ICCP Security: Hardening TASE.2 Links With IEC 62351

By | July 16, 2026

An ICCP link is a standing, months-long connection between two organizations, carrying real-time grid data and — where block 5 is enabled — live control of primary equipment. It crosses an organizational boundary by definition: the other end is somebody else’s network, somebody else’s patching discipline, somebody else’s incident. That makes it one of the most security-relevant connections a utility operates, and it was designed in an era that assumed none of this mattered.

This article lays out what ICCP protects natively (very little), what the current standards did about it, where IEC 62351 fits, and what to actually require when specifying a new link. The protocol details are verified against IEC 60870-6-503 and IEC 60870-6-702.

What native ICCP actually gives you

Start with an honest inventory. A base ICCP link, as deployed for most of the protocol’s life, provides:

Authorization, per partner, enforced. The bilateral table is a genuinely good access-control model: the server validates every association and every operation against a per-partner list of granted objects and permitted operations, with rate limits and control scoping. The bilateral tables article covers the mechanics.

Identity claims, unverified. The association check compares the presented AP-title and AE-qualifier against the table. Nothing proves the claim. Anyone who can reach TCP port 102 and knows (or captures) the expected identifiers can present them.

No confidentiality, no integrity. Base ICCP has no encryption and no message authentication. Every value, every point name, every control is plaintext ASN.1 on the wire — as the Wireshark guide demonstrates in practice. A man-in-the-middle on the WAN path can read everything and, in principle, alter it.

So the base protocol authorizes well and authenticates nothing. Every real security property of a classic ICCP deployment comes from the network around it: private circuits, MPLS VPNs, firewalls scoped to the peer addresses, and the general obscurity of OSI upper layers. That architecture has held up better than it deserves to, but “the WAN is private” is an assumption, not a control.

What the current editions hardened

Before adding any cryptography, the current editions did something simpler: they shrank the protocol.

MMS defines over 86 services. TASE.2 needs roughly a dozen and a half. Earlier editions left the rest optional; the current functional profile marks them excluded — domain management, program invocation, semaphores, journals, file access and file management, event management, operator communication, data exchange management, access control services, all of it. Excluded is a strong word in profile language: the implementation shall behave as if the feature were not implemented. The standard states the reasoning plainly: the size of the MMS service set had been assessed as a potential security issue, and services not required for TASE.2 shall be disabled.

The same revision deleted conformance blocks 6 through 9 — programs, events, accounts, time series — removing, among other things, the ability to remotely start and kill programs on a peer’s server, a capability that reads very differently in 2026 than it did in 1996. The conformance blocks article has the full story.

For an operator, this cuts two ways. A conforming current implementation exposes a genuinely minimal MMS surface: variable access, name lists, association management, and little else. But conformance is per implementation — legacy gateways predating the revision may still answer services the current profile bans. A simple test during commissioning: send a GetCapabilityList or a file service request and confirm you get a rejection. A peer that answers is running more protocol than the standard allows.

The two cryptographic hooks

The standards place security at two layers, and the division of labor matters.

Transport: TLS, port 3782. Secured ICCP runs over TLS on TCP port 3782 (IANA-registered, shared with secured IEC 61850 MMS), with the TLS usage profiled by IEC 62351-3. The current edition of that profile — IEC 62351-3:2023, which replaced the first edition and both of its amendments — defines complete profiles for both TLS 1.2 and TLS 1.3, including mandatory cipher suites, session resumption and renegotiation parameters, and certificate revocation handling via CRL and OCSP. It’s also deliberately self-contained: a referencing standard now only has to name the port, and the profile supplies every other TLS parameter, which removes the old ambiguity about “which TLS options” a secured link should run.

For an ICCP link the translation is simple: mutual certificate authentication, TLS 1.2 minimum, TLS 1.3 preferred — an ICCP link is exactly the place for mutual TLS, since both ends are known machines under written agreement.

Application: ACSE authentication per IEC 62351-4. Independently of TLS, the association itself can be authenticated: the AARQ/AARE exchange carries authentication values per IEC 62351-4, proving the application-level identity that the bilateral table then authorizes. In the original 2007 mechanism, that value is certificate-based: an X.509 certificate plus a timestamp signed with the sender’s RSA key, verified bidirectionally at association setup, with anti-replay enforcement — a peer that presents a timestamp more than ten minutes off local time, or reuses a signed value seen within the last ten minutes, gets the association aborted.

The current TASE.2 profile made the ACSE authentication machinery mandatory to implement — the functional unit is required equipment in every conforming implementation — while its use per 62351-4 remains optional to deploy. In other words: any modern conforming ICCP product has the hooks; whether a given link is authenticated is configuration and agreement, not procurement.

The layering answers a question that comes up in every design review: why both? TLS authenticates and protects the connection between two machines. ACSE authentication proves the application association — which matters when connections traverse proxies or gateways, and it’s the identity the bilateral table logic consumes. Defense in depth here is not redundancy; the two mechanisms answer different questions.

IEC 62351-4 grew up in 2018

The 62351-4 referenced by the TASE.2 documents is the 2007 Technical Specification — historically important, functionally modest. It secured the association handshake with the certificate-and-signed-timestamp exchange described above, and it defined the secure transport profile that gave us port 3782.

But it’s a document of its time, and its time shows: TLS as specified there is version 1.0, the mandatory cipher suite is DH-DSS with AES-256 and SHA-1, the recommended list includes 3DES and RC4, the minimum RSA key length is 1024 bits, and the anti-replay design accepts a ten-minute window of vulnerability by construction. Nothing after the handshake is protected at the application layer at all. A link “secured per 62351-4” in the 2007 sense, with today’s cryptographic expectations, is not secured.

In 2018, IEC 62351-4 was republished as a full International Standard (amended in 2020), and it’s a different animal. It defines two modes. Compatibility mode preserves interoperability with 2007-era implementations — handshake authentication in the style the TASE.2 profile references. Native mode extends protection to the data transfer phase: integrity and authentication of the application messages themselves, application-layer encryption with shared key management, and end-to-end security that survives zero or more intermediate entities between the endpoints.

That end-to-end property is the strategic one for ICCP. Plenty of real ICCP architectures have something in the middle — protocol gateways, DMZ relays, communication processors — and TLS only ever protects hop by hop. Native-mode 62351-4 protects control-center-to-control-center regardless of what sits between. Vendor adoption of native mode is still maturing; when evaluating products, ask specifically which 62351-4 edition and mode they implement, because “62351-4 support” can mean 2007 handshake authentication and nothing else.

The deployment reality, and what to require

Field truth: a large share of ICCP links in service today still run plaintext on port 102 across private WANs, protected by network architecture and contractual trust. Migration is genuinely hard — both organizations must move together, certificates must be managed across a company boundary, and nobody wants to be the change that drops a link two control rooms depend on. Hard is not impossible, and regulation is steadily removing the option of not trying: in North America, NERC CIP-012 explicitly requires protecting the confidentiality and integrity of real-time assessment and monitoring data transmitted between control centers — a requirement aimed at exactly the traffic ICCP carries.

For a new link, or a renegotiated bilateral agreement, the defensible baseline looks like this:

TLS per IEC 62351-3:2023 on port 3782 with mutual certificate authentication, TLS 1.2 minimum and 1.3 preferred, and an agreed certificate management process between the two organizations — issuance, renewal, and revocation are now a bilateral matter, so write them into the agreement next to the point lists. The 2023 profile specifies revocation checking via CRL and OCSP, a real upgrade over the 2007-era approach of polling revocation lists on a twelve-hour default cycle; it also defines security events for TLS handshake and certificate-validation failures, so require that those events reach your monitoring rather than dying in a gateway log. ACSE authentication per IEC 62351-4 enabled, with the edition and mode stated explicitly.

Conformance to the current profiles confirmed in the PICS, verified during commissioning by probing for excluded services. Firewall rules scoped to the peer’s declared addresses and the two ICCP ports, with idle timeouts that respect months-long associations. Block 5 granted only where the agreement genuinely requires remote control, with SBO behavior fully specified. And the link placed in your zone model deliberately — an ICCP server is a textbook conduit between organizational zones in IEC 62443 terms, and it belongs in a DMZ-style segment with the same engineering rigor as any IT/OT boundary.

None of that list is exotic. All of it is specifiable today with mainstream products, and the marginal cost is a fraction of what the same utilities spend securing far less consequential connections.

FAQ

Is ICCP encrypted?

Not by default. Base ICCP on port 102 is plaintext. Encryption comes from TLS profiled by IEC 62351-3:2023 (conventionally on port 3782), which defines complete TLS 1.2 and TLS 1.3 profiles for the power system domain, and, in the 2018 native mode of IEC 62351-4, optionally at the application layer as well.

Is the bilateral table a security mechanism?

It’s authorization — a good, granular, server-enforced one. It is not authentication: it checks a claimed identity against a list without proving the claim. Pair it with TLS mutual authentication and ACSE authentication and the combination is sound.

What does IEC 62351-4 add over TLS?

Application-association authentication in all editions, and in the 2018 native mode, integrity and encryption of the messages themselves end to end — protection that survives intermediate gateways, which TLS alone cannot provide.

Can an old ICCP gateway be secured?

Sometimes. Products predating the current profile may lack 62351 support entirely; interim options include TLS-terminating front-ends or network-level encryption (IPsec) on the WAN path, which protect the pipe without touching the application. Treat those as bridges to replacement, not endpoints.

Does securing ICCP break interoperability with a partner who hasn’t upgraded?

It can’t be one-sided — both ends must speak TLS, or both run plaintext. That’s why security terms belong in the bilateral agreement itself: the link is a shared asset, and so is its protection. The 62351-4:2018 compatibility mode exists precisely to ease mixed-era transitions at the application layer.

Which attack actually worries ICCP operators most?

Less the exotic man-in-the-middle, more the mundane: a compromised peer. Your link terminates inside another organization’s network, and your exposure is bounded by your bilateral table and your zone architecture, not by their security program. Grant the minimum object set, scope block 5 ruthlessly, and treat the ICCP server as a boundary device — because it is one.

Author: Zakaria El Intissar

I've spent 13 years in power system automation, electrical protection, and SCADA communication, as an automation and industrial computing engineer. ScadaProtocols.com is where I turn what I've learned on site into plain guides and working tools — so other engineers can decode, analyze, and troubleshoot industrial communication protocols without the guesswork.