IEC 60870-5-104 - telecontrol protocol in European energy systems
IEC 60870-5-104 (port 2404) - SCADA protocol in the energy sector, no authentication, Industroyer and COSMICENERGY attacks, segmentation recommendations per IEC 62443.
Jozef Sulwinski
On December 17, 2016, the Industroyer malware cut off one-fifth of Kyiv from the power grid by sending circuit breaker open commands to RTU devices via the IEC 60870-5-104 protocol. Seven years later, in May 2023, Mandiant discovered COSMICENERGY - malware capable of identical operations, likely developed as a training tool by a Russian cybersecurity firm. Both programs exploited the same fundamental weakness: IEC 104 has no authentication mechanism whatsoever. Any host on the network that establishes a TCP connection on port 2404 can send control commands to a power substation.
What is IEC 60870-5-104
IEC 60870-5-104 (IEC 104 for short) is an international telecontrol communication standard developed by the International Electrotechnical Commission (IEC). It defines the rules for data transmission between a dispatch center (controlling station) and field devices (controlled station) - typically RTUs, gateway controllers, and intelligent electronic devices (IEDs) in power substations.
The protocol was created as an adaptation of the earlier IEC 60870-5-101 standard (serial link communication) to TCP/IP networks. It retains the application layer from IEC 101, adding TCP transport on port 2404. It is the dominant SCADA protocol in the European energy sector, as well as in power networks across the Middle East, Asia, and Latin America. Its North American counterpart is DNP3.
Protocol architecture
IEC 104 uses a client-server model: the controlling station initiates a TCP connection to the controlled station. Once the connection is established, both sides exchange data in the ASDU (Application Service Data Unit) format.
APCI frame structure
Each IEC 104 frame begins with an APCI (Application Protocol Control Information) header.
The 0x68 signature identifies an IEC 104 frame. The Control Fields determine the frame type (I/S/U) and contain sequence numbers.
Frame types
The protocol defines three frame formats at the transport layer:
| Format | Type | Function |
|---|---|---|
| I-frame (Information) | Application data | Transmitting ASDUs with process data and commands |
| S-frame (Supervisory) | Supervisory | Acknowledging receipt of I-frames (flow control) |
| U-frame (Unnumbered) | Control | Connection management: STARTDT, STOPDT, TESTFR |
Key ASDU types
The ASDU is the basic data unit in IEC 104. Each contains a type identifier (TypeID), cause of transmission (COT), and information object address (IOA). The most important types:
| TypeID | Description | Direction | Risk |
|---|---|---|---|
| M_SP_NA_1 (1) | Single-point information (binary status) | Monitoring (outstation -> master) | Low |
| M_ME_NA_1 (9) | Measured value, normalized | Monitoring | Low |
| M_SP_TB_1 (30) | Single-point information with timestamp | Monitoring | Low |
| C_SC_NA_1 (45) | Single command (ON/OFF) | Control (master -> outstation) | Critical |
| C_DC_NA_1 (46) | Double command (ON/OFF with confirmation) | Control | Critical |
| C_SE_NA_1 (48) | Set-point command, normalized | Control | Critical |
| C_IC_NA_1 (100) | Interrogation command | Status read | Medium |
| C_CS_NA_1 (103) | Clock synchronization | Time synchronization | Medium |
Types 45, 46, and 48 are control commands - they can open and close circuit breakers, change regulator setpoints, and switch device operating modes. These are the exact ASDU types that Industroyer and COSMICENERGY exploited.
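The APCI header and ASDU layout described in the three sections above, as an added decoding example (not code from the original article, lib60870 or c104): it classifies I/S/U frames and, for I-frames, extracts TypeID, COT, common address and IOAs, flagging the 45-48 control range. It assumes the usual IEC 104 field sizes (COT 2, CA 2, IOA 3 bytes, SQ = 0), adds C_RC_NA_1 (47) to complete the control range the article's table does not list, and the sample frames are constructed.

```python
START_BYTE = 0x68
# TypeIDs from the table above plus C_RC_NA_1 (47), completing the 45-48 control
# range; ELEMENT_SIZE = bytes of information element after each 3-byte IOA.
TYPE_NAMES = {1: "M_SP_NA_1", 9: "M_ME_NA_1", 30: "M_SP_TB_1", 45: "C_SC_NA_1",
              46: "C_DC_NA_1", 47: "C_RC_NA_1", 48: "C_SE_NA_1",
              100: "C_IC_NA_1", 103: "C_CS_NA_1"}
ELEMENT_SIZE = {1: 1, 9: 3, 30: 8, 45: 1, 46: 1, 47: 1, 48: 3, 100: 1, 103: 7}
CONTROL_TYPEIDS = {45, 46, 47, 48}
U_FUNCTIONS = {0x04: "STARTDT act", 0x08: "STARTDT con", 0x10: "STOPDT act",
               0x20: "STOPDT con", 0x40: "TESTFR act", 0x80: "TESTFR con"}

def parse_apdu(data: bytes) -> dict:
    """Decode one APDU: the 6-byte APCI header and, for I-frames, the ASDU."""
    if len(data) < 6 or data[0] != START_BYTE:
        raise ValueError("not an IEC 104 APDU: missing 0x68 start byte")
    if data[1] != len(data) - 2:                    # length counts all bytes after it
        raise ValueError(f"APDU length field {data[1]} != {len(data) - 2}")
    c1, c2, c3, c4 = data[2:6]
    if c1 & 0x01 == 0:                              # bit 0 clear -> I-frame
        frame = {"kind": "I", "send_seq": (c1 >> 1) | (c2 << 7),
                 "recv_seq": (c3 >> 1) | (c4 << 7)}
        frame.update(parse_asdu(data[6:]))
        return frame
    if c1 & 0x03 == 0x01:                           # bits 1..0 == 01 -> S-frame
        return {"kind": "S", "recv_seq": (c3 >> 1) | (c4 << 7)}
    return {"kind": "U", "function": U_FUNCTIONS.get(c1 & 0xFC, "unknown")}

def parse_asdu(asdu: bytes) -> dict:
    """Decode the ASDU header (TypeID, VSQ, COT, CA) and its information objects.
    Assumes the usual 104 profile: COT 2, CA 2, IOA 3 bytes, and SQ = 0."""
    if len(asdu) < 6:
        raise ValueError("ASDU shorter than its 6-byte header")
    type_id, vsq = asdu[0], asdu[1]
    size = ELEMENT_SIZE.get(type_id)
    if size is None or vsq & 0x80:                  # bit 7 of VSQ = SQ flag
        raise ValueError(f"TypeID {type_id} or SQ=1 not handled in this example")
    objects, pos = [], 6
    for _ in range(vsq & 0x7F):                     # low 7 bits = object count
        if pos + 3 + size > len(asdu):
            raise ValueError("ASDU truncated inside an information object")
        obj = {"ioa": asdu[pos] | (asdu[pos + 1] << 8) | (asdu[pos + 2] << 16)}
        if type_id == 45:                           # SCO: bit 0 = SCS (0 OFF/1 ON), bit 7 = S/E
            sco = asdu[pos + 3]
            obj.update(state="ON" if sco & 0x01 else "OFF", select=bool(sco & 0x80))
        objects.append(obj)
        pos += 3 + size
    return {"type_id": type_id, "type_name": TYPE_NAMES[type_id],
            "cot": asdu[2] & 0x3F, "common_addr": asdu[4] | (asdu[5] << 8),
            "is_control": type_id in CONTROL_TYPEIDS, "objects": objects}
```

Feeding the decoder with captured 2404/TCP payloads gives exactly the fields a DPI rule or monitoring baseline needs: frame kind, TypeID and the IOAs a control command targets.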
Technical parameters
| Parameter | Value |
|---|---|
| Port | 2404/TCP |
| Transport | TCP/IP |
| Authentication | None |
| Encryption | None |
| Integrity | None (beyond TCP checksum) |
| Standard | IEC 60870-5-104:2006 + Amendment 1:2016 |
| Organization | IEC TC 57 |
Security assessment
Complete absence of security mechanisms
IEC 104 has no authentication, encryption, or integrity mechanisms at the application layer. The protocol was designed in the 1990s with the assumption that the telecommunications network connecting the dispatch center to substations was physically isolated and trusted. Today, when most IEC 104 communication travels over IP networks (often shared with other services), this assumption is false.
Consequences:
- Any host on the network can establish a TCP connection on port 2404 and send control commands
- Communication is transmitted in plaintext - an attacker in a man-in-the-middle position sees all process data and commands
- The absence of integrity mechanisms means packets can be modified in transit
- The protocol does not log security events - there is no mechanism for detecting unauthorized connections
IEC 62351 - security as an overlay
The IEC 62351 standard (Security for Power System Communication) defines security mechanisms for energy sector protocols, including IEC 104. IEC 62351-3 specifies the use of TLS for transport encryption, and IEC 62351-5 adds application-layer message authentication (Authentication Value in ASDU). In practice, however, IEC 62351 adoption is minimal - due to lack of support in legacy RTUs/IEDs, the cost of deploying PKI in distributed energy networks, and operator concerns about impact on communication reliability.
Attacks exploiting IEC 104
Industroyer/CrashOverride (December 2016) - the most advanced attack on a power grid in history. The IEC 104 module of the Industroyer malware acted as a rogue SCADA client:
- Established a TCP connection on port 2404 to the RTU at the “Pivnichna” substation in Kyiv
- Sent valid STARTDT sequences (data transmission activation)
- Performed an interrogation command (C_IC_NA_1, TypeID 100) - reading the current state of all objects in the RTU
- Sent Single Command (C_SC_NA_1, TypeID 45) with OFF value to IOA addresses corresponding to circuit breakers
- Cyclically repeated commands, making it difficult for operators to manually restore power
From the RTU’s perspective, Industroyer’s commands were indistinguishable from legitimate dispatch operator commands - the IEC 104 protocol offers no mechanism for verifying the source of a message.
COSMICENERGY (2023) - malware discovered by Mandiant, likely developed in the context of Russian red team exercises. The PIEHOP component (written in Python) connected to an MSSQL server acting as an intermediary, and the LIGHTWORK component (C++) sent IEC 104 commands to RTUs - specifically ON/OFF commands (TypeID 45) to change circuit breaker states. The COSMICENERGY analysis confirms that the barrier to creating IEC 104 attack tools is low - understanding the publicly available protocol specification is sufficient.
Industroyer2 (April 2022) - a simplified but more targeted version of Industroyer, detected by CERT-UA and ESET just before a planned attack on Ukrainian energy infrastructure. It contained hardcoded IP addresses and IEC 104 parameters specific to the targeted substation. The attack was stopped before the execution phase.
MITRE ATT&CK for ICS
| Technique | ID | IEC 104 context |
|---|---|---|
| Unauthorized Command Message | T0855 | Sending C_SC_NA_1 / C_DC_NA_1 without authorization |
| Manipulation of Control | T0831 | Opening/closing circuit breakers |
| Point & Tag Identification | T0861 | Interrogation command (C_IC_NA_1) for IOA enumeration |
| Spoof Reporting Message | T0856 | Spoofing telemetry data (M_SP_NA_1) to deceive operators |
| Monitor Process State | T0801 | Passive eavesdropping on process data |
Industroyer is cataloged as S0604, and COSMICENERGY as S1099 in MITRE ATT&CK for ICS.
Segmentation and protection recommendations
TIP
IEC 104 offers no native security mechanisms - protection must be 100% implemented at the network architecture level. In practice, this means: a firewall with DPI between every IEC 104 communication zone, encrypted transport (TLS/IPsec), passive anomaly monitoring, and strict access control to port 2404. Energy sector organizations must treat segmentation as a foundation, not a supplement to security. A complete guide to the IEC 62443 zones and conduits model can be found in the article OT network segmentation - zones and conduits.
Key recommendations
- Encrypt transport - TLS or IPsec - every IEC 104 connection between the dispatch center and a field substation should pass through an encrypted tunnel. The IEC 62351-3 standard defines a TLS profile for IEC 104. If end devices do not support TLS, use crypto gateways or site-to-site IPsec tunnels.
- DPI filtering on OT firewalls - deploy firewalls with deep packet inspection that understand IEC 104. Define rules at the TypeID level: allow control commands (TypeID 45-48) only from authorized controlling station IP addresses. Block and log all other control command attempts. Firewalls with IEC 104 DPI support: Fortinet FortiGate, Palo Alto NGFW (App-ID), StormShield SNi40, RAD SecFlow.
- Dedicated telecom network - IEC 104 communication between dispatch centers and substations should travel over a dedicated WAN (MPLS, SDH/SONET) or - if using a public network - over an encrypted overlay (VPN). Never expose port 2404 to the internet.
- Passive monitoring - deploy an anomaly detection system for IEC 104 traffic (Dragos, Claroty, Nozomi Networks, Rhebo). The system should alert on: control commands from unknown IP addresses, unusual TypeID sequences, connections from new sources, and communication pattern changes (baseline deviation).
- Connection allowlist - on the firewall, explicitly define which IP address pairs can communicate over IEC 104. Each controlled station should accept connections only from its controlling station. Redundancy (backup master) requires adding a second authorized address - not opening the port for the entire network.
- IEC 62351 migration plan - for new investments and modernizations, require RTU/IED suppliers to support IEC 62351 (TLS + message authentication). Include IEC 104 security requirements in procurement specifications - not as an option, but as a mandatory condition.
- Time synchronization - IEC 104 uses timestamps in telemetry data (TypeID 30-40). Manipulating the RTU clock (via a forged C_CS_NA_1 or NTP attack) can disrupt event ordering in the SCADA system and hinder incident analysis. Use an authenticated time source (NTP with authentication or PTP with IEC 61850-9-3 profile).
Summary
IEC 60870-5-104 is the foundation of SCADA communication in European energy systems - and simultaneously a protocol without any native security mechanisms. Industroyer, Industroyer2, and COSMICENERGY have proven that the lack of authentication in IEC 104 is not a theoretical risk but an actively exploited attack path. Protection requires a multi-layered approach: network segmentation, transport encryption, DPI filtering, passive monitoring, and ultimately migration to IEC 62351. For energy sector organizations, securing IEC 104 communication should be an absolute priority in the OT cybersecurity program.
Open source tools
| Tool | Language | Description | Link |
|---|---|---|---|
| lib60870 | C | Complete IEC 60870-5-101/104 implementation (master and slave) with examples | GitHub |
| c104 | Python | Python library for IEC 60870-5-104 communication | PyPI |
| Wireshark | C | Built-in IEC 104 dissector - analysis of I/S/U frames and ASDU types | Wireshark |
TIP
lib60870 includes ready-made master and slave examples - ideal for building a lab environment where you can test DPI firewall rules and anomaly detection for IEC 104 commands (TypeID 45-48).
Sources:
- IEC 60870-5-104:2006 - Telecontrol equipment and systems - IEC
- IEC 62351 - Security for Power System Communication - IEC TC 57
- Industroyer - S0604 - MITRE ATT&CK for ICS
- COSMICENERGY - S1099 - MITRE ATT&CK for ICS
- COSMICENERGY: New OT Malware Possibly Related to Russian Emergency Response Exercises - Mandiant, 2023
- Industroyer2: Industroyer Reloaded - ESET, 2022
- NIST SP 800-82 Rev. 3 - Guide to OT Security - NIST, 2023
- MITRE ATT&CK for ICS - MITRE Corporation
- NERC CIP Standards - NERC