IEC 60870-5-104

IEC 60870-5-104 Security Testing and Validation

IEC 60870-5-104 is one of the most widely used communication protocols in industrial control systems. It carries critical telemetry and control information between substations, remote terminal units and central SCADA masters. Because the protocol is used in power transmission and distribution networks, the reliability and security of its implementations are essential.

IEC 60870-5-104 was designed for interoperability and deterministic behaviour. It was not originally built with strong security mechanisms, which means that incorrect parsing or weak validation can introduce serious risks. Attackers may exploit malformed frames, unexpected control sequences or improper timeout processing to influence system behaviour or interrupt operations.

CyTAL supports the secure development and validation of IEC 60870-5-104 implementations. Using ProtoCrawler, we identify parsing faults, connection handling weaknesses, state machine issues and denial of service vulnerabilities that traditional network tests do not uncover.


What is IEC 60870-5-104

IEC 60870-5-104 extends the IEC 60870-5-101 serial protocol for operation over TCP/IP networks. It is widely used in energy and utility infrastructure due to its efficiency and predictable timing behaviour. The protocol uses Application Service Data Units carried within Application Protocol Data Units that run on top of a reliable transport layer.

IEC 60870-5-104 supports:

  • Telemetry reporting

  • Remote control commands

  • Time synchronisation

  • Event reporting

  • Cyclic data acquisition

  • Spontaneous and interrogated transmissions

Because it operates within critical infrastructure, even minor implementation flaws can create operational or safety risks.


Architecture and Attack Surface

IEC 60870-5-104 introduces several layers where vulnerabilities may occur.

Transport and Session Handling

IEC 60870-5-104 uses TCP for reliable delivery. Weaknesses appear when systems:

  • Fail to handle connection drops

  • Accept duplicate or unexpected frames

  • Process out-of-sequence packets

  • Mismanage window sizes

APCI Frame Structure

The Application Protocol Control Information layer controls communication flow. Vulnerabilities often arise from:

  • Incorrect sequence number processing

  • Failure to validate U, S and I format frames

  • Boundary miscalculations

  • Faulty acknowledgement handling

ASDU Parsing and Validation

Application Service Data Units carry control and telemetry messages. Issues include:

  • Length field misinterpretation

  • Invalid type identifiers

  • Missing validation of cause of transmission

  • Incorrect handling of sequence or single data elements

  • Time tag parsing flaws
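
The APCI and ASDU checks listed in the two sections above, written out as an added example (this is not ProtoCrawler's or CyTAL's code). The validator refuses a frame unless the length field matches the bytes actually present, the control field is a well-formed I, S or U format, the type identifier and VSQ count agree with the body length, and any CP56Time2a tag is in range. The type-size table, the error messages and the sample frames are constructed for this example; a real stack needs the full type catalogue.

```python
"""Strict APCI/ASDU validation for IEC 60870-5-104 frames.

Added example, not ProtoCrawler or CyTAL code. One APDU is parsed from a byte buffer and
rejected whenever the length field, control field, VSQ, COT, common address or a
CP56Time2a time tag cannot be reconciled with the bytes actually present.
"""
from typing import Optional

START_BYTE = 0x68
MIN_APDU_LEN, MAX_APDU_LEN = 4, 253   # control field alone .. control field + 249-byte ASDU
U_FUNCS = {0x04: "STARTDT act", 0x08: "STARTDT con", 0x10: "STOPDT act",
           0x20: "STOPDT con", 0x40: "TESTFR act", 0x80: "TESTFR con"}
# Assumed minimal type table (constructed for this example): type identifier -> bytes per
# information element, excluding the 3-byte object address. A real stack needs the full catalogue.
ELEMENT_SIZE = {
    1: 1,    # M_SP_NA_1  single-point information (SIQ)
    3: 1,    # M_DP_NA_1  double-point information (DIQ)
    30: 8,   # M_SP_TB_1  single-point with CP56Time2a (SIQ + 7-byte tag)
    45: 1,   # C_SC_NA_1  single command (SCO)
    100: 1,  # C_IC_NA_1  interrogation command (QOI)
}
TIME_TAGGED = {30}

class FrameError(ValueError):
    """Any frame the validator refuses to process."""

def parse_cp56time2a(t: bytes) -> dict:
    """Decode a 7-byte CP56Time2a tag, rejecting out-of-range fields."""
    ms = t[0] | (t[1] << 8)
    minute, hour = t[2] & 0x3F, t[3] & 0x1F
    day, month, year = t[4] & 0x1F, t[5] & 0x0F, 2000 + (t[6] & 0x7F)
    if ms > 59999 or minute > 59 or hour > 23 or not 1 <= day <= 31 or not 1 <= month <= 12:
        raise FrameError("CP56Time2a field out of range")
    return {"ms": ms, "minute": minute, "hour": hour, "day": day, "month": month,
            "year": year, "invalid": bool(t[2] & 0x80)}

def parse_asdu(asdu: bytes) -> dict:
    """Validate the 6-byte ASDU header and check that the body length matches type and VSQ."""
    if len(asdu) < 6:
        raise FrameError("ASDU header needs 6 bytes")
    type_id, vsq, cot = asdu[0], asdu[1], asdu[2] & 0x3F
    common_addr = asdu[4] | (asdu[5] << 8)
    if type_id not in ELEMENT_SIZE:        # also rejects the undefined type 0
        raise FrameError(f"unsupported or undefined type identifier {type_id}")
    n, sq = vsq & 0x7F, bool(vsq & 0x80)
    if n == 0 or cot == 0 or common_addr == 0:
        raise FrameError("object count, COT and common address must be non-zero")
    elem = ELEMENT_SIZE[type_id]
    expected = 3 + n * elem if sq else n * (3 + elem)   # SQ=1: one address, then n elements
    body = asdu[6:]
    if len(body) != expected:
        raise FrameError(f"body has {len(body)} bytes, type/VSQ imply {expected}")
    if type_id in TIME_TAGGED:             # the tag is the last 7 bytes of each element
        for i in range(n):
            off = (3 + i * elem) if sq else (i * (3 + elem) + 3)
            parse_cp56time2a(body[off + elem - 7:off + elem])
    return {"type_id": type_id, "num_objects": n, "sq": sq, "cot": cot, "common_addr": common_addr}

def parse_apdu(buf: bytes) -> dict:
    """Validate the APCI, classify the control field and hand an I-frame's ASDU to parse_asdu."""
    if len(buf) < 6 or buf[0] != START_BYTE:
        raise FrameError("missing start byte or frame shorter than the APCI")
    length = buf[1]
    if not MIN_APDU_LEN <= length <= MAX_APDU_LEN:
        raise FrameError(f"length field {length} outside {MIN_APDU_LEN}..{MAX_APDU_LEN}")
    if len(buf) != length + 2:             # the field counts every byte after itself
        raise FrameError(f"length field {length} disagrees with {len(buf) - 2} bytes present")
    c1, c2, c3, c4 = buf[2:6]
    asdu = buf[6:]
    if c1 & 0x01 == 0:                                     # I format
        if c3 & 0x01:
            raise FrameError("reserved bit set in N(R)")
        return {"fmt": "I", "send_seq": (c1 >> 1) | (c2 << 7),
                "recv_seq": (c3 >> 1) | (c4 << 7), **parse_asdu(asdu)}
    if asdu:
        raise FrameError("S and U frames carry no ASDU")
    if c1 == 0x01 and c2 == 0 and c3 & 0x01 == 0:          # S format
        return {"fmt": "S", "recv_seq": (c3 >> 1) | (c4 << 7)}
    if c1 & 0x03 == 0x03 and c2 == c3 == c4 == 0 and (c1 & 0xFC) in U_FUNCS:
        return {"fmt": "U", "u_func": U_FUNCS[c1 & 0xFC]}
    raise FrameError("control field is not a valid I, S or U format")

def check(buf: bytes) -> Optional[str]:
    """None when every check passes, otherwise the rejection reason."""
    try:
        parse_apdu(buf)
        return None
    except FrameError as e:
        return str(e)

# Constructed sample frames for this example
GOOD_I = bytes.fromhex("680e" "00000000" "010103000100" "01000001")      # M_SP_NA_1, 1 object, COT=3
STARTDT_ACT = bytes.fromhex("6804" "07000000")
S_ACK_5 = bytes.fromhex("6804" "01000a00")                               # N(R)=5
GOOD_TIME = bytes.fromhex("6815" "00000000" "1e0103000100" "01000001" "d2041e0c0f0618")
BAD_LENGTH = bytes.fromhex("6820" "00000000" "010103000100" "01000001")  # claims 32 bytes, has 14
BAD_COUNT = bytes.fromhex("680e" "00000000" "010503000100" "01000001")   # VSQ says 5 objects, 1 present
BAD_TIME = bytes.fromhex("6815" "00000000" "1e0103000100" "01000001" "d2041e0c0f0d18")  # month 13
```

The point of the design is that the length field is never trusted as an index: the frame is first checked against the bytes that actually arrived, then the type identifier and VSQ are used to compute the body length the sender should have supplied, and only then are the information objects touched. Calling check() on each of the sample frames shows the first four accepted and the three BAD_ frames rejected with a reason.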

State Machine Behaviour

IEC 60870-5-104 devices maintain internal states that track communication status. Attackers may exploit:

  • Unexpected control sequences

  • Invalid activation or deactivation flows

  • Timeouts that trigger undesirable behaviour

Operational Impact

Because IEC 60870-5-104 controls real industrial processes, vulnerabilities may lead to:

  • Disrupted telemetry

  • Loss of visibility

  • Control command delays

  • Incorrect remote operations

  • Denial of service in substations or remote units


Common Vulnerabilities in IEC 60870-5-104 Implementations

1. Parsing and Length Validation Errors

Incorrect boundary handling may cause:

  • Crashes

  • Memory corruption

  • Acceptance of malformed frames

  • Unreliable behaviour during high traffic

2. Improper Sequence Number Handling

Incorrect processing leads to:

  • Silent frame loss

  • State desynchronisation

  • Unexpected session resets
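
The sequence-number rules in this section, together with the window handling from Transport and Session Handling and the STARTDT/STOPDT states from State Machine Behaviour, as one added example (not ProtoCrawler's or CyTAL's code). The Link class is a receiver-side model that accepts I-frames only in the STARTED state, requires N(S) to be the next expected value, lets N(R) acknowledge only frames actually sent, and bounds the unacknowledged window with the k and w parameters. Closing the connection on any inconsistency is the defensive policy assumed here, and the two trace functions use constructed exchanges.

```python
"""Session state and sequence-number tracking for one IEC 60870-5-104 link.

Added example, not ProtoCrawler or CyTAL code. Link models the receiving side of a
connection; closing on any inconsistency is the defensive policy assumed here.
"""
from typing import List, Optional

MODULO = 1 << 15                 # N(S) and N(R) are 15-bit counters

def seq_between(lo: int, x: int, hi: int) -> bool:
    """True when lo <= x <= hi in modulo-32768 arithmetic (handles wrap-around)."""
    return (x - lo) % MODULO <= (hi - lo) % MODULO

class Link:
    def __init__(self, k: int = 12, w: int = 8):
        self.k, self.w = k, w        # k: max unacknowledged I-frames sent; w: acknowledge after w received
        self.state = "STOPPED"
        self.closed = False
        self.v_s = 0                 # N(S) of the next I-frame we send
        self.v_r = 0                 # N(S) we expect from the peer next
        self.ack_s = 0               # first N(S) of ours the peer has not yet acknowledged
        self.last_acked_r = 0        # peer N(S) up to which we have sent an acknowledgement

    def _close(self, reason: str) -> str:
        self.closed, self.state = True, "STOPPED"
        return f"close:{reason}"

    def on_u(self, func: str) -> str:
        if self.closed:
            return "close:already closed"
        if func == "STARTDT act":
            self.state = "STARTED"
            return "send:STARTDT con"
        if func == "STOPDT act":
            self.state = "STOPPED"
            return "send:STOPDT con"
        if func == "TESTFR act":
            return "send:TESTFR con"
        return self._close(f"unexpected U-frame {func}")

    def _ack(self, nr: int) -> Optional[str]:
        # N(R) may confirm nothing new or everything sent so far, never more than that
        if not seq_between(self.ack_s, nr, self.v_s):
            return self._close(f"N(R)={nr} outside [{self.ack_s}, {self.v_s}]")
        self.ack_s = nr
        return None

    def on_s(self, nr: int) -> str:
        return self._ack(nr) or "accept"

    def on_i(self, ns: int, nr: int) -> str:
        if self.state != "STARTED":
            return self._close("I-frame received while STOPPED")
        if ns != self.v_r:
            return self._close(f"N(S)={ns} but expected {self.v_r}")
        err = self._ack(nr)
        if err:
            return err
        self.v_r = (self.v_r + 1) % MODULO
        if (self.v_r - self.last_acked_r) % MODULO >= self.w:   # w frames unacknowledged: send S-frame
            self.last_acked_r = self.v_r
            return f"send:S N(R)={self.v_r}"
        return "accept"

    def send_i(self) -> Optional[int]:
        """N(S) for a new outgoing I-frame, or None when the k window is full."""
        if self.state != "STARTED" or (self.v_s - self.ack_s) % MODULO >= self.k:
            return None
        ns, self.v_s = self.v_s, (self.v_s + 1) % MODULO
        return ns

def receive_trace() -> List[str]:
    """Constructed exchange: an I-frame before STARTDT, then eight in-order frames, then a gap."""
    cold = Link()
    trace = [cold.on_i(0, 0)]
    link = Link()
    trace.append(link.on_u("STARTDT act"))
    trace += [link.on_i(i, 0) for i in range(8)]
    trace.append(link.on_i(10, 0))          # N(S) jumps from 8 to 10: desynchronised
    return trace

def send_trace() -> list:
    """Constructed exchange: fill the k window, get acknowledged, then receive a bogus N(R)."""
    link = Link()
    link.on_u("STARTDT act")
    sent = [link.send_i() for _ in range(13)]   # twelve succeed, the thirteenth is refused
    sent.append(link.on_s(12))                  # peer acknowledges all twelve
    sent.append(link.send_i())                  # window open again: N(S)=12
    sent.append(link.on_s(40))                  # acknowledges frames that were never sent
    return sent
```

receive_trace() shows the three failure modes named in the text: the I-frame in the STOPPED state closes the link, eight in-order frames trigger exactly one S-frame acknowledgement, and the skipped sequence number is treated as desynchronisation rather than silently accepted. send_trace() shows the k window refusing a thirteenth unacknowledged frame and an out-of-range N(R) closing the link instead of corrupting the counters.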

3. Faulty ASDU Type Handling

Systems may incorrectly process:

  • Undefined or reserved type identifiers

  • Incorrect cause of transmission values

  • Malformed single-point or double-point information

  • Unexpected control command structures

4. Timeout and Session Management Flaws

Weaknesses include:

  • Failure to enforce timeouts

  • Misbehaviour under delayed transmissions

  • Repeated session restarts

5. Denial of Service Conditions

Devices may become unresponsive due to:

  • Rapid U-frame flooding

  • Oversized ASDUs

  • Resource exhaustion

  • TCP connection storms


Testing IEC 60870-5-104 with ProtoCrawler

ProtoCrawler enables deep and systematic testing of IEC 60870-5-104 behaviour.

Protocol-Aware Packet Generation

We generate valid frames and apply targeted mutations that test:

  • APCI header handling

  • ASDU type processing

  • Variable structure qualifier parsing

  • Time tag validation

  • Sequence number enforcement

State Machine Verification

ProtoCrawler evaluates:

  • Activation and deactivation flows

  • Spontaneous and interrogated transmission sequences

  • Session recovery under disruption

  • Proper acknowledgement behaviour

Control Command Testing

We analyse how devices react to:

  • Correct and incorrect control commands

  • Invalid cause of transmission values

  • Edge-case telemetry sequences

  • Timing-sensitive operations

Stress and Resilience Testing

ProtoCrawler assesses robustness under:

  • High-frequency frame injection

  • TCP connection cycling

  • Mixed valid and invalid traffic

  • Large ASDU bursts

Safety-Focused Behavioural Analysis

Industrial devices must fail safely. We evaluate:

  • Misoperation resistance

  • Reaction to invalid commands

  • Behaviour under partial communication loss

Integration with Development Pipelines

ProtoCrawler integrates with CI systems to provide continuous protocol assurance during development.


Best Practices for IEC 60870-5-104 Security

Enforce Strict Validation

Check all APCI and ASDU fields, including lengths, types and sequence numbers.

Harden Timeout and Session Logic

Ensure deterministic behaviour under load, delays and unexpected disconnects.

Protect Against Control Abuse

Require validation of all control command sources and states.

Apply Input Rate Limiting

Prevent resource exhaustion by bounding processing rates.

Monitor Communication Patterns

Detect abnormal behaviour such as repeated U-frames or unusual telemetry bursts.
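
The monitoring and rate-limiting practices above, applied to the U-frame flooding and connection-storm conditions listed under Denial of Service Conditions, as an added example (not ProtoCrawler's or CyTAL's code). A sliding-window counter flags any source that sends U-frames or opens connections faster than a threshold, and a per-source token bucket bounds how many frames per second are processed at all. The event format, the thresholds (20 U-frames or 5 connections per second, 50 frames per second with a burst of 100), the addresses and the traffic are all constructed for this example.

```python
"""Traffic monitoring and rate limiting for IEC 60870-5-104 connections.

Added example, not ProtoCrawler or CyTAL code. Event format, thresholds, addresses
and the sample traffic are constructed for this example.
"""
from collections import defaultdict, deque
from typing import Dict, Tuple

def frame_kind(apdu: bytes) -> str:
    """Classify an APDU by its first control octet: I, S or U format."""
    c1 = apdu[2]
    if c1 & 0x01 == 0:
        return "I"
    return "S" if c1 & 0x03 == 0x01 else "U"

class SlidingCounter:
    """Number of events per key within the last `window` seconds."""
    def __init__(self, window: float, threshold: int):
        self.window, self.threshold = window, threshold
        self.events: Dict[str, deque] = defaultdict(deque)

    def hit(self, key: str, ts: float) -> bool:
        """Record one event; True when the key now exceeds the threshold inside the window."""
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.threshold

class TokenBucket:
    """Admit at most `rate` frames per second, with bursts of up to `burst` frames."""
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, ts: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def analyse(events, u_threshold=20, conn_threshold=5, rate=50.0, burst=100):
    """events: (timestamp, source, kind, apdu) with kind 'connect' or 'frame'.
    Returns ({(source, reason): first_timestamp}, number of frames dropped by the limiter)."""
    u_counter = SlidingCounter(1.0, u_threshold)
    conn_counter = SlidingCounter(1.0, conn_threshold)
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    alerts: Dict[Tuple[str, str], float] = {}
    dropped = 0
    for ts, src, kind, apdu in events:
        if kind == "connect":
            if conn_counter.hit(src, ts):
                alerts.setdefault((src, "connection storm"), ts)
            continue
        if not buckets[src].allow(ts):      # over the per-source rate: drop before parsing
            dropped += 1
            continue
        if frame_kind(apdu) == "U" and u_counter.hit(src, ts):
            alerts.setdefault((src, "U-frame flood"), ts)
    return alerts, dropped

# Constructed sample traffic: one normal outstation, one noisy source, one bursty source
TESTFR_ACT = bytes.fromhex("6804" "43000000")
I_FRAME = bytes.fromhex("680e" "00000000" "010103000100" "01000001")

def sample_events():
    ev = [(0.0, "10.0.0.5", "connect", b"")]
    ev += [(float(t), "10.0.0.5", "frame", I_FRAME) for t in range(1, 20)]        # one I-frame per second
    ev += [(10.0, "10.0.0.5", "frame", TESTFR_ACT)]                                 # a single link test
    ev += [(5.0 + i * 0.01, "10.0.0.99", "frame", TESTFR_ACT) for i in range(30)]   # 30 TESTFR in 0.3 s
    ev += [(7.0 + i * 0.01, "10.0.0.99", "connect", b"") for i in range(8)]         # 8 connects in 0.08 s
    ev += [(9.0, "10.0.0.7", "frame", I_FRAME)] * 150                               # burst of 150 I-frames
    return sorted(ev, key=lambda e: e[0])

if __name__ == "__main__":
    found, dropped = analyse(sample_events())
    for (src, reason), ts in sorted(found.items(), key=lambda kv: kv[1]):
        print(f"t={ts:.2f} {src}: {reason}")
    print(f"{dropped} frames dropped by rate limiting")
```

Run on the constructed traffic, the normal outstation at 10.0.0.5 produces no alert, the noisy source is reported once for the U-frame flood and once for the connection storm (at the first event that crosses each threshold, not once per frame), and the token bucket discards 50 of the 150 frames that 10.0.0.7 sends in the same instant, so the parser behind it only ever sees the burst size it was provisioned for.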

Use Secure Network Architectures

Place IEC 60870-5-104 systems within monitored and segmented industrial networks.


Frequently Asked Questions

Q: Why is IEC 60870-5-104 vulnerable?
It was designed for reliability rather than security and relies on correct implementation and secure network architecture.

Q: Can ProtoCrawler simulate full IEC 60870-5-104 sessions?
Yes. ProtoCrawler models APCI and ASDU sequences and tests devices under realistic and edge-case conditions.

Q: What issues are most common?
Parsing faults, sequence number errors and session management weaknesses.

Q: Do both master and outstation devices need testing?
Yes. Vulnerabilities may appear in either direction.

Q: How often should IEC 60870-5-104 communication stacks be validated?
During development, after major code changes and as part of regular security testing.


Strengthen Your IEC 60870-5-104 Implementation

CyTAL helps organisations secure industrial communication systems by identifying protocol-level weaknesses early. ProtoCrawler provides in-depth testing that reveals vulnerabilities long before they impact operational networks.

Contact us to arrange a demonstration or to discuss how ProtoCrawler can support your industrial security strategy.