IEC 60870-5-104 security is a challenge if you want to manage remote installations. The protocol was designed at a time when OT networks were closed and security hardly played a role. Nowadays, everything is connected to IP networks and the internet, and remote access is almost always expected of you.

How do you ensure a secure, encrypted connection without drastically modifying your existing IEC 60870-5-104 installations? In this article, we will guide you step by step.

What is IEC 60870-5-104 and why is security a problem?

If you are going to work with IEC 60870-5-104 security, it is important to first understand how the protocol works and where the weak spots are.

IEC 60870-5-104 is a telecontrol protocol for communication between:

  • field equipment (RTUs, gateways, IEDs)
  • and central systems (SCADA, dispatching centers)

-> You can find a comprehensive technical description of the IEC 60870-5-104 protocol in our IEC 60870-5-104 documentation.

The ‘-104’ variant runs on top of TCP/IP. That is useful for integration with modern networks, but it immediately brings an important disadvantage:

  • IEC 60870-5-104 itself has no built-in encryption.
    There is no standard TLS, no integral authentication or integrity control as you know it from modern IT protocols.

Consequence:
As soon as you bring 104 communication outside a strictly shielded internal network (for example, to the cloud or over the internet), you must add extra security layers yourself.

Threats surrounding IEC 60870-5-104

Without additional security, you run these risks, among others, with IEC 60870-5-104:

  1. Eavesdropping (sniffing)
    Traffic is plain text. An attacker who can intercept network traffic can read measured values, commands, and sometimes even configuration data.
  2. Man-in-the-middle attacks
    Traffic can be manipulated and forwarded, while both sides think they are talking to a legitimate party.
  3. Spoofing and unauthorized commands
    Without strong authentication, it is possible for an attacker to impersonate a remote station or control center.
  4. DoS/DDoS attacks
    IEC 60870-5-104 devices are often not designed to handle large amounts of malicious traffic. Availability can therefore easily be compromised.
  5. Lateral movement in the OT network
    Once an attacker enters through a weak spot, they can sometimes move freely to other critical systems.

Therefore, IEC 60870-5-104 security is not just a matter of “encrypting something”, but of a complete security architecture.

Security principles for IEC 60870-5-104

Before we move on to concrete solutions, it is important to name the basic principles:

  1. Defense in depth
    Do not rely on a single security layer (e.g. only a firewall), but combine multiple lines of defense.
  2. Segmentation of OT and IT
    Keep control networks separate from office and internet networks, for example with VLANs, firewalls and a DMZ.
  3. Least privilege & need-to-know
    Only give access to those systems and functions that are really necessary for the task.
  4. Zero trust approach
    Do not assume that traffic within the “internal network” is automatically reliable; actively check identity and rights.
  5. Monitoring and logging
    Ensure that you can detect and investigate deviations in IEC 60870-5-104 traffic and in login activities.
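The monitoring principle above only works if you can actually interpret what is in the 104 stream. The following script is an added example written for this article (it is not code from the vendor or from any 104 product): it decodes the APCI control field and the ASDU header of captured TCP payloads, and raises an alert when a control command (single/double/regulating/set-point commands, type IDs 45 to 51 and 58 to 64) arrives from a host that is not on the approved list of control centers. The IP addresses, the approved-controller set and the captured frames are constructed sample data, and the type-ID table is limited to the process-command types.

```python
"""Added example for the article: spot IEC 60870-5-104 command ASDUs that do not
come from an approved control center. All addresses and frames are constructed."""
from dataclasses import dataclass
from typing import Optional

START_BYTE = 0x68
# ASDU type identifiers that carry process control commands (IEC 60870-5-101/104)
COMMAND_TYPES = {
    45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1", 48: "C_SE_NA_1",
    49: "C_SE_NB_1", 50: "C_SE_NC_1", 51: "C_BO_NA_1",
    58: "C_SC_TA_1", 59: "C_DC_TA_1", 60: "C_RC_TA_1", 61: "C_SE_TA_1",
    62: "C_SE_TB_1", 63: "C_SE_TC_1", 64: "C_BO_TA_1",
}


@dataclass
class Apdu:
    fmt: str                          # "I" (data), "S" (ack) or "U" (control)
    type_id: Optional[int] = None
    cot: Optional[int] = None         # cause of transmission, e.g. 6 = activation
    common_addr: Optional[int] = None
    ioa: Optional[int] = None         # information object address of the first object


def parse_apdu(data: bytes) -> Apdu:
    """Decode the APCI; for I-format frames also the ASDU header and first IOA."""
    if len(data) < 6 or data[0] != START_BYTE:
        raise ValueError("not an IEC 104 APDU")
    if data[1] + 2 != len(data):                   # length octet counts everything after it
        raise ValueError("APDU length field does not match payload")
    ctrl = data[2:6]
    if ctrl[0] & 0x01 == 0:                        # I-format: bit 0 of control octet 1 is 0
        asdu = data[6:]
        if len(asdu) < 9:                          # type, VSQ, COT(2), CA(2), IOA(3)
            raise ValueError("ASDU too short")
        return Apdu(
            fmt="I",
            type_id=asdu[0],
            cot=asdu[2] & 0x3F,                    # low 6 bits = cause; bit 6 P/N, bit 7 test
            common_addr=asdu[4] | (asdu[5] << 8),
            ioa=asdu[6] | (asdu[7] << 8) | (asdu[8] << 16),
        )
    if ctrl[0] & 0x03 == 0x01:
        return Apdu(fmt="S")
    return Apdu(fmt="U")                            # STARTDT/STOPDT/TESTFR


def find_unauthorized_commands(records, allowed_controllers):
    """records: iterable of (src_ip, dst_ip, tcp_payload). Returns alert strings."""
    alerts = []
    for src, dst, payload in records:
        try:
            apdu = parse_apdu(payload)
        except ValueError as exc:
            alerts.append(f"{src}->{dst}: malformed APDU ({exc})")
            continue
        if apdu.fmt != "I" or apdu.type_id not in COMMAND_TYPES:
            continue                               # indications, acks and U-frames pass
        if src not in allowed_controllers:
            alerts.append(
                f"{src}->{dst}: {COMMAND_TYPES[apdu.type_id]} COT={apdu.cot} "
                f"CA={apdu.common_addr} IOA={apdu.ioa} from non-approved source")
    return alerts


# Constructed sample capture: (src, dst, TCP payload)
SAMPLE_RECORDS = [
    # STARTDT act (U-format) from the SCADA server
    ("10.20.0.10", "10.10.0.5", bytes.fromhex("680407000000")),
    # spontaneous single-point indication from the RTU (M_SP_NA_1, COT=3, IOA=100)
    ("10.10.0.5", "10.20.0.10", bytes.fromhex("680e02000000" "01010300" "0100" "640000" "01")),
    # single command from SCADA (C_SC_NA_1, COT=6 activation, IOA=1000): legitimate
    ("10.20.0.10", "10.10.0.5", bytes.fromhex("680e00000000" "2d010600" "0100" "e80300" "01")),
    # the same command, but from a laptop that is not an approved control center
    ("10.30.0.77", "10.10.0.5", bytes.fromhex("680e00000000" "2d010600" "0100" "e80300" "01")),
]
ALLOWED_CONTROLLERS = {"10.20.0.10"}

if __name__ == "__main__":
    for line in find_unauthorized_commands(SAMPLE_RECORDS, ALLOWED_CONTROLLERS):
        print("ALERT", line)
```

Fed with the sample capture, the script stays silent for the STARTDT frame, the spontaneous indication and the command from the SCADA host, and reports only the command from 10.30.0.77. In practice the records would come from a span port or a flow collector in the DMZ, and the same parser can be extended to flag other deviations, such as interrogation or clock-sync commands outside maintenance windows.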

Options for an encrypted connection

Because IEC 60870-5-104 itself does not have encryption, the encrypted connection must be realized outside the protocol. The two most common approaches:

1. VPN tunnel around IEC 60870-5-104

A commonly used solution is to send IEC 60870-5-104 traffic through a VPN tunnel, for example with IPsec or OpenVPN/WireGuard.

How it works in brief:

  • Place an industrial router/gateway with VPN function on the field side.
  • A VPN concentrator / gateway is located on the central side (data center or cloud).
  • An encrypted tunnel (site-to-site or client-to-site) is set up between the two.
  • “Normal” IEC 60870-5-104 traffic runs within that tunnel.

Advantages:

  • Strong encryption (depending on the chosen VPN technology).
  • Existing IEC 60870-5-104 equipment often does not need to be adjusted.
  • Scalable: multiple stations can be accessed via one central VPN termination.

Points of attention:

  • Management of certificates and keys is crucial.
  • Ensure clear segmentation within the VPN (so not: “everything in one flat VPN layer”).
  • Set precise firewall rules: which IP may communicate with which station and on which ports?

2. End-to-end encryption via gateways (e.g. TLS)

Another approach is to place a security gateway at the edge of the OT network that:

  • speaks IEC 60870-5-104 on the field side;
  • communicates encrypted on the other side (for example via TLS or another secure protocol) towards SCADA or cloud.

Advantages:

  • You create a clear separation between “unsecured internal 104” and “secured external traffic”.
  • Integration with modern IT or cloud solutions becomes easier, because they often understand TLS by default.

Points of attention:

  • The gateway becomes a crucial security component; high reliability and good management are required.
  • Pay attention to performance: encryption costs computing power.
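To make the gateway pattern concrete, here is an added example for this article (not code from the vendor or from any commercial security gateway): a minimal TLS-terminating relay in Python. On the external side it accepts mutual TLS (TLS 1.2 or newer, client certificate required) from SCADA or the cloud; on the field side it opens a plain TCP 2404 session to the RTU and relays the 104 bytes unchanged. The RTU address, listening port and certificate file names are assumptions chosen for illustration, and `relay_selftest()` exercises the relay offline with socket pairs standing in for both sides.

```python
"""Added example: TLS-terminating gateway for IEC 60870-5-104 (illustrative,
not a product). External side: mutual TLS. Field side: plain 104 on TCP 2404."""
import selectors
import socket
import ssl
import threading

FIELD_RTU = ("10.10.0.5", 2404)       # assumed RTU address inside the OT segment
LISTEN_ADDR = ("0.0.0.0", 2405)       # assumed external TLS listener of the gateway


def build_server_context(cert_file, key_file, client_ca_file) -> ssl.SSLContext:
    """TLS policy for the external side: TLS 1.2+, client certificate mandatory."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED            # SCADA must present a cert we trust
    if cert_file:                                  # file names are assumptions
        ctx.load_cert_chain(cert_file, key_file)
    if client_ca_file:
        ctx.load_verify_locations(client_ca_file)  # only this CA may issue client certs
    return ctx


def context_policy(ctx: ssl.SSLContext) -> dict:
    """Summarize the settings that matter for an audit of the gateway."""
    return {"min_version": ctx.minimum_version.name,
            "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED}


def pump(a: socket.socket, b: socket.socket) -> int:
    """Relay bytes both ways until either side closes; returns bytes relayed."""
    sel = selectors.DefaultSelector()
    sel.register(a, selectors.EVENT_READ, b)       # data = the socket to forward to
    sel.register(b, selectors.EVENT_READ, a)
    total = 0
    try:
        while True:
            for key, _ in sel.select():
                data = key.fileobj.recv(4096)
                if not data:                       # one side hung up: end the session
                    return total
                key.data.sendall(data)
                total += len(data)
    finally:
        sel.close()


def handle_client(tls_conn: ssl.SSLSocket, field_addr=FIELD_RTU):
    """One SCADA session: log the verified client identity, then relay to the RTU."""
    subject = dict(x[0] for x in tls_conn.getpeercert().get("subject", ()))
    print("TLS client", subject.get("commonName"), "from", tls_conn.getpeername())
    with socket.create_connection(field_addr, timeout=10) as rtu:
        rtu.settimeout(None)
        relayed = pump(tls_conn, rtu)
    tls_conn.close()
    print("session closed, bytes relayed:", relayed)


def serve(listen_addr, ctx, field_addr=FIELD_RTU):
    """Accept external TLS connections; one thread per SCADA session."""
    with socket.create_server(listen_addr) as srv:
        while True:
            raw, peer = srv.accept()
            try:
                conn = ctx.wrap_socket(raw, server_side=True)   # handshake + cert check
            except ssl.SSLError as exc:
                print("handshake from", peer, "rejected:", exc)
                raw.close()
                continue
            threading.Thread(target=handle_client, args=(conn, field_addr),
                             daemon=True).start()


def relay_selftest():
    """Offline check of pump(): socket pairs stand in for the TLS side and the RTU."""
    scada, ext_gw = socket.socketpair()
    gw_field, rtu = socket.socketpair()
    result = []
    worker = threading.Thread(target=lambda: result.append(pump(ext_gw, gw_field)))
    worker.start()
    scada.sendall(bytes.fromhex("680407000000"))   # STARTDT act from "SCADA"
    seen_by_rtu = rtu.recv(64)
    rtu.sendall(bytes.fromhex("68040b000000"))     # STARTDT con from "RTU"
    seen_by_scada = scada.recv(64)
    scada.close()                                  # SCADA hangs up -> pump returns
    worker.join(5)
    for s in (ext_gw, gw_field, rtu):
        s.close()
    return seen_by_rtu, seen_by_scada, result[0]


if __name__ == "__main__":
    print("selftest:", relay_selftest())
    serve(LISTEN_ADDR, build_server_context("gateway.crt", "gateway.key", "scada-ca.crt"))
```

The point of the example is where the trust boundary sits: the RTU never sees TLS, the SCADA side never reaches 2404 directly, and the gateway is the one place where client identity is verified and logged. That is also why the article calls the gateway a crucial component: its private key, its CA trust store and its host hardening deserve the same care as the VPN concentrator in the first approach.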

Network architecture: how to limit the risk

IEC 60870-5-104 security is not only technology in the connection, but also how you build the network.

Segmentation and DMZ

A frequently used pattern:

  1. OT network
    This is where the IEC 60870-5-104 devices (RTUs, stations, etc.) are located. This network is strictly shielded.
  2. DMZ (demilitarized zone)
    Here you place, among other things:

    • VPN termination
    • Security gateways
    • Historian/collectors that transfer data to the IT world
  3. IT network / office / cloud
    Users, dashboards, reports, etc.

Between these zones are strictly configured firewalls with:

  • only necessary ports open (such as TCP port 2404 for 104, if necessary);
  • whitelisting of IP addresses where possible;
  • inspection and logging.
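The zone model and the firewall rules between the zones are easier to get right if the policy is written down as an explicit allowlist and checked against the flows you expect (and the ones you do not). The following is an added example for this article, not the vendor's tooling or any firewall product's syntax: a small model of the OT/DMZ/IT zones with default-deny rules, evaluated against constructed sample flows, including the "forward port 2404 to an RTU" mistake and an attempt by an RTU to reach the office network. The address ranges, hosts and rules are assumptions.

```python
"""Added example: zone-based allowlist for the OT / DMZ / IT pattern with default
deny, checked against constructed sample flows. All addresses are assumptions."""
from ipaddress import ip_address, ip_network

ZONES = {
    "OT":  ip_network("10.10.0.0/24"),    # RTUs and stations
    "DMZ": ip_network("10.20.0.0/24"),    # VPN termination, security gateways, collectors
    "IT":  ip_network("10.30.0.0/24"),    # office, dashboards, reports
}
IEC104_PORT = 2404

# Explicit allow rules; everything else is dropped and logged (default deny).
# (source zone, allowed source hosts or None for the whole zone, destination zone, port)
ALLOW_RULES = [
    ("DMZ", {"10.20.0.10"}, "OT", IEC104_PORT),   # only the 104 gateway may open 2404 to RTUs
    ("IT", None, "DMZ", 443),                     # dashboards read DMZ collectors over TLS
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is EXTERNAL."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def evaluate(src_ip: str, dst_ip: str, dst_port: int):
    """Decide on a new TCP connection; returns (verdict, log line)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, hosts, rule_dst, port in ALLOW_RULES:
        zones_match = (src_zone, dst_zone, dst_port) == (rule_src, rule_dst, port)
        if zones_match and (hosts is None or src_ip in hosts):
            return "ACCEPT", f"{src_zone}->{dst_zone} tcp/{dst_port} {src_ip}->{dst_ip}: allow"
    return "DROP", f"{src_zone}->{dst_zone} tcp/{dst_port} {src_ip}->{dst_ip}: no rule, logged"


# Constructed sample flows: (src, dst, dst_port)
SAMPLE_FLOWS = [
    ("10.20.0.10", "10.10.0.5", 2404),     # gateway -> RTU: the one expected 104 path
    ("10.30.0.77", "10.10.0.5", 2404),     # office laptop straight to an RTU: bypasses the DMZ
    ("203.0.113.9", "10.10.0.5", 2404),    # internet host -> RTU: the port-forward mistake
    ("10.10.0.5", "10.30.0.20", 445),      # RTU initiating towards the office: never expected
    ("10.30.0.20", "10.20.0.30", 443),     # dashboard -> DMZ collector over TLS
]


def audit(flows=SAMPLE_FLOWS):
    """Verdict per flow, in order; useful as a regression check when rules change."""
    return [evaluate(src, dst, port)[0] for src, dst, port in flows]


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, line = evaluate(*flow)
        print(f"{verdict:6} {line}")
```

Running the audit gives ACCEPT only for the gateway-to-RTU session and the dashboard-to-collector session; the three other flows are dropped and would show up in the firewall log. Keeping such a list of expected and forbidden flows next to the real rule set turns "whitelisting where possible" into something you can re-check after every change.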

Authentication and access management

  • Use strong authentication for remote operators and engineers (preferably 2FA).
  • Ensure role-based access (operator, engineer, administrator) with clear rights.
  • Document who has access to which installation and via which route.

Step-by-step plan: IEC 60870-5-104 security in practice

  1. Inventory your environment
    • Which IEC 60870-5-104 devices do you have?
    • Where are they located (locations, networks)?
    • How does the communication currently run (paths, routers, firewalls)?
  2. Determine the desired use cases for remote access
    • Only monitoring?
    • Also control (commands)?
    • Maintenance by external parties?
  3. Choose your security architecture
    • VPN tunnel + segmentation
    • Security gateways with encrypted uplink
    • Or a combination
  4. Implement encryption and segmentation
    • Set up VPN or TLS connections.
    • Separate OT, DMZ and IT networks with firewalls.
    • Set strict rules for who is allowed to talk to whom.
  5. Test with a limited number of installations
    • Validate performance (latency, bandwidth).
    • Verify that all necessary functions (alarming, commands, time synchronization) continue to work.
  6. Roll out in phases and ensure management
    • Patch management for gateways and routers.
    • Certificate management and rotation of keys.
    • Set up monitoring and logging.

Common mistakes in IEC 60870-5-104 security

Some pitfalls that you should avoid:

  • Publishing IEC 60870-5-104 directly on the internet
    For example, by simply forwarding port 2404 to an RTU. This is extremely risky.
  • No separation between OT and IT
    One large flat network makes it very easy for an attacker to move laterally.
  • Seeing VPN as the only security
    A VPN without good segmentation, logging and access management is only a partial solution.
  • No attention to management
    Expired certificates, never updated firmware and unknown configuration changes are a major risk in the long term.

Conclusion: IEC 60870-5-104 security is achievable, provided it is well thought out

IEC 60870-5-104 security requires a combination of:

  • encrypted connections (for example via VPN or TLS gateways);
  • network segmentation and firewalls between OT, DMZ and IT;
  • strict access management and monitoring.

The good news:
In many cases you can continue to use your existing IEC 60870-5-104 installations and organize the security around them. This is how you make remote access safe, without completely replacing your field equipment.

Do you want to:

  • Have your own environment assessed?
    Request a (free) IEC 60870-5-104 security quick scan.
  • See how we solve this for other customers?
    Read our cases about OT and IEC 60870-5-104 projects.
  • Know more about us first?
    Get to know our team and our background on the About us page.

Choose what suits you best now; you are not tied to anything.
