In the field of power automation, the IEC 104 protocol and Modbus are two typical communication protocols with very different technical lineages and application scenarios. This paper systematically compares them along dimensions such as protocol architecture, security mechanisms and interaction modes, to reveal the technical advantages and potential limitations of IEC 104 and to provide a basis for protocol selection in industrial communication systems.
1. Technical essence of IEC 104 protocol
1. Protocol infrastructure
The IEC 104 protocol is based on the IEC 60870-5 series of standards and is a telecontrol protocol designed specifically for power monitoring systems. Its core features include:
Transport layer dependency: runs on the TCP/IP stack (port 2404), giving reliable, connection-oriented transmission
Data organization: uses the ASDU (Application Service Data Unit) structure, with fields such as type identification, variable structure qualifier and information object address
Telegram interaction mechanism: master-slave sessions are managed with I-format (information transfer), S-format (acknowledgement) and U-format (control) frames
2. Master-Slave Interaction Logic
Master role: initiates data interrogation (general interrogation, group interrogation and single-point interrogation) and issues remote control / setpoint commands
Slave response rules:
Spontaneous data is uploaded on the slave's own initiative (triggered by a change of state, COS)
A general interrogation response is transmitted in multiple APDUs (subject to the APCI length limit)
Remote control uses a two-step select-then-execute acknowledgement mechanism
Typical message interaction flow:
Master: 68 0E 00 00 00 00 64 01 06 00 01 00 00 00 00 14
(General interrogation command, type 100, cause of transmission = 6 (activation), common address = 1)
Slave: 68 0E 02 00 02 00 64 01 07 00 01 00 00 00 00 15
(General interrogation activation confirmation, cause of transmission = 7)
2. Weakness Analysis of IEC 104 Protocol
1. Lack of Security Mechanism
Plaintext transmission risk: the protocol does not mandate encryption, so data is exposed to eavesdropping and tampering
Weak identity authentication: a device is identified only by its common address (usually 2 bytes), which is easy to forge
Session hijacking: an attacker can forge S-format frames to disrupt sequence-number synchronization
2. Efficiency of Transmission Bottlenecks
APDU length limitation: the APCI length field is 1 byte, so the maximum application data length is 255 bytes; large data sets must be transmitted in segments.
Acknowledgement delay: the window of unacknowledged frames defaults to 12; beyond that the sender must wait for an acknowledgement, so high-load scenarios are prone to congestion.
3. Clock Synchronization Dependency
Sequence-of-events dependency: SOE (Sequence of Events) recording depends on the slave's clock accuracy, so event ordering across devices may be distorted.
Limitations of the time synchronization mechanism: only one-way clock synchronization commands issued by the master are supported; there is no built-in NTP/PTP.
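The SOE ordering problem above comes down to the CP56Time2a timestamp that each slave stamps on its events, including its IV (invalid) bit. The following encoder/decoder plus a small SOE merge routine is an added example, not code from the article; the function names and the sample events (two constructed RTUs, one of which reports an invalid clock) are my own, while the 7-octet layout is the one defined in IEC 60870-5-4/-101.

```python
"""Added example: CP56Time2a timestamp encoding/decoding and SOE merging with the IV flag.
Function names are my own; the 7-octet layout is the one defined in IEC 60870-5-4/-101."""
from datetime import datetime, timezone
from typing import List, Tuple


def encode_cp56time2a(dt: datetime, invalid: bool = False, summer_time: bool = False) -> bytes:
    """Pack a (UTC) datetime into the 7-octet CP56Time2a layout."""
    ms = dt.second * 1000 + dt.microsecond // 1000        # milliseconds within the minute, 0..59999
    day_of_week = dt.isoweekday()                          # 1 = Monday .. 7 = Sunday (0 would mean "unused")
    return bytes([
        ms & 0xFF, (ms >> 8) & 0xFF,
        (dt.minute & 0x3F) | (0x80 if invalid else 0),     # bit 7 = IV (invalid time)
        (dt.hour & 0x1F) | (0x80 if summer_time else 0),   # bit 7 = SU (summer time)
        (dt.day & 0x1F) | (day_of_week << 5),
        dt.month & 0x0F,
        (dt.year - 2000) & 0x7F,                           # two-digit year, 2000..2099
    ])


def decode_cp56time2a(raw: bytes) -> Tuple[datetime, bool, bool, int]:
    """Unpack CP56Time2a into (datetime, invalid, summer_time, day_of_week); raise on garbage."""
    if len(raw) != 7:
        raise ValueError("CP56Time2a is exactly 7 octets")
    ms = raw[0] | (raw[1] << 8)
    if ms > 59999:
        raise ValueError("millisecond field out of range")
    minute, invalid = raw[2] & 0x3F, bool(raw[2] & 0x80)
    hour, summer_time = raw[3] & 0x1F, bool(raw[3] & 0x80)
    day, day_of_week = raw[4] & 0x1F, raw[4] >> 5
    month = raw[5] & 0x0F
    year = 2000 + (raw[6] & 0x7F)
    dt = datetime(year, month, day, hour, minute, ms // 1000, (ms % 1000) * 1000, tzinfo=timezone.utc)
    return dt, invalid, summer_time, day_of_week


def merge_soe(events: List[Tuple[str, int, bytes]]):
    """Order events from several slaves by timestamp.
    events: (device, ioa, cp56time2a). Events with the IV bit set come from a device whose clock
    is not trustworthy, so they are quarantined instead of being sequenced against the others."""
    ordered, quarantined = [], []
    for device, ioa, raw in events:
        dt, invalid, _, _ = decode_cp56time2a(raw)
        if invalid:
            quarantined.append((device, ioa))
        else:
            ordered.append((device, ioa, dt))
    ordered.sort(key=lambda e: e[2])
    return ordered, quarantined


# Constructed sample: two substation RTUs report events; RTU-B's clock is flagged invalid
T1 = datetime(2024, 3, 15, 10, 30, 45, 123000, tzinfo=timezone.utc)
T2 = datetime(2024, 3, 15, 10, 30, 44, 900000, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    ("RTU-A", 1001, encode_cp56time2a(T1)),
    ("RTU-B", 2001, encode_cp56time2a(T1, invalid=True)),
    ("RTU-A", 1002, encode_cp56time2a(T2)),
]

if __name__ == "__main__":
    print(merge_soe(SAMPLE_EVENTS))
```

Quarantining IV-flagged events rather than silently sorting them is the practical consequence of the clock dependency described above: a master that merges timestamps from an unsynchronized slave produces an event sequence that looks authoritative but is not.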
3. Comparison of the core differences with Modbus protocol
1. Differences in protocol stack architecture
Characteristic | IEC 104 | Modbus |
Network layer | TCP/IP (RFC 793) | TCP (Modbus TCP) and serial links (RTU/ASCII) |
Data encapsulation | ASDU + APCI structure | PDU (function code + data field) |
Transmission mode | Balanced (bi-directional master-slave interaction) | Unbalanced (uni-directional polling by the master) |
2. Transmission efficiency comparison
Single frame data capacity:
IEC 104: max. 255 bytes (APDU length field 1 byte)
Modbus TCP: max. 260 bytes (ADU=MBAP+PDU)
Event response speed:
IEC 104 supports COS active uploading, event delay can be controlled within 100ms
Modbus relies on master-station polling; the typical polling period is ≥1 s
3. Function code and data type support
IEC 104 data types:
Single point information (SIQ)
Measured values (e.g., normalized values, scaled values, short floats)
Telegrams with timescales (CP56Time2a)
Modbus function codes:
01/02: read coils/discrete inputs
03/04: read holding/input registers
06/16: write single/multiple registers
4. Industry Applicability Differences
IEC 104 Advantageous Scenarios:
Electric power SCADA system (dispatch automation, substation monitoring)
Real-time control system requiring active event reporting
Modbus Applicable Fields:
Industrial device-level communication (PLC, sensors)
Scenarios with low data collection frequency
4. Key Technical Points of Master and Slave Implementation
1. Key Points of IEC 104 Master Development
Session state machine design: implement the state transitions for STARTDT activation, STOPDT, timeout and reconnection
Data partition management: build a parsing rule base according to ASDU type (1~127)
Transmission window control: track the receive sequence number (RSN) and send sequence number (SSN) dynamically to avoid sequence number overflow.
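The window control described here, the 12-frame acknowledgement window from the transmission-bottleneck section, and the forged-S-frame hijacking risk from the weakness analysis all hinge on the same bookkeeping, so one added example covers them. The class and method names below are my own and the code is not from the article; the acceptance rule for an incoming N(R) (it must lie between the oldest unacknowledged N(S) and the next N(S) to send, otherwise the link is closed) and the k = 12 / w = 8 defaults are those of IEC 60870-5-104.

```python
"""Added example: IEC 104 send/receive sequence-number bookkeeping with the k/w window.
Class and method names are my own; the validity rule for an incoming N(R) is the one from
IEC 60870-5-104: it must lie between the last acknowledged N(S) and the next N(S) to be sent,
otherwise the connection is to be closed."""

SEQ_MODULO = 1 << 15          # N(S)/N(R) are 15-bit counters that wrap at 32768


class SequenceError(Exception):
    """A peer frame violated the sequence rules; the caller should close the TCP link and log it."""


class WindowTracker:
    def __init__(self, k: int = 12, w: int = 8):
        self.k = k                    # max I-frames sent without acknowledgement
        self.w = w                    # acknowledge at the latest after w received I-frames
        self.v_s = 0                  # next N(S) we will send
        self.v_r = 0                  # next N(S) we expect to receive
        self.ack = 0                  # oldest N(S) not yet acknowledged by the peer
        self.unacked_received = 0     # received I-frames we have not acknowledged yet

    def unacknowledged_sent(self) -> int:
        return (self.v_s - self.ack) % SEQ_MODULO

    def can_send(self) -> bool:
        return self.unacknowledged_sent() < self.k

    def next_send_seq(self) -> int:
        """Reserve N(S) for an outgoing I-frame; refuse when the k window is full."""
        if not self.can_send():
            raise SequenceError(f"k window full ({self.k} unacknowledged I-frames); wait for an acknowledgement")
        seq = self.v_s
        self.v_s = (self.v_s + 1) % SEQ_MODULO
        return seq

    def receive_i(self, n_s: int) -> bool:
        """Account for an incoming I-frame; returns True when an S-frame (acknowledgement) is now due."""
        if n_s != self.v_r:
            raise SequenceError(f"expected N(S)={self.v_r}, got {n_s}")
        self.v_r = (self.v_r + 1) % SEQ_MODULO
        self.unacked_received += 1
        return self.unacked_received >= self.w

    def ack_is_valid(self, n_r: int) -> bool:
        """N(R) must satisfy ack <= n_r <= v_s (circularly); anything else is stale or forged."""
        return (n_r - self.ack) % SEQ_MODULO <= self.unacknowledged_sent()

    def receive_ack(self, n_r: int) -> int:
        """Process the N(R) carried by an incoming I- or S-frame; returns how many I-frames it acknowledged."""
        if not self.ack_is_valid(n_r):
            raise SequenceError(f"N(R)={n_r} outside window [{self.ack}, {self.v_s}]; closing link")
        acked = (n_r - self.ack) % SEQ_MODULO
        self.ack = n_r
        return acked

    def send_ack(self) -> int:
        """Return the N(R) to put in our own S-frame and reset the w counter."""
        self.unacked_received = 0
        return self.v_r


if __name__ == "__main__":
    t = WindowTracker()
    for _ in range(12):
        t.next_send_seq()
    print("window full:", not t.can_send(), "| stale N(R)=3 accepted:", t.ack_is_valid(3))
```

The same check that keeps the window consistent is the detection point for the forged-S-frame scenario: an S-frame whose N(R) is outside [ack, v_s] is not something a well-behaved peer can send, so treating it as a link-closing error (and logging it) turns the hijacking attempt into an observable event instead of a silent desynchronization.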
2. Slave implementation considerations
Clock synchronization: a built-in high-precision RTC is required, with support for the master's C_CS_NA_1 (clock synchronization command)
Burst data management: configure the COS change threshold (e.g., an analog change > 0.5% triggers an upload)
Security enhancements:
IP whitelist filtering
TLS tunnel encryption (such as based on the OpenSSL library)
5. Optimization Suggestions for Engineering Practice
1. Transmission Performance Improvement Strategies
APDU Extension Mode: Enable APCI length field extension (0x02 flag bit) to support 65535-byte ultra-long frames
Application of Compression Algorithm: Adopt delta coding + ZigZag compression for floating-point arrays to reduce bandwidth consumption
Batch read optimization: merge multiple single-point interrogations into one group interrogation to reduce the number of interactions
2. Security Reinforcement solution
Transport layer encryption: deploy VPN tunnel based on TLS 1.3
Application layer protection:
Implement ASDU signature (ECDSA algorithm)
Add message sequence number to prevent replay attack
Access control: establish device certificate system (X.509 standard)
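The application-layer protection above (a per-ASDU signature plus a message sequence number against replay) can be prototyped in a few dozen lines. The following is an added example, not code from the article: where the article proposes an ECDSA signature, this stand-alone version uses an HMAC-SHA256 tag from the Python standard library instead (a shared-key MAC, which gives integrity but not the non-repudiation of a public-key signature) so that it runs without third-party packages; the wire layout (ASDU || 4-byte sequence || tag), the sliding anti-replay window, the class names and the demo key are all my own.

```python
"""Added example: application-layer integrity and anti-replay wrapper for an ASDU.
HMAC-SHA256 stands in for the ECDSA signature the article proposes; the sliding
anti-replay window tolerates bounded reordering while rejecting duplicates."""
import hashlib
import hmac
import struct

TAG_LEN = 32            # SHA-256 output length
SEQ_LEN = 4             # 32-bit message sequence number

# Constructed demo values only; a real deployment provisions keys per device (e.g. via X.509)
DEMO_KEY = b"demo-shared-key-not-for-production"
SAMPLE_ASDU = bytes.fromhex("640106000100000014")   # general interrogation ASDU, constructed


class ProtectedAsduSender:
    """Appends a monotonically increasing sequence number and a MAC to each ASDU."""
    def __init__(self, key: bytes):
        self._key = key
        self._next_seq = 0

    def wrap(self, asdu: bytes) -> bytes:
        seq = self._next_seq
        self._next_seq += 1
        body = asdu + struct.pack("<I", seq)
        return body + hmac.new(self._key, body, hashlib.sha256).digest()


class ReplayError(ValueError):
    pass


class ProtectedAsduReceiver:
    """Verifies the MAC first, then rejects replayed or too-old sequence numbers."""
    def __init__(self, key: bytes, window: int = 64):
        self._key = key
        self._window = window
        self._highest = -1           # highest sequence number accepted so far
        self._accepted = set()       # accepted numbers still inside the window

    def unwrap(self, msg: bytes) -> bytes:
        if len(msg) < SEQ_LEN + TAG_LEN:
            raise ValueError("message too short")
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            raise ValueError("integrity check failed")
        seq = struct.unpack("<I", body[-SEQ_LEN:])[0]
        if seq <= self._highest - self._window:
            raise ReplayError(f"sequence {seq} too old")
        if seq in self._accepted:
            raise ReplayError(f"sequence {seq} already seen")
        self._accepted.add(seq)
        self._highest = max(self._highest, seq)
        self._accepted = {s for s in self._accepted if s > self._highest - self._window}
        return body[:-SEQ_LEN]

    def try_unwrap(self, msg: bytes):
        """Return the ASDU, or None when the message is rejected (useful for logging/metrics)."""
        try:
            return self.unwrap(msg)
        except ValueError:
            return None


if __name__ == "__main__":
    tx, rx = ProtectedAsduSender(DEMO_KEY), ProtectedAsduReceiver(DEMO_KEY)
    m = tx.wrap(SAMPLE_ASDU)
    print("first delivery:", rx.try_unwrap(m) is not None, "| replay:", rx.try_unwrap(m) is not None)
```

Two design points carry over unchanged if the MAC is swapped for the ECDSA signature the article names: the integrity check runs before any sequence-number state is touched, so an attacker cannot poison the window with unauthenticated frames, and the window is bounded so that a burst of reordered but genuine frames is not mistaken for a replay.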
3. Hybrid networking mode
Protocol conversion gateway: use an IEC 104 to Modbus TCP protocol converter (e.g., Moxa MGate 5105) to connect heterogeneous systems
Data aggregation solution: deploy OPC UA server on the edge side to unify and encapsulate multi-protocol data
Conclusion: Technology Selection Decision Tree
The choice between IEC 104 and Modbus should be based on three core elements:
Real-time requirements: IEC 104 is preferred for event-driven systems, and Modbus is preferred for polled scenarios
Security level: scenarios with high security requirements need IEC 104 with security extensions
System Scale: IEC 104 is suitable for large-scale layered architectures, and Modbus is preferred for device-level communication
With the popularization of the IEC 62351 security standard and the integration of TSN technology, the new-generation enhanced IEC 104 protocol is breaking through the traditional limitations to evolve into a safer and more efficient industrial communication system.