Securing IEC 60870-5-101 and IEC 60870-5-104
A Technical Exploration of Threats, Countermeasures, and IEC 62351-5 Implementation for Telecontrol Protocols
Abstract
IEC 60870-5-101 and IEC 60870-5-104 are foundational telecontrol protocols used extensively in power system SCADA environments. Originally designed in an era with limited cybersecurity awareness, these protocols rely on open serial and IP-based communication, making them highly susceptible to a range of cyber threats including message injection, spoofing, replay, and denial-of-service (DoS) attacks.
This article provides a comprehensive examination of the cybersecurity challenges associated with IEC 60870-5-101 and 104. It delves into the structure and operation of both protocols, outlines their inherent vulnerabilities, and introduces the security architecture defined in IEC 62351-5. We explore the cryptographic mechanisms, authentication models, replay protection, implementation recommendations, and performance considerations in depth, offering practical recommendations for enhancing protocol-level security in real-world SCADA systems.
Introduction
In many national and regional grid infrastructures, IEC 60870-5-101 (serial) and IEC 60870-5-104 (TCP/IP) continue to serve as critical communication standards for telemetry and remote control. Their longevity, simplicity, and interoperability have made them a favored choice in Europe, Asia, and parts of the Middle East.
However, this operational ubiquity has also become a cybersecurity liability. Neither protocol was designed with built-in security—no encryption, no authentication, and no integrity checks. This lack of protection enables attackers with access to the network (or even to serial lines in substations) to intercept or manipulate traffic, falsify commands, or disrupt operations.
To address these gaps, IEC 62351-5 was created as a security extension primarily targeting the IEC 60870-5-101/104 protocol family, but its mechanisms have also been adopted by other protocols, most notably DNP3, which references it and provides protocol-specific adaptations for secure authentication. It defines mechanisms for ensuring message integrity, origin authentication, and optional confidentiality features. These enhancements are designed to be retrofitted into existing deployments or natively supported by compliant devices.
Protocol Overview and Security Deficiencies
IEC 60870-5-101: Serial Telecontrol Communication
IEC 60870-5-101 operates over serial links (RS-232, RS-485), using a structured frame format for transmitting process information such as analog values, binary inputs, and control commands. While reliable in isolated environments, it lacks any mechanism for:
- Detecting modification or tampering
- Preventing eavesdropping
- Defending against replay or injection
Attackers with physical access to cabling or serial terminal servers can inject control commands, disrupt remote terminal unit (RTU) responses, or spoof legitimate devices.
IEC 60870-5-104: TCP/IP-Based Communication
IEC 60870-5-104 transports the same Application Protocol Data Units (APDUs) over TCP/IP, enabling wide-area communication via Ethernet and IP networks. This increases exposure to modern cyberattack techniques such as:
- Man-in-the-Middle (MITM) attacks via ARP spoofing or DNS hijacking
- TCP session hijacking or injection
- Reconnaissance and fingerprinting of RTUs and master stations
- Unencrypted credentials for user-level authentication in some extensions
Without encryption or message-level protection, all traffic, including critical controls, is susceptible to interception and manipulation.
Security Enhancements in IEC 62351-5
IEC 62351-5 introduces a security layer for 101/104 based on cryptographic Message Authentication Codes (MACs), replay detection, and optional confidentiality features.
Secure Frame Format
IEC 62351-5 defines a secure APDU format that wraps the original 101/104 message in a security envelope. This envelope includes:
- Security Header: Identifies the sender and includes a security control field
- MAC Field: Contains a cryptographic checksum calculated over the message and header using a shared secret or certificate-based key
- Optional Encryption: Symmetric encryption may be applied to the entire payload using AES (Advanced Encryption Standard), depending on use case
Message Integrity and Origin Authentication
Each message carries a MAC computed with an algorithm such as HMAC-SHA256, ensuring that any tampering or forgery will be detected by the recipient. Origin authentication is achieved because only trusted peers possess the keys needed to compute valid MACs.
Replay Protection via Sequence Numbers
Replay attacks are mitigated using monotonic counter fields embedded in the security header. Each valid message must have a higher sequence number than the last accepted message. Implementations must persist these counters across reboots to avoid reuse of old messages.
Key Management and Cryptographic Agility
IEC 62351-5 supports multiple key management models:
- Static shared secrets: Suitable for small deployments with manual provisioning
- X.509 Certificates and PKI: Recommended for scalable and secure deployments
A-Profile and T-Profile Security: TLS vs Application Layer Authentication
The security framework for IEC 60870-5-101/104 is formally defined by two complementary standards:
- IEC 62351-5, which specifies generic message authentication using HMAC and session keys
- IEC 60870-5-7, which details protocol-specific adaptations (e.g., ASDU types and message segmentation)
Security mechanisms can be grouped into two profiles:
- T-profile security refers to the use of TLS (Transport Layer Security), defined in IEC 62351-3, to secure CS 104 at the transport layer
- A-profile security refers to application layer message authentication, as standardized in IEC 60870-5-7 and supported in IEC 62351-5
T-profile provides confidentiality and authentication at the transport level (TCP/IP), while A-profile secures individual IEC messages (ASDUs), making it applicable to both CS 101 and CS 104, even in serial or hybrid environments.
Message Authentication and HMAC Usage
A-profile security uses HMAC (Hash-based Message Authentication Code) to ensure message authenticity and integrity. The HMAC is calculated over critical application data using a secret session key shared between the sender and receiver. This ensures that only trusted endpoints can validate and accept critical messages (e.g., control commands).
Key features:
- Different session keys are used per direction (monitoring vs control)
- Session keys are updated periodically and exchanged over the same channel using a symmetric update key
- Non-critical messages may remain unauthenticated for performance reasons
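The following is an added example, not code from the article or from the standard: a simplified Python model of a MAC-protected envelope with per-direction session keys and a strictly increasing counter. The header layout, the 32-byte keys and the ASDU payloads are constructed for illustration and do not follow the normative IEC 62351-5 / IEC 60870-5-7 encoding.

```python
import hmac
import hashlib
import struct

# Constructed envelope model (not the normative wire format):
#   header = direction (1 byte) | sequence number (4 bytes, big-endian)
#   MAC    = HMAC-SHA256(session_key[direction], header || ASDU)
# Separate session keys per direction (monitoring vs control), as the text notes.
SESSION_KEYS = {          # constructed demo keys; real keys come from the key update exchange
    "control":    b"\x01" * 32,
    "monitoring": b"\x02" * 32,
}
DIR_CODE = {"control": 0x01, "monitoring": 0x02}
MAC_LEN = 32

def protect(direction: str, seq: int, asdu: bytes) -> bytes:
    """Sender side: prepend header, append MAC over header and ASDU."""
    header = bytes([DIR_CODE[direction]]) + struct.pack(">I", seq)
    mac = hmac.new(SESSION_KEYS[direction], header + asdu, hashlib.sha256).digest()
    return header + asdu + mac

class Receiver:
    """Receiver side: verify the MAC first, then enforce the per-direction counter.
    last_seq stands in for the counter a real device persists across reboots."""
    def __init__(self, last_seq=None):
        self.last_seq = dict(last_seq or {"control": 0, "monitoring": 0})

    def accept(self, frame: bytes):
        if len(frame) < 5 + MAC_LEN:
            return None, "too short"
        header, asdu, mac = frame[:5], frame[5:-MAC_LEN], frame[-MAC_LEN:]
        direction = next((d for d, c in DIR_CODE.items() if c == header[0]), None)
        if direction is None:
            return None, "unknown direction"
        expected = hmac.new(SESSION_KEYS[direction], header + asdu, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):      # constant-time comparison
            return None, "bad MAC"
        seq = struct.unpack(">I", header[1:])[0]
        if seq <= self.last_seq[direction]:             # equal or older counter: replay
            return None, "replay"
        self.last_seq[direction] = seq
        return asdu, "ok"
```

Note that the MAC check runs before the counter check, so a forged frame cannot advance the receiver's counter and lock out the legitimate sender.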
Challenge/Reply and Aggressive Mode Authentication
A-profile supports two authentication modes:
- Challenge/Reply (two-pass): Used when a device needs to verify a received critical message. The device issues a challenge, and the sender replies with an HMAC based on the message and challenge data.
- Aggressive Mode (one-pass): Faster unilateral method that appends an HMAC directly to the message. It requires an initial challenge/reply exchange to initialize shared challenge data.
Both modes aim to minimize bandwidth while maintaining trust, with Aggressive Mode favored in time-sensitive environments like CS 101-based control loops. Under normal circumstances, communication switches to aggressive mode after the first challenge/reply cycle. A challenge/reply cycle must be performed immediately after every session key change.
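As an added example (not code from the article or the standard), the exchange below models both modes: the challenger issues challenge data, the sender answers with an HMAC over that data and the critical ASDU, and later aggressive-mode messages reuse the stored challenge data with an incremented challenge sequence number. The `_mac` input layout, the nonce size and the class names are assumptions made for this illustration.

```python
import hmac
import hashlib
import os
import struct

def _mac(key: bytes, csq: int, nonce: bytes, asdu: bytes) -> bytes:
    # Simplified: MAC over challenge sequence number, challenge nonce and the ASDU
    return hmac.new(key, struct.pack(">I", csq) + nonce + asdu, hashlib.sha256).digest()

class Challenger:
    """Side that receives critical messages (e.g. an RTU receiving a control command)."""
    def __init__(self, session_key: bytes):
        self.key, self.csq, self.nonce = session_key, 0, None

    def new_session_key(self, key: bytes):
        self.key, self.nonce = key, None     # key change invalidates challenge data

    def challenge(self):
        self.csq += 1
        self.nonce = os.urandom(16)          # fresh challenge data
        return self.csq, self.nonce

    def verify_reply(self, asdu: bytes, reply_mac: bytes) -> bool:
        return self.nonce is not None and hmac.compare_digest(
            reply_mac, _mac(self.key, self.csq, self.nonce, asdu))

    def verify_aggressive(self, csq: int, asdu: bytes, mac: bytes) -> bool:
        # One-pass: requires a completed challenge/reply since the last key change,
        # and the embedded CSQ must exceed the last one accepted (replay rejection).
        if self.nonce is None or csq <= self.csq:
            return False
        if not hmac.compare_digest(mac, _mac(self.key, csq, self.nonce, asdu)):
            return False
        self.csq = csq
        return True

class Sender:
    """Side that originates critical messages (e.g. a master station)."""
    def __init__(self, session_key: bytes):
        self.key, self.csq, self.nonce = session_key, 0, None

    def reply(self, csq: int, nonce: bytes, asdu: bytes) -> bytes:
        self.csq, self.nonce = csq, nonce    # keep challenge data for aggressive mode
        return _mac(self.key, csq, nonce, asdu)

    def aggressive(self, asdu: bytes):
        if self.nonce is None:
            raise RuntimeError("challenge/reply required before aggressive mode")
        self.csq += 1
        return self.csq, _mac(self.key, self.csq, self.nonce, asdu)
```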
IEC 60870-5-7: Protocol Adaptation and ASDU Mapping
IEC 60870-5-7 provides the protocol-specific mappings required to implement A-profile security in CS 101 and 104:
- Defines new security ASDUs (e.g., S_CH_NA_1 for Challenge, S_AR_NA_1 for Aggressive Reply)
- Introduces segmentation fields for security messages exceeding maximum ASDU size
- Maps security states and transitions into the IEC 60870-5 finite state model
These definitions allow security messages to coexist with legacy protocols without breaking interoperability.
Edition Differences: 2013 vs 2023/2025
Two editions of A-profile security are currently recognized:
- Edition 1 (2013):
  - Introduced basic HMAC authentication
  - Supports multi-user sessions with individual keys
  - Optional RBAC via session-based user identities
- Edition 2 (2023/2025) (Draft):
  - Adds optional encryption of application data
  - Enforces single-user sessions for stricter control
  - Incorporates RBAC from IEC 62351-8 with defined role-permission mappings
  - Incompatible ASDU types vs Edition 1 (non-interoperable)
  - Multicast support for CS 101 unbalanced modes
Deployment Considerations and Performance Impact
Retrofits vs Native Support
Legacy RTUs and IEDs often lack the computational power or memory to process cryptographic functions. To mitigate this:
- Security proxies or bump-in-the-wire devices can be used to offload security processing
- Gateway appliances can act as secure concentrators, handling key management and enforcing policies
New devices should ideally support native 62351-5 capabilities, including MAC generation/verification, counter persistence, and cryptographic configuration.
Real-Time Constraints
The introduction of cryptographic operations must not violate the real-time characteristics of SCADA systems. IEC 62351-5 therefore emphasizes:
- Low-latency MAC algorithms (e.g., HMAC with hardware acceleration)
- Deterministic execution times
- Offloading security processing to non-blocking threads or hardware modules
Compatibility and Interoperability
All security mechanisms are optional and must be negotiated between peers. Backward compatibility with unsecured devices must be explicitly managed:
- Security Profiles define which features are enabled for each connection
- Systems may operate in mixed mode, allowing secure and non-secure peers to coexist
Integration with TLS and Network Layer Security
While IEC 62351-5 provides application-layer protection, IEC 62351-3 complements it by specifying TLS as the preferred transport layer security mechanism for IEC 60870-5-104. Key integration points include:
- TLS Mutual Authentication using certificates
- Encrypted TCP channels
- Fallback modes for non-TLS peers
TLS ensures confidentiality and connection integrity, while IEC 62351-5 ensures message-level authenticity and replay protection. For maximum security, both should be implemented in tandem.
Testing, Validation, and Compliance
IEC 62351-5-compliant systems must be rigorously tested for:
- MAC validation and rejection of forged frames
- Replay detection under attack conditions
- Key rollover and certificate revocation support
- Latency and jitter impact on SCADA timing
- Interoperability between vendors
Certification programs and third-party security evaluations are encouraged to ensure robustness across heterogeneous deployments.
Summary and Best Practices
Securing IEC 60870-5-101/104 is a critical priority for utilities relying on legacy telecontrol infrastructure. IEC 62351-5 provides a flexible yet rigorous framework for message integrity, origin authentication, and replay protection. Key recommendations include:
- Use TLS where possible for 104-based communication
- Deploy MAC-based authentication and replay counters as per 62351-5
- Implement gateway-based security when end devices cannot support cryptography
- Use certificate-based key management for scalable trust models
- Regularly update security policies and validate implementation conformance
Conclusion
IEC 62351-5 bridges the gap between legacy telecontrol protocols and modern cybersecurity requirements. Through its well-defined message authentication, replay protection, and key management frameworks, it offers a path to secure even the most entrenched SCADA systems. By embracing these standards, utilities can significantly reduce the attack surface of their operational networks while maintaining real-time performance and compatibility.
Looking forward
In the next part of this series, we will explore Security for IEC 61850/MMS, a client-server protocol at the heart of digital substations, and how IEC 62351-4 brings critical protections to the foundation of substation automation.
