Indirect Synchronisation Vulnerabilities in the IEC 60870-5-104 Standard
Baiocco, Alessio; Wolthusen, Stephen

Proceedings of the 2018 IEEE PES Innovative Smart Grid Technologies Conference. IEEE Press, 2018. p. 1-6.

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

Control systems rely on correct causal ordering and typically also on exact times and time relationships between events. For non-trivial systems, this implies synchronisation between distributed components, potentially from sensors and actuators up to SCADA hierarchies. Whilst this can be accomplished by point-to-point synchronisation against a common reference such as GNSS (global navigation satellite system) signals, common practice, and its codification in the ISO/IEC 60870-5-104 protocol widely used in the power control domain, calls for the Network Time Protocol (NTP). In this paper we therefore describe attack patterns that allow the undetected partial replay of legitimate messages and the injection of messages, even in the presence of ISO/IEC 62351 protective measures, in a multi-staged attack targeting time synchronisation protocols and specifically NTP, resulting in a de-synchronisation between a PLC/RTU and higher-level SCADA components. We demonstrate the feasibility of such attacks in a co-emulation environment.
Original language: English
Title of host publication: Proceedings of the 2018 IEEE PES Innovative Smart Grid Technologies Conference
Publisher: IEEE Press
Number of pages: 6
ISBN (Electronic): 978-1-5386-4505-5
Publication status: Published - 2018
This open access research output is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

ID: 30300947