Telecontrol equipment and systems - Part 5-7: Transmission protocols - Security extensions to IEC 60870-5-101 and IEC 60870-5-104 protocols (applying IEC 62351)

IEC TS 60870-5-7:2025, which is a technical specification, describes messages and data formats for implementing IEC 62351-5:2023 for secure communication as an extension to IEC 60870-5-101 and IEC 60870-5-104.
The purpose of this document is to permit the receiver of any IEC 60870-5-101/-104 Application Protocol Data Unit (APDU) to verify that the APDU was transmitted by an authorized user and that the APDU was not modified in transit.
This document is also intended to be used, together with the definitions of IEC 62351-3:2023, in conjunction with the IEC 60870-5-104 companion standard.
The state machines, message sequences, and procedures for exchanging these messages are defined in IEC 62351-5:2023. This document describes only the message formats, selected options, critical operations, addressing considerations and other adaptations required to implement IEC 62351 in the IEC 60870-5-101 and IEC 60870-5-104 protocols.
In addition to the previous edition, this new edition of this document also addresses role-based access control, by utilizing the IEC 62351-8 RBAC approach and the already defined role to permission mapping from IEC 62351-5:2023.
The scope of this document does not include security for IEC 60870-5-102 or IEC 60870-5-103. IEC 60870-5-102 is in limited use only and will therefore not be addressed. Users of IEC 60870-5-103 desiring a secure solution need to implement IEC 61850 using the security measures from IEC 62351 referenced in IEC 61850.
Management of keys, certificates or other cryptographic credentials within devices or on communication links other than IEC 60870-5-101/104 is out of the scope of this document and might be addressed by other IEC 62351 publications in the future.
This second edition cancels and replaces the first edition published in 2013. This edition constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous edition:
a) This edition has been completely revised with respect to the previous edition;
b) Alignment with updated versions of IEC 62351-3:2023 and IEC 62351-5:2023;
c) Definition of specific profiles for application layer and transport layer;
d) Introduction of Session Initiation Request to handle situations in which the called station reestablishes a connection;
e) Inclusion of multicast security for the unbalanced mode of IEC 60870-5-101 including key management;
f) Consideration of RBAC based on IEC 62351-8.
This Technical Specification is to be used in conjunction with IEC 62351-5:2023 and IEC 60870-5-104:2016.

General Information

Status: Published
Publication Date: 17-Mar-2025
Current Stage: PPUB - Publication issued
Start Date: 18-Mar-2025
Completion Date: 28-Mar-2025

Technical specification
IEC TS 60870-5-7:2025 - Telecontrol equipment and systems - Part 5-7: Transmission protocols - Security extensions to IEC 60870-5-101 and IEC 60870-5-104 protocols (applying IEC 62351)
Released: 18.03.2025
ISBN: 9782832702758
English language
50 pages

Standards Content (Sample)


IEC TS 60870-5-7 ®
Edition 2.0 2025-03
TECHNICAL
SPECIFICATION
Telecontrol equipment and systems –
Part 5-7: Transmission protocols – Security extensions to IEC 60870-5-101 and
IEC 60870-5-104 protocols (applying IEC 62351)

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS 33.200  ISBN 978-2-8327-0275-8

CONTENTS
FOREWORD
1 Scope
2 Normative references
3 Terms, definitions and abbreviated terms
3.1 Terms and definitions
3.2 Abbreviated terms
4 Overview of IEC 60870-5-7 profiles
5 A-Profile: Implementation of IEC 62351-5
5.1 General
5.2 Selected options
5.2.1 Overview of clause
5.2.2 MAC algorithms
5.2.3 Encryption algorithms
5.3 Implementation of procedures
5.3.1 Overview of clause
5.3.2 Detection of communication failures
5.3.3 Algorithm selection for Update Keys derivation
5.3.4 Session keys – Application and management
5.3.5 Co-existence with non-secure implementations
5.4 Implementation of messages
5.4.1 Overview of clause
5.4.2 Data definitions
5.4.3 Application Service Data Units
6 T-Profile Security: Implementation of IEC 62351-3
7 Security profiles for IEC 60870-5-101 and IEC 60870-5-104
7.1 General
7.2 Security profiles for IEC 60870-5-101
7.3 Security profiles for IEC 60870-5-104
7.3.1 General
7.3.2 Use with redundant channels
8 Considerations for role-based access control (RBAC)
8.1 General
8.2 Permission definition
8.3 Role-to-permission assignment
9 Protocol Implementation Conformance Statement
9.1 Overview of clause
9.2 Algorithms for digital certificates
9.2.1 Cryptographic curves for key pair generation
9.2.2 Certificate signature algorithms
9.3 MAC algorithms
9.3.1 General
9.3.2 MAC algorithms for serial links
9.3.3 MAC algorithms for TCP/IP links
9.4 Key wrap algorithms
9.5 Data protection algorithms
9.5.1 General
9.5.2 Data protection algorithms for serial links
9.5.3 Data protection algorithms for TCP/IP links
9.6 Configurable parameters
9.7 Configurable statistic thresholds and statistic information object addresses
9.8 Security profile support
Annex A (informative) Implementation of A-Profile security with IEC 60870-5-101
Annex B (informative) Devices with inaccurate clocks
Bibliography

Figure 1 – IEC 60870-5-7 Profiles
Figure 2 – ASDU segmentation control
Figure 3 – Segmenting extended ASDUs
Figure 4 – Illustration of ASDU segment reception state machine
Figure 5 – Example of a MAC calculation of a Secure Data message
Figure 6 – ASDU: S_AQ_NA_1 Association Request
Figure 7 – Association Request PRI field
Figure 8 – ASDU: S_AP_NA_1 Association Response
Figure 9 – ASDU: S_UH_NA_1 Update Key Change Request
Figure 10 – ASDU: S_UP_NA_1 Update Key Change Response
Figure 11 – ASDU: S_SI_NA_1 Session Initiation Request
Figure 12 – ASDU: S_SQ_NA_1 Session Request
Figure 13 – Session Request PRI field
Figure 14 – ASDU: S_SP_NA_1 Session Response
Figure 15 – ASDU: S_KH_NA_1 Session Key Change Request
Figure 16 – Example of an initial Broadcast Session Key distribution
Figure 17 – Examples of Broadcast Session Key update
Figure 18 – ASDU: S_KP_NA_1 Session Key Change Response
Figure 19 – Example of an AEAD calculation of a Secure Data message
Figure 20 – ASDU: S_SD_NA_1 Secure Data
Figure 21 – RBAC mapped to IEC 60870-5-101/-104
Figure A.1 – Unbalanced transmission system
Figure A.2 – Balanced transmission system

Table 1 – Additional cause of transmission
Table 2 – Additional type identifiers
Table 3 – ASDU segment reception state machine
Table 4 – Session Initiation Request: data Included in MAC calculation (in order)
Table 5 – Session Response: data Included in MAC calculation (in order)
Table 6 – Data Included in WKD for Broadcast Session Key change (in order)
Table 7 – List of pre-defined permissions
Table 8 – List of pre-defined role-to-permission assignments for IEC 60870-5-101/-104 (updated version from IEC 62351-5:2023)
Table 9 – List of the configurable parameters
Table 10 – Security statistic

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international
co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and
in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports,
Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC Publication(s)"). Their
preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with
may participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for
Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence between
any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) IEC draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). IEC takes no position concerning the evidence, validity or applicability of any claimed patent rights in
respect thereof. As of the date of publication of this document, IEC had not received notice of (a) patent(s), which
may be required to implement this document. However, implementers are cautioned that this may not represent
the latest information, which may be obtained from the patent database available at https://patents.iec.ch. IEC
shall not be held responsible for identifying any or all such patent rights.
IEC TS 60870-5-7 has been prepared by IEC technical committee 57: Power systems
management and associated information exchange. It is a Technical Specification.
This second edition cancels and replaces the first edition published in 2013. This edition
constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous
edition:
a) This edition has been completely revised with respect to the previous edition;
b) Alignment with updated versions of IEC 62351-3:2023 and IEC 62351-5:2023;
c) Definition of specific profiles for application layer and transport layer;

d) Introduction of Session Initiation Request to handle situations in which the called station
reestablishes a connection;
e) Inclusion of multicast security for the unbalanced mode of IEC 60870-5-101 including key
management;
f) Consideration of RBAC based on IEC 62351-8.
This Technical Specification is to be used in conjunction with IEC 62351-5:2023 and
IEC 60870-5-104:2016.
The text of this Technical Specification is based on the following documents:
Draft          Report on voting
57/2740/DTS    57/2762/RVDTS
Full information on the voting for its approval can be found in the report on voting indicated in
the above table.
The language used for the development of this Technical Specification is English.
This document was drafted in accordance with ISO/IEC Directives, Part 2, and developed in
accordance with ISO/IEC Directives, Part 1 and ISO/IEC Directives, IEC Supplement, available
at www.iec.ch/members_experts/refdocs. The main document types developed by IEC are
described in greater detail at www.iec.ch/publications.
NOTE The following print types are used:
• Encoding in ASN.1: in courier new type.
A list of all the parts in the IEC 60870 series, published under the general title Telecontrol
equipment and systems, can be found on the IEC website.
The committee has decided that the contents of this document will remain unchanged until the
stability date indicated on the IEC website under webstore.iec.ch in the data related to the
specific document. At this date, the document will be
• reconfirmed,
• withdrawn, or
• revised.
1 Scope
This part of IEC 60870, which is a technical specification, describes messages and data formats
for implementing IEC 62351-5:2023 for secure communication as an extension to
IEC 60870-5-101 and IEC 60870-5-104.
The purpose of this document is to permit the receiver of any IEC 60870-5-101/-104 Application
Protocol Data Unit (APDU) to verify that the APDU was transmitted by an authorized user and
that the APDU was not modified in transit.
This document is also intended to be used, together with the definitions of IEC 62351-3:2023,
in conjunction with the IEC 60870-5-104 companion standard.
The state machines, message sequences, and procedures for exchanging these messages are
defined in IEC 62351-5:2023. This document describes only the message formats, selected
options, critical operations, addressing considerations and other adaptations required to
implement IEC 62351 in the IEC 60870-5-101 and IEC 60870-5-104 protocols.
NOTE The version handling is controlled by configuration and not dynamically changed, therefore unexpected /
unknown messages are neglected and not processed.
In addition to the previous edition, this new edition of this document also addresses role-based
access control, by utilizing the IEC 62351-8 RBAC approach and the already defined role to
permission mapping from IEC 62351-5:2023.
The scope of this document does not include security for IEC 60870-5-102 or IEC 60870-5-103.
IEC 60870-5-102 is in limited use only and will therefore not be addressed. Users of
IEC 60870-5-103 desiring a secure solution need to implement IEC 61850 using the security
measures from IEC 62351 referenced in IEC 61850.
Management of keys, certificates or other cryptographic credentials within devices or on
communication links other than IEC 60870-5-101/104 is out of the scope of this document and
might be addressed by other IEC 62351 publications in the future.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies.
For undated references, the latest edition of the referenced document (including any
amendments) applies.
IEC 60870-5-101:2003, Telecontrol equipment and systems – Part 5-101: Transmission
protocols – Companion standard for basic telecontrol tasks
IEC 60870-5-104:2006, Telecontrol equipment and systems – Part 5-104: Transmission
protocols – Network access for IEC 60870-5-101 using standard transport profiles

IEC TS 62351-2, Power systems management and associated information exchange – Data and
communications security – Part 2: Glossary of terms
IEC 62351-3:2023, Power systems management and associated information exchange – Data
and communications security – Part 3: Communication network and system security – Profiles
including TCP/IP
IEC 62351-5:2023, Power systems management and associated information exchange – Data
and communications security – Part 5: Security for IEC 60870-5 and derivatives
IEC 62351-8, Power systems management and associated information exchange – Data and
communications security – Part 8: Role-based access control for power system management
3 Terms, definitions and abbreviated terms
3.1 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following
addresses:
• IEC Electropedia: available at https://www.electropedia.org/
• ISO Online browsing platform: available at https://www.iso.org/obp
NOTE Terms 3.1.1 to 3.1.7 are included here because they are specific to the IEC 60870-5 standard series and
can be useful for reading this document as an independent document. Terms 3.1.8 and 3.1.9 are included here
because they are specific to IEC 62351-5:2023.
3.1.1
A-Profile
application security profile described in IEC 62351-5:2023
3.1.2
T-Profile
transport security profile described in IEC 62351-3:2023
3.1.3
Application Protocol Data Unit
APDU
complete application layer message transmitted by a station
3.1.4
Application Service Data Unit
ASDU
application layer message submitted to lower layers for transmission
3.1.5
controlling station
device or application that initiates most of the communications and issues commands
3.1.6
controlled station
remote device that transmits data gathered in the field to the controlling station
3.1.7
control direction
data transmitted by the controlling station to the controlled station(s)

3.1.8
Message Authentication Code
MAC
calculated value used by a transmitting and a receiving station to authenticate and ensure the
integrity of an Application Protocol Data Unit
3.1.9
Monitoring Direction
data transmitted by the controlled station to the controlling stations
3.2 Abbreviated terms
For the purposes of this document, the abbreviated terms given in IEC TS 62351-2, as well as
the following apply. Terms 3.2.2 to 3.2.4 are included here because they are specifically used
in the affected protocols and used in the discussion of this security mechanism.
3.2.1
AEAD
Authenticated encryption with authenticated data
3.2.2
APDU
Application Protocol Data Unit
3.2.3
ASDU
Application Service Data Unit
3.2.4
ASN
ASDU segment number
3.2.5
FIN
Final segment
3.2.6
FIR
First segment
3.2.7
HKDF
Key Derivation Function
3.2.8
MAC
Message Authentication Code
3.2.9
RBAC
Role-based access control
4 Overview of IEC 60870-5-7 profiles
This document specifies two different security profiles to protect IEC 60870-5-101 and
IEC 60870-5-104 communication, namely:
• A-Profile based on IEC 62351-5:2023, as described in Clause 5 of this document. This
profile targets the protection of IEC 60870-5-101 and IEC 60870-5-104 communications
at the application level.
• T-Profile based on IEC 62351-3:2023, as described in Clause 6 of this document. This
profile targets the protection only for IEC 60870-5-104 communication, at transport
(TCP/IP) level.
Figure 1 illustrates the protocol stack for IEC 60870-5-101 and IEC 60870-5-104 and how the
different security profiles or their combination defined in this document relate to these protocol
stacks.
Figure 1 – IEC 60870-5-7 Profiles
Note that the A-Profile as well as the T-Profile security allow mutual authentication in
combination with or without RBAC. In addition, protection with integrity only or integrity
combined with confidentiality is possible.
5 A-Profile: Implementation of IEC 62351-5
5.1 General
This clause specifies the application of A-Profile security, which provides security as part of the
application layer. A-Profile security relies on specification of messages and procedures as
described in IEC 62351-5:2023 and outlined in 5.2, 5.3 and 5.4 and in Annex A.
If the A-Profile is used in conjunction with RBAC, the procedure defined in IEC 62351-5:2023,
8.3.12.2, shall be followed.
5.2 Selected options
5.2.1 Overview of clause
This clause describes which of the options specified in IEC 62351-5:2023 shall be implemented
in IEC 60870-5-101 and IEC 60870-5-104.

5.2.2 MAC algorithms
IEC 60870-5 stations shall implement all the mandatory MAC algorithms listed in
IEC 62351-5:2023, and may implement any of the optional MAC algorithms listed there.
5.2.3 Encryption algorithms
IEC 60870-5 stations shall implement all the mandatory encryption algorithms listed in
IEC 62351-5:2023 and may implement any of the optional encryption algorithms listed there.
5.3 Implementation of procedures
5.3.1 Overview of clause
Stations implementing this document for security of IEC 60870-5-101/IEC 60870-5-104 shall
implement the procedures and state machines described in Clause 8 of IEC 62351-5:2023.
They shall also implement the additional procedures described in the remainder of this clause.
5.3.2 Detection of communication failures
IEC 60870-5-2:1992 describes the serial link transmission procedures allowing the detection of
connection failures when using IEC 60870-5-101 communication.
IEC 60870-5-104:2006 describes network transmission procedures using TCP/IP, which also
allow detection of connection failures.
In case a communication failure is detected, the implementation of the security mechanism
described in this document shall stop sending of any further messages and stop all related
timers except the Session Key Usage Timer (as defined in IEC 62351-5:2023).
5.3.3 Algorithm selection for Update Keys derivation
During the Station Association procedure, the Update Keys shall be derived as described in
8.3.10 of IEC 62351-5:2023.
The hash function to be used in both HKDF extract and expand steps shall be the same hash
function used in the MAC algorithm selected by the controlling station in the Update Key Change
message.
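Added example (not part of IEC TS 60870-5-7 or IEC 62351-5): a Python sketch of the rule in 5.3.3, where the hash used in both HKDF steps is taken from the MAC algorithm selected by the controlling station. The MAC labels, input keying material, salt and info values are constructed assumptions; the normative inputs and key layout are defined in 8.3.10 of IEC 62351-5:2023.

```python
import hashlib
import hmac

# Constructed lookup from a MAC algorithm label to the hashlib name of its hash.
# The labels are illustrative; the normative list is in IEC 62351-5:2023.
MAC_TO_HASH = {
    "HMAC-SHA-256": "sha256",
    "HMAC-SHA3-256": "sha3_256",
}


def hkdf_extract(hash_name: str, salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        # RFC 5869: an absent salt is replaced by a string of zero octets.
        salt = bytes(hashlib.new(hash_name).digest_size)
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(hash_name: str, prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(n) = HMAC-Hash(PRK, T(n-1) | info | n)."""
    digest_size = hashlib.new(hash_name).digest_size
    if not 0 < length <= 255 * digest_size:
        raise ValueError("requested length out of range for this hash")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key_material(selected_mac: str, ikm: bytes, salt: bytes,
                        info: bytes, length: int) -> bytes:
    """Run extract and expand with the one hash implied by the selected MAC."""
    try:
        hash_name = MAC_TO_HASH[selected_mac]
    except KeyError:
        raise ValueError(f"unsupported MAC algorithm: {selected_mac}") from None
    prk = hkdf_extract(hash_name, salt, ikm)
    return hkdf_expand(hash_name, prk, info, length)


def stations_agree(controlling_mac: str, controlled_mac: str, ikm: bytes,
                   salt: bytes, info: bytes, length: int = 32) -> bool:
    """True only if both stations end up with identical key material."""
    a = derive_key_material(controlling_mac, ikm, salt, info, length)
    b = derive_key_material(controlled_mac, ikm, salt, info, length)
    return hmac.compare_digest(a, b)
```

A controlled station that derives with a hash other than the one implied by the selected MAC algorithm obtains different key material, so the association fails at the first authenticated message instead of silently running with weaker parameters.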
5.3.4 Session keys – Application and management
5.3.4.1 General
If this security mechanism is applied to IEC 60870-5-104, the Control Direction Session Key
shall be used to authenticate Secure Data messages in control direction with any common
address value, including the broadcast common address.
If this security mechanism is applied to IEC 60870-5-101, the Control Direction Session Key
shall be used to protect Secure Data messages in control direction with unicast common
address value only. If broadcast common address ASDUs are supported in control direction,
Secure Data messages with this common address value shall be protected with a different
Session Key, as described in 5.3.4.2.
This security mechanism requires the controlling station to support the option of executing the
Session Key Change procedure also when it is solicited by the controlled station, as described
in 5.3.4.3.
5.3.4.2 Session key to authenticate broadcast ASDU in IEC 60870-5-101
5.3.4.2.1 General
If this security mechanism is applied to IEC 60870-5-101 and broadcast common address ASDU
in control direction are supported, the Secure Data messages with broadcast common address
shall be authenticated using a separate Broadcast Session Key.
The Broadcast Session Key is unique and has the same value for all the stations (controlling
and controlled) connected. The controlling station shall create the Broadcast Session Key and
distribute it to each controlled station connected by performing the Session Key Change
procedure described in IEC 62351-5:2023, 8.4. Subclause 5.4.3.11 of this document describes
the data to be included in the Session Key Change Request message when this procedure is
used to initialize or change the Broadcast Session Key.
According to IEC 62351-5:2023, 8.4.2.4.5, the length of the Broadcast Session Key shall be
256 bits.
The Broadcast Session Key has its own independent usage timer (the Broadcast Session Key
Usage Timer) and usage counter (the Broadcast Session Key Usage Counter) as well as the
corresponding configurable parameters (Max Broadcast Session Key Usage Time and Max
Broadcast Session Key Usage Count) in both controlling and controlled stations as described
in 9.6. It is recommended to set the duration of the Max Broadcast Session Key Usage Time greater
than that set for the Max Session Key Usage Time, considering the frequency of use of broadcast
messages.
As with the Monitor Direction and Control Direction Session Keys, the Broadcast Session Key
shall be managed as described in IEC 62351-5:2023, 8.4.5. When the Broadcast Session Key
Change Usage Timer expires, or the Broadcast Session Key Usage Count has been exceeded, the
controlling station shall perform the Session Key Change procedure for the Broadcast Session Key
to each controlled station connected. Figure 16 describes the initial procedure to distribute the
Broadcast Session Key whereas the update procedure is described in Figure 17.
If the Session Key Change procedure has to be performed for all Session Keys (Monitor
Direction, Control Direction and Broadcast Session Keys) at the same time, priority shall be
given to the Session Key Change procedure for Monitor Direction and Control Direction Session
Keys. The Session Key Change procedure for the Broadcast Session Key shall be executed
whenever the Session Key Change procedure for Monitor Direction and Control Direction
Session Keys has been successfully completed or has failed.
5.3.4.2.2 Broadcast Session Key management on controlling station
When a new Broadcast Session Key is distributed to all the controlled stations connected by
performing the Session Key Change procedure, the controlling station shall keep the current
Broadcast Session Key valid, and shall continue to use it to protect Broadcast Secure Data
messages, until the Session Key Change procedure has been completed for all the controlled
stations connected. The Broadcast Session Key distribution is considered completed even if the
Session Key Change procedure has failed for one or more controlled stations.
During the Broadcast Session Key update procedure both the Current Broadcast Session Key
and the New Broadcast Session Key are sent to each controlled station. When the Broadcast
Session Key distribution is completed, the controlling station shall use the New Broadcast
Session Key to protect all subsequent secure data messages with the broadcast address.
The controlled stations, which could not be updated, will use the Session Initiation Request to
establish the current Session Keys and the Current Broadcast Session Key, and, if necessary,
the New Broadcast Session Key.

5.3.4.2.3 Broadcast Session Key management on controlled station
When the controlled station is provisioned with a new Broadcast Session Key, by performing
the Session Key Change procedure (initiated by the controlling station), the controlled station
shall maintain both the new and the current Broadcast Session Keys. Either key may be valid
to authenticate Broadcast Secure Data messages received during the key distribution period.
When the controlled station receives the first Secure Data message (see 5.4.3.13) with the
broadcast address, that is protected with the new Broadcast Session Key provisioned, the
controlled station shall invalidate the current Broadcast Session Key and apply the new
Broadcast Session Key to all subsequent Broadcast Secure Data messages received.
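Added example (not part of the specification): a Python simulation of the Broadcast Session Key rollover described in 5.3.4.2.2 and 5.3.4.2.3, covering both the controlling and the controlled station. The class and method names are hypothetical, HMAC-SHA-256 over the bare payload stands in for the negotiated MAC calculation, and the payloads and station identifiers are constructed.

```python
import hashlib
import hmac
import os

KEY_LEN = 32  # the Broadcast Session Key is 256 bits long


def tag(key: bytes, message: bytes) -> bytes:
    # Assumption: HMAC-SHA-256 stands in for the negotiated MAC algorithm.
    return hmac.new(key, message, hashlib.sha256).digest()


class ControllingStation:
    def __init__(self, current_key: bytes, station_ids):
        self.current_key = current_key
        self.new_key = None
        self.stations = set(station_ids)
        self.outstanding = set()   # stations whose key change is still running
        self.failed = set()        # stations that could not be updated

    def start_update(self) -> bytes:
        self.new_key = os.urandom(KEY_LEN)
        self.outstanding = set(self.stations)
        self.failed = set()
        return self.new_key

    def key_change_finished(self, station_id: str, succeeded: bool) -> None:
        # A failed Session Key Change still counts as completed for distribution.
        self.outstanding.discard(station_id)
        if not succeeded:
            self.failed.add(station_id)
        if self.new_key is not None and not self.outstanding:
            self.current_key, self.new_key = self.new_key, None

    def broadcast(self, message: bytes):
        # Always protected with the key that is current at sending time.
        return message, tag(self.current_key, message)


class ControlledStation:
    def __init__(self, current_key: bytes):
        self.current_key = current_key
        self.new_key = None

    def provision(self, new_key: bytes) -> None:
        if len(new_key) != KEY_LEN:
            raise ValueError("Broadcast Session Key must be 256 bits")
        self.new_key = new_key

    def accept(self, message: bytes, received_tag: bytes) -> bool:
        # First broadcast verified under the new key invalidates the old one.
        if self.new_key is not None and hmac.compare_digest(
                tag(self.new_key, message), received_tag):
            self.current_key, self.new_key = self.new_key, None
            return True
        # Otherwise only the current key may authenticate the message.
        return hmac.compare_digest(tag(self.current_key, message), received_tag)


def simulate_rollover() -> dict:
    old_key = os.urandom(KEY_LEN)
    master = ControllingStation(old_key, ["A", "B", "C"])
    outstations = {sid: ControlledStation(old_key) for sid in ("A", "B", "C")}
    results = {}

    new_key = master.start_update()
    outstations["A"].provision(new_key)
    master.key_change_finished("A", True)

    # Distribution still running: the broadcast is sent under the old key.
    frame = master.broadcast(b"constructed broadcast payload 1")
    results["during"] = {s: o.accept(*frame) for s, o in outstations.items()}

    outstations["B"].provision(new_key)
    master.key_change_finished("B", True)
    master.key_change_finished("C", False)  # constructed failure for station C

    # Distribution completed: the controlling station has switched keys.
    frame = master.broadcast(b"constructed broadcast payload 2")
    results["after"] = {s: o.accept(*frame) for s, o in outstations.items()}

    # A frame still protected with the old key, presented after the switch.
    stale = (b"constructed stale payload", tag(old_key, b"constructed stale payload"))
    results["stale"] = {s: o.accept(*stale) for s, o in outstations.items()}
    results["failed"] = sorted(master.failed)
    return results
```

Station C, which missed the update, rejects every broadcast sent under the new key and still accepts frames under the old one; this is the state from which it has to recover through the Session Initiation Request.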
5.3.4.3 Session Key Change procedure solicited by controlled station
5.3.4.3.1 General
As described in IEC 62351-5:2023, 8.4.2.6, the controlled station may optionally solicit the
controlling station to initiate the Session Key Change procedure by sending a Session Initiation
Request message. The affected protocol referencing standards may define the Session
Initiation Request message and its management.
This document makes use of the Session Initiation Request when the controlled station has
reinitialized because in this condition the controlled station Session Keys shall be considered
not valid and its Data Sequence Number (DSQ, described in IEC 62351-5:2023, 8.5.2.2.4) is
reset.
Applying the security mechanism defined in IEC 62351-5:2023 to IEC 60870-5-101 and
IEC 60870-5-104 protocols, devices claiming conformance to this document shall support the
Session Initiation Request message, defined in 5.4.3.8 as well as the additional Session Keys
management described in 5.3.4.3.2 and 5.3.4.3.3 for each association established.
5.3.4.3.2 Session Keys management on controlled station
On the controlled station, the current session keys shall be stored in a way that will be retained
over a restart of the device. This shall occur when they are initialized and each time they are
changed (i.e., when the Session Key Change procedure is successfully executed).
After reinitialization of the controlled station, if the Session Keys are available, the controlled
station shall mark the Session Keys invalid. The initial session key establishment is described
in IEC 62351-5:2023, 8.4.
The existing Session Key is used after restart to secure the Session Initiation Message.
If the Session Keys are marked invalid while the Session Key Change state machine is in Session
Idle State, the controlled station shall perform the following actions:
a) Send the Session Initiation Requests to the controlling station
b) Start the Request Timer
If the Request Timer expires, the controlled station shall repeat the actions above.
If the controlled station receives a valid Session Request, it shall stop the Request Timer and
execute the Session Key Change procedure described in IEC 62351-5:2023, 8.4.4.
5.3.4.3.3 Session Keys management on controlling station
On the controlling station, the current session keys shall be stored in a way that will be retained
over a restart of the device. This shall occur when they are initialized and each time they are
changed (i.e. when the Session Key Change procedure is successfully executed).

After reinitialization of the controlling station, if the Session Keys are available, the controlling
station shall perform the following actions:
a) Mark the Session Keys invalid
b) Initiate the Session Key Change procedure at the earliest opportunity.
The initial session key establishment is described in IEC 62351-5:2023, 8.4.
If the controlling station Session Key Change state machine is in the Key Management Idle
state, it shall accept a valid Session Initiation Request sent by the controlled station and shall
perform the following actions:
a) Mark the Session Keys invalid.
b) Initiate the Session Key Change procedure at the earliest opportunity.
If this security mechanism is applied to IEC 60870-5-101 and broadcast common address
messages are used, the Session Key Change procedure for the Broadcast Session Key shall
also be executed immediately after the Session Key Change procedure for Monitor and Control
Direction Session Keys.
If the controlling station Session Key Change state machine is in the Key Management Idle
state and it receives an invalid Session Initiation Request message, it shall perform the
following actions:
a) Discard the message.
b) Increment the Discarded Messages statistic.
c) If MAC is invalid, increment the Key Authentication Failures statistic.
If the controlling station Session Key Change state machine is not in the Key Management Idle
state and it receives a Session Initiation Request sent by the controlled station, it shall perform
the following actions:
a) Increment the Unexpected Messages statistic.
b) Discard the message.
c) Increment the Discarded Messages statistic.
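The controlling-station rules of 5.3.4.3.3 for an incoming Session Initiation Request can be modelled as a small handler. This is an added example, not code from this document or from IEC 62351-5; the class, the non-idle state name, the statistic keys and the well_formed/mac_ok inputs are hypothetical names chosen for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum, auto

class KmState(Enum):
    KEY_MANAGEMENT_IDLE = auto()
    KEY_CHANGE_IN_PROGRESS = auto()  # hypothetical stand-in for every non-idle state

@dataclass
class ControllingStation:
    state: KmState = KmState.KEY_MANAGEMENT_IDLE
    session_keys_valid: bool = True
    broadcast_101: bool = False  # IEC 60870-5-101 with broadcast common address in use
    stats: dict = field(default_factory=lambda: {
        "unexpected_messages": 0, "discarded_messages": 0, "key_auth_failures": 0})
    key_changes_due: list = field(default_factory=list)

    def on_session_initiation_request(self, well_formed: bool, mac_ok: bool) -> str:
        if self.state is not KmState.KEY_MANAGEMENT_IDLE:
            # Not idle: counted as unexpected and discarded, whatever its content.
            self.stats["unexpected_messages"] += 1
            self.stats["discarded_messages"] += 1
            return "discarded"
        if not (well_formed and mac_ok):
            self.stats["discarded_messages"] += 1
            if not mac_ok:
                self.stats["key_auth_failures"] += 1
            return "discarded"
        # Valid request in idle state: invalidate keys, then schedule the key change(s).
        self.session_keys_valid = False
        self.key_changes_due.append("monitor/control")
        if self.broadcast_101:
            self.key_changes_due.append("broadcast")  # directly after monitor/control
        return "accepted"

def replay(events, **config):
    """Feed constructed (state, well_formed, mac_ok) events to a fresh station."""
    cs = ControllingStation(**config)
    results = []
    for state, well_formed, mac_ok in events:
        cs.state = state
        results.append(cs.on_session_initiation_request(well_formed, mac_ok))
    return cs, results
```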
5.3.5 Co-existence with non-secure implementations
It shall be configurable at the controlling station whether to apply this specification on a
per-connection and per data link address basis. This will permit secure and non-secure controlled
station implementations to communicate with the same controlling station at the same time.
Controlled stations may be configurable to permit secure and non-secure communication with
the controlling station.
All stations shall deny unsecured communication when configured to use secured
communication for that connection.
5.4 Implementation of messages
5.4.1 Overview of clause
This clause describes how the secure authentication messages described in IEC 62351-5:2023
are implemented in IEC 60870-5-101 and IEC 60870-5-104.

5.4.2 Data definitions
5.4.2.1 Causes of transmission
Stations implementing secure authentication shall use the causes of transmission listed in
Table 1 in addition to those described in 7.2.3 of IEC 60870-5-101:2003.
Table 1 – Additional cause of transmission
Cause := UI6[1..6]<14..17>
<14> := application data authentication
<15> := maintenance of session key
<16> := maintenance of association and update key
<17> := operation not authorized 1)
1) This cause of transmission is used by the controlled station only and shall be managed by the application.
If the controlled station receives a request from the controlling station, which the controlling station is not
authorized to perform, the controlled station shall respond with a negative acknowledge containing cause of
transmission <17>.
5.4.2.2 Type identifiers
Stations implementing secure authentication shall use the Type Identifications listed in Table 2
in addition to those described in 7.2.1 of IEC 60870-5-101:2003 and Clause 6 of
IEC 60870-5-104:2006. This range of Type Identifications was previously allocated for system
information in the monitor direction. Some ASDUs identified by these types may be transmitted
in the control direction.
Table 2 – Additional type identifiers
TYPE IDENTIFICATION := UI8[1..8]<81..91>
<81> := Association request S_AQ_NA_1
<82> := Association response S_AP_NA_1
<83> := Update key change request S_UH_NA_1
<84> := Update key change response S_UP_NA_1
<85> := Session initiation request S_SI_NA_1
<86> := Session request S_SQ_NA_1
<87> := Session response S_SP_NA_1
<88> := Session key change request S_KH_NA_1
<89> := Session key change response S_KP_NA_1
<91> := Secure data S_SD_NA_1
5.4.2.3 Security statistics
Stations implementing secure authentication shall use the ASDU Type 37: Integrated totals with
time tag CP56Time2a, defined in 7.3.1.29 of IEC 60870-5-101, to report the values of the
security statistics described in 7.5 of IEC 62351-5:2023. The Information Object Address of
each security statistic shall be recorded in the Protocol Implementation Conformance Statement
for each station as described in 9.7.
The procedures used by the controlled station to report the security statistics shall be the same
as for the existing integrated totals, as described in 7.4.8 of IEC 60870-5-101:2003, particularly
including the ability for these totals to be reported using spontaneous transmission.

It is recommended to report all security statistics in a single integrated totals group. The value
of each BCR field is in the range between 0 and 2^31-1.
5.4.2.4 Information object address
The Information Object Address (IOA) does not apply to the ASDUs described in IEC
TS 60870-5-7 and is not included in these ASDUs. It is replaced by the ASDU Segmentation
Control octet specified in 5.4.2.5.
5.4.2.5 Transmitting extended ASDUs using segmentation
Several of the messages defined in IEC 62351-5:2023 are longer than the maximum length of
an IEC 60870-5 data link or APCI frame. Figure 2 defines a field that shall be used to control
reassembly when an IEC 60870-5-7 ASDU is transmitted in a series of several segments such
that each segment will fit in a data link or APCI frame.
The ASDU segmentation described here is a frame transport feature. Security is applied to
ASDU before segmentation. Therefore, the segmentation field is not included in the protected
data.
The transmitting station shall add the MAC value to, or encrypt, the application data in the ASDU
prior to applying ASDU segmentation and transmission. Symmetrically, the receiving station
shall reassemble the entire ASDU from the ASDU segments received prior to verifying the MAC
value or decrypting the application data.
Bit    8     7     6  5  4  3  2  1
      FIN   FIR   2^5     ASN     2^0      ASDU SEGMENTATION CONTROL

ASDU SEGMENTATION CONTROL := CP8{FIN, FIR, ASN}
ASN := UI6[1..6]<0..63>
FIR := BS[7]<0..1>
<0> := This is not the first segment of an ASDU
<1> := This is the first segment of an ASDU
FIN := BS[8]<0..1>
<0> := This is not the final segment of an ASDU
<1> := This is the final segment of an ASDU
Figure 2 – ASDU segmentation control
If an ASDU is too long to fit in a lower-level data link or APCI frame, the excess application
layer data shall be divided into segments as illustrated in Figure 3. The Data Unit Identifier
fields of the ASDU (Type Id, VSQ, COT, CASDU, and ASDU SEGMENTATION CONTROL) shall
be prepended to each segment so the receiving station can recognize the type, address and
disposition of each segment. The station shall transmit the segments in sequence as if they
were separate ASDUs, but without any data of a different Type ID interspersed.
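The segmentation rules of 5.4.2.5 can be worked through in code: the control octet is packed per Figure 2, the already protected ASDU body is split, and the receiver checks the MAC only after complete reassembly. This is an added example, not code from this document. Assumptions: the MAC is a truncated HMAC-SHA-256 appended to the data (the real MAC and its position are defined elsewhere), the ASN increases by one per segment modulo 64, and the 6-octet Data Unit Identifier and the key are constructed sample values.

```python
import hashlib
import hmac

FIN, FIR, ASN_MASK = 0x80, 0x40, 0x3F  # bit 8, bit 7, bits 6..1 of the control octet

def pack_ctrl(fin, fir, asn):
    if not 0 <= asn <= 63:
        raise ValueError("ASN is UI6, range 0..63")
    return (FIN if fin else 0) | (FIR if fir else 0) | asn

def unpack_ctrl(octet):
    return bool(octet & FIN), bool(octet & FIR), octet & ASN_MASK

def protect(data, key, mac_len=16):  # assumed MAC: truncated HMAC-SHA-256, appended
    return data + hmac.new(key, data, hashlib.sha256).digest()[:mac_len]

def segment(dui, body, max_seg):
    # body is already protected; the control octet stays outside the protected data.
    chunks = [body[i:i + max_seg] for i in range(0, len(body), max_seg)] or [b""]
    return [dui + bytes([pack_ctrl(i == len(chunks) - 1, i == 0, i % 64)]) + c
            for i, c in enumerate(chunks)]

class Reassembler:
    def __init__(self, dui_len):
        self.dui_len, self.dui, self.buf, self.next_asn = dui_len, None, None, 0

    def feed(self, frame):  # returns the whole ASDU body on the FIN segment, else None
        n = self.dui_len
        dui, (fin, fir, asn), data = frame[:n], unpack_ctrl(frame[n]), frame[n + 1:]
        if fir:
            self.dui, self.buf, self.next_asn = dui, bytearray(), asn
        elif self.buf is None or dui != self.dui or asn != self.next_asn:
            self.buf = None  # gap or interleaved ASDU: drop the partial reassembly
            return None
        self.buf += data
        self.next_asn = (asn + 1) % 64  # assumed ASN rule: +1 per segment, modulo 64
        if not fin:
            return None
        body, self.buf = bytes(self.buf), None
        return body

def verify(body, key, mac_len=16):
    # Called only on a fully reassembled body, never on a single segment.
    data, mac = body[:-mac_len], body[-mac_len:]
    expected = hmac.new(key, data, hashlib.sha256).digest()[:mac_len]
    return data if hmac.compare_digest(mac, expected) else None

# Constructed sample: Type Id 91, VSQ, COT 14 + originator, 2-octet CASDU; demo key.
SAMPLE_DUI, SAMPLE_KEY = bytes([91, 1, 14, 0, 1, 0]), b"constructed-demo-key"
```

A segment lost or altered in transit shows up as a dropped reassembly or a failed MAC check on the whole body; no per-segment check exists because the control octet is not part of the protected data.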
