VCL-Xcöde: IEC 60870-5-104 and DNP Protocol Encryptor


Valiant's VCL-Xcöde is an integrated IEC 60870-5-104 and DNP Data Encryption Equipment with extremely advanced features that may be installed to secure and protect RTU data in critical infrastructure such as Sub-Stations, Smart Grid Distribution Systems, Oil and Gas Infrastructure and Railway Signalling Networks from being compromised or accessed by hostile elements.

Data Sheet -104 Protocol Encryptor

The VCL-Xcöde may be installed in point-to-point or point-to-multi-point applications in centrally managed networks consisting of multiple edge locations to provide secure communications between multiple RTU Terminals and their corresponding IEC 60870-5-104 and DNP central server(s) located in Load Dispatch Centre(s) / SCADA Management Centre(s) and Rail Traffic Control Room(s). Additionally, the VCL-Xcöde also protects the RTUs against hostile network attacks and intrusions arising out of Denial of Service (DoS) attacks and MitM (Man-In-the-Middle).

-104 Protocol Encryptor

Access to the VCL-Xcöde is password protected with advanced firewall capabilities that meet and exceed NERC as well as all mandatory requirements of Password Protection and Control as provided in the GR-815-CORE-2 specifications. VCL-Xcöde can optionally be managed centrally from a RADIUS Server to provide enhanced levels of access security and centralized password management and control.


  • Utilities: Electric generation, transmission and distribution
  • Smart Grid Distribution Systems
  • Oil & Gas production, pipelines
  • Remote nodes in SCADA multi-drop networks
  • Railway Signalling Infrastructure: Rail Traffic Control Room(s)
  • All distributed data networks consisting of a central server and multiple edge locations

Deployment Topology:

  • Point-to-Point (i.e., encrypting RTU data between two Terminals)
  • Point-to-Multipoint (i.e. encrypting data between multiple RTU Terminals and the IEC 60870-5-104 server located in Load Dispatch Centres / SCADA Management Centres and Rail Traffic Control

Supported Data Encryption Algorithms:

  • 3DES, AES128, AES192, AES256 Encryption Algorithm

Interfaces - Terminal:

  • Total Number of Ethernet Interfaces: 5
    • Four 10/100 RJ45 equipment interfaces in the local (trusted) network
    • One 10/100/1000 RJ45 network interface to the WAN (untrusted) network
  • Integrated four-port Ethernet switch
  • Auto MDI/X (straight or crossover Ethernet cable correction)
  • USB serial port for local access and configuration

Interfaces Server:

  • Total Number of Ethernet Interfaces: 3
    • One 10/100/1000 RJ45 interface in the local (trusted) network
    • One 10/100/1000 RJ45 network interface to the WAN (untrusted) network
    • One 10/100/1000 RJ45 interface for configuration and management
  • Integrated four-port Ethernet switch
  • Auto MDI/X (straight or crossover Ethernet cable correction)
  • USB serial port for local access and configuration

Firewall - Features and Capabilities:

  • Deep Packet Inspection
  • Per-frame/packet authentication
  • Firewall
    • Port (Soft) - based
    • MAC - based
    • IP Address - based
    • IP Domain - based
  • White List and Black List options
    • White List Exception allowed and blocks all other traffic by default (system default mode)
    • Black List Exception blocked and allows all other traffic by default
  • Seamless scalability
  • Infrastructure neutral
  • Transparent to network and applications
  • Easy installation and management

Firewall and Security:

  • Ruggedized, IEC-61850-3 compliant firewall
  • Fanless, High reliability hardware
  • Wide Operating Temperature Range: -4°F ~ 149°F (-20°C ~ 65°C)
  • Suitable for installation in sub-stations, SCADA and industrial networks / harsh environments
  • Wide range of power supply options which includes, 24VDC, 48VDC, 110VDC, 250VDC and 90~240VAC 50/60Hz
  • Secure Boot
  • Firewall Security:
    • Inclusion Policy – Access Control based upon White List IP addresses, MAC address and IP Domain
    • Exclusion Policy – Access Control based on Black List
  • Resistance to Denial of Service (DoS) Attack
  • Continuous monitoring of the TLS connection to nullify MitM attacks
  • Encrypted Firmware Updates
  • Non-volatile Access Log with capability to "fingerprint" all successful and failed log-in attempts and keep a log of the IP and MAC addresses of all successful and failed logins / login attempts
  • SNMP trap generation, along with LED and external alarm indication
  • Password Protection with password strength monitor
  • RADIUS Password Authentication
  • SSH (Secure Access Control) with encrypted Password Protection

Network Support:

  • IPv4 and IPv6 Routing
  • Ethernet
  • VLAN tag preservation
  • MPLS tag preservation
  • IPv4

Monitoring and Access Control:

  • Password Strength Monitor
  • Device Management and Alarm Monitoring
  • Command Line Interface – Telnet, SSH
  • SNMPv2 Alarm Monitoring
  • Alarm condition detection and reporting (traps and SNMP alarm table)
  • Syslog
  • Audit Log


  • Power: 1+0 and 1+1 Redundant Power Supply Options (1+1 Redundant Power Supply Options available in the 19-Inch Chassis Only)
  • 18VDC ~ 60VDC (Terminal)
  • 85VDC ~ 250VDC (Terminal)
  • 100~240VAC, 50/60Hz (Terminal and Server)
  • Power Consumption: 9W at maximum load (Terminal)
  • Power Consumption: 210W at maximum load (Server)


  • Compact DIN Rail Terminal: MTBF ≥ 215,000 hours @ 24C ambient with single 48VDC power supply
  • 1U, 19-Inch Rack-mountable Terminal: MTBF ≥ 295,000 hours @ 24C ambient with dual, redundant 48VDC power supplies
  • 2U, 19-Inch Rack-mountable Server: MTBF ≥ 249,000 hours @ 24C ambient with dual, redundant AC power supplies.

Application Diagram

Data Sheet

Data Sheet -104 Protocol Encryptor