IEC 60870-5-104, commonly called IEC 104, remains one of the most widely deployed telecontrol protocols in power system SCADA networks worldwide. It extends IEC 60870-5-101 for operation over TCP/IP, enabling real-time data exchange between control centers and remote terminal units (RTUs) in electrical engineering and power system automation applications.
As of early 2026, the IEC 104 base protocol itself remains unchanged. However, the ecosystem surrounding it has evolved substantially — through a landmark new security specification, a refreshed network management standard, a comprehensive 2026 standards pack, growing regulatory pressure from the EU’s NIS2 Directive, and an expanding threat landscape that makes security adoption increasingly urgent.
Table of Contents
Core Standard Status
IEC 60870-5-104:2006 + AMD1:2016 remains the current version of the base protocol, included as-is in the IEC 60870-5:2026 series pack. No Edition 3.0 or new amendment has been announced.
This stability is intentional. The IEC’s strategy is to harden the protocol’s security posture through supplementary specifications — not by altering its fundamental behavior. This allows utilities and vendors to maintain long-term compatibility while incrementally adopting stronger security controls.
The Central 2025 Security Update: IEC TS 60870-5-7 Edition 2.0
The most significant development connected to IEC 104 in recent times is the publication of IEC TS 60870-5-7:2025.
This second edition was published in March 2025 and completely replaces the first edition from 2013. It includes alignment with IEC 62351-3:2023 (transport layer security) and IEC 62351-5:2023 (secure authentication for telecontrol protocols), the definition of specific profiles for application and transport layers, the introduction of a Session Initiation Request to handle connection reestablishment scenarios, the inclusion of multicast security for the unbalanced mode of IEC 60870-5-101 with key management, and the adoption of role-based access control (RBAC) based on IEC 62351-8.
Importantly, the specification does not change the IEC 104 base protocol and does not require replacing existing systems. It acts as a security wrapper, enabling gradual adoption across legacy and new infrastructure alike.
For utilities still using plain IEC 104, IEC TS 60870-5-7:2025 defines the roadmap for upgrading security without operational disruption.
Additional 2025 Updates in the IEC 62351 Security Series
The broader IEC 62351 series — the cybersecurity framework underpinning IEC 104 security — also saw important activity in 2025.
IEC 62351-7:2025 is a notable addition. This new edition defines network and system management (NSM) data object models specific to power system operations. These objects are used to monitor the health of networks and systems, detect possible security intrusions, and manage the performance and reliability of IEDs, RTUs, and distributed energy resource (DER) systems. It explicitly covers IEC 60870-5-104 among the monitored protocols and replaces the 2017 edition.
For IEC 104 operators, this matters practically: it provides a standardized, machine-readable framework for monitoring RTUs and IEDs running IEC 104, enabling proactive detection of anomalies and security events.
The IEC 62351:2026 series pack now consolidates all parts of the standard, including IEC 62351-3:2023, IEC 62351-5:2023, IEC 62351-7:2025, IEC 62351-8:2020, and IEC 62351-9:2023. IEC Procurement and compliance teams should reference this 2026 edition as the authoritative current baseline.
Looking ahead, the IEC 62351 working group is actively developing IEC 62351-14 (in draft), which aims to define security event logs and standardized formats for substation incident reporting. Updates to IEC 62351-9 are also under consideration to support post-quantum cryptography and enhanced group key management for multicast protocols. These upcoming parts are expected to align with the EU NIS2 Directive and IEC 62443-4-2 component certification requirements.
The Regulatory Dimension: EU NIS2 Directive
A major development outside the IEC standards body is now directly shaping how utilities must treat IEC 104 security.
On 20 January 2026, the European Commission proposed targeted amendments to the NIS2 Directive to increase legal clarity and simplify compliance for companies operating in the EU, easing requirements for approximately 28,700 entities.
As of 2025, detailed NIS2 security requirements have been published by several EU Member States, with implementation actively underway across critical sectors including energy. ENISA has released updated resources mapping NIS2 obligations to global cybersecurity frameworks such as ISO/IEC 27001, NIST CSF, and IEC 62443.
In Germany, the NIS2 Implementation Act entered into force on 6 December 2025, with full compliance for essential entities required by March 31, 2026.
For power utilities operating IEC 104 in Europe, NIS2 compliance is no longer a future consideration — it is a present-day obligation. This creates direct pressure to adopt the security extensions defined in IEC TS 60870-5-7:2025 and align IEC 104 deployments with IEC 62351 controls, particularly encryption, authentication, and access management.
The Persistent Threat Landscape
The security limitations of unprotected IEC 104 remain well-documented and actively exploited.
IEC 60870-5-104 itself has no built-in encryption, no standard TLS, and no integral authentication or integrity control. As soon as IEC 104 communication is brought outside a strictly shielded internal network — for example, to the cloud or over the internet — additional security layers must be added by the operator.
The primary risks in unprotected IEC 104 deployments include traffic interception (sniffing of plain-text measurement values and commands), man-in-the-middle attacks (where traffic can be manipulated while both endpoints believe they are communicating legitimately), spoofing and unauthorized control commands (possible because the protocol does not authenticate connecting parties by design), and denial-of-service attacks (IEC 104 devices are often not designed to handle large volumes of malicious traffic).
On the regulatory side, the US CISA and FBI, alongside the UK National Cyber Security Centre, issued joint guidance in September 2025 for OT owners and operators, emphasizing asset transparency, third-party risk accountability, and operational resilience — reflecting a converging international approach to OT cybersecurity.
Conformance Testing and Interoperability
Conformance testing for IEC 104 implementations has also been strengthened. IEC TS 62351-100-3 provides detailed test cases for data and communication security in telecontrol equipment and substation automation systems, and independent certification bodies such as DNV offer verification services to assess device interoperability and adherence to the standard’s security requirements.
Organizations procuring new RTUs, IEDs, or SCADA software should now require conformance verification against IEC TS 60870-5-7:2025 and updated DNV listings as part of procurement specifications.
Updated Summary Table
| Category | Details | Status | Relevance |
|---|---|---|---|
| Core Standard | IEC 60870-5-104:2006 + AMD1:2016 | Unchanged | Stable base protocol |
| Security Extensions | IEC TS 60870-5-7:2025 (Ed. 2.0) | Published March 2025 | Major cybersecurity update |
| Transport / Auth | IEC 62351-3:2023, IEC 62351-5:2023 | Integrated into TS 5-7 | Updated TLS and authentication |
| RBAC | IEC 62351-8:2020 | Adopted in TS 5-7 | Role-based access control |
| Network Monitoring | IEC 62351-7:2025 | Published 2025 | IED/RTU health and intrusion detection |
| Standards Pack | IEC 62351:2026 SER | Published 2026 | Full current baseline |
| Future Work | IEC 62351-14 (event logs), Post-quantum crypto updates | In draft | Emerging security requirements |
| EU Regulation | NIS2 Directive + January 2026 amendments | In force / being transposed | Compliance obligation for energy sector |
| Conformance Testing | DNV IEC 60870-5 register | Updated | Vendor interoperability validation |
Key Takeaways for 2026
The direction for IEC 104 in 2026 is clear:
IEC 104 itself is unchanged — the base protocol remains stable and widely deployed.
The security architecture has evolved significantly — IEC TS 60870-5-7:2025, IEC 62351-7:2025, and the broader 2026 series pack define the current security baseline that utilities and vendors should be aligning with.
Regulatory pressure is accelerating adoption — NIS2 compliance obligations, now actively enforced across EU member states, make adopting these security extensions a legal requirement for many organizations, not merely a best practice.
Procurement and planning should reflect the 2026 baseline — new IEC 104 deployments should be specified against IEC TS 60870-5-7:2025, with TLS 1.3 support, RBAC, certificate-based authentication, and conformance-tested devices as standard requirements.
Post-quantum readiness is on the horizon — while still in draft, upcoming revisions to IEC 62351-9 targeting post-quantum cryptography should be tracked by long-lifecycle infrastructure planners now.