in the future.