The US generally does not pay enough attention to the IEC efforts. I certainly plead guilty, but the main reason is it is hard or relatively expensive to get the documents. This does not mean there isn’t a lot of interesting work there.

I just received a good paper from Frances Cleveland that covers the structure of IEC 62351, and the paper is available free of charge on her site. The meat of document is towards the back where Frances describes the seven parts of the draft document. They are:

• Part 1: Introduction
• Part 2: Glossary of Terms
• Part 3: Profiles Including TCP/IP
• Part 4: Profiles Including MMS (note - MMS is an integral part of ICCP)
• Part 5: Security for IEC 60870 and Derivatives (note - DNP3 is a derivative)
• Part 6: Security for IEC 61850 Profiles
• Part 7: MIB Requirements for End-to-End Network Management

Unfortunately the plan for securing all the TCP/IP protocols is to use TLS (aka SSL). I agree this is the most expedient solution, but it is far from the best solution. In fact, if any group was starting from scratch to design the appropriate protocol, I would wager it would look completely different than TLS. On top of this, TLS has bloat and is likely to lead to even more devices deploying web servers and all their vulnerabilities.

Should a standards group really be looking for the quickest path? Why couldn’t we just say use TLS until the appropriate security standard is completed?