Home
N2OS Configuration
The N2OS Configuration - Reference Guide.
Decryption
IEC 60870-5-7 / 62351-3/5 encrypted links
IEC TC57 (POWER SYSTEMS management and associated information exchange) develops the standards 60870 and 62351. IEC 60870 part 5 (by WG3) describes systems used for telecontrol. IEC 62351 (by WG15) handles the security of TC 57 series.

N2OS Configuration
The N2OS Configuration - Reference Guide.
- Features
- Edit sensor configuration
- Basic rules
- Garbage Collector
- Alerts
- Incidents
- Nodes
- Assets
- Links
- Variables
- Protocols
- Vulnerability assessment
- Smart Polling
- Discovery
- Monitored subnets
- Customize node identifier generation
- Decryption
  - Protocol passive decryption
    Nozomi Networks offers tools to decrypt network protocols and apply standard deep packet inspection (DPI) to the decrypted communication. Depending on the specific protocol, different constraints and configuration steps are applicable.
  - IEC 60870-5-7 / 62351-3/5 encrypted links
    IEC TC57 (POWER SYSTEMS management and associated information exchange) develops the standards 60870 and 62351. IEC 60870 part 5 (by WG3) describes systems used for telecontrol. IEC 62351 (by WG15) handles the security of TC 57 series.
  - Configure IEC-62351-3
- Trace
- Time Machine
- Retention
- Bandwidth throttling
- Synchronization
- Slow updates
- Session hijacking
- Passwords
- Sandbox
- Miscellaneous

IEC 60870-5-7 / 62351-3/5 encrypted links

IEC TC57 (POWER SYSTEMS management and associated information exchange) develops the standards 60870 and 62351. IEC 60870 part 5 (by WG3) describes systems used for telecontrol. IEC 62351 (by WG15) handles the security of TC 57 series.

IEC TC57 WG15 recommends the combination of IEC 62351-3 and 5 to secure IEC 60870-5-104 links:

IEC 62351-3 is a TLS profile to secure power systems related communication.
IEC 62351-5 is an application security protocol applicable to IEC 60870-5-101, 104, and derivatives. Its implementation in terms of ASDUs (i.e., real encapsulation) is outlined in IEC 60870-5-7.

In order to decrypt IEC 62351-3 (TLS) traffic, you must meet these conditions:

The private key for each TLS server (e.g. RTU, PLC) must be available; it is used to derive session keys.
All the equipment where decryption is needed must operate using the TLS_RSA_WITH_AES_128_CBC_SHA (0x00002f) cipher suite. Often, this step is accomplished by forcing either the client or the server to confine itself to that specific cipher suite.