OT Security: IEC 104 Attack and Defend
Objective
In the ever-evolving landscape of cyber threats, let us have a look at a rapidly developing domain in cyber-security: Operational Technology (OT) security. In this post we will run an attack and defend exercise against IEC 104, a communication protocol used by many types of OT/ICS systems.
Threats towards OT Systems - A Quick Introduction
To understand the importance of OT security and the growing threat landscape, let's take a look at a case from geopolitical warfare.
During the Russia-Ukraine war, Mandiant documented a coordinated cyber campaign by Russian state-sponsored threat groups. A key actor in this campaign was the APT tracked as Sandworm (a.k.a. APT44), which has been attributed to Russian military intelligence (GRU).
Sandworm used custom OT/ICS malware, notably INDUSTROYER.V2, in targeted attacks on Ukrainian energy infrastructure, and its operations against substations were timed with physical missile and drone strikes to increase the damage and gain a tactical advantage, especially since the war was going on through the winter.
This case, among many, shows how quickly OT threats are evolving and how they fit into the bigger picture of cyberwarfare. It also highlights why the industry needs to shift its attention to securing OT/ICS systems, so that critical infrastructure stays secure and keeps providing services during wars and other disruptions.
IEC 104 - Overview
IEC 104 (IEC 60870-5-104) is a communication protocol used by many OT/ICS and SCADA systems, especially those that are part of energy and power infrastructure.
It provides remote control and monitoring over TCP/IP and is usually used to connect control centers (the controlling station, or master/client) to RTUs, IEDs and substations (the controlled station, or slave/server); the controlled station listens on TCP port 2404 by default. Over this protocol, data points such as breaker status, tank levels, etc. can be monitored, ingested, and controlled.
Target Lab Setup
To simulate an IEC 104 setup, I will be using an open-source OT honeypot project called Conpot along with Kali Linux. Conpot is an ICS/SCADA honeypot that ships with several device templates, one of which emulates an IEC 104 station.
Conpot can be installed using Docker as such:
docker pull honeynet/conpot
And can be run using the command:
docker run -it -p 80:80 -p 102:102 -p 502:502 -p 161:161/udp --network=bridge honeynet/conpot:latest /bin/sh
Note that port 2404 is not published here; the scans below target the container's bridge IP directly, so that is not needed. The Conpot binary is in ~/.local/bin inside the container. To run it with the IEC 104 template, we do:
~/.local/bin $ ./conpot -f -t IEC104
This spins up an IEC 104 test environment that emulates a single substation.
Red Team - Attack
Let's go over the Red Team part of this exercise. Our objective is to compromise the substation and tamper with critical resources by sending malicious control commands in order to cause cyber-physical damage.
Target Reconnaissance
First, we will conduct some reconnaissance on the target IP. We will be using nmap for this, with the flags -Pn and -p- to skip the ping check and scan all TCP ports.
kali:iec104_testing:% nmap 172.17.0.2 -Pn -p-
Starting Nmap 7.94 ( https://nmap.org ) at 2025-05-09 08:13 EDT
Nmap scan report for 172.17.0.2
Host is up (0.000034s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT STATE SERVICE
2404/tcp open iec-104
Nmap done: 1 IP address (1 host up) scanned in 7.85 seconds
From the output we can see that the service iec-104 is running on port 2404 of our Conpot instance. This only confirms that the service is listening; to exchange data with it we need to know the station behind it, because every IEC 104 request and response is tagged with the address of the RTU it concerns.
An Application Service Data Unit (ASDU) is the message wrapper that carries data points between a Remote Terminal Unit (RTU) and the master. Each ASDU carries a Common Address of ASDU (CA), a two-byte station address that identifies the RTU the data belongs to; the value 65535 is the broadcast address that every station accepts.
nmap has a neat script to discover these ASDU addresses, called iec-identify.nse. Let's utilize it:
kali:iec104_testing:% nmap 172.17.0.2 -Pn -p 2404 --script iec-identify.nse
Starting Nmap 7.94 ( https://nmap.org ) at 2025-05-11 08:44 EDT
Nmap scan report for 172.17.0.2
Host is up (0.00047s latency).
PORT STATE SERVICE
2404/tcp open iec-104
| iec-identify:
| ASDU address: 7720
|_ Information objects: 59
Nmap done: 1 IP address (1 host up) scanned in 8.78 seconds
The output shows one station behind the service, with ASDU common address 7720, which will come in handy in later stages of the attack. Another notable observation is the number of information objects (59).
An Information Object is a data point contained within an ASDU. Information Objects carry the actual process data: status and measurements reported by the RTU, such as breaker position or sensor readings, and commands sent to it by the master.
Each Information Object has an Information Object Address (IOA), which is the address of the data point within the station. Along with the IOA, the value and quality flags of each data point can be observed.
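To make the ASDU, Common Address and IOA fields concrete, and to show what iec-identify does on the wire, here is a small IEC 104 frame builder and parser added for this post (it is neither Conpot's code nor the nmap script). It builds the STARTDT U-frame and the C_IC_NA_1 general interrogation that a master sends to the broadcast common address 65535, and it decodes the I-frame a station answers with. The reply bytes are constructed for illustration, reusing CA 7720 from the scan output; they were not captured from the lab, and the 12.5 measurement and IOA values in the usage are made up.

```python
"""Minimal IEC 60870-5-104 (IEC 104) frame builder and parser.

Added example for this post; not Conpot code and not the nmap iec-identify script.
Layouts follow the IEC 60870-5-104 APCI and the IEC 60870-5-101 ASDU header.
The sample bytes at the bottom are constructed, not captured from an RTU.
"""
import struct
from typing import Dict, List, Tuple

START_BYTE = 0x68
BROADCAST_CA = 0xFFFF   # "all stations" common address, used to discover a station's real CA
C_IC_NA_1 = 100         # general interrogation command (control direction)
M_SP_NA_1 = 1           # single-point information, e.g. breaker open/closed (monitor direction)
M_ME_NC_1 = 13          # measured value, short float, e.g. a tank level (monitor direction)
ELEMENT_SIZE = {C_IC_NA_1: 1, M_SP_NA_1: 1, M_ME_NC_1: 5}   # bytes that follow the 3-byte IOA
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}


def build_u_frame(function: int) -> bytes:
    """U-format APDU: fixed length 4, function code in control octet 1, no ASDU."""
    return bytes([START_BYTE, 4, function, 0, 0, 0])


def build_asdu(type_id: int, cause: int, common_address: int,
               objects: List[Tuple[int, bytes]], originator: int = 0) -> bytes:
    """ASDU header (type id, VSQ with SQ=0, COT, originator, 2-byte CA) + IOA/element pairs."""
    if not 1 <= len(objects) <= 127:
        raise ValueError("VSQ carries at most 127 objects")
    header = bytes([type_id, len(objects), cause & 0x3F, originator]) + struct.pack("<H", common_address)
    return header + b"".join(struct.pack("<I", ioa)[:3] + element for ioa, element in objects)


def build_i_frame(send_seq: int, recv_seq: int, asdu: bytes) -> bytes:
    """I-format APDU: N(S) and N(R) are 15-bit counters stored shifted left by one bit."""
    body = struct.pack("<HH", (send_seq & 0x7FFF) << 1, (recv_seq & 0x7FFF) << 1) + asdu
    if len(body) > 253:
        raise ValueError("APDU length octet is limited to 253")
    return bytes([START_BYTE, len(body)]) + body


def general_interrogation(common_address: int = BROADCAST_CA, send_seq: int = 0, recv_seq: int = 0) -> bytes:
    """C_IC_NA_1, COT 6 (activation), IOA 0, QOI 20 (station interrogation).
    Sent to the broadcast CA, this is the probe used to learn which CA a station answers for."""
    return build_i_frame(send_seq, recv_seq, build_asdu(C_IC_NA_1, 6, common_address, [(0, bytes([20]))]))


def _decode_element(type_id: int, raw: bytes) -> Tuple[object, int]:
    """Return (value, raw quality/qualifier bits) for the element of one information object."""
    if type_id == M_SP_NA_1:        # SIQ: bit 0 = SPI (0 off / 1 on), bits 4-7 = BL, SB, NT, IV
        return raw[0] & 0x01, raw[0] & 0xF0
    if type_id == M_ME_NC_1:        # IEEE 754 short float followed by a QDS quality octet
        return struct.unpack("<f", raw[:4])[0], raw[4]
    return raw[0], 0                # C_IC_NA_1: the QOI byte


def parse_asdu(data: bytes) -> dict:
    if len(data) < 6:
        raise ValueError("ASDU shorter than its 6-byte header")
    type_id, vsq, cot, originator = data[0], data[1], data[2], data[3]
    common_address = struct.unpack_from("<H", data, 4)[0]
    count, sequence = vsq & 0x7F, bool(vsq & 0x80)
    if type_id not in ELEMENT_SIZE:
        raise ValueError(f"unsupported type id {type_id}")
    size, pos, ioa, objects = ELEMENT_SIZE[type_id], 6, 0, []
    for i in range(count):
        if i == 0 or not sequence:  # SQ=1: only the first object carries an IOA, the rest are contiguous
            ioa, pos = int.from_bytes(data[pos:pos + 3], "little"), pos + 3
        else:
            ioa += 1
        if pos + size > len(data):
            raise ValueError("ASDU truncated inside an information object")
        value, qualifier = _decode_element(type_id, data[pos:pos + size])
        objects.append({"ioa": ioa, "value": value, "qualifier": qualifier})
        pos += size
    if pos != len(data):
        raise ValueError("trailing bytes after the last information object")
    return {"type_id": type_id, "cause": cot & 0x3F, "originator": originator,
            "common_address": common_address, "objects": objects}


def parse_apdu(data: bytes) -> dict:
    if len(data) < 6 or data[0] != START_BYTE:
        raise ValueError("not an IEC 104 APDU")
    if data[1] != len(data) - 2:
        raise ValueError("APDU length octet does not match the frame")
    c1, c2, c3, c4 = data[2:6]
    if c1 & 0x01 == 0:              # I-format: bit 0 of control octet 1 clear
        return {"fmt": "I", "send_seq": (c1 | c2 << 8) >> 1, "recv_seq": (c3 | c4 << 8) >> 1,
                "asdu": parse_asdu(data[6:])}
    if c1 & 0x03 == 0x01:           # S-format: supervisory acknowledgement, carries N(R) only
        return {"fmt": "S", "recv_seq": (c3 | c4 << 8) >> 1}
    return {"fmt": "U", "function": U_FUNCTIONS.get(c1, f"unknown 0x{c1:02x}")}


def summarize_stations(frames: List[bytes]) -> Dict[int, int]:
    """Count information objects per common address across I-frames (what iec-identify reports)."""
    counts: Dict[int, int] = {}
    for apdu in map(parse_apdu, frames):
        if apdu["fmt"] == "I":
            ca = apdu["asdu"]["common_address"]
            counts[ca] = counts.get(ca, 0) + len(apdu["asdu"]["objects"])
    return counts


# Constructed reply from a station with CA 7720 (0x1E28): three single points from IOA 100 up,
# SQ=1, COT 20 = "interrogated by station interrogation". Not captured traffic.
SAMPLE_RESPONSE = bytes.fromhex("6810 00000200 01 83 1400 281e 640000 01 00 81".replace(" ", ""))

if __name__ == "__main__":
    print("STARTDT act:", build_u_frame(0x07).hex(), " GI to broadcast:", general_interrogation().hex())
    print(parse_apdu(SAMPLE_RESPONSE), summarize_stations([SAMPLE_RESPONSE]))
```

The parser is deliberately strict (length octet must match, no trailing bytes, unknown type IDs rejected) because a controlled station that silently accepts malformed frames is exactly the kind of behaviour a fuzzing pass against an RTU looks for; the same code run against Conpot's replies should yield the CA 7720 reported by iec-identify.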