IEC TS 62351-5:2013

IEC/TS 62351-5 ®
Edition 2.0 2013-04
TECHNICAL
SPECIFICATION
Power systems management and associated information exchange – Data and
communications security –
Part 5: Security for IEC 60870-5 and derivatives

IEC/TS 62351-5:2013(E)
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.

IEC Central Office Tel.: +41 22 919 02 11
3, rue de Varembé Fax: +41 22 919 03 00
CH-1211 Geneva 20 info@iec.ch
Switzerland www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.

Useful links:
IEC publications search - www.iec.ch/searchpub Electropedia - www.electropedia.org
The advanced search enables you to find IEC publications The world's leading online dictionary of electronic and
by a variety of criteria (reference number, text, technical electrical terms containing more than 30 000 terms and
committee,…). definitions in English and French, with equivalent terms in
It also gives information on projects, replaced and additional languages. Also known as the International
withdrawn publications. Electrotechnical Vocabulary (IEV) on-line.

IEC Just Published - webstore.iec.ch/justpublished Customer Service Centre - webstore.iec.ch/csc
Stay up to date on all new IEC publications. Just Published If you wish to give us your feedback on this publication
details all new publications released. Available on-line and or need further assistance, please contact the
also once a month by email. Customer Service Centre: csc@iec.ch.

IEC/TS 62351-5 ®
Edition 2.0 2013-04
TECHNICAL
SPECIFICATION
Power systems management and associated information exchange – Data and

communications security –
Part 5: Security for IEC 60870-5 and derivatives

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
PRICE CODE
XE
ICS 33.200 ISBN 978-2-83220-732-1

– 2 – TS 62351-5 © IEC:2013(E)
CONTENTS
FOREWORD . 6
1 Scope and object . 8
2 Normative references . 9
3 Terms and definitions . 10
4 Abbreviated terms . 11
5 Problem description (informative) . 11
5.1 Overview of clause . 11
5.2 Specific threats addressed . 11
5.3 Design issues . 11
5.3.1 Overview of subclause . 11
5.3.2 Asymmetric communications . 11
5.3.3 Message-oriented . 12
5.3.4 Poor sequence numbers or no sequence numbers . 12
5.3.5 Limited processing power . 12
5.3.6 Limited bandwidth. 12
5.3.7 No access to authentication server . 12
5.3.8 Limited frame length . 13
5.3.9 Limited checksum . 13
5.3.10 Radio systems . 13
5.3.11 Dial-up systems . 13
5.3.12 Variety of protocols affected . 13
5.3.13 Differing data link layers . 14
5.3.14 Long upgrade intervals . 14
5.3.15 Remote sites . 14
5.3.16 Multiple users . 14
5.3.17 Unreliable media . 14
5.4 General principles . 14
5.4.1 Overview of subclause . 14
5.4.2 Authentication only . 14
5.4.3 Application layer only . 15
5.4.4 Generic definition mapped onto different protocols . 15
5.4.5 Bi-directional . 15
5.4.6 Challenge-response. 15
5.4.7 Pre-shared keys as default option. 15
5.4.8 Backwards tolerance . 15
5.4.9 Upgradeable . 16
5.4.10 Perfect forward secrecy . 16
5.4.11 Multiple users and auditing . 16
6 Theory of operation (informative) . 16
6.1 Overview of clause . 16
6.2 Narrative description . 16
6.2.1 Basic concepts . 16
6.2.2 Initiating the challenge . 17
6.2.3 Replying to the challenge . 17
6.2.4 Authenticating . 18
6.2.5 Authentication failure . 18

TS 62351-5 © IEC:2013(E) – 3 –
6.2.6 Aggressive mode . 18
6.2.7 Changing keys . 18
6.2.8 Security statistics . 22
6.3 Example message sequences . 22
6.3.1 Overview of subclause . 22
6.3.2 Challenge of a Critical ASDU . 23
6.3.3 Aggressive Mode . 24
6.3.4 Initializing and changing Session Keys . 24
6.4 State machine overview . 28
7 Formal specification . 32
7.1 Overview of clause . 32
7.2 Message definitions . 32
7.2.1 Distinction between messages and ASDUs . 32
7.2.2 Challenge message . 33
7.2.3 Reply message . 35
7.2.4 Aggressive Mode Request message . 36
7.2.5 MAC := OS8i[1.8i]; i:=specified by MALKey Status Request
message . 38
7.2.6 Key Status message . 38
7.2.7 Session Key Change message . 41
7.2.8 Error message . 43
7.2.9 User Status Change message . 45
7.2.10 Update Key Change Request message . 49
7.2.11 Update Key Change Reply message . 51
7.2.12 Update Key Change message . 52
7.2.13 Update Key Change Signature message . 53
7.2.14 Update Key Change Confirmation message . 54
7.3 Formal procedures . 55
7.3.1 Overview of subclause . 55
7.3.2 Security statistics . 56
7.3.3 Challenger procedures . 58
7.3.4 Responder procedures . 74
7.3.5 Controlling station procedures . 75
7.3.6 Controlled station procedures . 88
8 Interoperability requirements . 90
8.1 Overview of clause . 90
8.2 Minimum requirements . 90
8.2.1 Overview of subclause . 90
8.2.2 MAC algorithms . 90
8.2.3 Key wrap / transport algorithms . 91
8.2.4 Fixed values . 91
8.2.5 Configurable values . 91
8.3 Options . 96
8.3.1 Overview of subclause . 96
8.3.2 MAC algorithms . 96
8.3.3 Encryption algorithms . 98
8.3.4 Key wrap / transport algorithms . 98
8.3.5 Configurable values . 98
9 Special Applications . 99

– 4 – TS 62351-5 © IEC:2013(E)
9.1 Overview of clause . 99
9.2 Use with TCP/IP . 99
9.3 Use with redundant channels. 99
9.4 Use with external link encryptors . 99
10 Requirements for referencing this specification. 99
10.1 Overview of clause . 99
10.2 Selected options . 99
10.3 Operations considered critical . 100
10.4 Addressing information . 100
10.5 Message format mapping . 100
10.6 Reference to procedures . 100
11 Protocol implementation conformance statement . 101
11.1 Overview of clause . 101
11.2 Required algorithms . 101
11.3 MAC algorithms . 101
11.4 Key wrap algorithms . 101
11.5 Maximum Error messages sent. 101
11.6 Use of Error messages . 101
11.7 Update Key Change Methods . 102
11.8 User Status Change . 102
Annex A (informative) Compliance with ISO/IEC 11770 . 103
Bibliography . 109

Figure 1 – Overview of interaction between Authority and stations . 22
Figure 2 – Example of successful Challenge of Critical ASDU . 23
Figure 3 – Example of failed Challenge of Critical ASDU . 23
Figure 4 – Example of a successful Aggressive Mode Request . 24
Figure 5 – Example of a failed Aggressive Mode Request . 24
Figure 6 – Example of Session Key initialization and periodic update. 25
Figure 7 – Example of communications failure followed by Session Key change . 26
Figure 8 – Example of successful User Status and Update Key Change . 27
Figure 9 – User changes controlling stations . 28
Figure 10 – Major state transitions for controlling station authentication. 29
Figure 11 – Major state transitions for controlled station authentication . 30
Figure 12 – Major state transitions for controlling station Update Key change . 31
Figure 13 – Major state transitions for controlled station Update Key change . 32
Figure 14 – Example Use of Challenge Sequence Numbers . 60

Table 1 – Scope of application to standards . 8
Table 2 – Summary of symmetric keys used . 18
Table 3 – Summary of asymmetric keys used (optional) . 19
Table 4 – Challenge message . 33
Table 5 – Reply message . 35
Table 6 – Data Included in the MAC Value calculation . 36
Table 7 – Aggressive Mode Request message . 36

TS 62351-5 © IEC:2013(E) – 5 –
Table 8 – Data Included in the MAC Value calculation in Aggressive Mode . 37
Table 9 – Key Status Request Message . 38
Table 10 – Use of Default Session Keys . 38
Table 11 – Key Status Message . 39
Table 12 – Data Included in the MAC Value Calculation for Key Status . 41
Table 13 – Key Change message. 41
Table 14 – Data Included in the key wrap (in order) . 42
Table 15 – Example of key order. 42
Table 16 – Example of Wrapped Key Data . 43
Table 17 – Error message . 43
Table 18 – Creation of Certification Data . 46
Table 19 – User Status Change message . 46
Table 20 – Update Key Change Request message. 50
Table 21 – Update Key Change Reply message. 51
Table 22 – Update Key Change message . 52
Table 23 – Encrypted Update Key Data . 53
Table 24 – Update Key Change Signature message . 53
Table 25 – Data included in the Digital Signature . 54
Table 26 – Update Key Change Confirmation message . 54
Table 27 – Data included in the MAC calculation . 55
Table 28 – States used in the state machine descriptions . 55
Table 29 –Security statistics . 57
Table 30 – Challenger state machine . 63
Table 31 – User roles . 77
Table 32 – Controlling Station State Machine – Changing Session Keys . 80
Table 33 – Controlling Station State Machine – Changing Update Keys . 84
Table 34 – Special Statistic Event Thresholds. 92
Table 35 – Algorithms and Messages used for each Update Key Change Method . 94
Table 36 – Size of Challenge Data . 94
Table 37 – Configuration of Cryptographic Information . 95
Table 38 – Legend for configuration of cryptographic information. 96
Table 39 – Construction of AES-GMAC initialization vector . 96
Table 40 – Source of initialization vector components in each message . 97
Table A.1 – Cryptographic Notation . 105
Table A.2 – Compliance with ISO/IEC 11770 . 107

– 6 – TS 62351-5 © IEC:2013(E)
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
POWER SYSTEMS MANAGEMENT
AND ASSOCIATED INFORMATION EXCHANGE –
DATA AND COMMUNICATIONS SECURITY –

Part 5: Security for IEC 60870-5 and derivatives

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
The main task of IEC technical committees is to prepare International Standards. In
exceptional circumstances, a technical committee may propose the publication of a technical
specification when
• the required support cannot be obtained for the publication of an International Standard,
despite repeated efforts, or
• the subject is still under technical development or where, for any other reason, there is the
future but no immediate possibility of an agreement on an International Standard.
Technical specifications are subject to review within three years of publication to decide
whether they can be transformed into International Standards.
IEC/TS 62351-5, which is a technical specification, has been prepared by IEC technical
committee 57: Power systems management and associated information exchange.

TS 62351-5 © IEC:2013(E) – 7 –
This second edition cancels and replaces the first edition published in 2009. It constitutes a
technical revision. The primary changes in the second edition are:
• adds the capability to change Update Keys remotely;
• adds security statistics to aid in detecting attacks;
• adds measures to avoid being forced to change session keys too often;
• discards unexpected messages more often as possible attacks;
• adds to the list of permitted security algorithms;
• adds new rules for calculating challenge sequence numbers.
The text of this technical specification is based on the following documents:
Enquiry draft Report on voting
57/1204/DTS 57/1282/RVC
Full information on the voting for the approval of this technical specification can be found in
the report on voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
Capitalization has been used in the text of this specification to formally identify the most
important components of the described security mechanism. These components include: 1)
data items e.g. Update Keys, Session Keys; 2) message names, e.g. Challenge, Reply,
Aggressive Mode Request; 3) event names e.g. Reply Timeout, Rx Invalid Reply; 4) state
names, e.g. Security Idle, Wait for Reply; and 5) statistics e.g. Authentication Failures,
Unexpected Messages.
A list of all the parts in the IEC 62351 series, published under the general title Power systems
management and associated information exchange – Data and communications security, can
be found on the IEC website.
The committee has decided that the contents of this publication will remain unchanged until
the stability date indicated on the IEC web site under "http://webstore.iec.ch" in the data
related to the specific publication. At this date, the publication will be
• transformed into an International standard,
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
A bilingual version of this publication may be issued at a later date.

– 8 – TS 62351-5 © IEC:2013(E)
POWER SYSTEMS MANAGEMENT
AND ASSOCIATED INFORMATION EXCHANGE –
DATA AND COMMUNICATIONS SECURITY –

Part 5: Security for IEC 60870-5 and derivatives

1 Scope and object
This part of IEC 62351 specifies messages, procedures and algorithms for securing the
operation of all protocols based on or derived from IEC 60870-5: Telecontrol equipment and
systems – Transmission protocols. This Technical Specification applies to at least those
protocols listed in Table 1.
Table 1 – Scope of application to standards
Number Name
IEC 60870-5-101 Companion standard for basic telecontrol tasks
IEC 60870-5-102 Companion standard for the transmission of integrated totals in electric power systems
IEC 60870-5-103 Companion standard for the informative interface of protection equipment
IEC 60870-5-104 Network access for IEC 60870-5-101 using standard transport profiles
Distributed Network Protocol (based on IEC 60870-1 through IEC 60870-5 and controlled
DNP3
by the DNP Users Group)
The initial audience for this Technical Specification is intended to be the members of the
working groups developing the protocols listed in Table 1. For the measures described in this
specification to take effect, they must be accepted and referenced by the specifications for the
protocols themselves. This document is written to enable that process.
The subsequent audience for this specification is intended to be the developers of products
that implement these protocols.
Portions of this specification may also be of use to managers and executives in order to
understand the purpose and requirements of the work.
This part of IEC/TS 62351 focuses only on application layer authentication and security issues
arising from such authentication. Other security concerns – in particular, protection from
eavesdropping or man-in-the-middle attacks through the use of encryption – are considered to
be outside the scope. Encryption may be added through the use of this specification with
other specifications.
This document is organized working from the general to the specific, as follows:
• Clauses 2 through 4 provide background terms, definitions, and references.
• Clause 5 describes the problems this specification is intended to address.
• Clause 6 describes the mechanism generically without reference to a specific protocol.
• Clauses 7 and 8 describe the mechanism more precisely and are the primary normative
part of this specification.
• Clause 9 describes a few particular implementation issues that are special cases.
• Clause 10 describes the requirements for other standards referencing this specification.

TS 62351-5 © IEC:2013(E) – 9 –
• Clause 11 describes the Protocol Implementation Conformance Statement (PICS) for this
mechanism.
Unless specifically labelled as informative or optional, all clauses of this specification are
normative.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and
are indispensable for its application. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any
amendments) applies.
IEC 60870-5 (all parts), Telecontrol equipment and systems – Transmission protocols
IEC/TS 62351-1, Power systems management and associated information exchange – Data
and communications security – Part 1: Communication network and system security –
Introduction to security issues
IEC/TS 62351-2, Power systems management and associated information exchange – Data
and communications security – Part 2: Glossary of terms
IEC/TS 62351-3, Power systems management and associated information exchange – Data
and communications security – Part 3: Communication network and system security – Profiles
including TCP/IP
IEC/TS 62351-8, Power systems management and associated information exchange – Data
and communications security – Part 8: Role-based access control
ISO/IEC 9798-4, Information technology – Security techniques – Entity authentication –
Part 4: Mechanisms using a cryptographic check function
ISO/IEC 11770-2:2008, Information technology – Security techniques – Key management –
Part 2: Mechanisms using symmetric techniques
ISO/IEC 11770-3:2008, Information technology – Security techniques – Key management –
Part 3: Mechanisms using asymmetric techniques
FIPS 180-2, Secure Hash Standard (includes SHA-1, SHA-224, SHA-256, SHA-384 and SHA-
512). USA NIST
FIPS 186-2, Digital Signature Standard (DSS), USA NIST, February 2000 including Change
Notice #1, October 2001. Used for the random number generation algorithms in the Appendix
FIPS 186-3, Digital Signature Standard (DSS), USA NIST, June 2009. Used for digital
signature algorithms when asymmetric Update Key change is implemented
RFC 2104, HMAC: Keyed-Hashing for Message Authentication
RFC 3394, Advanced Encryption Standard (AES) Key Wrap Algorithm
RFC 3447, Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications
Version 2.1
RFC 3629, UTF-8, a transformation format of ISO 10646

– 10 – TS 62351-5 © IEC:2013(E)
RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List
(CRL) Profile
NIST SP 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter
Mode (GCM) and GMAC
3 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC/TS 62351-2 and the
following apply.
3.1
challenger
station that issues authentication challenges
Note 1 to entry: It may be either a controlled or controlling station.
3.2
control direction
direction of transmission from the controlling station to a controlled station
[SOURCE: IEC 60870-5-101:2003, 3.3]
3.3
controlled station
station which is monitored, or commanded and monitored by a master (controlling) station
Note 1 to entry: It is commonly called an “outstation” or “slave” in some specifications.
[SOURCE: IEC 60870-1-3:1997]
3.4
controlling station
station which performs the telecontrol of outstations
Note 1 to entry: It is commonly called a “master” or “master station” in some specifications.
[SOURCE: IEC 60870-1-3:1997]
3.5
monitor direction
direction of transmission from a controlled station to a controlling station
[SOURCE: IEC 60870-5-101:2003, 3.4]
3.6
responder
station that responds or reacts to authentication challenges
Note 1 to entry: It may be either a controlled or controlling station.
3.7
telecontrol
control of operational equipment at a distance using the transmission of information by
telecommunication techniques
Note 1 to entry: Telecontrol may comprise any combination of command, alarm, indication, metering, protection
and tripping facilities, without any use of speech messages.

TS 62351-5 © IEC:2013(E) – 11 –
[SOURCE: IEC 60870-1-3:1997]
3.8
application service data unit
ASDU
application layer message submitted to lower layers for transmission
4 Abbreviated terms
Refer to IEC/TS 62351-2 for a list of applicable abbreviated terms. The following term is
included here because it is specifically used in the affected protocols and used in the
discussion of this authentication mechanism.
ASDU application service data unit. The application layer message submitted to
lower layers for transmission.
5 Problem description (informative)
5.1 Overview of clause
Clause 5 describes:
• the security threats that this specification is intended to address;
• the unique design problems in implementing authentication for IEC 60870-5 and derived
protocols;
• the resulting design principles behind the mechanism.
5.2 Specific threats addressed
This specification shall address only the following security threats, as defined in
IEC/TS 62351-2:
• spoofing;
• modification;
• replay;
• eavesdropping – on exchanges of cryptographic keys only, not on other data.
5.3 Design issues
5.3.1 Overview of subclause
Subclause 5.3 describes the challenges faced in developing an authentication proposal that
can be applied to all the IEC 60870-5 and derivative protocols. Subclause 5.3 is supplied for
the benefit of security experts reviewing this document who may not be familiar with the
electrical utility protocol environment.
5.3.2 Asymmetric communications
All the protocols affected by this specification share the concept of inequality between the
communication stations. In each of these protocols there is a designated controlling station
and a designated controlled station, each having different roles, responsibilities, procedures
and message formats. In particular, the controlling station is in many cases responsible for
flow control and media access control.
The existence of a definite controlled/controlling station designation has two impacts on the
design of this authentication mechanism:

– 12 – TS 62351-5 © IEC:2013(E)
• the format of messages in each direction will differ, even if the functions are the same;
• key distribution is simplified because they will always be issued by the controlling station.
5.3.3 Message-oriented
All of the affected protocols are message-oriented. This means that authentication must be
performed on a message-by-message basis, rather than authenticating only at the beginning
of a data stream and occasionally thereafter, as some connection-oriented protocols do.
5.3.4 Poor sequence numbers or no sequence numbers
A common security technique to address the threat of replay is to include in the message a
sequence number. Combined with tests for message integrity, the sequence number makes it
harder for an attacker to simulate a legitimate user by just copying an existing message,
because the messages must be transmitted in a particular order.
Unfortunately, none of the affected protocols includes a sequence number that would provide
adequate protection. Those sequence numbers that do exist have very low maximum values,
permitting an attacker to attempt a replay after gathering only a small number of messages.
Therefore, the design of this specification must include its own sequence numbers and other
time-varying data to protect against replay.
5.3.5 Limited processing power
The lack of processing power available on many power utility devices has been a major
design concern for the affected protocols since their creation. This design requirement
necessarily affects the authentication mechanism also. The concern is heightened by the fact
that many of these devices are single-processor machines; a denial-of-service attack would
affect not only the communications capability of such devices but their function as an
electrical control, protection, or monitoring device also.
Therefore, the use of security measures requiring extremely high processing power, such as
public-key encryption and very large key sizes, has been avoided as much as possible.
5.3.6 Limited bandwidth
The limited amount of bandwidth available in utility networks has been the prime design
concern (after message integrity) of the affected protocols. Links of 1 200 bits per second and
lower are still a reality for many applications of these protocols. Some communications links
also charge costs per octet transmitted.
Therefore the authentication mechanism must not add very much overhead (i.e. few octets) to
the affected protocols. The size of the challenge and authentication data has therefore been
limited and truncated as much as possible while retaining an adequate level of security. Other
measures may be taken in the implementations in each protocol.
5.3.7 No access to authentication server
The nature of the utility networks in which the affected protocols are deployed is that the
controlling station is often the only device with which the controlled station can communicate.
If there is any access to other networks, it is often achieved through the device implementing
the controlling station.
The impact of this fact on the authentication mechanism is that any system requiring on-line
verification of the controlling station’s security credentials by a third party is not practical.

TS 62351-5 © IEC:2013(E) – 13 –
5.3.8 Limited frame length
Because of the restrictions on bandwidth and message integrity, the affected protocols are
designed to send data in small frames of 255 octets or less. Some derivative protocols permit
“chaining” frames together to create larger application layer messages.
However, in general, the authentication mechanism cannot assume the transmission of large
data units between the stations.
5.3.9 Limited checksum
Message integrity was a high priority in the design of the affected protocols. However, the
integrity measures chosen for these protocols were designed to protect against random noise,
and not a concerted attack, as discussed below.
• The serial IEC 60870-5 protocols use Frame Type FT1.2, which uses parity bits and a
single-octet checksum to protect against bit errors. A single octet is not large enough to
provide a secure message authentication code (MAC).
• The IEC 60870-5-104 protocol depends on the integrity measures of lower layers.
Because this specification discusses an application layer mechanism only, it cannot
depend on such measures. In any case, doing so would provide a solution for only one of
the affected protocols.
• The DNP3 protocol uses the IEC 60870-5 FT3 frame, with a two-octet cyclic redundancy
check every 16 octets or fewer. This provides considerable integrity for security purposes,
except that there is no check for the entire frame.
Therefore, the authentication mechanism described in this specification cannot make use of
the existing protocol integrity mechanisms to provide message integrity for security purposes.
5.3.10 Radio systems
The affected protocols are often used over radio systems which may or may not provide
security measures of their own. Many existing utility radio networks provide no security at all.
Therefore, the mechanism described in this specification must assume a hostile and
physically insecure transmission environment.
5.3.11 Dial-up systems
The affected protocols are often used over dial-up telephone networks which require several
seconds to re-establish communications before each frame transmitted. Similarly, many radio
systems require long “keying” times before each frame.
Therefore, the authentication mechanism provides an option, known as “aggressive mode”
that reduces the number of extra frames of data to b
...