Indirect Synchronisation Vulnerabilities in the IEC 60870-5-104 Standard. / Wolthusen, Stephen; Baiocco, Alessio.

Proceedings of the 2018 IEEE PES Innovative Smart Grid Technologies Conference. IEEE Press, 2018. p. 1.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Control systems rely on correct causal ordering and typically also on exact times and time relationships between events. For non-trivial systems, this implies synchronisation between distributed components, potentially from sensors and actuators up to SCADA hierarchies. Whilst this can be accomplished by point-to-point synchronisation against a common reference such as GNSS (global navigation satellite system) signals, common practice and its codification in the ISO/IEC 60870-5-104 protocol, which is widely used in the power control domain, call for the Network Time Protocol (NTP).

In this paper we therefore describe attack patterns that allow the undetected partial replay of legitimate messages and the injection of messages, even in the presence of ISO/IEC 62351 protective measures, by means of a multi-staged attack targeting time synchronisation protocols, and specifically NTP, which results in a de-synchronisation between a PLC/RTU and higher-level SCADA components. We demonstrate the feasibility of such attacks in a co-emulation environment.
Original language: English
Title of host publication: Proceedings of the 2018 IEEE PES Innovative Smart Grid Technologies Conference
Publisher: IEEE Press
Number of pages: 6
State: Accepted/In press - 21 May 2018

This open access research output is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

ID: 30300947