Causality Re-Ordering Attacks on the IEC 60870-5-104 Protocol

Alessio Baiocco, Stephen Wolthusen

Research output: Chapter in Book/Report/Conference proceeding: Conference contribution



The ISO/IEC 60870-5-104 standard for sending telecontrol messages, first published in 2000, does not include security features, although the ISO/IEC 62351 standard adds features such as integrity protection and authentication, even if this is not yet widely used. However, in this paper we argue that even in the presence of such security extensions, it is still possible to realise attacks by subverting the temporal relation between APDUs which implementations assume to be correct. To this end we have investigated attacks against the Network Time Protocol (NTP) used for clock synchronisation in most implementations and demonstrate that Master and Slave entities, or other entities including intrusion detection sensors, can be made to obtain messages with different time-stamps. This can lead to the assumption of causality reversal and will affect both control loops and process reconstruction by auditing, monitoring, and intrusion detection systems. We demonstrate these results analytically and in a scenario based on a simulation framework allowing the study of different topologies and their varying effects on the visibility of messages and time synchronisation, before proposing a mitigation mechanism.
Original language: English
Title of host publication: Proceedings of the 2018 IEEE PES General Meeting
Publisher: IEEE Press
Number of pages: 5
ISBN (Electronic): 978-1-5386-7703-2
Publication status: Published - 24 Dec 2018
