SCADA PROTOCOLS

INTRODUCTION
Kamjoo Bayat
Technical manager
www.pbscontrol.com
AGENDA
- What is Modbus Protocol?
- What is IEC870-5-101/104 Protocol?
- What is DNP3 Protocol?
- What is OPC UA Protocol?

WHAT IS MODBUS PROTOCOL ?

- Modbus is one of the simplest protocols in industrial automation.
- Modbus was developed for Modicon PLCs in 1979 (35 years before).
- Modbus RTU: Modbus binary frame over RS232/RS485/RS422 (serial).
- Modbus TCP: Modbus binary frame over TCP/IP.
- Modbus architecture: Master/Slave.
- All transactions always start from the Master.

WHAT IS MODBUSRTU PROTOCOL ?
1 – Any Modbus Slave device has 4 tables inside:
- Digital Input – Input Status – 1X reference
- Digital Output – Coil – 0X reference
- Analog Input – Input Register – 3X reference
- Analog Output – Holding Register – 4X reference

2 – Modbus function codes:
- 1 = Read Coil Status
- 2 = Read Input Status
- 3 = Read Holding Register
- 4 = Read Input Register
- 5 = Force Single Coil
- 6 = Preset Single Holding Register
- 15 = Force Multiple Coils
- 16 = Preset Multiple Holding Registers

(Slide diagram: a Modbus Master and Modbus Slaves with ID = 1 and ID = 10 on ModbusRTU/RS485.)

3 – Every Modbus Slave must have a unique ID on the network. The Slave ID is 1 byte in the frame (the first byte), so we can have at most 255 Slave devices on a network.
4 – When the Master sends a frame to the network, all Slaves receive the frame, but only the Slave whose ID matches the ID in the frame answers; the others discard the frame.
WHAT IS MODBUSRTU PROTOCOL ?

Request frame (Master to Slave ID 10, function code 2, start address 100, 64 channels):

  Slave ID | Function Code | Start Address (2 bytes) | Number of channels (2 bytes) | CRCH | CRCL
  10       | 2             | 0 100                   | 0 64                         | CRCH | CRCL

Response frame (Slave ID 10 to Master):

  Slave ID | Function Code | Byte Count | Data (8 bytes)  | CRCH | CRCL
  10       | 2             | 8          | D D D D D D D D | CRCH | CRCL

(Slide diagram: the Slave's four tables 1X / 0X / 3X / 4X hold DI / DO / AI / AO. A tag address is sent as 2 bytes in the frame: tag address 1 is sent as 0, and the frame address range is 0 to 65535.)
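The request/response exchange on this slide, as an added example that is not code from the original presentation: it builds the Read Input Status request for slave 10, start address 100, 64 channels, computes the CRC-16 and validates the slave's answer the way a master should, rejecting frames with a bad CRC, a wrong slave ID or a byte count that does not match the request. The function names and the reply contents are my own; the CRC is transmitted low byte first, which is how Modbus RTU puts it on the wire.

```python
import struct
from math import ceil

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def build_read_request(slave_id, function_code, start_address, quantity):
    """Master -> slave: ID, FC, start address (2 bytes), quantity (2 bytes), CRC."""
    pdu = struct.pack(">BBHH", slave_id, function_code, start_address, quantity)
    return pdu + struct.pack("<H", crc16_modbus(pdu))  # CRC low byte first on the wire

def build_bit_response(slave_id, function_code, bits):
    """Slave -> master for FC 1/2: ID, FC, byte count, packed bits, CRC."""
    byte_count = ceil(len(bits) / 8)
    data = bytearray(byte_count)
    for i, bit in enumerate(bits):  # bit 0 of the first data byte = first channel
        if bit:
            data[i // 8] |= 1 << (i % 8)
    pdu = bytes([slave_id, function_code, byte_count]) + bytes(data)
    return pdu + struct.pack("<H", crc16_modbus(pdu))

def parse_bit_response(frame, expected_id, expected_fc, quantity):
    """Validate a FC 1/2 response before trusting it, then unpack the bits."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    body = frame[:-2]
    (crc,) = struct.unpack("<H", frame[-2:])
    if crc16_modbus(body) != crc:
        raise ValueError("CRC mismatch: corrupted frame")
    if body[0] != expected_id:
        # A slave answers only frames carrying its own ID; a master should likewise
        # drop any response that does not come from the slave it polled.
        raise ValueError(f"response from unexpected slave ID {body[0]}")
    if body[1] == (expected_fc | 0x80):
        raise ValueError(f"Modbus exception code {body[2]}")
    if body[1] != expected_fc:
        raise ValueError("function code mismatch")
    byte_count = body[2]
    if byte_count != ceil(quantity / 8) or len(body) != 3 + byte_count:
        raise ValueError("byte count does not match the requested quantity")
    data = body[3:]
    return [(data[i // 8] >> (i % 8)) & 1 for i in range(quantity)]

if __name__ == "__main__":
    # The slide's exchange: slave 10, FC 2 (Read Input Status), start 100, 64 channels.
    request = build_read_request(10, 2, 100, 64)
    print(request.hex(" "))  # 0a 02 00 64 00 40 followed by the two CRC bytes
    # Constructed reply: 64 alternating input states, 8 data bytes as on the slide.
    reply = build_bit_response(10, 2, [1, 0] * 32)
    print(parse_bit_response(reply, 10, 2, 64)[:8])
```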
MODBUS LIMITATIONS
- No time label for signals
- No time synchronization function
- Only simple data types are supported – no float, no long, …
- For float, long, … data types you need to use Modbus registers and simulate the float, long, … value in them
- No powerful error detection mechanism
- No event buffering mechanism
- Only one type of data can be transferred in a transaction – different commands for digitals and analogs
- Data frame length is max 255 bytes: 127 AI or 63 float
- Mostly use Modbus for local IO and local HMI
WHAT IS IEC-870-5 ?
WHAT IS IEC870-5 PROTOCOL?
WHAT IS EPA STRUCTURE?
IEC870-5-101 PHYSICAL LAYER
- IEC 870-5-101 specifies frame format FT 1.2.
- IEC 870-5-101 is an asynchronous protocol with Hamming distance = 4.
- Character format:
  - 1 start bit
  - 1 stop bit
  - 1 parity bit (even)
  - 8 data bits
FT1.2 FRAME FORMAT

(Slide table of the three FT1.2 frame types; the frame type names were lost in extraction and are taken from the FT1.2 definition.)
- Frame with variable length: is used for data transmission of user data between controlling and controlled station.
- Frame with fixed length: is normally used for link layer services.
- Single control character: is normally used to confirm data on link services and to confirm user data.

- L: Length field, range 0 - 255. L specifies the number of subsequent user data octets including the control and the address fields.
- C: Control field
- A: Address field (link)
DATA UNIT IDENTIFIER
- The structure of the DATA UNIT IDENTIFIER is:
  - one octet TYPE IDENTIFICATION
  - one octet VARIABLE STRUCTURE QUALIFIER
  - one or two octets CAUSE OF TRANSMISSION
  - one or two octets COMMON ADDRESS OF ASDU
- The TYPE IDENTIFICATION defines the structure, the type and the format of the INFORMATION OBJECT. All INFORMATION OBJECTs of a specific ASDU (telegram) are of the same structure, type and format.
UNBALANCED AND BALANCED COMMUNICATION
- Unbalanced: Master/Slave. The Master is always primary and the Slave is secondary. All transactions always start from the Master.
- Balanced: Master and Slave can both be primary (point to point).

CONTROL FIELD UNBALANCED

FCB: Frame count bit. 0 - 1 = alternating bit for successive SEND/CONFIRM or REQUEST/RESPOND services per station. The frame count bit is used to delete losses and duplications of information transfers. The primary station alternates the FCB bit for each new SEND/CONFIRM or REQUEST/RESPOND transmission service directed to the same secondary station. Thus the primary station keeps a copy of the frame count bit per secondary station. If an expected reply is timed out (missing) or garbled, then the same SEND/CONFIRM and REQUEST/RESPOND service is repeated with the same frame count bit. In case of reset commands the FCB bit is always zero, and upon receipt of these commands the secondary station will always be set to expect the next frame primary to secondary with FCV = valid (FCV = 1) to have the opposite setting of FCB, i.e. FCB equal to one.

PRM: Primary message.
0 = message from secondary (responding) station
1 = message from primary (initiating) station

CONTROL FIELD UNBALANCED

FCV: Frame count bit valid.
0 = alternating function of FCB bit is invalid
1 = alternating function of FCB bit is valid
SEND/NO REPLY services, broadcast messages and other transmission services that ignore the deletion of duplication or loss of information output do not alternate the FCB bit and indicate this by a cleared FCV bit.

ACD: Access demand. There are two classes of message data provided, namely class 1 and 2.
0 = no access demand for class 1 data transmission
1 = access demand for class 1 data transmission
Class 1 data transmission is typically used for events or for messages with high priority. Class 2 data transmission is typically used for cyclic transmission or for low priority messages.

DFC: Data flow control.
0 = further messages are acceptable
1 = further messages may cause data overflow
Secondary (responding) stations indicate to the message initiating (primary) station that an immediate succession of further messages may cause a buffer overflow.
CONTROL FIELD BALANCED

DIR: Physical transmission direction.
DIR = 1: data from controlling to controlled station
DIR = 0: data from controlled to controlling station

PRM: Primary message.
0 = message from secondary (responding) station
1 = message from primary (initiating) station
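The FCB/FCV and DIR/PRM bits from the unbalanced and balanced control field slides above, as an added example that is not part of the original presentation: it packs and unpacks the control octet (the bit positions and the link function codes used are from IEC 60870-5-2, not from the slides) and shows how the primary alternates FCB for each new service but repeats it on a retry, so the secondary can recognize a repeated frame and answer it again instead of executing it twice. The Primary and Secondary class names are assumptions.

```python
# Bit layout of the FT1.2 link control octet (from IEC 60870-5-2, not the slides):
# bit 7 = RES (unbalanced) or DIR (balanced), bit 6 = PRM,
# bit 5 = FCB (primary -> secondary) or ACD (secondary -> primary),
# bit 4 = FCV (primary) or DFC (secondary), bits 3..0 = link function code.
RESET_REMOTE_LINK, SEND_CONFIRM_USER_DATA, SEND_NO_REPLY_USER_DATA = 0, 3, 4

def encode_primary(fcb, fcv, function_code, direction=0):
    """Control octet of a frame sent by the primary (initiating) station."""
    if not 0 <= function_code <= 15:
        raise ValueError("link function code is 4 bits")
    return (direction << 7) | (1 << 6) | (fcb << 5) | (fcv << 4) | function_code

def encode_secondary(acd, dfc, function_code, direction=0):
    """Control octet of a frame sent by the secondary (responding) station."""
    return (direction << 7) | (acd << 5) | (dfc << 4) | (function_code & 0x0F)

def decode(ctrl):
    """Split a control octet; the meaning of bits 5 and 4 depends on PRM."""
    f = {"dir": (ctrl >> 7) & 1, "prm": (ctrl >> 6) & 1, "fc": ctrl & 0x0F}
    if f["prm"]:
        f.update(fcb=(ctrl >> 5) & 1, fcv=(ctrl >> 4) & 1)
    else:
        f.update(acd=(ctrl >> 5) & 1, dfc=(ctrl >> 4) & 1)
    return f

class Primary:
    """Keeps one FCB per secondary address and alternates it for each new service."""
    def __init__(self):
        self.fcb = {}  # secondary link address -> FCB used by the last service

    def reset(self, addr):
        self.fcb[addr] = 0  # reset commands always carry FCB = 0 (and FCV = 0)
        return encode_primary(0, 0, RESET_REMOTE_LINK)

    def new_service(self, addr, fc):
        self.fcb[addr] = 1 - self.fcb.get(addr, 0)  # first service after reset: FCB = 1
        return encode_primary(self.fcb[addr], 1, fc)

    def retry(self, addr, fc):
        # Reply timed out or garbled: repeat with the SAME frame count bit.
        return encode_primary(self.fcb[addr], 1, fc)

    def broadcast(self, fc):
        return encode_primary(0, 0, fc)  # SEND/NO REPLY: FCV cleared, FCB not alternated

class Secondary:
    """Uses FCB/FCV to tell a new request from a repeat whose reply was lost."""
    def __init__(self):
        self.expected_fcb = 1

    def accept(self, ctrl):
        f = decode(ctrl)
        if not f["prm"]:
            raise ValueError("a secondary station only accepts primary frames")
        if f["fc"] == RESET_REMOTE_LINK:
            self.expected_fcb = 1  # next frame with FCV = 1 must carry FCB = 1
            return "reset"
        if not f["fcv"]:
            return "process"  # FCB not valid for this service: no duplicate check
        if f["fcb"] != self.expected_fcb:
            return "duplicate"  # repeat of the last service: re-send the old reply
        self.expected_fcb ^= 1
        return "process"
```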
TYPE IDENTIFICATION
OBJECT STATUS
- OV = OVERFLOW/NO OVERFLOW: The value of the INFORMATION OBJECT is beyond a predefined range of value (mainly applicable to analog values).
- BL = BLOCKED/NOT BLOCKED: The value of the INFORMATION OBJECT is blocked for transmission; the value remains in the state that was acquired before it was blocked. Blocking and deblocking may be initiated for example by a local lock or a local automatic cause.
- SB = SUBSTITUTED/NOT SUBSTITUTED: The value of the INFORMATION OBJECT is provided by the input of an operator (dispatcher) or by an automatic source.
- NT = NOT TOPICAL/TOPICAL: A value is topical if the most recent update was successful. It is not topical if it was not updated successfully during a specified time interval or if it is unavailable.
- IV = INVALID/VALID: A value is valid if it was correctly acquired. After the acquisition function recognizes abnormal conditions of the information source (missing or non-operating updating devices) the value is then marked invalid. The value of the INFORMATION OBJECT is not defined under this condition. The mark INVALID is used to indicate to the destination that the value may be incorrect and cannot be used.
APPLICATION LAYER FUNCTIONS
LOCAL INITIALIZATION OF CONTROLLING STATION - UNBALANCED SYSTEMS
IEC870-5-104
CONTROL FIELD TYPES
- Three types of control field formats are used to perform:
  - numbered information transfer (I format),
  - numbered supervisory functions (S format),
  - unnumbered control functions (U format).
I FORMAT CONTROL FIELD
S FORMAT CONTROL FIELD
U FORMAT CONTROL FIELD
N(S), N(R)

Both sequence numbers are sequentially increased by one for each APDU and each direction.
The transmitter increases the Send Sequence Number N(S) and the receiver increases the
Receive Sequence Number N(R). The receiving station acknowledges each APDU or a number
of APDUs when it returns the Receive Sequence Number up to the number whose APDUs are
properly received. The sending station holds the APDU or APDUs in a buffer until it receives
back its own Send Sequence Number as a Receive Sequence Number which is a valid
acknowledge for all numbers <= the received number. Then it may delete the correctly
transmitted APDUs from the buffer. In case of longer data transmission in one direction only,
an S format has to be sent in the other direction to acknowledge the APDUs before buffer
overflow or time out. This method should be used in both directions. After the establishment of
a TCP connection, the send and receive sequence numbers are set to zero.
UNDISTURBED SEQUENCES OF NUMBERED I FORMAT APDUS
UNDISTURBED SEQUENCES OF NUMBERED I FORMAT APDUS ACKNOWLEDGED BY AN S FORMAT APDU
DISTURBED SEQUENCE OF NUMBERED I FORMAT APDUS
TIME-OUT IN CASE OF A NOT ACKNOWLEDGED LAST I FORMAT APDU
APCI CONTROL FIELD
STARTDT , STOPDT
- STARTDT (Start Data Transfer) and STOPDT (Stop Data Transfer) are used by the controlling station (for example, Station A) to control the data transfer from a controlled station (Station B).
- When the connection is established, user data transfer is not automatically enabled from the controlled station on that connection, i.e. STOPDT is the default state when a connection is established. In this state, the controlled station does not send any data via this connection, except unnumbered control functions and confirmations to such functions. The controlling station must activate the user data transfer on a connection by sending a STARTDT act via this connection. The controlled station responds to this command with a STARTDT con. If the STARTDT is not confirmed, the connection is closed by the controlling station. This implies that after station initialization (see 7.1) STARTDT must always be sent before any user data transfer from the controlled station (for example, general interrogated information) is initiated. Any pending user data in the controlled station is sent only after the STARTDT con.
STARTDT , STOPDT ( START/STOP DATA TRANSFER)
- Refer to IEC 60870-5-104 clause 5.3. Only the controlling station sends the STARTDT. The expected mode of operation is that the STARTDT is sent only once after the initial establishment of the connection (or re-establishment of a connection). The connection then operates with both controlled and controlling stations permitted to send any message at any time until the controlling station decides to close the connection with a STOPDT command (or the connection fails and is automatically closed after the timeouts expire).
START DATA TRANSFER PROCEDURE
STARTDT/STOPDT is a mechanism for the controlling station to activate/deactivate the monitoring direction. The controlling station may send commands or setpoints even if it has not yet received the activation confirmation. Send and receive counters continue their functionality independent of the use of STARTDT/STOPDT.
STOP DATA TRANSFER PROCEDURE
TESTFR
- The controlling and/or controlled station must regularly check the status of all established connections to detect any communication problems as soon as possible. This is done by sending TESTFR frames.
- Unused, but open, connections may be periodically tested in both directions by sending test APDUs (TESTFR = act) which are confirmed by the receiving station sending TESTFR = con. Both stations may initiate the test procedure after a specified period of time in which no data transfers occur (time out). The reception of every frame – I frame, S frame or U frame – retriggers timer t3.
UNDISTURBED TEST PROCEDURE
UNCONFIRMED TEST PROCEDURE
PORT NUMBER
MAXIMUM NUMBER OF OUTSTANDING I FORMAT APDUS (K)
SYNCHRONIZATION MECHANISMS
- The control field of IEC104 contains various formats/mechanisms for effective handling of network data synchronization:
- 1. I Format – used to perform numbered information transfer. It contains a send-sequence number and a receive-sequence number. The transmitting station increases the send-sequence number when it sends any data and the receiver increases the receive-sequence number when it receives any data. The sending station has to hold the sent APDUs in a buffer until it receives back the send sequence numbers as the receive sequence number from the destination station.
- 2. S Format – used to perform numbered supervisory functions. In any case where the data transfer is only in a single direction, S-format APDUs have to be sent in the other direction before timeout (t2), buffer overflow, or when the maximum number of allowed I format APDUs without acknowledgement (w) has been crossed.
- 3. U Format – used to perform unnumbered control functions. This is used for the activation and confirmation mechanisms of STARTDT (start data transfer), STOPDT (stop data transfer) and TESTFR (test APDU).
- 4. Test Procedure – open but unused connections must be tested periodically (when 't3' has elapsed since the last message) by sending TESTFR frames, which need to be acknowledged by the destination station. The connection needs to be closed when there is no reply to the test message after timeout (t1) or when there are more I-format APDUs outstanding than the specified 'k'.
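The I/S/U formats and the STARTDT, TESTFR, k and acknowledgement rules described in the IEC104 slides above, as an added example that is not part of the original presentation: it encodes and parses the APCI, gates user data on STARTDT con, keeps unacknowledged I APDUs in a buffer bounded by k, deletes them once an N(R) covers them, and rejects an I APDU whose N(S) is not the expected one. The Station class and the constructed ASDU bytes are assumptions; the 0x68 start byte and the U-format octet values are from IEC 60870-5-104.

```python
import struct

START = 0x68
# U-format control octets (IEC 60870-5-104): act / con of STARTDT, STOPDT, TESTFR.
STARTDT_ACT, STARTDT_CON, STOPDT_ACT, STOPDT_CON = 0x07, 0x0B, 0x13, 0x23
TESTFR_ACT, TESTFR_CON = 0x43, 0x83

def apci_i(ns, nr, asdu):
    """I format: 15-bit N(S) and N(R), each stored shifted left by one bit."""
    ctrl = struct.pack("<HH", (ns & 0x7FFF) << 1, (nr & 0x7FFF) << 1)
    return bytes([START, 4 + len(asdu)]) + ctrl + asdu

def apci_s(nr):
    """S format: first control octet 0x01, N(R) in the last two octets."""
    return bytes([START, 4]) + struct.pack("<HH", 1, (nr & 0x7FFF) << 1)

def apci_u(function):
    """U format: function bits in the first control octet, the rest zero."""
    return bytes([START, 4, function, 0, 0, 0])

def parse_apci(apdu):
    """Classify an APDU by the low bits of its first control octet."""
    if len(apdu) < 6 or apdu[0] != START or apdu[1] != len(apdu) - 2:
        raise ValueError("malformed APDU")
    c1, c3 = struct.unpack("<HH", apdu[2:6])
    if c1 & 1 == 0:
        return {"format": "I", "ns": c1 >> 1, "nr": c3 >> 1, "asdu": apdu[6:]}
    if c1 & 3 == 1:
        return {"format": "S", "nr": c3 >> 1}
    return {"format": "U", "function": apdu[2]}

class Station:
    """One end of a connection: STARTDT gating, k-bounded send buffer, acks."""
    def __init__(self, controlling, k=12):
        self.controlling, self.k = controlling, k
        self.vs = self.vr = 0  # both counters are zero once the TCP connection opens
        self.unacked = {}      # N(S) -> I APDU held until an N(R) covers it
        self.started = False   # STOPDT is the default state of a new connection

    def send_i(self, asdu):
        if not self.started:
            raise RuntimeError("STOPDT state: user data transfer not active")
        if len(self.unacked) >= self.k:
            raise RuntimeError("k outstanding I APDUs: wait for acknowledgement")
        apdu = apci_i(self.vs, self.vr, asdu)
        self.unacked[self.vs] = apdu
        self.vs = (self.vs + 1) % 32768
        return apdu

    def receive(self, apdu):
        """Process one APDU from the peer; return the APDU to send back, if any."""
        f = parse_apci(apdu)
        if f["format"] == "U":
            if f["function"] == STARTDT_ACT and not self.controlling:
                self.started = True
                return apci_u(STARTDT_CON)
            if f["function"] == STARTDT_CON and self.controlling:
                self.started = True
            return apci_u(TESTFR_CON) if f["function"] == TESTFR_ACT else None
        # I and S both carry N(R): every buffered N(S) below N(R) (modulo 2^15)
        # is acknowledged and can be deleted from the buffer.
        self.unacked = {ns: a for ns, a in self.unacked.items()
                        if (f["nr"] - ns - 1) % 32768 >= self.k}
        if f["format"] == "S":
            return None
        if f["ns"] != self.vr:
            raise RuntimeError(f"sequence error: expected N(S)={self.vr}, got {f['ns']}")
        self.vr = (self.vr + 1) % 32768
        return apci_s(self.vr)  # acknowledge at once (w = 1 for simplicity)
```

A real implementation closes the connection on a sequence error and on a missing TESTFR con after t1; the example only raises.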
DNP3 PROTOCOL
- Westronic Incorporated developed DNP3 between 1992 and 1994
- Time label for signals at the RTU side
- Master/Slave and unsolicited communication supported – the RTU can start data communication without a master request
- Different data types
- Event buffering and data backfilling
- Transferring different types of data in one frame
- Time synchronization
- 4-layer structure (from the 7 layers of OSI)
- Powerful error detecting mechanism
- SBO (Select Before Operate), Freeze operation
4 LAYER STRUCTURE – ENHANCED PERFORMANCE ARCHITECTURE - EPA
FRAGMENTS , SEGMENTS , FRAMES
DATA MODELING
- DNP3 data modeling is based on data type groups, variations, address and class
- A variation is a different presentation of a tag in a group
- Event groups show buffered data with time
- Frozen Counter shows the frozen value of a counter at a specific time
- Example: a DI tag with address 10 (G1) and a G2 tag with address 10 refer to the same point. G1 shows the current value of the tag and G2 shows the buffered data
MOST IMPORTANT GROUPS
- Group 1 = Digital Input
- Group 2 = Digital Input Event
- Group 3 = Double Bit Input
- Group 4 = Double Bit Input Event
- Group 10 = Digital Output Status
- Group 11 = Digital Output Status Event
- Group 12 = Digital Output Command
- Group 20 = Counters
- Group 21 = Frozen Counters
- Group 22 = Counters Event
- Group 23 = Frozen Counters Event
- Group 30 = Analog Input
- Group 32 = Analog Input Event
- Group 40 = Analog Output Status
- Group 41 = Analog Output Command
- Group 42 = Analog Output Status Event
- Group 50 = Date Time
- Group 51 = Common Time of Occurrence
- Group 60 = Class Object
- Group 80 = Internal Indication

VARIATIONS
- A variation of a group is a different presentation of the data
- The Master can read with any variation from the Slave
- When the Master asks for Class 0, 1, 2, 3, the Slave should send by its default variation
- When the Slave sends data by unsolicited communication, the Slave should use its default variations
- Default variations can be set in the Slave device as parameters
GROUP 30 VARIATIONS
GROUP 60 CLASS
- DNP tags have a Class.
- Class 0 = Static value. Current value of the tag
- Class 1 = Event value. Class 1
- Class 2 = Event value. Class 2
- Class 3 = Event value. Class 3
- There is no priority between class 1, 2, 3. It is only a logical grouping of tags
- For example you can set all Digital Input tags in class 1 and all Analog Inputs in class 2. Then the master can send a class 1 request every second and a class 2 request every 10 seconds.
TRANSACTION DIAGRAM
DLL FRAME FORMAT
WHAT IS OPC UA PROTOCOL ?
- In 1993 Microsoft released the COM/DCOM technologies.
- COM is used for real-time data transfer between two or more Windows applications.
- DCOM is used for communication over a network.
- COM is the base technology for many other Microsoft technologies like ActiveX and OLE.
- COM is based on the interface concept, meaning software components talk to each other with no knowledge of their internal implementation.
OPC CLASSIC ( OLE FOR PROCESS CONTROL)

- In 1996 the OPC Foundation released the OPC standard based on COM/DCOM technologies.
- OPC specifies the communication of real-time plant data between control devices from different manufacturers.
- The specification defines a standard set of objects, interfaces and methods for use in process control to facilitate interoperability.
- OPC DA (Data Access) is used for read/write of real-time data.
- OPC HA (Historical Access) is used to access archived data in devices.
- OPC AE (Alarm and Event) is used for the exchange of alarms and events between client and server.
OPC STRUCTURE

(Slide diagram: OPC Clients, each with its own database, talk to an OPC Server; the OPC Server holds a tag database and a mapping to a Modbus Master, and the Modbus Master polls the Modbus Slave device.)
OPC CLASSIC PROBLEMS
- Only based on Windows OS
- DCOM is very difficult to configure. It has many different security policies for different Windows versions
- DCOM is not very secure
- OPC does not support event-based communication between client and server
- No powerful data modeling
- No redundancy defined in the standard
- Not completely implemented for Windows CE and Windows Mobile
OPC UA OPEN PLATFORM COMMUNICATION UNIFIED ARCHITECTURE
- The OPC Foundation solved all OPC Classic problems with the UA standard.
- The first version was released in 2006 after 3 years of hard work.
- OPC UA is based on Service Oriented Architecture (SOA) and the communication layer can be TCP binary, HTTP, Web Service, …

(Slide diagram: 1 – the OPC UA Client sends a request over TCP to the OPC UA Server; 2 – the Server sends the answer.)

OPC UA SPECIFICATION: 14 PARTS, 1250 PAGES
- 1 - Concepts
- 2 - Security Model
- 3 - Address Space Model
- 4 - Services
- 5 - Information Model
- 6 - Mappings
- 7 - Profiles
- 8 - Data Access
- 9 - Alarms and Conditions
- 10 - Programs
- 11 - Historical Access
- 12 - Discovery and Global Services
- 13 - Aggregation
- 14 - PubSub
CAN WE USE OPC UA FOR SCADA ?
- Can we use OPC UA for communication between RTU and master SCADA?
- Can we use OPC UA instead of DNP3 or IEC104?
- We MUST have the following functionalities for a SCADA protocol:
  - Different data types
  - Time label for tags
  - Time synchronization mechanism
  - Event buffering and backfilling
  - Freeze of counters
  - Integrity poll
  - Send changes by RTU without Master request
- OPC UA does not support the items marked in red (on the original slide)

OPC UA SECURITY
- OPC UA provides countermeasures to resist threats to the security of the information that is communicated.
- OPC UA security works within the overall Cyber Security Management System (CSMS) of a site. Sites often have a CSMS that addresses security policy and procedures, personnel, responsibilities, audits, and physical security. A CSMS typically addresses threats that include those described in 4.3. They also analyze the security risks and determine what security controls the site needs.
- The security requirements of the OPC UA interfaces that are deployed at a site are specified by the site, not by the OPC UA specification.
APPLICATIONS AUTHENTICATION
- OPC UA applications support authentication of the entities with which they are communicating. As specified in the GetEndpoints and OpenSecureChannel services in Part 4, OPC UA Client and Server applications identify and authenticate themselves with X.509 v3 Certificates and associated private keys (see [X509]). Some choices of the communication stack require these Certificates to represent the machine or user instead of the application.
SECURE CHANNEL
- The Secure Channel provides:
  - encryption to maintain Confidentiality,
  - message signatures to maintain Integrity,
  - Certificates to provide application Authentication.
- OPC UA supports the selection of several security modes:
  - “None”,
  - “Sign”,
  - “SignAndEncrypt”
OPC UA ADDRESS SPACE – OBJECT MODEL
- The primary objective of the OPC UA AddressSpace is to provide a standard way for Servers to represent Objects to Clients.
- It defines Objects in terms of Variables and Methods. It also allows relationships to other Objects to be expressed.
NODE MODEL
- The set of Objects and related information that the OPC UA Server makes available to Clients is referred to as its AddressSpace.
- Objects and their components are represented in the AddressSpace as a set of Nodes described by Attributes and interconnected by References.
NODE CLASS
MODELING SAMPLE , OPC CLASSIC
OPC UA SERVICES
REQUEST AND RESPONSE HEADER
OPC UA MAPPINGS
OPC UA SECURITY ARCHITECTURE