Category Archives: Uncategorized

Cyber Security for IEC Protocols Series Part 3: Securing IEC 61850 and MMS

A Deep Technical Study of Vulnerabilities, Secure Communication Protocols, and the Application of IEC 62351-4 to Digital Substation Messaging

Abstract

IEC 61850, the cornerstone of modern digital substations, uses the Manufacturing Message Specification (MMS) for client-server communications. As a comprehensive and extensible protocol suite, IEC 61850 enables powerful data modeling and efficient communication across intelligent electronic devices (IEDs), human-machine interfaces (HMIs), and control centers. However, the increased reliance on TCP/IP networking, vendor interoperability, and remote access capabilities has also expanded the protocol’s attack surface.

This article explores the cybersecurity implications of MMS-based IEC 61850 communications and evaluates how IEC 62351-4 introduces robust protections to address authentication, integrity, and confidentiality requirements. The discussion includes deep protocol analysis, threat vectors, cryptographic countermeasures, implementation recommendations, and performance considerations in substations where real-time operation and security must coexist.

Introduction to IEC 61850 and MMS

IEC 61850 defines a unified communication framework for substation automation. Its layered architecture includes:

  • Abstract Communication Service Interface (ACSI): Protocol-agnostic interface for data access
  • MMS (Manufacturing Message Specification): Implements the ACSI services for client-server messaging
  • TCP/IP and Ethernet: Transport layers used for communications across IEDs and SCADA systems

MMS enables operations such as Read, Write, ReportControl, Command, LogQuery, and more. These messages are exchanged between engineering workstations, SCADA clients, protection relays, and IEDs.

Originally, MMS and IEC 61850 offered no built-in security. All control and monitoring actions—such as tripping a breaker or querying protection settings—could be spoofed or intercepted. This lack of security became a pressing issue with the rise of networked substations, remote access, and sophisticated adversaries capable of exploiting protocol weaknesses.

Threat Landscape for MMS Communications

The IEC 61850/MMS layer is vulnerable to a wide range of threats:

Message Spoofing

Attackers who gain network access can forge MMS messages, particularly Write or Control commands, to mimic legitimate clients. Because early implementations of IEC 61850 lack built-in message authentication, an attacker can impersonate an operator or engineering station. This spoofing can result in unauthorized actions like opening circuit breakers or changing protection settings—leading to equipment damage, service interruption, or even safety risks.

Man-in-the-Middle (MITM) Attacks

In a MITM attack, adversaries position themselves between communicating devices and intercept the MMS traffic. Since IEC 61850 was not originally encrypted, the attacker can alter messages in transit, feeding incorrect data to SCADA operators or engineering systems. This could result in misleading situational awareness or manipulated control decisions. A particularly dangerous variant involves injecting malicious configuration updates without the operator realizing the breach.

Replay Attacks

Replay attacks exploit the stateless nature of some MMS operations. Attackers capture legitimate messages and resend them to repeat a prior valid command—like toggling a control output. Without sequence counters or timestamps to track freshness, these duplicate commands appear valid to the receiver, resulting in unintended device behavior and potentially repeated disruptions.

Unauthorized Access

If devices do not enforce authentication and authorization, attackers with network access may connect directly to IEDs. Through valid MMS operations like Read, GetNameList, or FileOpen, they can extract sensitive configuration data or deploy malicious firmware. Without role-based restrictions, even non-critical users could gain control privileges if they present a valid but unrestricted client identity.

Denial-of-Service (DoS)

IEDs and control systems typically have limited resources for processing requests. Attackers can craft malformed MMS packets or flood the network with high-volume queries, causing legitimate services to time out or become unresponsive. These attacks are especially disruptive during commissioning or emergency response, when high system availability is critical.

IEC 62351-4: Security Framework for MMS and ACSI

IEC 62351-4 defines the security mechanisms for MMS over TCP/IP, targeting the client-server communications in IEC 61850 and its abstract interface (ACSI). The standard introduces a multi-layered defense model comprising transport layer protection, cryptographic authentication, role-based access control, and session integrity.

TLS-Based Transport Protection

IEC 62351-4 mandates the use of TLS as a foundational requirement to protect MMS over TCP/IP. TLS establishes a secure channel that encrypts all communications, preventing adversaries from reading or modifying traffic. The handshake process authenticates both client and server using digital certificates, reducing the risk of impersonation. Moreover, TLS ensures integrity by using cryptographic hashes to detect message tampering.

The standard recommends TLS version 1.2 or higher, aligning with modern security practices. Cipher suites such as AES-GCM provide authenticated encryption, combining confidentiality and integrity in a single operation. Elliptic-curve Diffie-Hellman (ECDHE) enables forward secrecy, ensuring that compromise of long-term keys doesn’t expose past sessions—a vital feature for protecting long-lived substation devices.

Mutual Authentication via Certificates

Both client and server endpoints are required to authenticate using X.509 certificates. The verification process includes:

  • Certificate signature validation against a trusted Certificate Authority (CA)
  • Certificate revocation checking (via CRL or OCSP)
  • Matching certificate identities to roles (e.g., SCADA operator, protection relay, commissioning tool)

Role-Based Access Control (RBAC)

RBAC in IEC 61850, as defined in IEC 62351-8, assigns permissions based on predefined roles rather than individual users. This model simplifies administration and improves scalability. Each role—such as Viewer, Operator, Engineer, or Commissioning Tool—is granted specific rights aligned with its function. For example, an Operator may be allowed to issue control commands but not alter IED settings.

Role assignments are bound to the client’s certificate, meaning the identity and role are cryptographically verified during the TLS handshake. This tight integration prevents privilege escalation—even if an attacker manages to connect to the device, they can only execute operations allowed by their role. Enforcement happens directly within the IED’s security stack, ensuring access control decisions are made locally and quickly.

Secure Associations and Session Management

Once TLS is established, an ACSI Association is created. IEC 62351-4 requires:

  • Session integrity tracking
  • Freshness verification (via sequence numbers or session IDs)
  • Binding of authenticated identities to sessions

If a session is interrupted or suspicious activity is detected, devices may force re-authentication or close the session entirely.

Implementation Architecture

To integrate IEC 62351-4 in substation networks, several architectural elements are recommended:

Certificate Management Infrastructure

Establishing a robust Public Key Infrastructure (PKI) is a prerequisite for secure IEC 61850 deployments. Utilities must operate or contract a trusted Certificate Authority (CA) responsible for issuing, signing, and revoking certificates. These certificates validate the identity of SCADA clients, engineering stations, and IEDs.

To streamline deployment and reduce human error, automated enrollment protocols like SCEP (Simple Certificate Enrollment Protocol) or EST (Enrollment over Secure Transport) are recommended. These allow devices to request and renew certificates without manual intervention. Revocation mechanisms, such as Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP), must be in place to ensure compromised identities can be quickly disabled.

IED Security Stack Enhancements

IEDs must support:

  • TLS termination and certificate validation
  • MMS over TLS (port 102)
  • Access control enforcement for MMS operations
  • Logging and audit trail for security-relevant events

Resource-constrained IEDs may require hardware cryptographic acceleration or external proxies.

Network Design Considerations

A secure MMS deployment requires careful network segmentation. Substation LANs should be organized into VLANs that separate control, engineering, and monitoring functions. Firewalls and layer-2/3 filtering should restrict MMS traffic to approved endpoints. Engineering workstations, for instance, should only communicate with IEDs during scheduled maintenance windows.

Deep Packet Inspection (DPI) firewalls can further enhance security by inspecting MMS/TLS payloads to detect malformed or unauthorized traffic. In environments with legacy systems, TLS proxy devices can be introduced to enforce encryption without replacing all IEDs. Limiting network exposure to the public internet and applying strict IP whitelisting are also best practices

Interoperability and Conformance Testing

Given the complexity of TLS integration, conformance testing is critical. IEC 62351-100-4 defines test cases for verifying:

  • Proper TLS handshake and cipher negotiation
  • Certificate validation behavior
  • Access control enforcement by role
  • Session timeout and re-authentication mechanisms

Independent certification programs can validate vendor compliance and help identify interoperability gaps before deployment.

Performance Considerations

TLS Overhead

While TLS adds latency due to handshake and encryption, modern IEDs and processors can complete handshakes in under 100 ms and maintain high-throughput encrypted sessions.

TLS session resumption and long-lived connections mitigate performance impacts. AES-GCM cipher suites provide both speed and integrity.

Control Operation Timing

Time-critical operations, such as breaker tripping, are typically handled via GOOSE or SV, not MMS. Nevertheless, TLS encryption must not significantly impact normal control or configuration tasks via MMS.

IEC 62351 allows optimization such as:

  • Offloading cryptographic tasks to hardware
  • Persistent TLS connections
  • Streamlined access control checks

Summary of Best Practices

To effectively secure IEC 61850/MMS communications:

  • Mandate TLS for all MMS traffic using IEC 62351-4 and 62351-3 profiles
  • Deploy mutual authentication via X.509 certificates
  • Use role-based access control to restrict MMS operations based on identity
  • Monitor and audit all MMS connections and actions
  • Integrate certificate management with utility PKI infrastructure
  • Perform conformance testing using IEC 62351-100-4 test suites

Conclusion

Securing MMS-based IEC 61850 communications is essential for the trustworthiness and safety of digital substations. IEC 62351-4 provides a technically robust and scalable security model by integrating TLS, mutual authentication, and fine-grained access control. These protections, when properly implemented and tested, ensure that substation devices operate securely in increasingly interconnected and threat-prone environments.

In Part 4 of this series, we will turn to TASE.2/ICCP, the protocol of choice for utility control center interconnection, and explore how IEC 62351-6 secures this vital communication layer.

IEC 60870-5-101/104 Version 2.4.1 Released: Important Security and Stability Update

MZ Automation has released IEC 60870-5-101/104 version 2.4.1, the latest update to our IEC 60870-5-101/104 C source code library.

This release focuses primarily on security, stability, and reliability. It addresses the vulnerabilities reported during recent weeks, including several issues affecting ASDU parsing, TLS certificate validation, message-length validation, and server communication.

Version 2.4.1 is not intended as a major feature release. However, it also includes a limited number of minor improvements and API additions.

Vulnerability Fixes

The release contains several important security corrections:

  • Added message-length validation when parsing Information Object Addresses within ASDUs and information objects.
  • Fixed an out-of-bounds read in the decoder for ASDU type S_IT_TC_1
    (LIB8705-305, GHSA-f5xp-w6f3-vvrv).
  • Fixed a TLS certificate-validation bypass affecting the mbedTLS 2.28 integration when allowOnlyKnownCertificate=true and validateChain=false
    (LIB8705-304, GHSA-fc2j-39h7-c7v9).
  • Removed the unencrypted TLS_RSA_WITH_NULL_SHA256 cipher suite from the default TLS configuration for both mbedTLS 2.28 and 3.6
    (LIB8705-303).
  • Added validation of the ASDU Variable Structure Qualifier field against the expected payload size when creating an ASDU from a buffer
    (GHSA-7v97-jmwv-w5j7).

Users are strongly encouraged to update to version 2.4.1, particularly when IEC 60870-5-101/104 is used in network-connected or security-sensitive environments.

Additional Improvements

Version 2.4.1 also introduces several smaller improvements:

  • Added a mutex to protect Certificate Revocation List updates and access during runtime for the mbedTLS 2.28 and 3.6 integrations
    (LIB8705-307).
  • Added the previously missing IntegratedTotalsForSecurityStatistics_getAID function.
  • Added checks to determine whether an ASDU type permits multiple information objects before information objects are added to or read from an ASDU.
  • Improved TLS renegotiation handling for mbedTLS 2.28 by driving renegotiation and processing timeouts through TLSSocket_tick, allowing precise time-based renegotiation intervals.
  • Added validation of the user-provided index passed to CS101_ASDU_getElement.
  • Added the TLSConfiguration_setMaxCertificateSize function and an optional maximum certificate-size check during the TLS handshake.
  • Fixed the BufferFrame implementation
    (LIB8705-313).

Other Bug Fixes

The release also resolves the following functional and stability issues:

  • Fixed a CS104 server issue where switching connections without stopping the old connection could cause retransmissions to be sent out of order over the new connection
    (LIB8705-283).
  • Fixed a potential deadlock in the CS104 server thread.
  • Fixed a potential memory leak during TLS renegotiation when the peer certificate must be stored.
  • Corrected the Cause of Transmission used by the CS101/104 client and master when sending a read command
    (LIB8705-270).

Important Compatibility Notice

Customers using the secure authentication module must update it to the latest version when upgrading to IEC 60870-5-101/104 2.4.1 to ensure compatibility.

Updating to Version 2.4.1

Commercial customers with an active Maintenance and Support agreement can obtain the new release through the MZ Automation customer portal or via the official GitHub.

Because this release addresses multiple reported vulnerabilities, we recommend reviewing existing deployments and planning the update as soon as possible.

More information and updates can be found on our other platforms:

YouTube: https://www.youtube.com/@MZAutomation2014

LinkedIn: https://www.linkedin.com/company/mz-automation-gmbh/

IEC 61850 Protocol Library v1.6.1 Now Available

We at MZ Automation are happy to announce we have just released an update of our IEC 61850 Protocol Library. This update includes multiple enhancements across client connection handling, Sampled Values Control Block support, and many more updated in the .NET API, making it even easier for engineers and system integrators to build robust, interoperable solutions for substation automation and related energy applications.

What’s New in IEC 61850 Library v1.6.1?

Enhanced Client Connection Management

  • ClientConnection_abort: Allows a server application to actively terminate a client connection.
  • ClientConnection_claimOwnership and ClientConnection_release: Enable programmatic access to client connections outside of standard callback functions. (LIB61850-488)

Extended .NET API for IEC 61850

  • Support for SVControlBlock: Enables configuration and handling of Sampled Value messages in .NET-based systems.
  • RBAC-ready access control: New callback interfaces allow custom restrictions on external access to the IEC 61850 data model—critical for role-based access control.
  • LogStorage function wrapper added for server-side logging via the IEC61850ServerAPI.
  • MMS Data Encoding/Decoding: Functions MmsValue_encodeMmsData and MmsValue_decodeMmsData allow direct handling of MMS binary content.
  • TLS enhancements: TLS-related functions added to improve secure communication. (LIB61850-486)
  • Server Log Service support now available via the .NET API. (LIB61850-461)
  • Improved data model representation: MmsVariableSpecification class extended with additional properties. (LIB61850-460)
  • Resolved logging issue in example projects log_client and log_server.

Improved IEC 61850 Engineering Tools

  • New .NET Tools: Static and dynamic model generation tools are now available in .NET (Java versions still included for compatibility).
  • SCLParser: Now available as a standalone tool—load and parse SCL (Substation Configuration Language) models for direct use with the library.
  • MmsError_toString function added to simplify MMS error handling. (LIB61850-423)
  • Sampled Values (SV) Publisher Update
  • Added support for the optional gmIdentity field in SV messages for improved interoperability with time synchronization sources.

Version 1.6.1 is available to all customers with an active maintenance and service contract.

Please feel free to contact our sales team directly if you have any questions about this update or any of our other products.

Upcoming Release: IEC 61850 Server Simulator

We are thrilled to announce that in just a few weeks, MZ automation will be launching an innovative new tool for the IEC 61850 protocol: the IEC 61850 Server Simulator. This powerful tool is designed to streamline testing and development processes in environments that require precise control over Intelligent Electronic Device (IED) operations.

What Makes the IEC 61850 Server Simulator Stand Out?

  • Intuitive User Interface: Navigating the complexities of IEC 61850 has never been easier. The simulator features an intuitive graphical user interface (GUI) that simplifies the simulation of IEDs as servers. Whether you’re loading CID, ICD, SCD, or IID files, the GUI offers seamless management of Data Sets, Control Blocks, Data Objects, and more.
  • Dynamic Control and Monitoring: With real-time insights into server operations, the simulator gives you full control over simulations. You can make dynamic changes to data attributes and server parameters for precise testing and development, while easily monitoring connected clients, subscribed Report Controls, and managing server configurations.
  • Enhanced Testing Capabilities: The simulator allows you to streamline testing processes, from automating data attributes to managing write access configurations. Use the Group View feature for efficient monitoring of selected data attributes, and update DAI (data attribute information) in real-time using MMS communication with the Predefined Values Editor.
  • Comprehensive Server Management: Manage non-client IED servers with ease using the simulator’s robust Server Management interface. Set local IP addresses, manage TCP ports, and configure TLS for enhanced security. The Server Configuration Window enables optimization of server settings, including report buffer sizes, for greater control over server operations.

Why Choose MZ automation’s IEC 61850 Server Simulator?

At MZ automation GmbH, we are committed to providing easy-to-use, intuitive tools that help engineers succeed. The IEC 61850 Server Simulator is designed to support your company’s testing and development goals by making your processes more efficient and manageable. Whether you are ensuring protocol compliance, testing new configurations, or optimizing system performance, this simulator is your trusted companion.

Explore the capabilities of this powerful tool and see how it can enhance your operations. Stay tuned for the official release!

Introducing the IEC61850 ICD Designer – Now Available

We are excited to announce the release of the 61850 ICD Designer, the latest tool from MZ automation GmbH. This powerful software is designed to simplify the creation and management of Intelligent Electronic Device (IED) models, ensuring full compliance with the IEC 61850 standard.

Why Choose the 61850 ICD Designer?

Our 61850 ICD Designer has been crafted with the needs of modern engineers and technicians in mind. Its robust features and intuitive interface offer unmatched efficiency and reliability for all your IED configuration tasks.

Key Features and Benefits:

  • User-Friendly Interface: The tool’s modern, intuitive interface simplifies navigation and configuration. With drag-and-drop functionality, setting up your IED models is quick and seamless, reducing both time and effort.
  • Comprehensive File Management: Easily create, modify, and extend ICD and other SCL files. This flexibility gives you the tools needed to meet any project challenge.
  • Enhanced Data Type Template Management: Create and manage data type templates within the IEC61850 protocol. The tool supports adding and editing templates based on the NSD document version and revision, making it highly adaptable for various projects.
  • Advanced Error and Warning Messaging: The error and warning messaging system identifies potential issues, ensuring your models stay fully compliant with IEC61850 standards and minimizing the risk of costly mistakes.

Optimize Your IED Configuration Process

Built for both efficiency and reliability, the 61850 ICD Designer is the ideal tool for professionals looking to streamline their IED configuration processes. Whether you’re starting a new project or managing existing systems, this tool provides the advanced features and intuitive interface needed for success.

To learn more about the 61850 ICD Designer and how it can transform your operations, visit our company website.

Introducing IEC 61850 Library V1.6.0 – Now Available

We’re excited to announce the release of IEC 61850 Library V1.6.0, which brings several key improvements and new features aimed at enhancing functionality and security. This version has been developed to meet the latest standards, ensuring optimal performance and compliance.

Key Enhancements:

  • Reworked array handling: Every array element is now a separate ModelNode instance.
  • New access control features: Supporting IEC 62351-8 compliant Role-Based Access Control (RBAC).
  • TLS 1.3 support: Available when compiled with mbedtls 3.6, while mbedtls 2.28 can still be used.

New Features:

  • IED Server:
    • Additional callbacks for controlling external access to the data model (for RBAC implementation).
    • Write access handler for array elements (LIB61850-437).
    • New function: IedServer_handleWriteAccessForDataObject.
    • Retrieve the timestamp of received commands with ControlAction_getT (LIB61850-422).
    • Configuration options to make RCB elements read-only (LIB61850-404).
  • IED Client:
    • Added function: IedClientError_toString.
    • New asynchronous functions for handling RCB values: IedConnection_setRCBValuesAsync and IedConnection_getRCBValuesAsync (LIB61850-334).
  • Java Tools: Now support timestamp Val elements.
  • .NET API: Added SetReportSetting and GetReportSetting functions to IedServerConfig (LIB61850-404).

Security Enhancements:

  • TLS 1.3: Improved support, ensuring secure communication channels.

Additional Beta Features:

  • Support for R-GOOSE and R-SV.
  • SNTP client code.

Please note that IEC 61850 Library V1.6.0 is not backward compatible with previous versions. If you’re upgrading, you’ll need to regenerate static model code and adapt dynamically generated data models for the new array element structure.

If you prefer not to publish your own source code due to GPLv3 licensing requirements, a commercial license is available. Contact us via our company website for pricing and further details.

For a detailed overview of all the new features, changes, and technical information, visit the official release notes on our company website.

New Release 1.5.1 of libiec61850

This is a new maintenance release for the 1.5 branch.

New features and improvements

  • added server side ReportControlBlock events and value access functions
  • added functions Timestamp_fromMmsValue and Quality_toMmsValue
  • made server report reservation compatible with Ed. 2.1 (LIB61850-293)
  • new functions MmsValue_getOctetStringOctet and MmsValue_setOctetStringOctet
  • IedConnection: added function IedConnection_getDataSetDirectoryAsync
  • IedConnection: added function IedConnection_createDataSetAsync
  • IedConnection: added new function IedConnection_deleteDataSetAsync
  • IedServer instance can be restarted
  • new function IedConnection_setTimeQuality – Added support to set time quality for client generated time stamps (LIB61850-280)
  • .NET API: added wrapper for IedConnection_setFile and IedConnection_setFilestoreBasepath (LIB61850-258)
  • IED server: improved accuracy of integrity report intervals
  • .NET API: GooseSubscriber – added GetGoId, GetGoCbRef, GetFataSet methods
  • IED server: add support for SMV control blocks (“SMVC”) in config file parser
  • .NET API: added support for server integrated GOOSE publisher
  • MacOS thread layer: replaced semaphore by mutex

Fixed bugs and vulnerabilities

  • fixed vulnerability of GOOSE subscriber to malformed messages (LIB61850-304)
  • fixed – Bug in presentation layer parser can cause infinite loop (LIB61850-302)
  • .NET API: fix problem with garbage collected delegates for async client functions (LIB61850-301)
  • fixed compilation problem with option CONFIG_MMS_THREADLESS_STACK
  • fixed – TPKT error when connection is interrupted during message reception (LIB61850-299)
  • handle presentation layer data messages with transfer-syntax-name
  • fixed – UBRB: library can’t work at the same time with URCB with preconfigured client and URCB without preconfigured client (LIB61850-292)(#355)
  • fix – server crashes when presentation message has no user data (LIB61850-291)(#368)
  • MMS server: query log service returns services error instead of reject message when log does not exist (LIB61850-290)
  • fixed – IED server: crash during invalid control access – FC=CO on invalid layer (LIB61850-282)
  • fixed – Server: ctlNum and origin(status) are not updated automatically by the server when APC command is received (LIB61850-277)
  • MMS server: fixed problem with continue-after in some get-name-list handling cases
  • fixed – IedConnection: outstanding call on IEC layer is not release under some circumstances (LIB61850-270, LIB61850-251)
  • fixed bug in IsoServer that caused memory violation when the server was restarted while a client was connected
  • IED client: send RptEna as first element when RCB is to be disabled
  • fixed problem with double free of TLS configuration structure (LIB61850-254)
  • .NET API: Fixed problem with AccessViolationException in GooseControlBlock.GetDstAddress
  • MMS server: fixed data race bug in transmitBuffer handling (#338)
  • IED server: fixed crash when IEDName+LDInst is too long
  • .NET API: fixed bug – server write access handler causes “CallbackOnCollectedDelegate” exception (LIB61850-236)
  • MMS server: fixed potential crash when client connection closed during file upload (LIB61850-2)
  • MMS client: fixed problem – doesn’t close file when the setFile (obtainFile) service is interrupted e.g. due to connection loss (LIB61850-230)
  • Ethernet Socket (Windows): fixed bug and added workaround for problem on Windows (most GOOSE/SV messages are not received when waiting with WaitForMultipleObjects – observed with winpcap 4.1.3 and Windows 10
  • fixed problem in BER integer decoder (problem with GOOSE fixed length message decoding)
  • .NET API: Fixed memory release problem in method ModelNode.GetObjectReference
  • IED server: fixed bug in GoCBEventHandler
  • fixed problem in BSD ethernet layer (#328)
  • fixed bug in cmake file for BSD
  • fixed compilation problem when compiling without GOOSE support (#325)
  • IED server: control handling – fixed problem in test flag handling
  • IED server: For SBOes check test flag match when accepting operate (sSBOes8)
  • IED server: Reject Cancel/SBOw in WaitForChange state – fixed problem with test case sCtl26

Release 1.5.0

The new release 1.5.0 includes a lot of small improvements and bug fixes to make it compatible with latest test descriptions. The most notable new feature is the server side support for service tracking . This release is mostly compatible with version 1.4. It can and should be used to update existing project using version 1.5.

IEC 60870-5-101/104 Test Client

The new version 1.2.0 of our IEC 60870-5-101/104 Test Client tool is available.

It is an easy to use GUI client tool with a lot of features useful for testing. The professional edition provides CS 104 TLS support, CS 101 balanced and unbalanced mode, telegram details view, file transfer in monitoring and control directions, message logging, filtering, and a lot of other features.

The freeware and professional editions are available here.