IEC 104 - encrypted communication

The communication protocol Transport Layout Security (TLS) by IEC standard 608070-5-7 chapter 9 can be enabled to allow a secure communication with the IEC 104 driver. For encryption the Public Key cryptography or asymmetric encryption is used. Therefore, each participant in the system (IEC client or server) needs a certificate and a private key.

The supported protocol in IEC 60870-5-104 with TLS is based on X.509 certificates.

Configuration

Operating mode

Server mode

Define a secure server port via config entry tlsServerPort if the driver shall be operated as server. This port is 0 by default which means that the server mode is deactivated and no client can connect.

The config entry tcpServerPort allows to define a server port for insecure connections. Setting a nonzero number for tlsServerPort and tcpServerPort allows secure and insecure connections in parallel. tcpServerPort = 0 (default) means that no insecure connections are possible.

Client mode

There is an internal data point _IecConnection for every connection the driver establishes as a client to another server. The data point element _IecConnection.Config.Flags defines if the connection must be encrypted.

If encryption is activated, the client establishes a TLS connection and encrypts all IEC communication accordingly.

Cipher suites

You can define the available cipher suites for each driver via config entry iecTlsCipherSuite. The cipher suites available for server and client are compared during connection establishment. The server selects the first matching cipher suite. If there is no common cipher suite for client and server, the connection cannot be established.

Certificate

There must be one certificate for every driver. The driver uses this certificate for all connections to different servers. The PEM format is used for certificates and private key files.

The IEC driver only supports file-based certificate handling. Windows Certificate Store is not supported.

WinCC OA provides default certificates which allow immediate communication between one IEC driver in client and one IEC driver in server mode. The default location of the certificate directory is <project>/data/iec104/PKI. This directory can be changed via config entry iecTlsCertStore. There must be a PKI folder with the following subfolders in the defined directory:

  • /certs - contains all certificates

  • /private - contains private keys

  • /crl - contains the revocation list

The certificate and the private key must be located in the PKI folder of the defined directory.

WinCC OA allows to create root and application certificates (see WinCC OA - Overview of Certificates and Create SSL Certificates) which can be assigned to the IEC driver.

Always use an application certificate as certificate for the IEC driver (config entry iecTlsCert). Communication is not possible if you use a root certificate. The application certificate must be generated without a password since entering a password is not possible at driver runtime.

Trusting certificates

The IEC driver can also use valid certificates generated by other tools. In this case the respective certificate must be included in the trust list of the IEC driver. The config entry iecTlsCertCA allows to define the file which contains all trusted certificates.

Redundancy

The certificate directory must be setup properly on both redundant hosts. There is no automatic synchronisation. It is not possible to mix encrypted and unencrypted connections within a redundant IEC 104 connection group.