IEC 60870-5-104

IEC 60870-5-104 is the TCP/IP form of the IEC 60870-5 telecontrol family, common in electrical SCADA. A connected TCP
socket is not enough on its own: STARTDT is the explicit instruction that opens data transfer, and until it is confirmed
the link carries nothing. General Interrogation pulls the full current picture in one exchange, and after that the
controlled station reports spontaneously, sending events as they occur rather than waiting to be asked. The three frame
formats divide the labour: I for information, S for acknowledgement, U for control such as STARTDT, so an
S-format frame is pure bookkeeping with no payload. Classic IEC 104 carries no authentication; IEC 62351 is the
standard that layers security on, and its deployment in the field is still patchy.
104 mapping
IEC 60870-5-104, commonly called simply “104”, maps the application layer of IEC 60870-5-101 onto TCP/IP. The 101 standard, published through the 1990s, defined a serial telecontrol protocol for communication between SCADA masters and remote terminal units in electric utility environments. The 104 amendment, published in 2000 and revised in 2006, kept the application layer intact and replaced the serial link layer with TCP on port 2404.
The result is the dominant SCADA protocol for power generation, transmission, and distribution in Europe, and widely deployed in Asia, Latin America, the Middle East, and water and wastewater systems globally. In North American power utilities, DNP3 fills the same role. The protocols occupy the same architectural position, carry similar data types, and share the same fundamental security gap: the base specification carries no authentication.
The protocol structure
A 104 message is an Application Protocol Data Unit (APDU). Every APDU begins with a four-byte Application Protocol Control Information (APCI) header: a Start byte fixed at 0x68, a length byte, and two control-field bytes. Three frame formats use this header differently.
I-format frames carry numbered information transfers. Each I-frame carries a send sequence number and a receive sequence number. The sequence numbers provide reliable ordered delivery within a TCP session and allow the receiver to acknowledge multiple frames with a single S-format (Supervisory) response. U-format (Unnumbered) frames handle connection control: STARTDT activates data transfer, STOPDT suspends it, and TESTFR provides keepalive. A session opens with a TCP connection, then a STARTDT act/con handshake before I-frames begin flowing. An RTU that receives I-frames before the STARTDT handshake completes may reject them or buffer them depending on implementation.
The application payload inside an I-frame is the Application Service Data Unit (ASDU). An ASDU carries a Type Identification byte, a Variable Structure Qualifier indicating how many information objects follow, a Cause of Transmission byte, a Common Address identifying the RTU, and one or more Information Objects each with an Information Object Address (IOA) and data.
Data types and commands
The Type Identification byte determines what kind of information the ASDU carries. Monitoring types include single-point information (Type 1, M_SP_NA), double-point information (Type 3, M_DP_NA), and measured values in several representations (Types 9, 11, 13 for short float, normalised, and scaled values). These carry breaker states, analogue measurements, and protection element states from RTU to master.
Command types run in the opposite direction: master to RTU. Single command (Type 45, C_SC_NA) operates a single-point output. Double command (Type 46, C_DC_NA) operates a double-point output, covering the open and close states of a switchgear. Setpoint commands (Types 48 to 50) write analogue values. General Interrogation (Type 100, C_IC_NA) asks the RTU to report all current values.
The Cause of Transmission byte distinguishes spontaneous reports (value 3, sent by the RTU when a monitored point changes) from interrogation responses (value 5), activation (value 6), and activation confirmation (value 7). Commands use the activation/activation confirmation/activation termination sequence. The select-before-operate pattern available in the standard requires the master to first send a command with a Select qualifier, receive confirmation, then send the Operate; the RTU executes only if the same point was recently selected. Which commands require select-before-operate is configuration, not enforcement.
Sending commands as the SCADA master
Port 2404 is the attack surface boundary. Discovery first:
nmap -p 2404 -sV --open 10.0.0.0/24
A device that can reach port 2404 and send correctly formatted APDUs can do everything the legitimate SCADA master can do. There is no credential to present, no session token to obtain, no certificate to authenticate.
The most direct attack is command injection. A Type 45 ASDU (C_SC_NA_1, single command) with Cause of Transmission set to activation operates the corresponding digital output on the RTU:
import struct
# Type 45 ASDU: single command to IOA 100, COT=activation, CA=1, execute ON
type_id = 45
vsq = 0x01 # 1 information object
cot = struct.pack('<H', 0x0006) # Cause of Transmission: activation
ca = struct.pack('<H', 1) # Common Address of ASDU
ioa = struct.pack('<I', 100)[:3] # Information Object Address (3 bytes, LE)
cmd = 0x01 # EXECUTE + ON (0x00 = OFF)
asdu = bytes([type_id, vsq]) + cot + ca + ioa + bytes([cmd])
# Wrap in I-frame APCI (0x68 start byte, length, send/recv sequence) and send to port 2404
On a transmission substation RTU, the outputs addressed by these ASDUs include breaker trip and close commands. The RTU processes the command and returns an activation confirmation. From the RTU’s perspective, the exchange is indistinguishable from a legitimate SCADA command.
False data injection is the read side of the same absence. An attacker who can intercept or insert traffic before it reaches the SCADA master can craft spontaneous data reports (Cause of Transmission 3) carrying fabricated breaker states or measurement values. The master’s display shows a consistent picture while the physical process differs. An operator acting on the falsified data makes decisions against a picture that does not exist.
General Interrogation carries particular value to an attacker mapping a new target. A C_IC_NA request returns the current state of all monitored points on the RTU: every breaker position, every measured value, every protection element state. No authentication is needed. The response is a complete snapshot of the substation’s electrical state.
The connection state mechanism provides a denial-of-service path. The sequence number windows (k, the maximum unacknowledged I-frames; w, the acknowledgement interval) are configured parameters. A device that injects I-frames with sequence numbers outside the expected window can force the RTU or master to close the TCP connection and re-establish it. Depending on the RTU’s reconnection behaviour, this may cause a gap in monitoring visibility.
IEC 62351-5
IEC 62351 Part 5 defines authentication for the IEC 60870-5 series, including 104. The mechanism appends a Message Authentication Code to ASDUs carrying critical commands. An RTU that receives a command ASDU checks the MAC before executing; a command without a valid MAC is rejected.
The key structure follows the same pattern as DNP3 SA v5: a pre-shared Update Key is installed during commissioning, and session keys are derived from it periodically. The Update Key exchange itself is authenticated, preventing an attacker without the current key from substituting a new one.
Deployment of IEC 62351 Part 5 is limited. It requires firmware support on the RTU and corresponding support in the SCADA master software. Substations commissioned before the standard was widely supported in vendor firmware are difficult to retrofit without hardware replacement. New projects specifying 104 can include IEC 62351 Part 5 requirements in procurement; the retrofit question is more constrained.
Closing the port, filtering the types
The set of IP addresses legitimately permitted to send commands to an RTU on port 2404 is typically one or two SCADA master addresses. A firewall rule restricting TCP port 2404 traffic to those addresses removes the largest part of the exposure without requiring any changes to the RTU or its configuration:
iptables -I INPUT -p tcp --dport 2404 -s 10.0.10.5/32 -j ACCEPT
iptables -A INPUT -p tcp --dport 2404 -j DROP
Application-layer inspection adds the ability to filter by ASDU Type ID and Cause of Transmission. Command Type IDs (45 through 51, 58 through 64 for time-tagged variants) arriving from any source other than the known SCADA master addresses can be blocked or alerted at an OT-aware firewall. Monitoring-only connections from historian or data diode feeds have no reason to send command Type IDs; restricting those connections to monitoring Types only is straightforward to specify.
Passive monitoring that decodes 104 traffic and baselines normal Type ID patterns, IOA ranges, and Cause of Transmission values provides detection capability without requiring changes to the RTU. A General Interrogation arriving from an IP address that has not previously sent one is a recognisable signal. A command sequence arriving outside normal SCADA polling windows is another.
The sequence number parameters k and w, and the connection timeout parameters t1, t2, and t3, are configured on both master and RTU during commissioning. Documenting the expected values and alerting on sessions that use anomalous parameters is a lighter-weight control than it might appear: a default-configuration attack tool is likely to use the standard default values, which may differ from the site-specific configuration.
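The following is an added example written for this page, not code from the page, the standard, or any vendor: it decodes the APCI and ASDU header laid out in the protocol-structure section (start byte, length, the four control octets that carry the I/S/U format and sequence numbers, then Type ID, VSQ, COT, CA and the first IOA) and runs the passive-monitoring rules of this section over a constructed sample stream. The master address 10.0.10.5, the second host 10.0.10.77, and the simplification that a STARTDT act seen on the RTU-bound side counts as opening data transfer are assumptions.

```python
import struct
COMMAND_TYPES = set(range(45, 52)) | set(range(58, 65))      # C_SC_NA_1..C_RD_NA_1 and time-tagged variants
GENERAL_INTERROGATION = 100                                   # C_IC_NA_1
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}

def parse_apdu(apdu):
    """Decode one APDU: APCI frame format, then the ASDU header and first IOA for I-frames."""
    if len(apdu) < 6 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2:
        raise ValueError("malformed APCI")
    c1, c2, c3, c4 = apdu[2:6]                                # the four control octets
    if c1 & 0x01 == 0:                                        # I-format: bit 0 of control octet 1 clear
        if len(apdu) < 15:                                    # 6-byte ASDU header plus a 3-byte IOA
            raise ValueError("I-frame without complete ASDU header")
        type_id, vsq, cot, ca = struct.unpack_from("<BBHH", apdu, 6)
        return {"format": "I", "send_seq": (c1 | c2 << 8) >> 1, "recv_seq": (c3 | c4 << 8) >> 1,
                "type_id": type_id, "n_objects": vsq & 0x7F, "cot": cot & 0x3F,
                "ca": ca, "ioa": int.from_bytes(apdu[12:15], "little")}
    if c1 & 0x03 == 0x01:                                     # S-format: pure acknowledgement, no ASDU
        return {"format": "S", "recv_seq": (c3 | c4 << 8) >> 1}
    return {"format": "U", "function": U_FUNCTIONS.get(c1, "unknown 0x%02x" % c1)}

def check_stream(frames, masters):
    """Apply the monitoring rules to (src_ip, apdu) pairs captured on the RTU-bound side of port 2404.
    Returns alert strings; a STARTDT act is taken as opening data transfer (assumption: con travels the other way)."""
    alerts, started = [], False
    for src, apdu in frames:
        f = parse_apdu(apdu)
        if f["format"] == "U":
            started = started or f["function"] == "STARTDT act"
        if f["format"] != "I":
            continue                                          # S- and U-frames carry no application data
        if not started:
            alerts.append(f"{src}: I-frame before STARTDT handshake")
        if f["type_id"] in COMMAND_TYPES and src not in masters:
            alerts.append(f"{src}: command type {f['type_id']} to IOA {f['ioa']} from non-master")
        if f["type_id"] == GENERAL_INTERROGATION and src not in masters:
            alerts.append(f"{src}: General Interrogation from unknown source")
    return alerts

def i_frame(send, recv, asdu):  # I-format APCI around an ASDU; used only to build the constructed sample
    return bytes([0x68, 4 + len(asdu)]) + struct.pack("<HH", send << 1, recv << 1) + asdu

# Constructed sample stream: the master opens the link and interrogates, then an unknown host sends a single command.
SAMPLE = [
    ("10.0.10.5", bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00])),                  # STARTDT act
    ("10.0.10.5", i_frame(0, 0, bytes([100, 1, 6, 0, 1, 0, 0, 0, 0, 20]))),      # C_IC_NA_1, COT 6, CA 1, QOI 20
    ("10.0.10.77", i_frame(1, 1, bytes([45, 1, 6, 0, 1, 0, 100, 0, 0, 0x01]))),  # C_SC_NA_1 ON, IOA 100
]
```

Running `check_stream(SAMPLE, {"10.0.10.5"})` flags only the Type 45 command from the unknown host; feeding the same stream without its STARTDT frame adds a before-handshake alert for every I-frame.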
Related
DNP3: occupies the same architectural role in North American power grids; DNP3 Secure Authentication v5 and IEC 62351 Part 5 implement the same challenge-response design
IEC 61850: the substation automation standard that coexists with 104 in many installations; IEC 62351 covers both
IEC 62351: Part 5 defines authentication for the IEC 60870-5 family including 104; Part 3 provides TLS wrapping for the TCP transport
Shodan: port 2404: internet-exposed IEC 104 endpoints