Port reference

Port 2404 (TCP) – IEC 60870-5-104

IEC 60870-5-104 telecontrol protocol — monitors and commands RTUs and substations over TCP/IP in power grids.

tcp · Registered · Commonly attacked

Default state

Open on RTUs, substation gateways, and SCADA front ends speaking IEC-104, with no authentication on the protocol.

Common attacks

  • Unauthenticated control commands (breaker open/close) injected to RTUs
  • Reading telemetry and ASDU data to map the grid
  • Spoofing and replay of monitoring/command APDUs
  • Denial of service against substation gateways

Hardening

  • Never expose port 2404 to the internet — isolate telecontrol on an OT WAN
  • Segment with firewalls/DMZ and restrict to authorized control centers
  • Wrap links in IPsec/VPN or use IEC 62351 security extensions
  • Monitor with an ICS IDS for unexpected control ASDUs

nmap snippet

nmap -p2404 --script banner <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 2404?

Port 2404 carries IEC 60870-5-104 (IEC-104), the TCP/IP telecontrol protocol used in electrical power systems. Control centers exchange ASDUs with RTUs and substation gateways to read telemetry (voltages, currents, status) and send commands such as opening or closing breakers. It is the IP profile of the serial IEC 60870-5-101 standard.

Why it matters for security

IEC-104 was designed for dedicated, trusted telecontrol links and has no authentication, no encryption, and no integrity protection. Any host that reaches port 2404 can read grid state and inject control commands, directly affecting the physical power network. Because the impact includes tripping breakers and disrupting electricity supply, exposed IEC-104 endpoints are treated as critical-infrastructure and national-security risks.

How it's attacked

Attackers identify endpoints by banner-grabbing port 2404 or via Shodan, then read monitoring ASDUs to map the substation. With no authentication, they can inject single/double commands to operate field equipment, or replay and spoof APDUs. Flooding the gateway causes a denial of service that blinds operators.

Hardening checklist

Never expose port 2404 to the internet — keep telecontrol on a dedicated, isolated OT WAN behind firewalls and a DMZ, and allowlist only authorized control centers. Wrap links in IPsec/VPN and, where supported, apply the IEC 62351 security extensions for authentication. Deploy an ICS IDS to alert on unexpected control ASDUs. Use the nmap snippet above only on systems you are authorized to test.
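As an added example (not code from this page or from any IDS product), the sketch below shows the kind of check an ICS IDS rule performs for "unexpected control ASDUs": it walks the APDUs in a reassembled TCP payload, reads the ASDU type ID, and alerts when a command type arrives from a host outside the control-center allowlist. The function names, IP addresses and sample bytes are constructed for illustration.

```python
import struct

# Process-control type IDs in the control direction: 45-51 (commands and
# set points) and 58-64 (the same with CP56Time2a time tags).
CONTROL_TYPES = set(range(45, 52)) | set(range(58, 65))
TYPE_NAMES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1"}

def parse_apdus(payload: bytes):
    """Yield one dict per I-format APDU in a reassembled TCP payload."""
    pos = 0
    while pos + 6 <= len(payload):
        length = payload[pos + 1]            # octets after the length field
        end = pos + 2 + length
        if payload[pos] != 0x68 or not 4 <= length <= 253 or end > len(payload):
            break                            # misaligned, malformed or truncated
        ctrl, asdu = payload[pos + 2:pos + 6], payload[pos + 6:end]
        pos = end
        if ctrl[0] & 0x01 or len(asdu) < 9:  # S/U frame, or too short for an ASDU
            continue
        type_id, _vsq, cot, _orig, ca = struct.unpack_from("<BBBBH", asdu)
        ioa = int.from_bytes(asdu[6:9], "little")  # first information object
        yield {"type": type_id, "cot": cot & 0x3F, "ca": ca, "ioa": ioa}

def alerts(src_ip, payload, allowed_masters):
    """Alert on control ASDUs sent by hosts outside the allowlist."""
    out = []
    for a in parse_apdus(payload):
        if a["type"] in CONTROL_TYPES and src_ip not in allowed_masters:
            name = TYPE_NAMES.get(a["type"], f"type {a['type']}")
            out.append(f"{src_ip}: {name} cot={a['cot']} ca={a['ca']} ioa={a['ioa']}")
    return out

# Constructed sample payload: STARTDT act (U-format), M_SP_NA_1 spontaneous
# (type 1, IOA 100), C_SC_NA_1 activation (type 45, IOA 1).
SAMPLE = bytes.fromhex(
    "680407000000"
    "680e00000000" "010103000100" "640000" "01"
    "680e02000000" "2d0106000100" "010000" "01"
)
ALLOWED = {"10.0.0.5"}                       # constructed control-center address

if __name__ == "__main__":
    for line in alerts("192.0.2.77", SAMPLE, ALLOWED):
        print(line)
```

A production sensor would also track sequence numbers and the cause of transmission per connection; this sketch covers only the source-versus-type check.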

Frequently asked questions

Does IEC-104 have authentication?
No. IEC 60870-5-104 has no built-in authentication or encryption. Any host that reaches port 2404 can read telemetry and inject control commands such as opening or closing breakers. IEC 62351 adds optional security on top.

Why is IEC-104 considered critical infrastructure?
IEC-104 is the telecontrol protocol used between control centers and electrical substations. Manipulating it can trip breakers and disrupt power delivery, so exposed RTUs are treated as a national-security-grade risk.