
This article takes a closer look at the security of the IEC 60870-5-104 protocol.
IEC 60870-5-104 has become indispensable in the energy and industrial sectors. The protocol is robust, widely supported, and forms the backbone of countless SCADA and telemetry systems. However, it is also a protocol from a different era: before modern security requirements, OT/IT integration, and data-driven operations. Specifically, IEC 60870-5-104 remote access and security require a different approach today.
For many organizations, this leads to the same questions:
- How do I make remote access secure and manageable?
- How do I gain visibility into my IEC 60870-5-104 data without overhauling everything?
- How do I prevent a proliferation of ad-hoc solutions per location?
In this article, we explain exactly how we address these issues – using a combination of industrial hardware routers and controllers, our Remote Portal, and data monitoring.
Want to learn the technical background of the protocol first?
Then view our extensive documentation page: IEC 60870-5-104 protocol documentation
The practical challenges of IEC 60870-5-104 remote access
IEC 60870-5-104 is not “bad,” but it does not automatically align with the environment in which you work today. The main challenges we see in the field are:
1. Security and access require extra attention
IEC 60870-5-104 was not designed with modern security principles in mind. Typical situations include:
- direct connections to the internet or IT network
- separate VPNs per supplier or engineer
- limited segmentation between OT and IT domains
- minimal logging of who accessed what and when
This makes it difficult to meet security requirements and audits, and increases the risk of misconfigurations or incidents – especially regarding IEC 60870-5-104 remote access.
Want to dive deeper into the security risks?
Read our article: IEC 60870-5-104 security
2. You are not yet fully utilizing available data
The protocol provides a constant stream of measured values, status messages, and events. In practice, we often see:
- data remains “locked” in SCADA systems
- few central dashboards or overarching monitoring
- limited historical analysis and trend monitoring
- significant custom work required to move data to other systems
Yet this same IEC 60870-5-104 data can be valuable for asset management, maintenance optimization, or regulatory reporting.
Want to know more about what you can do with the data?
See: Reading and visualizing IEC 60870-5-104 data
3. Complex management of many dispersed locations
Organizations with dozens or hundreds of stations, substations, or remote sites will recognize this:
- every location is set up slightly differently
- different suppliers, hardware types, and configurations
- no uniform method for remote access and data collection
- significant time lost during malfunctions or changes
The combination of an old protocol, modern requirements, and a dispersed infrastructure makes management complex and prone to errors.
Our approach: from protocol challenge to manageable solution
We don’t just look at IEC 60870-5-104 as a protocol, but at your total OT architecture. The core of our approach consists of four building blocks that together address the challenges of IEC 60870-5-104 and make your remote access and data flows manageable.
1. A stable and secure foundation on-site: industrial hardware
The situation
Legacy or generic network equipment is often not built for industrial environments and provides limited support for OT-specific requirements. This makes security, segmentation, and protocol support difficult to manage effectively.
What we do
- Deploy industrial routers and gateways suitable for harsh environments and 24/7 operation
- Logical separation between:
  - field devices (RTUs, IEDs, PLCs)
  - local SCADA
  - external connections (to data centers, Remote Portal, cloud)
- Implementation of:
  - VPN tunnels
  - firewall rules
  - access control and logging
This hardware forms the standard “edge layer” for all your IEC 60870-5-104 locations. As a result, you don’t have to reinvent the wheel for every site; you work with a repeatable reference architecture for secure IEC 60870-5-104 remote access and data traffic.
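One way to check a site's edge-router policy against the three-zone separation listed above, as an added example (not the vendor's code or product configuration). The zone names, the rule format and both sample policies are assumptions constructed for illustration; TCP 2404 is the registered IEC 60870-5-104 port.

```python
from dataclasses import dataclass
from typing import Optional

IEC104_PORT = 2404  # IANA-registered TCP port for IEC 60870-5-104
# Assumed zone names mirroring the separation listed above.
FIELD, SCADA, EXTERNAL = "field", "local_scada", "external"

@dataclass(frozen=True)
class Rule:
    src: str               # source zone, or "any"
    dst: str               # destination zone, or "any"
    port: Optional[int]    # TCP destination port; None = all ports
    action: str            # "allow" or "deny"
    log: bool = False      # matches are logged
    via_vpn: bool = False  # rule only matches traffic inside a VPN tunnel

def covers(rule_zone: str, zone: str) -> bool:
    return rule_zone in ("any", zone)

def audit(rules: list) -> list:
    """Flag allow rules that break the zone model. Each rule is judged
    on its own; ordering and shadowing are not modelled."""
    findings = []
    for i, r in enumerate(rules, 1):
        if r.action != "allow" or r.port not in (None, IEC104_PORT):
            continue
        from_external = covers(r.src, EXTERNAL)
        if from_external and covers(r.dst, FIELD):
            findings.append(f"rule {i}: external zone reaches field devices directly")
        if from_external and not r.via_vpn:
            findings.append(f"rule {i}: external IEC 104 access outside a VPN tunnel")
        if not r.log:
            findings.append(f"rule {i}: IEC 104 allow rule without logging")
    return findings

# Constructed sample policies (hypothetical, not taken from a real site).
AD_HOC = [Rule("any", "any", None, "allow")]  # flat network, nothing logged
REFERENCE = [
    Rule(SCADA, FIELD, IEC104_PORT, "allow", log=True),
    Rule(EXTERNAL, SCADA, IEC104_PORT, "allow", log=True, via_vpn=True),
    Rule("any", "any", None, "deny", log=True),
]

if __name__ == "__main__":
    for name, policy in (("ad hoc", AD_HOC), ("reference", REFERENCE)):
        print(name, audit(policy) or "no findings")
```

Running the same audit against every site's exported rule set shows where a location has drifted from the reference architecture.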
2. One central gateway: Remote Portal
The situation
When everyone manages their own VPN and access method, you lose oversight:
- who can reach which location?
- which account belongs to which external party?
- which connections are permanently open?
- how do you demonstrate what happened during audits?
Our solution: Remote Portal
With our Remote Portal, you turn IEC 60870-5-104 remote access to locations into a centrally managed process, rather than a collection of separate solutions. Features include:
- Central authorization management
  - determine which sites, devices, or services can be accessed per user and role
- Overview of all active connections
- Logging and audit trail
  - who connected to which location and when?
- Integration with your industrial hardware
  - the Portal communicates with the routers/gateways on-site, ensuring access always follows a controlled route
This prevents IEC 60870-5-104 connections from occurring “under the radar” and gives you control over your entire remote access landscape.
3. From raw IEC 60870-5-104 data to actionable insights
The situation
Without a proper data layer, IEC 60870-5-104 remains a “transport protocol” that only feeds your SCADA. The possibilities for analysis, reporting, and integration then remain limited.
Our solution: data monitoring and integration
We set up an infrastructure that allows you to:
- systematically collect IEC 60870-5-104 data
  - events, measurements, statuses, alarms
- store this data in a suitable format and platform
- visualize the data in dashboards and overarching monitoring
- where necessary, create links to:
  - central SCADA
  - BI tools
  - asset and maintenance systems
  - other OT and IT platforms
You continue to use IEC 60870-5-104 where needed, but the data becomes available in a way that fits modern, data-driven business operations.
Want to see examples?
Also look at: Reading and visualizing IEC 60870-5-104 data
Who is this for?
Our approach to IEC 60870-5-104 and secure remote access is particularly suitable for:
- Grid operators / DSOs with many substations and remote assets
- Industrial end customers in sectors such as energy, water, infrastructure, and the process industry
- System integrators who need to integrate IEC 60870-5-104 into modern environments
- OT managers and security officers responsible for secure access and compliance
Do you recognize the challenges regarding security, remote access, or utilizing your IEC 60870-5-104 data? Then our solutions are likely a good fit.
Ready to optimize your IEC 60870-5-104 environment together?
Do you work with IEC 60870-5-104 and:
- are you concerned about the security of your remote connections?
- do you lack oversight and control over who can access what?
- do you want to do more with the data than is currently possible via SCADA?
Then we would be happy to show you in a short session how our hardware, Remote Portal, Remote Connect Control App, and data monitoring make IEC 60870-5-104 remote access secure and manageable in practice.
Schedule a demo or consultation via our contact page or contact us directly.
We are happy to help you find an IEC 60870-5-104 solution that fits your organization – now and in the future.




