1. Ports
  2. Port 2404

Port 2404: IEC-104 — The Port That Controls the Power Grid

What This Port Does

Port 2404 carries IEC 60870-5-104 (commonly called IEC 104), a telecontrol protocol used by electric utilities worldwide. It is the channel through which SCADA control centers communicate with Remote Terminal Units (RTUs) and Intelligent Electronic Devices (IEDs) at electrical substations.

The port is IANA-registered under the service name iec-104. 1

Concretely: when an operator at an energy control center sends a command to trip a circuit breaker at a substation 300 kilometers away, that command goes over TCP port 2404. When the substation sends back voltage measurements, current readings, and alarm states, those come back over port 2404. This is operational technology (OT) — the protocol doesn't manage servers or web traffic. It manages physical infrastructure.

How IEC 104 Works

IEC 104 is an adaptation of an older serial protocol, IEC 60870-5-101, extended to run over TCP/IP. The original IEC 101 was designed for serial connections over telephone lines. When utilities began moving to Ethernet networks in the late 1990s, the IEC needed a way to carry the same telecontrol messages over IP networks. IEC 104 is that bridge.

The protocol is simple. A control center (the "master") connects to a substation device (the "slave") on TCP port 2404. The two sides exchange structured messages called APDUs (Application Protocol Data Units). These messages carry:

  • Monitoring data: voltage, current, active power, switch status, alarms
  • Control commands: open breaker, close breaker, change tap position
  • Time synchronization: keeping all clocks aligned across the grid

The protocol is designed for reliability on unreliable links, with flow control and acknowledgment built in. It is not designed for security.

The History

IEC Technical Committee 57, Working Group 03 developed the IEC 60870-5 family of standards for telecontrol equipment used in electric power systems. IEC 60870-5-101 was published in 1995 for serial communication. IEC 60870-5-104 followed in 2000 as the TCP/IP extension. 2

The choice of port 2404 is embedded in the standard itself. The IEC assigned the port, and IANA subsequently registered it. Every IEC 104 implementation defaults to this port.

Security: The Real Problem

IEC 104 on port 2404 transmits everything in plaintext. There is no encryption. There is no authentication. If your device accepts a TCP connection on port 2404, it will execute commands from anyone who connects.

This was an acceptable design in 1995, when "the network" meant a dedicated serial line between two utility buildings. It is not acceptable today, when many of these same devices are reachable over IP networks, sometimes over the public Internet.

Industroyer (2016): The Industroyer malware, deployed against the Ukrainian power grid in December 2016, included a dedicated IEC 104 attack module. The attackers connected to substations on port 2404 and sent valid protocol commands to open circuit breakers. Approximately 200,000 customers lost power. The attack worked not by exploiting a software vulnerability but by using the protocol exactly as designed. 3

Shodan regularly surfaces IEC 104 services exposed to the public Internet. Some are honeypots. Some are not.

If you are running IEC 104, it should be on an isolated network, behind a firewall, with access restricted to known IP addresses. The protocol itself offers no protection.

The Secure Alternative: Port 19998

IEC 62351 defines security extensions for IEC 104, including TLS encryption and certificate-based authentication. Secure IEC 104 runs on TCP port 19998.

New installations should use port 19998. Port 2404 remains in widespread use because retrofitting security onto operational grid infrastructure is slow, expensive, and risky during the transition period. Legacy systems will be running on port 2404 for years.

Related Ports

PortProtocolUse
2404TCPIEC 60870-5-104 (plaintext)
19998TCPIEC 60870-5-104 with TLS (secure)
2101TCPIEC 60870-5-101 over TCP (older, less common)
4712TCPIEC 61968/61970 CIM (Common Information Model)

Checking What Is Listening on This Port

# Linux: see what process is listening
ss -tlnp | grep 2404

# macOS
lsof -i TCP:2404

# Windows
netstat -ano | findstr :2404

# Network-level scan (requires permission)
nmap -sV -p 2404 <target>

If you see something listening on port 2404 on a machine that is not industrial control equipment, it is worth investigating. Application software occasionally binds to registered ports for unrelated purposes.

Frequently Asked Questions

پێشوو

Port 2403: TaskMaster 2000 Web — A Registered Port with a Ghost

دواتر

Port 2405: TRC Netpoll — A Registered Ghost

ئایا ئەم پەڕەیە بەسوود بوو؟

😔
🤨
😃