The relay supports one predefined user, user number 1 with the username Common.
This user has predefined OPERATOR access rights, so it can perform all the
IEC 60870-5-104 protocol requests the relay supports. The Update Key for this user
must be preset with Account Management in PCM600 using 'Configure Secure
Communication'; the key length can be selected as 128 or 256 bits in the tool. When
updating session keys for this user, only the MAC algorithm SHA256 / 16OCTET
(HMAC-SHA-256 truncated to 16 octets) is supported.
When enabling secure communication in the relay, it is important to
understand the expiration principles defined by the security standards.
TLS certificate expiration and user/key expiration and refreshing must be taken
into account when designing the system and its upkeep and maintenance, so that
communication stays available in the long run.
3.7.1.1 TCP port
The TCP port number 19998 is the port the security standard recommends for secure
IEC 60870-5-104 (registered with IANA as iec-104-sec). The instance's default TCP
port number does not change automatically to this value; it is set with the parameter
TCP Port under Configuration> Communication> Protocols> IEC 60870-5-101> 104 (n).
After enabling security and writing the Predefined Update Key, a reboot of
the relay is required to start secure communication. PCM600 performs
this reboot automatically.
3.7.2 TLS encryption
TLS (Transport Layer Security) authenticates the two endpoints and encrypts the TCP
connection between them; it works below the application-layer IEC 60870-5-104
secure authentication described above and is also supported by the IEC 60870-5-104
secure communication. TLS encryption for the IEC 60870-5-104 TCP communication
is enabled in the relay in several steps.
1. Import a public key certificate, signed by a trusted certification authority (CA),
to the relay.
2. Configure the IEC 60870-5-104 master to use TLS. Its public key certificate
must be signed by the same CA, so both endpoints are validated against the same
trust anchor.
3. Set the parameter Protocol Sec Mode to "TLS and appl. authentication" via
Configuration> Communication> Protocols> Secure IEC 104 (n)> General.
Both certificates expire; plan their renewal as described in the note on expiration
above. See the cyber security deployment guideline for more information.
3.7.3 Relay user and key management (IEC 60870-5-104 client)
Only one predefined user is supported, so users cannot be added or modified in the
relay. The predefined user Common has an Update Key whose bit length is preset in
PCM600 (128 or 256 bits). The IEC 60870-5-104 master initializes secure
IEC 60870-5-104 communication for the Common user in two steps.
• Setting the matching Update Key in its user database for user Common/1
• Starting a Session Key Update sequence for the user in the client
If the Session Key Update succeeds, the relay responds with a SUCCESS status. If the
configuration prevents the Session Key Update (for example, the Update Keys on the
two sides do not match), the relay returns an error response and increments its
internal error diagnostic counters. Check these counters to troubleshoot the problem.
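The following Python model is added here as an illustration; it is not code from the manual or from the relay firmware. It walks through the two-step update described above and the MAC constraint from the start of this section: the master presents a Session Key Change for user Common/1 authenticated with the Update Key, the relay accepts it only if the user number is 1, the named MAC algorithm is SHA256 / 16OCTET and the truncated HMAC-SHA-256 verifies, and every rejection increments a diagnostic counter. The message layout, the 4-octet challenge, the HMAC over the session key material (the standard wraps the keys instead) and the Relay, Master and counter names are simplifications and assumptions of this example, not the relay's actual encoding or diagnostics.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MAC_SHA256_16OCTET = "SHA256 / 16OCTET"   # from the manual: HMAC-SHA-256 truncated to 16 octets
MAC_LEN = 16
ALLOWED_UPDATE_KEY_BITS = (128, 256)      # the two Update Key lengths selectable in PCM600


def update_key_length_ok(key: bytes) -> bool:
    """True only for a 128- or 256-bit Update Key."""
    return len(key) * 8 in ALLOWED_UPDATE_KEY_BITS


def truncated_hmac_sha256(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-256, keeping only the leading 16 of the 32 digest octets."""
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


def encode_key_change(user_number: int, mac_algorithm: str,
                      challenge: bytes, session_key: bytes) -> bytes:
    """Length-prefixed serialization of the fields the MAC covers.
    Constructed layout for this example, not the standard's ASDU encoding."""
    alg = mac_algorithm.encode()
    return (struct.pack(">HB", user_number, len(alg)) + alg
            + struct.pack(">B", len(challenge)) + challenge
            + struct.pack(">B", len(session_key)) + session_key)


@dataclass
class Relay:
    """Outstation side: the single predefined user (number 1, Common) plus diagnostic counters."""
    update_key: bytes                         # preset in PCM600
    user_number: int = 1
    session_key: Optional[bytes] = None
    pending_challenge: Optional[bytes] = None
    counters: Dict[str, int] = field(default_factory=lambda: {
        "session_key_updates_ok": 0, "unknown_user": 0, "unsupported_mac_algorithm": 0,
        "challenge_mismatch": 0, "authentication_failures": 0})

    def __post_init__(self) -> None:
        if not update_key_length_ok(self.update_key):
            raise ValueError("Update Key must be 128 or 256 bits")

    def key_status(self) -> bytes:
        """Hand out fresh challenge data that the next Session Key Change must echo."""
        self.pending_challenge = secrets.token_bytes(4)   # 4 octets: assumption of this model
        return self.pending_challenge

    def session_key_change(self, user_number: int, mac_algorithm: str, challenge: bytes,
                           session_key: bytes, mac: bytes) -> str:
        """Accept or reject a Session Key Change; every rejection bumps one counter."""
        if user_number != self.user_number:
            self.counters["unknown_user"] += 1
            return "ERROR: unknown user"
        if mac_algorithm != MAC_SHA256_16OCTET:
            self.counters["unsupported_mac_algorithm"] += 1
            return "ERROR: unsupported MAC algorithm"
        if self.pending_challenge is None or challenge != self.pending_challenge:
            self.counters["challenge_mismatch"] += 1
            return "ERROR: challenge mismatch"
        expected = truncated_hmac_sha256(
            self.update_key, encode_key_change(user_number, mac_algorithm, challenge, session_key))
        if not hmac.compare_digest(expected, mac):   # constant-time compare, never ==
            self.counters["authentication_failures"] += 1
            return "ERROR: authentication failed"
        self.session_key = session_key
        self.pending_challenge = None             # a challenge is good for one attempt only
        self.counters["session_key_updates_ok"] += 1
        return "SUCCESS"


class Master:
    """Client side: holds the Update Key set in its user database for Common/1."""
    def __init__(self, update_key: bytes) -> None:
        self.update_key = update_key

    def session_key_change(self, challenge: bytes, mac_algorithm: str = MAC_SHA256_16OCTET
                           ) -> Tuple[int, str, bytes, bytes, bytes]:
        session_key = secrets.token_bytes(32)     # fresh session key for this session
        mac = truncated_hmac_sha256(
            self.update_key, encode_key_change(1, mac_algorithm, challenge, session_key))
        return 1, mac_algorithm, challenge, session_key, mac


def run_scenarios() -> Dict[str, object]:
    """Matching key, wrong key and unsupported MAC algorithm against one relay."""
    update_key = secrets.token_bytes(32)          # 256-bit Update Key, as preset in PCM600
    relay, master, rogue = Relay(update_key), Master(update_key), Master(secrets.token_bytes(32))
    results: Dict[str, object] = {}
    results["matching_key"] = relay.session_key_change(*master.session_key_change(relay.key_status()))
    results["wrong_key"] = relay.session_key_change(*rogue.session_key_change(relay.key_status()))
    results["wrong_mac_alg"] = relay.session_key_change(
        *master.session_key_change(relay.key_status(), mac_algorithm="SHA256 / 8OCTET"))
    results["counters"] = dict(relay.counters)
    return results
```

Calling run_scenarios() returns SUCCESS for the master holding the matching Update Key and an error string for the other two attempts, with the relay's counters showing one successful update, one authentication failure and one unsupported MAC algorithm; that counter pattern is what a practitioner would look for when the real relay reports an error response after a Session Key Update.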
2NGA001859 A
Vendor-specific implementation
REX615
IEC 60870-5-104 Communication Protocol Manual
23