IEC TS 60870-5-7:2013
(Main)Telecontrol equipment and systems - Part 5-7: Transmission protocols - Security extensions to IEC 60870-5-101 and IEC 60870-5-104 protocols (applying IEC 62351)
Telecontrol equipment and systems - Part 5-7: Transmission protocols - Security extensions to IEC 60870-5-101 and IEC 60870-5-104 protocols (applying IEC 62351)
IEC/TS 60870-5-7:2013(E) describes messages and data formats for implementing IEC/TS 62351-5 for secure authentication as an extension to IEC 60870-5-101 and IEC 60870-5-104. The purpose of this base standard is to permit the receiver of any IEC 60870-5-101/104 Application Protocol Data Unit (APDU) to verify that the APDU was transmitted by an authorized user and that the APDU was not modified in transit. It provides methods to authenticate not only the device which originated the APDU but also the individual human user if that capability is supported by the rest of the telecontrol system. This specification is also intended to be used, together with the definitions of IEC/TS 62351-3, in conjunction with the IEC 60870-5-104 companion standard.
General Information
Relations
Standards Content (Sample)
IEC/TS 60870-5-7 ®
Edition 1.0 2013-07
TECHNICAL
SPECIFICATION
colour
inside
Telecontrol equipment and systems –
Part 5-7: Transmission protocols – Security extensions to IEC 60870-5-101 and
IEC 60870-5-104 protocols (applying IEC 62351)
IEC/TS 60870-5-7:2013(E)
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.
IEC Central Office Tel.: +41 22 919 02 11
3, rue de Varembé Fax: +41 22 919 03 00
CH-1211 Geneva 20 info@iec.ch
Switzerland www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.
About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.
Useful links:
IEC publications search - www.iec.ch/searchpub Electropedia - www.electropedia.org
The advanced search enables you to find IEC publications The world's leading online dictionary of electronic and
by a variety of criteria (reference number, text, technical electrical terms containing more than 30 000 terms and
committee,…). definitions in English and French, with equivalent terms in
It also gives information on projects, replaced and additional languages. Also known as the International
withdrawn publications. Electrotechnical Vocabulary (IEV) on-line.
IEC Just Published - webstore.iec.ch/justpublished Customer Service Centre - webstore.iec.ch/csc
Stay up to date on all new IEC publications. Just Published If you wish to give us your feedback on this publication
details all new publications released. Available on-line and or need further assistance, please contact the
also once a month by email. Customer Service Centre: csc@iec.ch.
IEC/TS 60870-5-7 ®
Edition 1.0 2013-07
TECHNICAL
SPECIFICATION
colour
inside
Telecontrol equipment and systems –
Part 5-7: Transmission protocols – Security extensions to IEC 60870-5-101 and
IEC 60870-5-104 protocols (applying IEC 62351)
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
PRICE CODE
X
ICS 33.200 ISBN 978-2-8322-0919-6
– 2 – TS 60870-5-7 © IEC:2013(E)
CONTENTS
FOREWORD . 5
1 Scope . 7
2 Normative references . 7
3 Terms, definitions and abbreviations . 8
3.1 Terms and definitions . 8
3.2 Abbreviated terms . 9
4 Selected options . 9
4.1 Overview of clause . 9
4.2 MAC algorithms . 9
4.3 Encryption algorithms . 9
4.4 Maximum error count . 9
4.5 Use of aggressive mode . 9
5 Operations considered critical . 9
6 Addressing information . 10
7 Implementation of messages . 10
7.1 Overview of clause . 10
7.2 Data definitions . 10
7.2.1 Causes of transmission . 10
7.2.2 Type identifiers . 10
7.2.3 Security statistics . 11
7.2.4 Variable length data . 11
7.2.5 Information object address . 12
7.2.6 Transmitting extended ASDUs using segmentation . 12
7.3 Application Service Data Units . 16
7.3.1 TYPE IDENT 81: S_CH_NA_1 Authentication challenge . 16
7.3.2 TYPE IDENT 82: S_RP_NA_1 Authentication Reply . 17
7.3.3 TYPE IDENT 83: S_AR_NA_1 Aggressive mode authentication
request . 18
7.3.4 TYPE IDENT 84: S_KR_NA_1 Session key status request. 19
7.3.5 TYPE IDENT 85: S_KS_NA_1 Session key status . 20
7.3.6 TYPE IDENT 86: S_KC_NA_1 Session key change . 21
7.3.7 TYPE IDENT 87: S_ER_NA_1 Authentication error . 22
7.3.8 TYPE IDENT 88: S_UC_NA_1 User certificate . 23
7.3.9 TYPE IDENT 90: S_US_NA_1 User status change . 24
7.3.10 TYPE IDENT 91: S_UQ_NA_1 Update key change request . 25
7.3.11 TYPE IDENT 92: S_UR_NA_1 Update key change reply . 26
7.3.12 TYPE IDENT 93: S_UK_NA_1 Update key change − symmetric . 27
7.3.13 TYPE IDENT 94: S_UA_NA_1 Update key change − asymmetric . 28
7.3.14 TYPE IDENT 95: S_UC_NA_1 Update key change confirmation . 29
7.3.15 TYPE IDENT 41: S_IT_TC_1 Integrated totals containing time-
tagged security statistics . 30
8 Implementation of procedures. 31
8.1 Overview of clause . 31
8.2 Initialization of aggressive mode. 31
8.3 Refreshing challenge data . 34
8.4 Co-existence with non-secure implementations . 34
TS 60870-5-7 © IEC:2013(E) – 3 –
9 Implementation of IEC/TS 62351-3 using IEC 60870-5-104 . 34
9.1 Overview of clause . 34
9.2 Deprecation of non-encrypting cipher suites . 34
9.3 Mandatory cipher suite . 34
9.4 Recommended cipher suites . 34
9.5 Negotiation of versions . 35
9.6 Cipher renegotiation . 35
9.7 Message authentication code . 35
9.8 Certificate support . 35
9.8.1 Overview of clause . 35
9.8.2 Multiple Certificate Authorities (CAs) . 36
9.8.3 Certificate size . 36
9.8.4 Certificate exchange . 36
9.8.5 Certificate comparison . 36
9.9 Co-existence with non-secure protocol traffic . 37
9.10 Use with redundant channels . 37
10 Protocol Implementation Conformance Statement. 38
10.1 Overview of clause . 38
10.2 Required algorithms . 38
10.3 MAC algorithms . 38
10.4 Key wrap algorithms . 38
10.5 Use of error messages . 38
10.6 Update key change methods . 38
10.7 User status change . 39
10.8 Configurable parameters . 39
10.9 Configurable statistic thresholds and statistic information object addresses . 40
10.10 Critical functions . 40
Bibliography . 44
Figure 1 – ASDU segmentation control . 12
Figure 2 – Segmenting extended ASDUs . 12
Figure 3 – Illustration of ASDU segment reception state machine . 15
Figure 4 – ASDU: S_CH_NA_1 Authentication challenge . 16
Figure 5 – ASDU: S_RP_NA_1 Authentication Reply . 17
Figure 6 – ASDU: S_AR_NA_1 Aggressive Mode Authentication Request . 18
Figure 7 – ASDU: S_KR_NA_1 Session key status request . 19
Figure 8 – ASDU: S_KS_NA_1 Session key status . 20
Figure 9 – ASDU: S_KC_NA_1 Session key change . 21
Figure 10 – ASDU: S_ER_NA_1 Authentication error . 22
Figure 11 – ASDU: S_UC_NA_1 User certificate . 23
Figure 12 – ASDU: S_US_NA_1 User status change . 24
Figure 13 – ASDU: S_UQ_NA_1 Update key change request . 25
Figure 14 – ASDU: S_UR_NA_1 Update key change reply . 26
Figure 15 – ASDU: S_UK_NA_1 Update key change – symmetric . 27
Figure 16 – ASDU: S_UA_NA_1 Update key change – asymmetric . 28
Figure 17 – ASDU: S_UC_NA_1 Update key change confirmation . 29
– 4 – TS 60870-5-7 © IEC:2013(E)
Figure 18 – ASDU: S_IT_TC_1 Integrated totals containing time-tagged security
statistics . 30
Figure 19 – Example of successful initialization of challenge data . 33
Table 1 – Additional cause of transmission . 10
Table 2 – Additional type identifiers . 10
Table 3 – Maximum lengths of variable length data . 11
Table 4 – ASDU segment reception state machine . 14
Table 5 – Recommended cipher suite combinations . 35
TS 60870-5-7 © IEC:2013(E) – 5 –
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
TELECONTROL EQUIPMENT AND SYSTEMS –
Part 5-7: Transmission protocols – Security extensions to
IEC 60870-5-101 and IEC 60870-5-104 protocols
(applying IEC 62351)
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
The main task of IEC technical committees is to prepare International Standards. In
exceptional circumstances, a technical committee may propose the publication of a technical
specification when
• the required support cannot be obtained for the publication of an International Standard,
despite repeated efforts, or
• the subject is still under technical development or where, for any other reason, there is the
future but no immediate possibility of an agreement on an International Standard.
Technical specifications are subject to review within three years of publication to decide
whether they can be transformed into International Standards.
IEC 60870-5-7, which is a technical specification, has been prepared by IEC technical
committee 57: Power systems management and associated information exchange.
– 6 – TS 60870-5-7 © IEC:2013(E)
The text of this technical specification is based on the following documents:
Enquiry draft Report on voting
57/1308/DTS 57/1339/RVC
Full information on the voting for the approval of this technical specification can be found in
the report on voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
In this publication the following print types are used:
Clause 10: Direct quotations from IEC/TS 62351-3:2007: in italic type.
A list of all the parts in the IEC 60870 series, published under the general title Telecontrol
equipment and systems, can be found on the IEC website.
The committee has decided that the contents of this publication will remain unchanged until
the stability date indicated on the IEC web site under "http://webstore.iec.ch" in the data
related to the specific publication. At this date, the publication will be
• transformed into an International Standard,
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
A bilingual version of this publication may be issued at a later date.
IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct
understanding of its contents. Users should therefore print this document using a
colour printer.
TS 60870-5-7 © IEC:2013(E) – 7 –
TELECONTROL EQUIPMENT AND SYSTEMS –
Part 5-7: Transmission protocols – Security extensions to
IEC 60870-5-101 and IEC 60870-5-104 protocols
(applying IEC 62351)
1 Scope
This part of IEC 60870 describes messages and data formats for implementing IEC/TS 62351-
5 for secure authentication as an extension to IEC 60870-5-101 and IEC 60870-5-104.
The purpose of this base standard is to permit the receiver of any IEC 60870-5-101/104
Application Protocol Data Unit (APDU) to verify that the APDU was transmitted by an
authorized user and that the APDU was not modified in transit. It provides methods to
authenticate not only the device which originated the APDU but also the individual human
user if that capability is supported by the rest of the telecontrol system.
This specification is also intended to be used, together with the definitions of IEC/TS 62351-3,
in conjunction with the IEC 60870-5-104 companion standard.
The state machines, message sequences, and procedures for exchanging these messages
are defined in the IEC/TS 62351-5 specification. This base standard describes only the
message formats, selected options, critical operations, addressing considerations and other
adaptations required to implement IEC/TS 62351 in the IEC 60870-5-101 and 104 protocols.
The scope of this specification does not include security for IEC 60870-5-102 or
IEC 60870-5-103. IEC 60870-5-102 is in limited use only and will therefore not be addressed.
Users of IEC 60870-5-103 desiring a secure solution should implement IEC 61850 using the
security measures from in IEC/TS 62351 referenced in IEC 61850.
Management of keys, certificates or other cryptographic credentials within devices or on
communication links other than IEC 60870-5-101/104 is out of the scope of this specification
and may be addressed by other IEC/TS 62351 specifications in the future.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and
are indispensable for its application. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any
amendments) applies.
IEC 60870-5-101:2003, Telecontrol equipment and systems – Part 5-101:Transmission
protocols – Companion standard for basic telecontrol tasks
IEC 60870-5-104:2006, Telecontrol equipment and systems – Part 5-104:Transmission
protocols – Network access for IEC 60870-5-101 – Using standard transport profiles
IEC/TS 62351-3:2007, Power systems management and associated information exchange –
Data and communications security – Part 3: Communication network and system security –
Profiles including TCP/IP
IEC/TS 62351-5:2013, Power systems management and associated information exchange –
Data and communications security – Part 5: Security for IEC 60870-5 and derivatives
– 8 – TS 60870-5-7 © IEC:2013(E)
IEC/TS 62351-8, Power systems management and associated information exchange – Data
and communications security – Part 8: Role-based access control
3 Terms, definitions and abbreviations
3.1 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
NOTE Terms 3.1.1 to 3.1. 7 are included here because they are specific to the IEC 60870-5 standards and may
be useful for reading this specification as an independent document. Terms 3.1.8 to 3.1.9 are included here
because they are specific to IEC/TS 62351-5.
3.1.1
Application Protocol Data Unit
complete application layer message transmitted by a station
3.1.2
Application Service Data Unit
application layer message submitted to lower layers for transmission
3.1.3
Controlling Station
device or application that initiates most of the communications and issues commands
Note 1 to entry: Commonly called a “master” in some protocol specifications.
3.1.4
Controlled Station
remote device that transmits data gathered in the field to the controlling station
Note 1 to entry: Commonly called the “outstation” or “slave” in some protocols.
3.1.5
Control Direction
data transmitted by the controlling station to the controlled station(s)
3.1.6
Message Authentication Code
calculated value used by a receiving station to authenticate and check the integrity of an
Application Protocol Data Unit
3.1.7
Monitoring Direction
data transmitted by the controlled station to the controlling stations
3.1.8
Challenger
station that issues authentication challenges. May be either a controlled or controlling station.
3.1.9
Responder
station that responds or reacts to authentication challenges. May be either a controlled or
controlling station.
TS 60870-5-7 © IEC:2013(E) – 9 –
3.2 Abbreviated terms
Refer to IEC/TS 62351-2 for a list of applicable abbreviated terms. Terms 3.2.1 to 3.2.3 are
included here because they are specifically used in the affected protocols and used in the
discussion of this authentication mechanism.
3.2.1
ASDU
Application Service Data Unit
3.2.2
APDU
Application Protocol Data Unit
3.2.3
MAC
Message Authentication Code
4 Selected options
4.1 Overview of clause
This clause describes which of the options specified in IEC/TS 62351-5 shall be implemented
in IEC 60870-5-101 and IEC 60870-5-104.
4.2 MAC algorithms
IEC 60870-5 stations shall implement all the mandatory MAC algorithms listed in
IEC/TS 62351-5, and may implement any of the optional MAC algorithms listed there.
4.3 Encryption algorithms
IEC 60870-5 stations shall implement all the mandatory encryption algorithms listed in
IEC/TS 62351-5, and may implement any of the optional encryption algorithms listed there.
4.4 Maximum error count
IEC 60870-5 stations may implement a maximum error count in the range specified in
IEC/TS 62351-5.
4.5 Use of aggressive mode
IEC 60870-5 stations shall implement IEC/TS 62351-5 aggressive mode. Aggressive mode
shall be the normal method of authentication for stations implementing this specification.
However, IEC 60870-5 stations shall also permit it to be configured as disabled. A station
with aggressive mode disabled shall not transmit any S_AR_NA_1 Aggressive Mode Request
ASDUs and shall reply to any such ASDUs with S_ER_NA_1 Authentication Error ASDUs,
subject to the limitations on Error messages described in IEC/TS 62351-5.
Regardless of whether aggressive mode is disabled, IEC 60870-5 stations shall initialize the
challenge data in both directions when establishing communications, as described in 8.2.
5 Operations considered critical
IEC 60870-5-101 and IEC 60870-5-104 ASDUs identified as “M” (for “Mandatory”) in the “M/O”
(“Mandatory or Optional”) column in 10.10 shall be considered critical operations. Stations
complying with this standard shall require the sender to authenticate those ASDUs. Any
station may optionally require authentication of any other ASDUs.
– 10 – TS 60870-5-7 © IEC:2013(E)
Devices complying with this standard shall provide information along with the Interoperability
Tables identifying which ASDUs the device/station considers critical, requiring authentication.
Refer to 10.10. If an ASDU is identified as critical, the ACT or DEACT cause of transmission
is shall be considered mandatory critical, but not ACTCON or ACT_TERM.
IEC/TS 62351-5 states that any device may arbitrarily decide that an ASDU is critical and can
therefore initiate a challenge for any reason. However, IEC 60870-5 shall not enforce this
rule. ASDUs that are considered critical at any time by an IEC 60870-5 station shall always
be considered critical by that station unless the station is reconfigured.
Any ASDUs capable of changing security configuration parameters, now or in the future, shall
be considered critical.
6 Addressing information
Each IEC 60870-5-101 station shall include in its MAC calculations the destination station
address from the IEC 60870-5 data link layer in the “Addressing Information” portion of the
calculation. The octets of the address when included in the calculation shall be as transmitted.
7 Implementation of messages
7.1 Overview of clause
This clause describes how the secure authentication messages described in IEC/TS 62351-5
are implemented in IEC 60870-5-101 and IEC 60870-5-104.
7.2 Data definitions
7.2.1 Causes of transmission
Stations implementing secure authentication shall use the causes of transmission listed in
Table 1 in addition to those described in 7.2.3 of IEC 60870-5-101:2003.
Table 1 – Additional cause of transmission
Cause := UI6[1.6]<14.16>
<14> := authentication
<15> := maintenance of authentication session key
<16> := maintenance of user role and update key
7.2.2 Type identifiers
Stations implementing secure authentication shall use the Type Identifications listed in Table
2 in addition to those described in 7.2.1 of IEC 60870-5-101:2003 and Clause 6 of
IEC 60870-5-104:2006. This range of Type Identifications was previously allocated for
system information in the monitor direction. The ASDUs identified by these types may be
transmitted in either the control or monitor direction.
Table 2 – Additional type identifiers
TYPE IDENTIFICATION := UI8[1.8]<81.87>
<41> := integrated totals containing time tagged
security statistics S_IT_TC_1
<81> := authentication challenge S_CH_NA_1
<82> := authentication reply S_RP_NA_1
<83> := aggressive mode authentication request S_AR_NA_1
<84> := session key status request S_KR_NA_1
TS 60870-5-7 © IEC:2013(E) – 11 –
<85> := session key status S_KS_NA_1
<86> := session key change S_KC_NA_1
<87> := authentication error S_ER_NA_1
<90> := user status change S_US_NA_1
<91> := update key change request S_UQ_NA_1
<92> := update key change reply S_UR_NA_1
<93> := update key change symmetric S_UK_NA_1
<94> := update key change asymmetric S_UA_NA_1
<95> := update key change confirmation S_UC_NA_1
7.2.3 Security statistics
Stations implementing secure authentication shall use the ASDU Type 41: Integrated totals
containing time-tagged security statistics to report the values of the security statistics
described in 7.3.2 of IEC/TS 62351-5:2013. This ASDU type is defined in 7.3.15. The
Information Object Address of each security statistic shall be recorded in the Protocol
Implementation Conformance Statement for each station as described in 10.9.
The procedures used by the outstation to report the security statistics shall be the same as for
the existing integrated totals, as described in 7.4.8 of IEC 60870-5-101:2003, particularly
including the ability for these totals to be reported using spontaneous transmission.
All security statistics shall be placed reported in a single integrated totals group.
7.2.4 Variable length data
IEC/TS 62351-5 allocates two octets in each message for the length field of variable length
data, permitting the variable length data to be up to 62 335 octets long. In all cases, this is
much larger than necessary. To conserve buffer space and reduce the probability of buffer
overflow attacks, the maximum value of these length fields shall be limited as defined in
Table 3.
Table 3 – Maximum lengths of variable length data
Abbrev. Name Subclause in Message name Maximum length
IEC 60870-5- for IEC/TS
7:2013 60870-5-7 (octets)
CLN 7.3.1 Challenge
Challenge data length 7.3.4 Key Status 64
7.3.11 Update Key Change Reply
HLN MAC length 7.3.2 Reply 64
WKL Wrapped key data length 7.3.6 Session Key Change 1 024
ELN Error length 7.3.7 Error 128
UNL 7.3.9 User Status Change
User name length 256
7.3.10 Update Key Change Request
UKL User public key length 7.3.9 User Status Change 6 144
CDL
7.3.8 User Certificate 8 192
Certification Data Length
7.3.9 User Status Change 1 024
CCL Controlling station
7.3.10 Update Key Change Request 64
challenge data length
EUL
7.3.12 Update Key Change – sym
Encrypted update key
8 192
length
7.3.13 Update Key Change − asym
– 12 – TS 60870-5-7 © IEC:2013(E)
7.2.5 Information object address
The Information Object Address (IOA) does not apply to the ASDUs described in
IEC/TS 60870-5-7 and is not included in these ASDUs. It is replaced by the ASDU
Segmentation Control octet specified in 7.2.6.
7.2.6 Transmitting extended ASDUs using segmentation
Several of the messages defined in IEC/TS 62351-5 are longer than the maximum length of
an IEC 60870-5 data link or APCI frame. Figure 1 defines a field that shall be used to control
reassembly when an IEC 60870-5-7 ASDU is transmitted in a series of several segments such
that each segment will fit in a data link or APCI frame.
Bit 8 7 6 5 4 3 2 1
ASDU
5 0
FIN FIR 2 ASN 2 SEGMENTATION
CONTROL
ASDU SEGMENTATION CONTROL:= CP8{FIN, FIR, ASN}
ASN := UI6[1.6]<0.63>
FIR := BS[7]<0.1>
<0> := This is not the first segment of an ASDU
<1> := This is the first segment of an ASDU
FIN := BS[8]<0.1>
<0> := This is not the final segment of an ASDU
<1> := This is the final segment of an ASDU
Figure 1 – ASDU segmentation control
If an ASDU is too long to fit in a lower-level data link or APCI frame, the excess application
layer data shall be divided into segments as illustrated in Figure 2. The Data Unit Identifier
fields of the ASDU(Type Id, VSQ, COT, CASDU, and ASDU SEGMENTATION CONTROL)
shall be prepended to each segment so the receiving station can recognize the type, address
and disposition of each segment. The station shall transmit the segments in sequence as if
they were separate ASDUs, but without any data of a different Type ID interspersed.
Max Frame Length
Original ASDU: DUI ASC IOs
DUI ASC IOs
First Segment:
FIN=0 FIR=1
DUI ASC IOs
Second Segment:
FIN=0 FIR=0
DUI ASC IOs
Third Segment:
FIN=1 FIR=0
DUI = DATA UNIT IDENTIFIER (all the same)
IOs = INFORMATION OBJECTS
ASC = ASDU SEGMENTATION CONTROL
Figure 2 – Segmenting extended ASDUs
TS 60870-5-7 © IEC:2013(E) – 13 –
The ASN (ASDU Segment Sequence Number) shall be used to verify that segments are
received in the correct order and shall help detect duplicated or missing segments. The ASN
shall increment by one, modulo 64. After sequence number 63, the next sequence number
value shall be 0.
The following rules shall apply when segmenting ASDUs:
1) A segment series shall begin with a segment having the FIR bit set.
2) A segment series shall end with a segment having the FIN bit set.
3) When no segment series is in progress, the receiving station shall discard any segment
received without the FIR bit set.
4) A segment with the FIR bit set may have any sequence number from 0 to 63 without
regard to prior history.
5) After a segment series has been started:
a) Each subsequent segment shall have an ASN that is incremented by one (modulo 64)
from the preceding segment. A received segment that meets this requirement shall
become the next member of the segment series. The station shall treat all the data
following the ASDU SEGMENTATION CONTROL field as if it was appended to the end
of the previous data in the series.
b) If a station receives a segment having the FIR bit set, it shall discard the entire, in-
progress segment series and start a new segment series with the newly received
segment as its first member.
c) If a station receives a segment that is octet-for-octet identical to the preceding
segment it shall discard the segment.
d) If a station receives a segment having the FIR bit cleared and a sequence number
other than the expected incremental number, that is not octet-for-octet identical to the
preceding segment, the station shall discard the segment and the entire in-progress
segment series and terminate the series.
6) A segment series may consist of a single segment having both FIR and FIN bits set.
7) When a receiving station receives a segment with the FIN bit set and therefore assembles
a complete segment series, only then may the station evaluate the complete ASDU.
8) If a station receives a segment in which the Type ID, VSQ, CASDU, or COT does not
match that of the first ASDU in the sequence, the station shall discard the segment and
the entire series.
It is recommended that transmitting stations make each segment as large as possible for
maximum efficiency of transmission. However, this is not a requirement and receiving stations
shall accept varying segment lengths within the same series.
The state machine described in Table 4 defines how the station shall reassemble ASDUs from
segments. This state machine assumes the reception software uses an ASDU buffer in which
application data from the received segments are temporarily stored before presenting the
completed ASDU to the application layer process.
There are two states:
• Idle state: The station is idle waiting for a segment to arrive with the FIR bit set.
• Assembly state: The ASDU buffer holds application data from at least one segment.
While in this state, the station is awaiting additional segments to complete the ASDU.
The terminology used in Table 4 is defined as follows:
• X means “don’t care”
• SAME means the ASN is identical to the ASN in the segment immediately preceding this
segment
– 14 – TS 60870-5-7 © IEC:2013(E)
• +1 means the ASN is incremented by one count, modulo 64, from the sequence number in
the segment immediately preceding this segment
• +M, 1 < M < 64 means the sequence number is incremented by more than one count and
fewer than 64 counts from the sequence number in the segment immediately preceding
this segment
Table 4 – ASDU segment reception state machine
Current Event that triggers an action and possible Transition
Action
state transition to state
A B C D E
And a segment with
If the
these fields is received and go to
software The meaning is then perform this action
this state
state is
FIR FIN ASN
0 X X Not a first segment Discard segment. Idle 1
Clear the ASDU buffer,
place segment’s Information
Entire ASDU fits within the
1 1 X Object data into the ASDU Idle 2
segment
buffer and pass ASDU buffer
Idle
to application layer.
Clear the ASDU buffer and
place segment’s Information
1 0 X First of multiple segments Assembly 3
Object data into the ASDU
buffer.
IF segment is octet-for-
0 X SAME octet identical to previous, Discard segment. Assembly 4
it is a duplicate
IF segment is NOT octet-
Discard segment and the
for-octet identical to
0 X SAME entire, in-progress segment- Idle 5
previous, it may be from
series.
another series
Expected segment Append segment’s
0 0 +1 received, more segments Information Object data to Assembly 6
are expected contents of ASDU buffer.
Append segment’s
Information Object data to
Expected segment
0 1 +1 contents of ASDU buffer and Idle 7
received, final segment
pass ASDU buffer to
Assembly
application layer.
Discard segment and the
+M
0 X ASN is out of order entire, in-progress segment- Idle 8
1 < M < 64
series.
Clear contents of ASDU
buffer and place segment’s
1 0 X First of multiple segments Assembly 9
Information Object data into
the ASDU buffer.
Clear contents of ASDU
buffer, place segment’s
Entire ASDU fits within the Information Object data into
1 1 X Idle 10
segment. the ASDU buffer and pass
ASDU buffer to Application
Layer.
IF segment is not the first
of multiple segments and Discard segment and the
0 X X the Type ID, VSQ, CASDU, entire, in-progress segment- Idle 11
or COT does not match series.
the first segment
TS 60870-5-7 © IEC:2013(E) – 15 –
Figure 3 illustrates the same state machine described in Table 4. If the two differ, Table 4
shall be considered correct.
FIR=0,
FIN=X,
SEQ=X
Discard segment
Idle
State
FIR=1,
FIN=1,
SEQ=X
FIR=1,
FIN=0,
SEQ=X
Clear contents
of ASDU buffer
Pass ASDU buffer Clear contents
to application layer of ASDU buffer
Discard segment &
Place segment’s
entire series
data into ASDU
buffer
Place segment’s
Append segment to
FIR=0,
data into ASDU
ASDU buffer
FIN=X,
buffer
SEQ=SAME
Segment not
Pass ASDU buffer
identical to
to application layer
preceding OR
FIR=1,
Initial fields
FIN=0,
FIR=0,
do not match
SEQ=X
FIN=X,
first segment
SEQ=+M,
FIR=0,
1
FIN=1,
FIN=1,
SEQ=+1
SEQ=X
Assembly
State
Append segment to
ASDU buffer
FIR=0,
Discard segment FIN=0,
Segment octet
SEQ=+1
for octet
identical to
preceding
Figure 3 – Illustration of ASDU segment reception state machine
– 16 – TS 60870-5-7 © IEC:2013(E)
7.3 Application Service Data Units
7.3.1 TYPE IDENT 81: S_CH_NA_1
Authentication challenge
The structure of this ASDU is defined in Figure 4.
Single information object (SQ=0)
TYPE IDENTIFICATION
0 1 0 1 0 0 0 1
DATA UNIT
VARIABLE STRUCTURE QUALIFIER
0 0 0 0 0 0 0 1
IDENTIFIER
Defined in 7.1 of
Defined in 7.2.3 of IEC 60870-5-
CAUSE OF TRANSMISSION
IEC 60870-5-
101:2003
101:2003
Defined in 7.2.4 of IEC 60870-5-
COMMON ADDRESS OF ASDU
101:2003
ASDU Segmentation Control, defined in
FIN FIR ASN
7.2.5
Value
CSQ = Challenge sequence number,
Value
defined in 7.2.2.2 of IEC/TS 62351-
5:2013
Value
Value
USR = User Number, defined in 7.2.2.3 of
Value
IEC/TS 62351-5:2013
Value
INFORMATION
MAL = MAC algorithm, defined in 7.2.2.4 of
OBJECT
Enumerated value
IEC/TS 62351-5:2013
RSC = Reason for challenge, defined in
Enumerated value
7.2.2.5 of IEC/TS 62351-5:2013
CLN = Challenge data length, defined in
Value
7.2.2.6 of IEC/TS 62351-5:2013
Value
Number of octets specified in CLN Pseudo-random challenge data, defined in
7.2.27 of IEC/TS 62351-5:2013
Figure 4 – ASDU: S_CH_NA_1 Authentication challenge
S_CH_NA_1:= CP{Data unit identifier, CSQ, USR, HAL, RSC, CLN, Challenge Data }
CAUSES OF TRANSMISSION used with
TYPE IDENT 81:= S_CH_NA_1
CAUSE OF TRANSMISSION
In control direction:
<14>:= authentication
In monitor direction:
<14>:= authentication
<44>:= unknown type identification
<45>:= unknown cause of transmission
<46>:= unknown common address of ASDU
TS 60870-5-7 © IEC:2013(E) – 17 –
7.3.2 TYPE IDENT 82: S_RP_NA_1
Authentication Reply
The structure of this ASDU is defined in Figure 5. In the calculation of the MAC value, the
following rules apply:
a) The MAC value shall be calculated over the entire S_CH ASDU 81, not just the
Information Object contained within that ASDU.
b) No lower-layer addressing information shall be included in the MAC calculation.
Single information object (SQ=0)
TYPE IDENTIFICATION
0 1 0 1 0 0 1 0
DATA UNIT
VARIABLE STRUCTURE QUALIFIER
0 0 0 0 0 0 0 1
IDENTIFIER
Defined in 7.1 of
Defined in 7.2.3 of IEC 60870-5-
CAUSE OF TRANSMISSION
IEC 60870-5-
101:2003
101:2003
Defined in 7.2.4 of IEC 60870-5-
COMMON ADDRESS OF ASDU
101:2003
ASDU Segmentation Control, defined in
FIN FIR ASN
7.2.5
Value
CSQ = Challenge sequence number,
Value
defined in 7.2.3.2 of IEC/TS 62351-
5:2013
Value
Value
USR = User Number, defined in 7.2.3.3 of INFORMATION
Value
IEC/TS 62351-5:2013
OBJECT
Value
HLN = MAC length, defined in 7.2.3.4 of
Value
IEC/TS 62351-5:2013
Value
Number of octets specified in HLN MAC value, defined in 7.2.3.5 of
IEC/TS 62351-5:2013 and including the
clarifying rules noted in this clause.
Figure 5 – ASDU: S_RP_NA_1 Authentication Reply
S_RP_NA_1:= CP{Data unit identifier, CSQ, USR, HLN, MAC Value }
CAUSES OF TRANSMISSION used with
TYPE IDENT 82:= S_RP_NA_1
CAUSE OF TRANSMISSION
In control direction:
<14>:= authentication
In monitor direction:
<14>:= authentication
<44>:= unknown type identification
<45>:= unknown cause of transmission
<46>:= unknown common add
...
IEC/TS 60870-5-7 ®
Edition 1.0 2013-07
TECHNICAL
SPECIFICATION
colour
inside
Telecontrol equipment and systems –
Part 5-7: Transmission protocols – Security extensions to IEC 60870-5-101 and
IEC 60870-5-104 protocols (applying IEC 62351)
IEC/TS 60870-5-7:2013(E)
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.
IEC Central Office Tel.: +41 22 919 02 11
3, rue de Varembé Fax: +41 22 919 03 00
CH-1211 Geneva 20 info@iec.ch
Switzerland www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.
About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.
Useful links:
IEC publications search - www.iec.ch/searchpub Electropedia - www.electropedia.org
The advanced search enables you to find IEC publications The world's leading online dictionary of electronic and
by a variety of criteria (reference number, text, technical electrical terms containing more than 30 000 terms and
committee,…). definitions in English and French, with equivalent terms in
It also gives information on projects, replaced and additional languages. Also known as the International
withdrawn publications. Electrotechnical Vocabulary (IEV) on-line.
IEC Just Published - webstore.iec.ch/justpublished Customer Service Centre - webstore.iec.ch/csc
Stay up to date on all new IEC publications. Just Published If you wish to give us your feedback on this publication
details all new publications released. Available on-line and or need further assistance, please contact the
also once a month by email. Customer Service Centre: csc@iec.ch.
IEC/TS 60870-5-7 ®
Edition 1.0 2013-07
TECHNICAL
SPECIFICATION
colour
inside
Telecontrol equipment and systems –
Part 5-7: Transmission protocols – Security extensions to IEC 60870-5-101 and
IEC 60870-5-104 protocols (applying IEC 62351)
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
PRICE CODE
X
ICS 33.200 ISBN 978-2-8322-0919-6
– 2 – TS 60870-5-7 © IEC:2013(E)
CONTENTS
FOREWORD . 5
1 Scope . 7
2 Normative references . 7
3 Terms, definitions and abbreviations . 8
3.1 Terms and definitions . 8
3.2 Abbreviated terms . 9
4 Selected options . 9
4.1 Overview of clause . 9
4.2 MAC algorithms . 9
4.3 Encryption algorithms . 9
4.4 Maximum error count . 9
4.5 Use of aggressive mode . 9
5 Operations considered critical . 9
6 Addressing information . 10
7 Implementation of messages . 10
7.1 Overview of clause . 10
7.2 Data definitions . 10
7.2.1 Causes of transmission . 10
7.2.2 Type identifiers . 10
7.2.3 Security statistics . 11
7.2.4 Variable length data . 11
7.2.5 Information object address . 12
7.2.6 Transmitting extended ASDUs using segmentation . 12
7.3 Application Service Data Units . 16
7.3.1 TYPE IDENT 81: S_CH_NA_1 Authentication challenge . 16
7.3.2 TYPE IDENT 82: S_RP_NA_1 Authentication Reply . 17
7.3.3 TYPE IDENT 83: S_AR_NA_1 Aggressive mode authentication
request . 18
7.3.4 TYPE IDENT 84: S_KR_NA_1 Session key status request. 19
7.3.5 TYPE IDENT 85: S_KS_NA_1 Session key status . 20
7.3.6 TYPE IDENT 86: S_KC_NA_1 Session key change . 21
7.3.7 TYPE IDENT 87: S_ER_NA_1 Authentication error . 22
7.3.8 TYPE IDENT 88: S_UC_NA_1 User certificate . 23
7.3.9 TYPE IDENT 90: S_US_NA_1 User status change . 24
7.3.10 TYPE IDENT 91: S_UQ_NA_1 Update key change request . 25
7.3.11 TYPE IDENT 92: S_UR_NA_1 Update key change reply . 26
7.3.12 TYPE IDENT 93: S_UK_NA_1 Update key change − symmetric . 27
7.3.13 TYPE IDENT 94: S_UA_NA_1 Update key change − asymmetric . 28
7.3.14 TYPE IDENT 95: S_UC_NA_1 Update key change confirmation . 29
7.3.15 TYPE IDENT 41: S_IT_TC_1 Integrated totals containing time-
tagged security statistics . 30
8 Implementation of procedures. 31
8.1 Overview of clause . 31
8.2 Initialization of aggressive mode. 31
8.3 Refreshing challenge data . 34
8.4 Co-existence with non-secure implementations . 34
TS 60870-5-7 © IEC:2013(E) – 3 –
9 Implementation of IEC/TS 62351-3 using IEC 60870-5-104 . 34
9.1 Overview of clause . 34
9.2 Deprecation of non-encrypting cipher suites . 34
9.3 Mandatory cipher suite . 34
9.4 Recommended cipher suites . 34
9.5 Negotiation of versions . 35
9.6 Cipher renegotiation . 35
9.7 Message authentication code . 35
9.8 Certificate support . 35
9.8.1 Overview of clause . 35
9.8.2 Multiple Certificate Authorities (CAs) . 36
9.8.3 Certificate size . 36
9.8.4 Certificate exchange . 36
9.8.5 Certificate comparison . 36
9.9 Co-existence with non-secure protocol traffic . 37
9.10 Use with redundant channels . 37
10 Protocol Implementation Conformance Statement. 38
10.1 Overview of clause . 38
10.2 Required algorithms . 38
10.3 MAC algorithms . 38
10.4 Key wrap algorithms . 38
10.5 Use of error messages . 38
10.6 Update key change methods . 38
10.7 User status change . 39
10.8 Configurable parameters . 39
10.9 Configurable statistic thresholds and statistic information object addresses . 40
10.10 Critical functions . 40
Bibliography . 44
Figure 1 – ASDU segmentation control . 12
Figure 2 – Segmenting extended ASDUs . 12
Figure 3 – Illustration of ASDU segment reception state machine . 15
Figure 4 – ASDU: S_CH_NA_1 Authentication challenge . 16
Figure 5 – ASDU: S_RP_NA_1 Authentication Reply . 17
Figure 6 – ASDU: S_AR_NA_1 Aggressive Mode Authentication Request . 18
Figure 7 – ASDU: S_KR_NA_1 Session key status request . 19
Figure 8 – ASDU: S_KS_NA_1 Session key status . 20
Figure 9 – ASDU: S_KC_NA_1 Session key change . 21
Figure 10 – ASDU: S_ER_NA_1 Authentication error . 22
Figure 11 – ASDU: S_UC_NA_1 User certificate . 23
Figure 12 – ASDU: S_US_NA_1 User status change . 24
Figure 13 – ASDU: S_UQ_NA_1 Update key change request . 25
Figure 14 – ASDU: S_UR_NA_1 Update key change reply . 26
Figure 15 – ASDU: S_UK_NA_1 Update key change – symmetric . 27
Figure 16 – ASDU: S_UA_NA_1 Update key change – asymmetric . 28
Figure 17 – ASDU: S_UC_NA_1 Update key change confirmation . 29
– 4 – TS 60870-5-7 © IEC:2013(E)
Figure 18 – ASDU: S_IT_TC_1 Integrated totals containing time-tagged security
statistics . 30
Figure 19 – Example of successful initialization of challenge data . 33
Table 1 – Additional cause of transmission . 10
Table 2 – Additional type identifiers . 10
Table 3 – Maximum lengths of variable length data . 11
Table 4 – ASDU segment reception state machine . 14
Table 5 – Recommended cipher suite combinations . 35
TS 60870-5-7 © IEC:2013(E) – 5 –
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
TELECONTROL EQUIPMENT AND SYSTEMS –
Part 5-7: Transmission protocols – Security extensions to
IEC 60870-5-101 and IEC 60870-5-104 protocols
(applying IEC 62351)
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
The main task of IEC technical committees is to prepare International Standards. In
exceptional circumstances, a technical committee may propose the publication of a technical
specification when
• the required support cannot be obtained for the publication of an International Standard,
despite repeated efforts, or
• the subject is still under technical development or where, for any other reason, there is the
future but no immediate possibility of an agreement on an International Standard.
Technical specifications are subject to review within three years of publication to decide
whether they can be transformed into International Standards.
IEC 60870-5-7, which is a technical specification, has been prepared by IEC technical
committee 57: Power systems management and associated information exchange.
– 6 – TS 60870-5-7 © IEC:2013(E)
The text of this technical specification is based on the following documents:
Enquiry draft Report on voting
57/1308/DTS 57/1339/RVC
Full information on the voting for the approval of this technical specification can be found in
the report on voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
In this publication the following print types are used:
Clause 10: Direct quotations from IEC/TS 62351-3:2007: in italic type.
A list of all the parts in the IEC 60870 series, published under the general title Telecontrol
equipment and systems, can be found on the IEC website.
The committee has decided that the contents of this publication will remain unchanged until
the stability date indicated on the IEC web site under "http://webstore.iec.ch" in the data
related to the specific publication. At this date, the publication will be
• transformed into an International Standard,
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
A bilingual version of this publication may be issued at a later date.
IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct
understanding of its contents. Users should therefore print this document using a
colour printer.
TS 60870-5-7 © IEC:2013(E) – 7 –
TELECONTROL EQUIPMENT AND SYSTEMS –
Part 5-7: Transmission protocols – Security extensions to
IEC 60870-5-101 and IEC 60870-5-104 protocols
(applying IEC 62351)
1 Scope
This part of IEC 60870 describes messages and data formats for implementing IEC/TS 62351-
5 for secure authentication as an extension to IEC 60870-5-101 and IEC 60870-5-104.
The purpose of this base standard is to permit the receiver of any IEC 60870-5-101/104
Application Protocol Data Unit (APDU) to verify that the APDU was transmitted by an
authorized user and that the APDU was not modified in transit. It provides methods to
authenticate not only the device which originated the APDU but also the individual human
user if that capability is supported by the rest of the telecontrol system.
This specification is also intended to be used, together with the definitions of IEC/TS 62351-3,
in conjunction with the IEC 60870-5-104 companion standard.
The state machines, message sequences, and procedures for exchanging these messages
are defined in the IEC/TS 62351-5 specification. This base standard describes only the
message formats, selected options, critical operations, addressing considerations and other
adaptations required to implement IEC/TS 62351 in the IEC 60870-5-101 and 104 protocols.
The scope of this specification does not include security for IEC 60870-5-102 or
IEC 60870-5-103. IEC 60870-5-102 is in limited use only and will therefore not be addressed.
Users of IEC 60870-5-103 desiring a secure solution should implement IEC 61850 using the
security measures from in IEC/TS 62351 referenced in IEC 61850.
Management of keys, certificates or other cryptographic credentials within devices or on
communication links other than IEC 60870-5-101/104 is out of the scope of this specification
and may be addressed by other IEC/TS 62351 specifications in the future.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and
are indispensable for its application. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any
amendments) applies.
IEC 60870-5-101:2003, Telecontrol equipment and systems – Part 5-101:Transmission
protocols – Companion standard for basic telecontrol tasks
IEC 60870-5-104:2006, Telecontrol equipment and systems – Part 5-104:Transmission
protocols – Network access for IEC 60870-5-101 – Using standard transport profiles
IEC/TS 62351-3:2007, Power systems management and associated information exchange –
Data and communications security – Part 3: Communication network and system security –
Profiles including TCP/IP
IEC/TS 62351-5:2013, Power systems management and associated information exchange –
Data and communications security – Part 5: Security for IEC 60870-5 and derivatives
– 8 – TS 60870-5-7 © IEC:2013(E)
IEC/TS 62351-8, Power systems management and associated information exchange – Data
and communications security – Part 8: Role-based access control
3 Terms, definitions and abbreviations
3.1 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
NOTE Terms 3.1.1 to 3.1. 7 are included here because they are specific to the IEC 60870-5 standards and may
be useful for reading this specification as an independent document. Terms 3.1.8 to 3.1.9 are included here
because they are specific to IEC/TS 62351-5.
3.1.1
Application Protocol Data Unit
complete application layer message transmitted by a station
3.1.2
Application Service Data Unit
application layer message submitted to lower layers for transmission
3.1.3
Controlling Station
device or application that initiates most of the communications and issues commands
Note 1 to entry: Commonly called a “master” in some protocol specifications.
3.1.4
Controlled Station
remote device that transmits data gathered in the field to the controlling station
Note 1 to entry: Commonly called the “outstation” or “slave” in some protocols.
3.1.5
Control Direction
data transmitted by the controlling station to the controlled station(s)
3.1.6
Message Authentication Code
calculated value used by a receiving station to authenticate and check the integrity of an
Application Protocol Data Unit
3.1.7
Monitoring Direction
data transmitted by the controlled station to the controlling stations
3.1.8
Challenger
station that issues authentication challenges. May be either a controlled or controlling station.
3.1.9
Responder
station that responds or reacts to authentication challenges. May be either a controlled or
controlling station.
TS 60870-5-7 © IEC:2013(E) – 9 –
3.2 Abbreviated terms
Refer to IEC/TS 62351-2 for a list of applicable abbreviated terms. Terms 3.2.1 to 3.2.3 are
included here because they are specifically used in the affected protocols and used in the
discussion of this authentication mechanism.
3.2.1
ASDU
Application Service Data Unit
3.2.2
APDU
Application Protocol Data Unit
3.2.3
MAC
Message Authentication Code
4 Selected options
4.1 Overview of clause
This clause describes which of the options specified in IEC/TS 62351-5 shall be implemented
in IEC 60870-5-101 and IEC 60870-5-104.
4.2 MAC algorithms
IEC 60870-5 stations shall implement all the mandatory MAC algorithms listed in
IEC/TS 62351-5, and may implement any of the optional MAC algorithms listed there.
4.3 Encryption algorithms
IEC 60870-5 stations shall implement all the mandatory encryption algorithms listed in
IEC/TS 62351-5, and may implement any of the optional encryption algorithms listed there.
4.4 Maximum error count
IEC 60870-5 stations may implement a maximum error count in the range specified in
IEC/TS 62351-5.
4.5 Use of aggressive mode
IEC 60870-5 stations shall implement IEC/TS 62351-5 aggressive mode. Aggressive mode
shall be the normal method of authentication for stations implementing this specification.
However, IEC 60870-5 stations shall also permit it to be configured as disabled. A station
with aggressive mode disabled shall not transmit any S_AR_NA_1 Aggressive Mode Request
ASDUs and shall reply to any such ASDUs with S_ER_NA_1 Authentication Error ASDUs,
subject to the limitations on Error messages described in IEC/TS 62351-5.
Regardless of whether aggressive mode is disabled, IEC 60870-5 stations shall initialize the
challenge data in both directions when establishing communications, as described in 8.2.
5 Operations considered critical
IEC 60870-5-101 and IEC 60870-5-104 ASDUs identified as “M” (for “Mandatory”) in the “M/O”
(“Mandatory or Optional”) column in 10.10 shall be considered critical operations. Stations
complying with this standard shall require the sender to authenticate those ASDUs. Any
station may optionally require authentication of any other ASDUs.
– 10 – TS 60870-5-7 © IEC:2013(E)
Devices complying with this standard shall provide information along with the Interoperability
Tables identifying which ASDUs the device/station considers critical, requiring authentication.
Refer to 10.10. If an ASDU is identified as critical, the ACT or DEACT cause of transmission
is shall be considered mandatory critical, but not ACTCON or ACT_TERM.
IEC/TS 62351-5 states that any device may arbitrarily decide that an ASDU is critical and can
therefore initiate a challenge for any reason. However, IEC 60870-5 shall not enforce this
rule. ASDUs that are considered critical at any time by an IEC 60870-5 station shall always
be considered critical by that station unless the station is reconfigured.
Any ASDUs capable of changing security configuration parameters, now or in the future, shall
be considered critical.
6 Addressing information
Each IEC 60870-5-101 station shall include in its MAC calculations the destination station
address from the IEC 60870-5 data link layer in the “Addressing Information” portion of the
calculation. The octets of the address when included in the calculation shall be as transmitted.
7 Implementation of messages
7.1 Overview of clause
This clause describes how the secure authentication messages described in IEC/TS 62351-5
are implemented in IEC 60870-5-101 and IEC 60870-5-104.
7.2 Data definitions
7.2.1 Causes of transmission
Stations implementing secure authentication shall use the causes of transmission listed in
Table 1 in addition to those described in 7.2.3 of IEC 60870-5-101:2003.
Table 1 – Additional cause of transmission
Cause := UI6[1.6]<14.16>
<14> := authentication
<15> := maintenance of authentication session key
<16> := maintenance of user role and update key
7.2.2 Type identifiers
Stations implementing secure authentication shall use the Type Identifications listed in Table
2 in addition to those described in 7.2.1 of IEC 60870-5-101:2003 and Clause 6 of
IEC 60870-5-104:2006. This range of Type Identifications was previously allocated for
system information in the monitor direction. The ASDUs identified by these types may be
transmitted in either the control or monitor direction.
Table 2 – Additional type identifiers
TYPE IDENTIFICATION := UI8[1.8]<81.87>
<41> := integrated totals containing time tagged
security statistics S_IT_TC_1
<81> := authentication challenge S_CH_NA_1
<82> := authentication reply S_RP_NA_1
<83> := aggressive mode authentication request S_AR_NA_1
<84> := session key status request S_KR_NA_1
TS 60870-5-7 © IEC:2013(E) – 11 –
<85> := session key status S_KS_NA_1
<86> := session key change S_KC_NA_1
<87> := authentication error S_ER_NA_1
<90> := user status change S_US_NA_1
<91> := update key change request S_UQ_NA_1
<92> := update key change reply S_UR_NA_1
<93> := update key change symmetric S_UK_NA_1
<94> := update key change asymmetric S_UA_NA_1
<95> := update key change confirmation S_UC_NA_1
7.2.3 Security statistics
Stations implementing secure authentication shall use the ASDU Type 41: Integrated totals
containing time-tagged security statistics to report the values of the security statistics
described in 7.3.2 of IEC/TS 62351-5:2013. This ASDU type is defined in 7.3.15. The
Information Object Address of each security statistic shall be recorded in the Protocol
Implementation Conformance Statement for each station as described in 10.9.
The procedures used by the outstation to report the security statistics shall be the same as for
the existing integrated totals, as described in 7.4.8 of IEC 60870-5-101:2003, particularly
including the ability for these totals to be reported using spontaneous transmission.
All security statistics shall be placed reported in a single integrated totals group.
7.2.4 Variable length data
IEC/TS 62351-5 allocates two octets in each message for the length field of variable length
data, permitting the variable length data to be up to 62 335 octets long. In all cases, this is
much larger than necessary. To conserve buffer space and reduce the probability of buffer
overflow attacks, the maximum value of these length fields shall be limited as defined in
Table 3.
Table 3 – Maximum lengths of variable length data
Abbrev. Name Subclause in Message name Maximum length
IEC 60870-5- for IEC/TS
7:2013 60870-5-7 (octets)
CLN 7.3.1 Challenge
Challenge data length 7.3.4 Key Status 64
7.3.11 Update Key Change Reply
HLN MAC length 7.3.2 Reply 64
WKL Wrapped key data length 7.3.6 Session Key Change 1 024
ELN Error length 7.3.7 Error 128
UNL 7.3.9 User Status Change
User name length 256
7.3.10 Update Key Change Request
UKL User public key length 7.3.9 User Status Change 6 144
CDL
7.3.8 User Certificate 8 192
Certification Data Length
7.3.9 User Status Change 1 024
CCL Controlling station
7.3.10 Update Key Change Request 64
challenge data length
EUL
7.3.12 Update Key Change – sym
Encrypted update key
8 192
length
7.3.13 Update Key Change − asym
– 12 – TS 60870-5-7 © IEC:2013(E)
7.2.5 Information object address
The Information Object Address (IOA) does not apply to the ASDUs described in
IEC/TS 60870-5-7 and is not included in these ASDUs. It is replaced by the ASDU
Segmentation Control octet specified in 7.2.6.
7.2.6 Transmitting extended ASDUs using segmentation
Several of the messages defined in IEC/TS 62351-5 are longer than the maximum length of
an IEC 60870-5 data link or APCI frame. Figure 1 defines a field that shall be used to control
reassembly when an IEC 60870-5-7 ASDU is transmitted in a series of several segments such
that each segment will fit in a data link or APCI frame.
Bit 8 7 6 5 4 3 2 1
ASDU
5 0
FIN FIR 2 ASN 2 SEGMENTATION
CONTROL
ASDU SEGMENTATION CONTROL:= CP8{FIN, FIR, ASN}
ASN := UI6[1.6]<0.63>
FIR := BS[7]<0.1>
<0> := This is not the first segment of an ASDU
<1> := This is the first segment of an ASDU
FIN := BS[8]<0.1>
<0> := This is not the final segment of an ASDU
<1> := This is the final segment of an ASDU
Figure 1 – ASDU segmentation control
If an ASDU is too long to fit in a lower-level data link or APCI frame, the excess application
layer data shall be divided into segments as illustrated in Figure 2. The Data Unit Identifier
fields of the ASDU(Type Id, VSQ, COT, CASDU, and ASDU SEGMENTATION CONTROL)
shall be prepended to each segment so the receiving station can recognize the type, address
and disposition of each segment. The station shall transmit the segments in sequence as if
they were separate ASDUs, but without any data of a different Type ID interspersed.
Max Frame Length
Original ASDU: DUI ASC IOs
DUI ASC IOs
First Segment:
FIN=0 FIR=1
DUI ASC IOs
Second Segment:
FIN=0 FIR=0
DUI ASC IOs
Third Segment:
FIN=1 FIR=0
DUI = DATA UNIT IDENTIFIER (all the same)
IOs = INFORMATION OBJECTS
ASC = ASDU SEGMENTATION CONTROL
Figure 2 – Segmenting extended ASDUs
TS 60870-5-7 © IEC:2013(E) – 13 –
The ASN (ASDU Segment Sequence Number) shall be used to verify that segments are
received in the correct order and shall help detect duplicated or missing segments. The ASN
shall increment by one, modulo 64. After sequence number 63, the next sequence number
value shall be 0.
The following rules shall apply when segmenting ASDUs:
1) A segment series shall begin with a segment having the FIR bit set.
2) A segment series shall end with a segment having the FIN bit set.
3) When no segment series is in progress, the receiving station shall discard any segment
received without the FIR bit set.
4) A segment with the FIR bit set may have any sequence number from 0 to 63 without
regard to prior history.
5) After a segment series has been started:
a) Each subsequent segment shall have an ASN that is incremented by one (modulo 64)
from the preceding segment. A received segment that meets this requirement shall
become the next member of the segment series. The station shall treat all the data
following the ASDU SEGMENTATION CONTROL field as if it was appended to the end
of the previous data in the series.
b) If a station receives a segment having the FIR bit set, it shall discard the entire, in-
progress segment series and start a new segment series with the newly received
segment as its first member.
c) If a station receives a segment that is octet-for-octet identical to the preceding
segment it shall discard the segment.
d) If a station receives a segment having the FIR bit cleared and a sequence number
other than the expected incremental number, that is not octet-for-octet identical to the
preceding segment, the station shall discard the segment and the entire in-progress
segment series and terminate the series.
6) A segment series may consist of a single segment having both FIR and FIN bits set.
7) When a receiving station receives a segment with the FIN bit set and therefore assembles
a complete segment series, only then may the station evaluate the complete ASDU.
8) If a station receives a segment in which the Type ID, VSQ, CASDU, or COT does not
match that of the first ASDU in the sequence, the station shall discard the segment and
the entire series.
It is recommended that transmitting stations make each segment as large as possible for
maximum efficiency of transmission. However, this is not a requirement and receiving stations
shall accept varying segment lengths within the same series.
The state machine described in Table 4 defines how the station shall reassemble ASDUs from
segments. This state machine assumes the reception software uses an ASDU buffer in which
application data from the received segments are temporarily stored before presenting the
completed ASDU to the application layer process.
There are two states:
• Idle state: The station is idle waiting for a segment to arrive with the FIR bit set.
• Assembly state: The ASDU buffer holds application data from at least one segment.
While in this state, the station is awaiting additional segments to complete the ASDU.
The terminology used in Table 4 is defined as follows:
• X means “don’t care”
• SAME means the ASN is identical to the ASN in the segment immediately preceding this
segment
– 14 – TS 60870-5-7 © IEC:2013(E)
• +1 means the ASN is incremented by one count, modulo 64, from the sequence number in
the segment immediately preceding this segment
• +M, 1 < M < 64 means the sequence number is incremented by more than one count and
fewer than 64 counts from the sequence number in the segment immediately preceding
this segment
Table 4 – ASDU segment reception state machine
Current Event that triggers an action and possible Transition
Action
state transition to state
A B C D E
And a segment with
If the
these fields is received and go to
software The meaning is then perform this action
this state
state is
FIR FIN ASN
0 X X Not a first segment Discard segment. Idle 1
Clear the ASDU buffer,
place segment’s Information
Entire ASDU fits within the
1 1 X Object data into the ASDU Idle 2
segment
buffer and pass ASDU buffer
Idle
to application layer.
Clear the ASDU buffer and
place segment’s Information
1 0 X First of multiple segments Assembly 3
Object data into the ASDU
buffer.
IF segment is octet-for-
0 X SAME octet identical to previous, Discard segment. Assembly 4
it is a duplicate
IF segment is NOT octet-
Discard segment and the
for-octet identical to
0 X SAME entire, in-progress segment- Idle 5
previous, it may be from
series.
another series
Expected segment Append segment’s
0 0 +1 received, more segments Information Object data to Assembly 6
are expected contents of ASDU buffer.
Append segment’s
Information Object data to
Expected segment
0 1 +1 contents of ASDU buffer and Idle 7
received, final segment
pass ASDU buffer to
Assembly
application layer.
Discard segment and the
+M
0 X ASN is out of order entire, in-progress segment- Idle 8
1 < M < 64
series.
Clear contents of ASDU
buffer and place segment’s
1 0 X First of multiple segments Assembly 9
Information Object data into
the ASDU buffer.
Clear contents of ASDU
buffer, place segment’s
Entire ASDU fits within the Information Object data into
1 1 X Idle 10
segment. the ASDU buffer and pass
ASDU buffer to Application
Layer.
IF segment is not the first
of multiple segments and Discard segment and the
0 X X the Type ID, VSQ, CASDU, entire, in-progress segment- Idle 11
or COT does not match series.
the first segment
TS 60870-5-7 © IEC:2013(E) – 15 –
Figure 3 illustrates the same state machine described in Table 4. If the two differ, Table 4
shall be considered correct.
FIR=0,
FIN=X,
SEQ=X
Discard segment
Idle
State
FIR=1,
FIN=1,
SEQ=X
FIR=1,
FIN=0,
SEQ=X
Clear contents
of ASDU buffer
Pass ASDU buffer Clear contents
to application layer of ASDU buffer
Discard segment &
Place segment’s
entire series
data into ASDU
buffer
Place segment’s
Append segment to
FIR=0,
data into ASDU
ASDU buffer
FIN=X,
buffer
SEQ=SAME
Segment not
Pass ASDU buffer
identical to
to application layer
preceding OR
FIR=1,
Initial fields
FIN=0,
FIR=0,
do not match
SEQ=X
FIN=X,
first segment
SEQ=+M,
FIR=0,
1
FIN=1,
FIN=1,
SEQ=+1
SEQ=X
Assembly
State
Append segment to
ASDU buffer
FIR=0,
Discard segment FIN=0,
Segment octet
SEQ=+1
for octet
identical to
preceding
Figure 3 – Illustration of ASDU segment reception state machine
– 16 – TS 60870-5-7 © IEC:2013(E)
7.3 Application Service Data Units
7.3.1 TYPE IDENT 81: S_CH_NA_1
Authentication challenge
The structure of this ASDU is defined in Figure 4.
Single information object (SQ=0)
TYPE IDENTIFICATION
0 1 0 1 0 0 0 1
DATA UNIT
VARIABLE STRUCTURE QUALIFIER
0 0 0 0 0 0 0 1
IDENTIFIER
Defined in 7.1 of
Defined in 7.2.3 of IEC 60870-5-
CAUSE OF TRANSMISSION
IEC 60870-5-
101:2003
101:2003
Defined in 7.2.4 of IEC 60870-5-
COMMON ADDRESS OF ASDU
101:2003
ASDU Segmentation Control, defined in
FIN FIR ASN
7.2.5
Value
CSQ = Challenge sequence number,
Value
defined in 7.2.2.2 of IEC/TS 62351-
5:2013
Value
Value
USR = User Number, defined in 7.2.2.3 of
Value
IEC/TS 62351-5:2013
Value
INFORMATION
MAL = MAC algorithm, defined in 7.2.2.4 of
OBJECT
Enumerated value
IEC/TS 62351-5:2013
RSC = Reason for challenge, defined in
Enumerated value
7.2.2.5 of IEC/TS 62351-5:2013
CLN = Challenge data length, defined in
Value
7.2.2.6 of IEC/TS 62351-5:2013
Value
Number of octets specified in CLN Pseudo-random challenge data, defined in
7.2.27 of IEC/TS 62351-5:2013
Figure 4 – ASDU: S_CH_NA_1 Authentication challenge
S_CH_NA_1:= CP{Data unit identifier, CSQ, USR, HAL, RSC, CLN, Challenge Data }
CAUSES OF TRANSMISSION used with
TYPE IDENT 81:= S_CH_NA_1
CAUSE OF TRANSMISSION
In control direction:
<14>:= authentication
In monitor direction:
<14>:= authentication
<44>:= unknown type identification
<45>:= unknown cause of transmission
<46>:= unknown common address of ASDU
TS 60870-5-7 © IEC:2013(E) – 17 –
7.3.2 TYPE IDENT 82: S_RP_NA_1
Authentication Reply
The structure of this ASDU is defined in Figure 5. In the calculation of the MAC value, the
following rules apply:
a) The MAC value shall be calculated over the entire S_CH ASDU 81, not just the
Information Object contained within that ASDU.
b) No lower-layer addressing information shall be included in the MAC calculation.
Single information object (SQ=0)
TYPE IDENTIFICATION
0 1 0 1 0 0 1 0
DATA UNIT
VARIABLE STRUCTURE QUALIFIER
0 0 0 0 0 0 0 1
IDENTIFIER
Defined in 7.1 of
Defined in 7.2.3 of IEC 60870-5-
CAUSE OF TRANSMISSION
IEC 60870-5-
101:2003
101:2003
Defined in 7.2.4 of IEC 60870-5-
COMMON ADDRESS OF ASDU
101:2003
ASDU Segmentation Control, defined in
FIN FIR ASN
7.2.5
Value
CSQ = Challenge sequence number,
Value
defined in 7.2.3.2 of IEC/TS 62351-
5:2013
Value
Value
USR = User Number, defined in 7.2.3.3 of INFORMATION
Value
IEC/TS 62351-5:2013
OBJECT
Value
HLN = MAC length, defined in 7.2.3.4 of
Value
IEC/TS 62351-5:2013
Value
Number of octets specified in HLN MAC value, defined in 7.2.3.5 of
IEC/TS 62351-5:2013 and including the
clarifying rules noted in this clause.
Figure 5 – ASDU: S_RP_NA_1 Authentication Reply
S_RP_NA_1:= CP{Data unit identifier, CSQ, USR, HLN, MAC Value }
CAUSES OF TRANSMISSION used with
TYPE IDENT 82:= S_RP_NA_1
CAUSE OF TRANSMISSION
In control direction:
<14>:= authentication
In monitor direction:
<14>:= authentication
<44>:= unknown type identification
<45>:= unknown cause of transmission
<46>:= unknown common add
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.
Loading comments...