Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
⚡ IEC 60870 Telecontrol Protocols: From Serial 101 to TCP/IP 104 — SCADA Architecture, Engineering Design, and Cybersecurity
In modern power systems, the data communication channel between control centers and remote substations forms the central nervous system of grid operations. The IEC 60870 family of standards provides the backbone for this mission-critical communication — it is by far the most widely deployed telecontrol protocol suite in the global electric power industry. From China’s State Grid dispatch data network to Europe’s transmission system operators, from fossil-fuel plant DCS integration to distribution automation feeder terminal units (FTUs), IEC 60870 is everywhere. Unlike Modbus or other general-purpose industrial protocols, IEC 60870 is purpose-built for power system telecontrol, featuring a rigorous state machine and a rich vocabulary of data types specifically engineered for electrical grid applications.
📚 Standard Family Overview: IEC 60870 is organized into six major parts — Part 1: General principles and terminology; Part 2: Operating conditions (environmental and EMC); Part 3: Interface electrical characteristics; Part 4: Performance requirements; Part 5: Transmission protocols (the technical core of the entire family); and Part 6: Telecontrol protocols compatible with ISO/ITU-T recommendations (TASE.2/ICCP for inter-control-center communication). The four companion standards most relevant to practicing engineers are: 101 (serial telecontrol), 102 (transmission of integrated totals), 103 (protection equipment communication), and 104 (network access via TCP/IP).
🛠 1. IEC 60870-5 Protocol Architecture: EPA Model and Core Mechanisms
The design philosophy of IEC 60870-5 intentionally diverges from the familiar OSI seven-layer model. It adopts an Enhanced Performance Architecture (EPA) — a streamlined three-layer model retaining only the physical layer, link layer, and application layer, deliberately discarding the network and transport layers. This “lean stack” design is driven by the hard real-time constraints of telecontrol: on a 9600 bps serial channel, every additional layer of encapsulation adds measurable delay. When you are transmitting a circuit breaker trip signal, an extra 20 milliseconds can be the difference between a contained fault and a cascading blackout.
1.1 Physical Layer: From V.24/RS-232 to TCP/IP
The physical layer choices across IEC 60870-5 variants reflect pragmatic engineering evolution. The 101 protocol operates over serial asynchronous communication links based on ITU-T V.24/V.28 (RS-232) or RS-485, with typical data rates of 9600 bps or 19.2 kbps, using dedicated leased lines, power line carrier (PLC), or dial-up modems. The 104 protocol represents a decisive leap into the IP era — it maps the 101 application layer directly onto TCP/IP, using TCP port 2404 by default, achieving a seamless transition from serial to networked communication without redefining the application semantics.
1.2 Link Layer: FT1.2 Frame Format and Transmission Modes
The link layer of IEC 60870-5 employs the FT1.2 (Frame Type 1.2) format — one of the protocol family’s signature design elements. FT1.2 supports three frame lengths: fixed-length frames (for control functions such as acknowledgments and link status requests), variable-length frames (carrying ASDU payloads), and single-control-byte frames. Variable-length frames can carry up to 255 bytes of user data, with transmission integrity ensured by a carefully designed frame envelope: start character 0x68, a repeated length field, end character 0x16, and a checksum.
A critical architectural decision in IEC 60870-5 is the choice between unbalanced and balanced transmission modes. In unbalanced mode, only the master station (control center) is permitted to initiate data transfers — the slave (RTU) must wait to be polled. This is classic master-slave architecture, suitable for star-topology centralized monitoring. In balanced mode, master and slave have equal link-layer access rights; either party may initiate transmission autonomously, dramatically reducing event-reporting latency. Protocol 101 supports both modes, while 102 and 103 only support unbalanced mode.
| Feature | IEC 60870-5-101 | IEC 60870-5-102 | IEC 60870-5-103 | IEC 60870-5-104 |
|---|---|---|---|---|
| Application Domain | General telecontrol: analogs, digitals, commands, setpoints | Transmission of integrated totals (metered energy values) | Protection equipment data exchange | Networked 101: TCP/IP transport for telecontrol |
| Physical/Transport Layer | Serial RS-232/RS-485; leased line, dial-up, PLC | Serial (same physical layer as 101) | Serial RS-232/RS-485 or fiber optic | TCP/IP (default port 2404) |
| Link Layer | FT1.2, balanced or unbalanced mode | FT1.2, unbalanced only | FT1.2, unbalanced only | None (TCP guarantees reliable delivery) |
| Transmission Direction | Bidirectional: monitor + control directions | Predominantly monitor direction (metered data upload) | Predominantly monitor direction (protection event upload) | Bidirectional full-duplex TCP connection |
| Typical Data Types | Single/double-point, measured values, integrated totals, commands, setpoints, step position | Integrated totals, periodic/aperiodic freeze, tariff switching | Protection events, settings, disturbance records, self-check info | Same as 101, plus file transfer and enhanced clock synchronization |
| ASDU Address Width | 1 or 2 bytes (Common Address of ASDU) | 1 or 2 bytes | 1 byte | 2 bytes (Common Address of ASDU) |
| Governing Standard | IEC 60870-5-101:2003 | IEC 60870-5-102:1996 | IEC 60870-5-103:1997 | IEC 60870-5-104:2006 |
⚠️ Understanding the Balanced vs. Unbalanced Mode Nuance: In unbalanced mode, the master station issues periodic link-status requests (PRM=1) and the slave can only respond (PRM=0). In balanced mode, both ends can initiate transmission with PRM=1. A common field pitfall: configuring balanced-mode link timeout parameters (t0, t1, t2, t3) on an RTU that is statically set to unbalanced mode — this mismatch causes the link layer to reset repeatedly and prevents any application-layer data exchange. Always verify the transmission mode at both ends before tuning timer values.
1.3 Application Layer: ASDU and COT — The Language Core of IEC 60870
The application layer design of IEC 60870-5 is its most important technical legacy. Two concepts — ASDU (Application Service Data Unit) and COT (Cause of Transmission) — form the “grammar” and “semantics” of the protocol family.
ASDU structure consists of: Type Identification (Type ID, defining one of over 50 data types including single-point, double-point, measured values, commands, setpoints, and parameters), Variable Structure Qualifier (VSQ, defining the number of information objects and their addressing mode — sequential or single), Cause of Transmission (COT), Common Address of ASDU, and Information Objects. Each information object in turn contains an Information Object Address (IOA), information elements, and optionally a time tag. This rigorously layered structure enables IEC 60870-5 to carry everything from a simple binary status change to a complex protection setting group within a unified framework.
COT (Cause of Transmission) is one of the key differentiators that sets IEC 60870 apart from most industrial protocols. Every message carries a 6-bit COT code that precisely describes why the data is being sent — is it periodic/cyclic (COT=1)? background scan (COT=2)? spontaneous (COT=3)? general interrogation (COT=20)? request or requested (COT=5/6)? This design means the receiver gains not only the measurement value but also its operational context — critical metadata that enables advanced applications such as Sequence of Events (SOE) analysis and post-disturbance review.
✅ Engineering Insight: When troubleshooting interoperability issues between RTUs from different vendors, inconsistent COT usage is one of the most common root causes. For example, one manufacturer may use COT=21 for a station-specific interrogation response, while another uses COT=22. According to IEC 60870-5-101:2003, COT=20 is reserved for general interrogation (GI), COT=21 for group interrogation 1, and COT=22 through 36 for other group interrogations. During the engineering phase, always cross-reference each vendor’s PICS (Protocol Implementation Conformance Statement) to verify the COT mapping table — this is a critical step that can prevent extensive rework during commissioning.
🔎 2. IEC 61850 vs. DNP3: The Three Titans of SCADA Communication
The global power automation landscape features three dominant SCADA communication protocol families — IEC 60870-5 (represented by 101/104), DNP3 (Distributed Network Protocol, IEEE 1815), and IEC 61850 (Communication Networks and Systems in Substations). Understanding the technical positioning and evolutionary trajectory of each is essential knowledge for any power system communications engineer.
2.1 IEC 60870-5 vs. DNP3: Common DNA, Divergent Markets
IEC 60870-5 and DNP3 share deep technical ancestry — DNP3’s foundational frame structure was directly inspired by the FT1.2 format of IEC 60870-5, and both use the ASDU concept. However, their market development paths diverged significantly:
DNP3 was developed by Harris Corporation (later evolved through GE) in the early 1990s, with native IP networking support built in from the start. It dominates the power markets of the United States and Australia. A notable technical advantage of DNP3 is its built-in Secure Authentication (SAv5/SAv6) mechanism, which provides challenge-response authentication at the protocol layer.
IEC 60870-5-101/104 has achieved broader global deployment, particularly across Europe, China, the Middle East, and Asia. The IEC’s normative framework offers stronger inter-vendor compatibility on paper — every manufacturer must provide PICS and PIXIT documentation, creating a more rigorous theoretical basis for multi-vendor interoperability. However, native IEC 60870-5-101/104 has no security mechanisms whatsoever — all telegrams are transmitted in cleartext. This remains its single greatest design limitation (see Section 3).
A concise summary: if DNP3 is “an American standard with built-in security locks,” then IEC 60870-5 is “a European standard that relies on external perimeter walls for protection.”
2.2 IEC 60870-5 vs. IEC 61850: From Signal Lists to Object Models
IEC 61850 represents a fundamentally higher dimension of substation communication. IEC 60870-5-101/104 is essentially a signal-oriented protocol — its design philosophy encodes physical signals (switch position, voltage, current) as individually addressed data points. IEC 61850, by contrast, is an object-oriented modeling framework — it organizes the entire substation’s primary equipment and protection functions into standardized object models (Logical Nodes), communicating through MMS, GOOSE, and Sampled Values (SV) across the station bus, process bus, and bay level.
The relationship between the two is not one of replacement but of belonging to different automation layers: IEC 60870-5-101/104 primarily handles telecontrol communication between substations and control centers; IEC 61850 primarily handles communication between devices within the substation. The most common real-world architecture is: IEC 61850 inside the substation, with the gateway/RTU communicating externally to the control center via IEC 60870-5-101 or 104. This “IEC 61850 internally + IEC 60870-5 externally” hybrid architecture is expected to persist for the next 10 to 15 years.
| Comparison Axis | IEC 60870-5-101 | IEC 60870-5-104 | DNP3 | IEC 61850 |
|---|---|---|---|---|
| Communication Model | Signal-oriented (flat point list) | Signal-oriented | Signal-oriented | Object-oriented (Logical Nodes, hierarchical model) |
| Transport Layer | Serial link (RS-232/RS-485) | TCP/IP (port 2404) | Serial or TCP/IP (port 20000) | TCP/IP + Ethernet (MMS: port 102, GOOSE/SV: L2 multicast) |
| Data Organization | ASDU + Information Object Address (IOA) | ASDU + IOA | Object Group + Variation | LD/LN/DO/DA (Logical Device/Node/Data Object/Data Attribute) |
| Real-time Performance | Seconds range (serial bandwidth limit) | Hundreds of milliseconds | Hundreds of milliseconds | GOOSE < 3 ms, Sampled Values < 10 micro;s |
| Native Security | None (relies on external encryptors/firewalls) | None (relies on TLS/firewalls) | SAv5 Secure Authentication (IEC 62351-5 certified) | None native (relies on external/IEC 62351) |
| Primary Markets | Europe, China, Middle East, Asia | Global (universal) | North America, South America, Australia, South Africa | Global new-build digital substations |
| Typical Deployment | RTU-to-control-center; legacy brownfield sites | Telecontrol gateway-to-dispatch data network | RTU-to-SCADA master; North American distribution automation | Smart substation station/process/bay bus |
📚 Technology Trend to Watch: IEC Technical Committee 57 has been advancing security enhancement standards for 101/104 through IEC 62351-3 and 62351-5, mandating TLS encryption layers atop 104 TCP connections and challenge-response authentication on 101 serial links. However, the vast installed base of legacy RTUs cannot support these enhancements, creating a persistent tension between security requirements and the reality of depreciated field assets — arguably the single greatest operational headache facing today’s grid operators.
🛡 2. SCADA Protocol Cybersecurity: The Achilles’ Heel of IEC 60870-5
IEC 60870-5 was born in the 1990s — an era when grid communications operated over isolated, dedicated leased lines and cybersecurity was hardly a design consideration. When these same protocols entered the wide-area interconnected world of TCP/IP (via 104) on dispatch data networks, three fundamental “birth defects” — the absence of authentication, encryption, and integrity protection — were dramatically amplified.
2.1 Three Fatal Native Deficiencies
- No Authentication: Any device that can reach TCP port 2404 can theoretically impersonate a legitimate control center and issue remote control commands to RTUs. In the 2015 Ukrainian grid cyberattack, adversaries exploited precisely this authentication gap, sending legitimate-protocol-format circuit breaker trip commands across the SCADA network to trigger a mass blackout.
- No Encryption: All telemetry, telesignalization, and telecommand messages — including critical operational parameters of primary substation equipment — are transmitted in cleartext. An attacker deploying a passive packet sniffer at any network node can reconstruct a complete real-time operational picture of the power grid.
- No Integrity Protection (beyond the link checksum): The FT1.2 link-layer checksum can only detect random transmission errors; it provides zero defense against deliberate tampering. An attacker can intercept a legitimate message, modify a key data field (e.g., changing “close command” to “trip command”), recompute the checksum, and inject the modified packet — for the 104 protocol over TCP/IP, the barrier to such a man-in-the-middle (MITM) attack is extremely low.
🚨 Real-World Security Warning: Multiple APT campaigns targeting power SCADA systems since 2020 have demonstrated that attackers no longer depend on zero-day vulnerabilities — they exploit the protocol’s design-level deficiencies directly. A representative attack chain: initial access via phishing or VPN vulnerability into the corporate office network → lateral movement to the SCADA data network boundary → deployment of traffic replay/tampering tools at 104 protocol forwarding nodes → injection of forged A_ACTCON (command confirmation) telegrams to RTUs → forced circuit breaker misoperation. Until IEC 62351 security hardening is universally deployed, defense-in-depth is the only viable protection strategy.
3.2 Defense-in-Depth: Multi-Layer Security Practices
Given that protocol-layer security enhancements cannot cover the legacy installed base, engineers must construct multiple defensive layers at the network architecture and operational levels:
- Layer 1 — Physical/Network Isolation: 101 serial links inherently possess an “air gap” advantage. For 104 TCP/IP channels, strict segregation between the SCADA data network and corporate IT networks must be enforced, following frameworks such as NERC CIP (North America) or the “security partitioning, network specialization, horizontal isolation, vertical authentication” principle mandated by China’s power monitoring system security regulations.
- Layer 2 — VPN/IPSec Encrypted Tunnels: Encapsulating 104 protocol TCP connections within IPSec or SSL VPN tunnels provides transport-layer encryption and endpoint authentication, compensating for the protocol’s native security gaps. This is the most practical security enhancement for the existing installed base.
- Layer 3 — Protocol Deep Packet Inspection (DPI): Deploy industrial firewalls and IDS appliances at SCADA network boundaries that support IEC 60870-5-104 protocol parsing. These systems can detect anomalous ASDU types (e.g., a surge of remote control commands outside operational hours), illegal COT combinations (e.g., a GI response carrying a time-tag mismatch), and accesses to IOA addresses outside the normal range.
- Layer 4 — Operational Security Regime: Enforce two-factor authentication, mandatory switching-order procedures, application-layer interlocking logic verification at both the RTU and master station ends (interlocking should never rely on a single device), and comprehensive audit logging of all control operations.
✅ Engineer’s Pre-Commissioning Security Checklist: For any substation using IEC 60870-5-104, verify the following before energizing the communication channel: (1) Is TCP port 2404 only exposed to dispatch data network IP addresses — not the entire network segment? (2) Do firewall rules restrict TCP connections to only allow the control center IP addresses as initiating clients? (3) Are critical controllable objects (circuit breakers, isolators) configured for the Select-Before-Operate (SBO) sequence at the RTU level, with an SBO timeout window not exceeding 30 seconds? (4) Is the RTU logging and generating alarms for accesses to illegal IOA addresses?
🔧 3. Telecontrol System Engineering: From Debugging Hell to Reliable Operation
3.1 Interoperability and PICS/PIXIT
IEC 60870-5 defines an extremely large set of optional features — over 50 Type Identifications, more than 40 Causes of Transmission, two transmission modes (balanced/unbalanced), and a wide range of timing parameters. This “menu-style standardization,” while providing flexibility, also means that two devices both claiming “IEC 60870-5-101 compliant” may be completely unable to communicate. The solution lies in requiring every vendor to provide PICS (Protocol Implementation Conformance Statement) and PIXIT (Protocol Implementation eXtra Information for Testing) documents. PICS is the vendor’s “feature menu checklist”; PIXIT specifies the actual parameter values and constraints.
In engineering practice, it is strongly advisable to mandate PICS/PIXIT submission during the equipment tendering phase — rather than discovering during on-site commissioning that the two vendors have incompatible interpretations of, for example, “support for ASDU Type 31 (Double-point information with time tag CP56Time2a).”
3.2 Clock Synchronization and SOE Precision
Power system Sequence of Events (SOE) recording requires cross-substation event timestamp precision on the order of 1 millisecond. IEC 60870-5 uses the CP56Time2a format — a 56-bit timestamp counting milliseconds from January 1, 1980, at 00:00:00 UTC. However, the transmission delay inherent in serial 101 protocol (typically tens to hundreds of milliseconds from RTU transmission to master station reception) would severely compromise SOE accuracy if timestamps were applied at the receiving end. The engineering solution: all RTUs must be synchronized to a GPS/BeiDou time source, and messages must carry timestamps applied at the information object source (the RTU itself), never relying on the master station’s reception time. For 104 protocol, NTP-based network clock synchronization must be properly configured to ensure clock deviations among RTUs, gateways, and front-end servers do not exceed 1 millisecond.
3.3 Common Commissioning Fault Diagnostic Table
The table below summarizes the most frequently encountered failure modes during IEC 60870-5 field commissioning, with diagnostic approaches and recommended solutions:
| Symptom | Probable Cause | Diagnostic Method | Recommended Solution |
|---|---|---|---|
| Link repeatedly resets; stable connection cannot be established | Link timeout parameters (t0/t1/t2/t3) mismatch; master polling interval too short in unbalanced mode | Capture serial traffic (e.g., Wireshark with IEC 60870-5-101 dissector) and analyze link-layer state transitions | Align t0 (connection timeout), t1 (response timeout), t2 (idle timeout), and t3 (acknowledgment timeout) at both ends |
| 104 connection establishes but immediately drops | Wrong TCP port (not 2404); firewall blocking; APDU length exceeds 255 bytes | Use telnet/nc to verify TCP connectivity; check firewall logs; validate ASDU fits within APDU length constraints | Verify StartDT/StopDT message sequence; ensure APDU length does not exceed I-frame max K (typically K=12) |
| GI data received but values mismatch local indications | ASDU IOA address mapping tables inconsistent between master and RTU; Type Identification (TI) mismatch | Point-by-point comparison of master database configuration against RTU IOA mapping table | Use PICS/PIXIT as the authoritative reference; build a standardized IOA allocation spreadsheet and perform point-by-point verification |
| Remote control fails (Select succeeds, Execute fails) | SBO timeout interval too short; incorrect COT in Execute phase | Measure SBO Select-Execute interval; verify it falls within RTU’s permitted timeout window | Increase SBO timeout (typically 10-30 seconds); confirm Execute message uses COT=6 (Activation), not COT=7 (Activation Confirmation) |
| Master receives a flood of duplicate events (SOE storm) | RTU re-powered after failure causing buffer backlog; or SQ bit incorrectly set | Check ASDU SQ bit (single/sequence) against actual information object count | Set SQ bit correctly; enable event filtering and deduplication in RTU configuration |
❓ Frequently Asked Questions
Q1: Our existing RTU only supports IEC 60870-5-101 serial communication, but the control center now requires 104 over TCP/IP. How should we handle the transition?
A: The recommended approach is a protocol conversion gateway. Deploy a communications processor or telecontrol gateway at the substation that serves as a 101-to-104 bridge — on the RTU side, it polls data via serial 101; on the dispatch data network side, it communicates with the control center as a 104 TCP client or server. The gateway must handle three conversions: link layer translation (FT1.2 to/from TCP/IP), ASDU address mapping (maintaining IOA consistency), and timing parameter adaptation. During device selection, ensure the gateway supports both balanced and unbalanced 101 modes, and can sustain the data throughput for at least 2,000 IOA points. Do not overlook the gateway’s own clock synchronization (NTP client or IRIG-B interface).
Q2: How should the K and W values for IEC 60870-5-104 be configured? What happens if they are set incorrectly?
A: K and W are the core flow control parameters of the 104 protocol. The K value defines the maximum number of I-format APDUs the sender may transmit before receiving an acknowledgment (default K=12). The W value defines the maximum number of I-format APDUs the receiver will accept before sending an acknowledgment (default W=8). Both must be less than or equal to the peer’s corresponding limit. Setting K too high risks receiver buffer overflow and message loss; setting K too low causes excessive acknowledgment traffic that wastes bandwidth and adds latency. The W value essentially means “among the latest W received frames, at most K remain unacknowledged.” For a typical dispatch automation channel (2 Mbps, ~2,000 telemetry points), K=12, W=8 aligned with the standard defaults is recommended. For bandwidth-constrained scenarios (e.g., GPRS wireless), reduce K to 6-8.
Q3: We are seeing a puzzling issue with IEC 60870-5-104 — the circuit breaker status change timestamp on the master station is nearly 1 second later than the actual event. Is this a protocol-inherent delay?
A: Almost certainly not a protocol-inherent delay. Under normal network conditions, the end-to-end transit delay for IEC 60870-5-104 is typically under 50 ms. The ~1-second delay you are seeing likely has one of these causes: (1) RTU clock deviation — if the RTU clock and GPS/master clock are off by seconds, check the RTU time synchronization mechanism (consider SNTP or direct IRIG-B sync); (2) RTU event buffer processing delay — some RTUs queue events internally during an SOE storm, meaning the timestamp itself is accurate but the message is delayed in the transmit queue — verify that the RTU assigns highest processing priority to SOE events; (3) communication middleware/front-end buffering delay — investigate whether the delay originates in the master station’s front-end server processing rather than in the communication link itself.
Q4: If we upgrade a 10-year-old substation from 101 to 104, do the secondary circuits need any modification? What is the impact on the SCADA system?
A: Secondary circuits need zero modification, but the SCADA side requires a coordinated upgrade. The migration from 101 to 104 affects only the communication layer — the RTU’s AC sampling inputs (CT/PT secondary circuits), binary input contacts, and control output relays all remain untouched. What you need to focus on: (1) whether the RTU itself supports a 104 communication interface — legacy RTUs may need a communication module replacement or an external protocol gateway; (2) the SCADA master station must be upgraded with a 104 protocol driver (including front-end software and database reconfiguration); (3) the point list (IOA mapping table) must be migrated in its entirety — recommend point-by-point verification, as any deviation between vendors’ definitions of the same point can cause data misalignment after the cutover; (4) plan a transition strategy — typically a “dual-protocol parallel operation” approach, running 101 and 104 simultaneously for a defined period, and retiring the 101 channel only after 104 operation is proven stable.
