IEC 60870-5-104 Security: The Critical Power Grid Protocol Hackers Love (and LabShock’s Mission to Change That) + Video

By /

Listen to this Post

Featured Image

Introduction

IEC 60870-5-104 (IEC104) is the backbone of modern electrical infrastructure—carrying measurements, alarms, and commands across substations, RTUs, and control centers. Yet, as highlighted in Zakhar Bernhardt’s recent announcement from LabShock Security, this protocol remains deeply integrated despite lacking inherent security, making it a prime target for attackers. With real tools to simulate, test, and validate these critical systems, LabShock’s new “Grid Zone” aims to bridge the gap between theoretical knowledge and hands-on OT security testing.

Learning Objectives

  • Understand the operational fundamentals of IEC 60870-5-104 and why its legacy design poses modern security risks.
  • Deploy practical network-level reconnaissance, traffic analysis, and detection engineering techniques for IEC104 environments.
  • Configure secure lab environments using Docker and open-source tools to simulate attacks and validate defenses without risking live infrastructure.

You Should Know

1. Why IEC104 Remains a Persistent Security Challenge

IEC 60870-5-104 was originally designed for reliable real-time telecontrol over serial lines, and its adaptation to TCP/IP (port 2404) did little to address cybersecurity. One severe issue is the transmission of data without any encryption mechanism, enabling traffic analysis and Man-in-the-Middle (MiTM) attacks. The protocol’s widespread integration into aging power grids, which “are not replaced in a day,” ensures its continued presence and risk profile. Recent CVEs, such as CVE-2026-8479 and CVE-2026-1773, demonstrate active vulnerabilities involving null pointer dereferences and improper handling of U-format frames, leading to Denial of Service (DoS) impacts on critical RTU devices.

Step‑by‑Step: Passive Reconnaissance of IEC104 Devices

To understand your exposure, use Shodan to identify internet-facing IEC104 assets. Attackers actively query for port 2404 (IEC 104), 502 (Modbus), and 102 (Siemens S7).

  1. Install and initialize the Shodan CLI (Linux/Windows WSL): 
    pip install shodan
shodan init YOUR_API_KEY  Get free API key from shodan.io

2. Search for your organization’s exposed OT assets:

shodan search --limit 100 --fields ip_str,port,org,product net:YOUR_NETWORK_CIDR port:2404,502,102

3. Perform deeper fingerprinting with Nmap to identify vendor and firmware:

nmap -p 2404 --script iec-identify <target_IP>

If you discover exposed IEC104 devices, immediately implement network segmentation. Block direct internet access to port 2404 at the perimeter firewall and require VPN or jump hosts for any remote maintenance.

  1. Building a Safe OT Lab: Deploying LabShock with Docker

LabShock provides a controlled OT security laboratory using real industrial protocols. It is not a simulator; it enables safe experimentation with systems that are otherwise inaccessible or safety-critical in production. The platform supports event-driven security understanding, SIEM integration, and progressive learning paths. To get started, you only need Docker.

Step‑by‑Step: Installing and Running LabShock

1. Clone the LabShock repository:

git clone https://github.com/zakharb/labshock.git
cd labshock

2. Launch the lab environment (the platform will start in trial mode with a 40-minute session limit—unlimited restarts):

docker-compose up -d

3. Access the Web UI to begin exploring the OT network, generating protocol traffic, and testing detection rules. The platform includes a complete OT cyber range with SCADA, PLC, and DMZ components deployable in less than 10 minutes.

  1. Deep Packet Analysis: Decoding IEC104 with Wireshark and Zeek

Understanding IEC104’s structure—Application Protocol Control Information (APCI) and Application Service Data Units (ASDU)—is crucial for anomaly detection. Wireshark decodes all key components, including Type IDs (M_SP_NA_1 for single-point information, M_ME_NA_1 for measured values) and CP56Time2a timestamps. For continuous monitoring, a Zeek parser written in Spicy can log each IEC104 message to `iec104.log` with fields like apci_type, cause_tx, and common_address.

Step‑by‑Step: Capturing and Analyzing Live or PCAP Traffic

  1. Set up port mirroring (SPAN) on your lab switch to passively monitor traffic between the control center (master) and RTUs (slaves). Plug your analysis host into the mirror port.
  2. Start a packet capture in Wireshark on the mirrored interface, applying the display filter `iec104` to isolate protocol traffic.
  3. For Zeek monitoring, install the `zeek-iec104` plugin, then run: 
    zeek -r capture.pcap /path/to/zeek-iec104/scripts/

    The resulting `iec104.log` will provide structured, searchable records of every IEC104 message.

4. Detection Engineering: Open-Source Rules for IEC104 Anomalies

Commercial OT security tools can cost $50,000–$200,000 per site, leaving smaller utilities blind. Open-source initiatives like OT Sentinel provide Wazuh and Sigma rules for IEC104, mapped to the MITRE ATT&CK for ICS framework, specifically targeting techniques such as unauthorized command messages (T0855) and manipulation of view (T0832).

Step‑by‑Step: Deploying Detection Rules in Your Lab

1. Clone the OT Sentinel rule repository:

git clone https://github.com/Sbharadwaj05/ot-sentinel-rules.git

2. Import the IEC104 Sigma rules into your SIEM (e.g., Wazuh) using the provided `wazuh-logtest` validation scripts. Start with passive monitoring in your isolated LabShock environment.
3. Generate attack traffic using ICSForge, an open-source tool that supports 10 industrial protocols, 536 scenarios, and 11 attack chains mapped to MITRE ATT&CK for ICS (covering 82% of techniques). Run ICSForge in stealth mode to validate that your detection rules trigger on malicious but not normal traffic.

5. Proactive Hardening: Mitigating Known Vulnerabilities

Both CVE-2026-8479 and CVE-2026-1773 affect systems with IEC104 bidirectional functionality enabled. Enabling secure communication following IEC 62351-3 (TLS for IEC104) does not fully remediate these vulnerabilities, but it reduces the risk of exploitation.

Step‑by‑Step: Hardening Your OT Network

  1. Disable bidirectional IEC104 functionality if it is not operationally required. Review vendor documentation for your RTUs (e.g., Hitachi Energy RTU520–RTU560).
  2. Apply vendor patches immediately. For Hitachi Energy devices, reference security advisory `8DBD000237` for fixed firmware versions.
  3. Implement network segmentation using firewalls to restrict access to port 2404 to only authorized control center IPs. Consider an industrial DMZ architecture that separates corporate IT from OT networks.

  4. Advanced Attack Simulation: Fuzzing and Red Teaming IEC104

Fuzzing is a powerful technique to uncover protocol implementation flaws. Tools like the `scada-scanner` can enumerate vulnerable endpoints, but true red teaming requires sending malformed U-format frames and monitoring for service disruption.

Step‑by‑Step: Basic Fuzzing in a Lab Environment

  1. Set up a target IEC104 slave using LabShock’s PLC service or an open-source simulator.
  2. Use a fuzzer (e.g., a custom Python script using Scapy) to generate malformed APCI frames or invalid U-format sequences.
  3. Monitor the target’s service availability using a simple ICMP ping or a health check script. A successful fuzz test will reveal if the service crashes, simulating a DoS condition equivalent to the published CVEs.
  4. Validate detection coverage: Ensure your SIEM rules (from OT Sentinel) alert on the anomalous frame sequences.

What Undercode Say

  • IEC104 may be a legacy protocol, but its deep integration into global power grids means it will remain a critical attack surface for years. Understanding its operation is not optional for OT security professionals—it is mandatory.
  • The emergence of free, open-source tools like LabShock, OT Sentinel, and ICSForge democratizes OT security testing. Small utilities and water treatment plants can now build realistic cyber ranges and validate defenses without six-figure budgets. The key takeaway is to shift from passive theory to active, hands-on simulation. Start small: deploy LabShock on an old PC or NUC (it runs well on minimal hardware), run a Shodan scan on your own public IP ranges, and build detection rules one protocol at a time. The skills you develop in a safe lab transfer directly to protecting critical infrastructure.

Prediction

  • -1 As long as IEC104 remains unencrypted and widely deployed, attackers will continue to exploit its inherent weaknesses. We will see an increase in ransomware attacks targeting power distribution RTUs, leveraging DoS vulnerabilities like CVE-2026-8479 to cause physical disruptions before demanding payment.
  • +1 The growing availability of open-source OT security platforms and detection rule libraries will enable a new wave of community-driven threat intelligence sharing. Smaller energy cooperatives and municipal utilities will no longer be defenseless; they will adopt these free tools to harden their systems, creating a more resilient grid ecosystem over the next five years.

▶️ Related Video (76% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Zakharb Iec104 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: