Two Standards, One Goal: Making Substations Secure with IEC 62351 and IEC 62443

Modern substations are increasingly digital and remotely managed, but also more exposed. Real-world cyber incidents like the Ukraine blackout and growing regulations like NIS2 have made clear that security and compliance are non-negotiable.
Two standards dominate this space:
- IEC 62351 secures communication protocols like MMS, GOOSE, and DNP3.
- IEC 62443 secures devices, systems, and architectures.
They are complementary. This article shows how to apply both in practice and how Moxa helps you secure your network effectively and auditably.
What the Standards Cover and Who’s Responsible
IEC 62351 focuses on securing protocol traffic: encryption (TLS), authentication, digital signatures, and certificate handling, but assumes the devices using those protocols are already secure.
IEC 62443 focuses on securing the infrastructure: device hardening, network segmentation, system availability, monitoring, and secure development.
Aspect | IEC 62351 | IEC 62443 |
Focus | Communication protocols | Devices, systems, architecture |
Applies to | MMS, GOOSE, DNP3, SNMP | Switches, routers, SCADA, firewalls |
Responsibility | Protocol implementers | Vendors, integrators, asset owners |
Together, they define what to secure (the data) and how to build the secure environment around it.
What Only IEDs and SCADA Can Secure
Some IEC 62351 protections can only be applied by the devices themselves:
- Digital signing of GOOSE/SV: IEDs
- TLS for MMS or DNP3: IEDs, gateways
- Certificate handling: SCADA and secure devices
Routers and switches can’t compensate for these gaps. But once you have this part right, you still need to limit the exposure and support auditability. That’s where Moxa comes in.
Securing the Rest of the Network with IEC 62443
IEC 62351 lays out how to protect protocol-level communication, but protocols don’t secure themselves. They rely on a trustworthy, segmented, monitored, and hardened environment, and that’s precisely what IEC 62443 helps create.
Moxa’s portfolio supports both device-level and system-level protections defined by IEC 62443, which together establish the secure context IEC 62351 depends on to be enforceable and auditable:
Device-level (IEC 62443-4-2):
- EDR-G9010: SL2-certified secure router with DPI
- EDF-G1002-BP: Compact firewall with IEC 61850 MMS DPI
- EDS-4000/G4000: Managed switches with port lockdown, VLANs, SNMPv3
System-level (IEC 62443-3-3):
- MXview One: Central monitoring, log management, configuration backup
- MXsecurity: Role-based access control and policy enforcement
- NTP, syslog, and event tracking: Built into Moxa devices
These components don’t replace the protocol-level protections mandated by IEC 62351, but they protect the infrastructure those protocols rely on. By hardening the environment, segmenting traffic, and enabling auditability, IEC 62443 ensures that protocol-level security measures are not undermined, even in networks with full 62351 support.
When to Use Certified Products and When You Don’t Need To
Use certified devices when:
- They sit at security boundaries (e.g., internet gateway, zone router)
- They enforce critical policies (e.g., firewall, NMS)
Use well-configured, standards-aligned products when:
- Devices are deep in trusted zones
- They’re protected by upstream certified elements
Examples:
- EDR-G9010 and MXsecurity are ideal for certified control points
- EDF-G1002-BP and EDS switches offer strong security when paired with architecture-based protections
This approach meets both security and audit goals without unnecessary cost or replacement.
How Moxa Supports IEC 62443-3-3 — and Helps Fulfill IEC 62351
62443-3-3 SR | Function | Moxa Support | IEC 62351 Benefit |
SR 2.1 | Network segmentation | VLANs, ACLs on EDS switches, EDR-G9010 | Trusted paths |
SR 2.2 | Firewalling and protocol filtering | EDR-G9010, EDF-G1002-BP | Control protocol access |
SR 3.1 | Event logging | MXview, Syslog, SNMP traps | 62351-7 compliance |
SR 3.4 | Time synchronization | NTP integrity, log correlation | Log consistency |
SR 6.1 | Continuous monitoring | MXview config tracking, alerts | Operational auditability |
MXview One also enables backup/restore of device configurations, supporting fast recovery and resilience, essential for audit readiness and IEC 62443-3-3 SR 7.1/7.2, even if not covered by IEC 62351 directly.
Conclusion: IEC 62443 Enables Practical IEC 62351 Compliance
IEC 62351 protects protocols, but only when the endpoint supports it. IEC 62443 secures everything else: the devices, the architecture, the monitoring.
Moxa helps DSOs:
- Secure the network zones on which IEC 62351 relies
- Audit and monitor system behavior
- Enforce segmentation and control
- Use certified devices only where necessary and well-secured ones everywhere else
By following a robust, standards-aligned framework, Moxa intrinsically enhances the security of your network infrastructure, allowing DSOs to focus on a smaller, more manageable scope of responsibilities while achieving full compliance and resilience.