Indirect Synchronisation Vulnerabilities in the IEC 60870-5-104 Standard

Alessio Baiocco, Stephen Wolthusen

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution



Control systems rely on correct causal ordering and typically also on exact times and time relationships between events. For non-trivial systems this implies synchronisation between distributed components, potentially from sensors and actuators up to SCADA hierarchies. Whilst this can be accomplished by point-to-point synchronisation against a common reference such as GNSS (global navigation satellite system) signals, common practice, codified in the IEC 60870-5-104 protocol widely used in the power control domain, calls for the Network Time Protocol (NTP). In this paper we therefore describe attack patterns that allow the undetected partial replay of legitimate messages and the injection of messages even in the presence of IEC 62351 protective measures. The patterns form a multi-staged attack that targets time synchronisation protocols, specifically NTP, and results in de-synchronisation between a PLC/RTU and higher-level SCADA components. We demonstrate the feasibility of such attacks in a co-emulation environment.
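The abstract's central point, that message authentication alone does not stop replay once the receiver's clock has been pulled away from the sender's, can be illustrated without reproducing the paper's NTP attack. The following is an added example and not code from the paper or its authors: it encodes the 7-byte CP56Time2a timestamp carried in time-tagged IEC 60870-5-104 ASDUs, protects the ASDU with a keyed MAC (a stand-in for IEC 62351 message authentication; the real scheme is more elaborate), and checks freshness against the receiver's clock. The ASDU bytes, key, acceptance window and the 10-minute skew are constructed assumptions. A replayed message fails the freshness check on a correctly synchronised receiver but passes once the receiver's clock has been shifted back, while the MAC verifies in both cases because the bytes are unmodified.

```python
"""
Added illustration (not from the paper): a timestamp-based freshness check on
IEC 60870-5-104 ASDUs is only as good as the receiver's clock. All constants
below are constructed assumptions for the demonstration.
"""
import hashlib
import hmac
from datetime import datetime, timedelta

KEY = b"constructed-demo-key"            # assumed shared authentication key
FRESHNESS_WINDOW = timedelta(seconds=30)  # assumed acceptance window
TAG_LEN = 8                               # truncated MAC length (assumption)


def encode_cp56time2a(ts: datetime) -> bytes:
    """Encode a datetime as the 7-byte CP56Time2a time tag of IEC 60870-5-4."""
    ms = ts.second * 1000 + ts.microsecond // 1000     # milliseconds 0..59999
    return bytes([
        ms & 0xFF,
        (ms >> 8) & 0xFF,
        ts.minute & 0x3F,                                # bit 7 (IV, invalid) left clear
        ts.hour & 0x1F,                                  # bit 7 (SU, summer time) left clear
        (ts.day & 0x1F) | ((ts.isoweekday() & 0x07) << 5),  # day of month + day of week
        ts.month & 0x0F,
        (ts.year - 2000) & 0x7F,                         # years since 2000
    ])


def decode_cp56time2a(b: bytes) -> datetime:
    """Inverse of encode_cp56time2a; ignores the IV/SU flag bits."""
    ms = b[0] | (b[1] << 8)
    return datetime(2000 + (b[6] & 0x7F), b[5] & 0x0F, b[4] & 0x1F,
                    b[3] & 0x1F, b[2] & 0x3F, ms // 1000, (ms % 1000) * 1000)


def build_asdu(payload: bytes, sent_at: datetime) -> bytes:
    """Append the time tag and a keyed MAC (stand-in for IEC 62351 authentication)."""
    body = payload + encode_cp56time2a(sent_at)
    tag = hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def verify_asdu(asdu: bytes, receiver_now: datetime) -> tuple:
    """Return (mac_ok, fresh): MAC validity and whether the time tag lies
    within FRESHNESS_WINDOW of the receiver's own clock."""
    body, tag = asdu[:-TAG_LEN], asdu[-TAG_LEN:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    mac_ok = hmac.compare_digest(expected, tag)
    msg_time = decode_cp56time2a(body[-7:])
    fresh = abs(receiver_now - msg_time) <= FRESHNESS_WINDOW
    return mac_ok, fresh


# Constructed C_SC_TA_1 (type 58, single command with time tag) header and
# information object: VSQ=1, COT=6 (activation), CA=1, IOA=1, SCO=ON.
COMMAND = bytes([0x3A, 0x01, 0x06, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01])


def replay_scenario(receiver_skew: timedelta) -> tuple:
    """An attacker records a legitimate command and replays it 10 minutes later.
    receiver_skew is how far the receiver's clock has been pulled from true
    time (e.g. by a manipulated NTP source); zero means it is synchronised."""
    sent_at = datetime(2018, 2, 19, 12, 0, 0)            # constructed send time
    captured = build_asdu(COMMAND, sent_at)
    replayed_at = sent_at + timedelta(minutes=10)        # true time of the replay
    receiver_clock = replayed_at + receiver_skew
    return verify_asdu(captured, receiver_clock)


if __name__ == "__main__":
    print("synchronised receiver:", replay_scenario(timedelta(0)))
    print("receiver skewed -10 min:", replay_scenario(timedelta(minutes=-10)))
```

The skew in the second call stands in for the outcome of the desynchronisation the abstract describes; the example does not model the NTP manipulation itself. The practitioner's takeaway is that replay protection must not rest on the receiver's wall clock alone: a monotonic per-association sequence number or challenge-response nonce survives clock manipulation, whereas a time window does not.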
Original language: English
Title of host publication: Proceedings of the 2018 IEEE PES Innovative Smart Grid Technologies Conference
Publisher: IEEE Press
Number of pages: 6
ISBN (Electronic): 978-1-5386-4505-5
Publication status: Published - 2018
