What Actually Travels Through IEC 104 Port 2404?
Every second, critical infrastructure exchanges thousands of IEC 60870-5-104 messages carrying process data, measurements, status signals, and control commands that directly influence physical operations.
Most people know one fact about IEC 60870-5-104.
It uses TCP port 2404.
The more interesting question is:
What actually travels through it?
Every second, power plants, substations, water treatment facilities, and industrial sites exchange thousands of IEC 104 messages.
Not documents.
Not diagrams.
Real process data.
What Is IEC 104?
IEC 60870-5-104, commonly known as IEC 104, is one of the most widely deployed communication protocols in critical infrastructure.
It is commonly used between:
- SCADA systems
- RTUs
- PLCs
- IEDs
- Control centers
IEC 104 carries the same application-layer messages (ASDUs) as its serial predecessor, IEC 60870-5-101, but transports them over TCP/IP instead of a serial link, which makes it suitable for modern routed industrial networks.
Its simplicity, interoperability, and reliability contributed to widespread adoption across energy, water, transportation, and industrial sectors.
What Travels Inside IEC 104?
IEC 104 carries information that represents the state of real-world processes.
Digital Signals
Binary process states such as:
- Pump Running
- Breaker Open
- Emergency Stop Active
- Boiler Fault
- Alarm Status
- Equipment Availability
These values often represent the current condition of field equipment.
Analog Measurements
Continuous process values such as:
- Voltage
- Current
- Pressure
- Temperature
- Flow Rate
- Tank Level
These measurements provide visibility into operational conditions.
Control Commands
Actions that influence industrial processes:
- Pump Start / Stop
- Valve Open / Close
- Breaker Open / Close
- Setpoint Changes
- Remote Control Operations
Unlike passive monitoring protocols, IEC 104 supports commands that can directly affect physical systems.
Common IEC 104 Type IDs
Several message types appear frequently in operational environments.
M_SP_NA_1 (Type ID 1, 0x01)
Single-point information
One bit per object (the SPI) plus quality flags; represents simple digital states.
M_ME_NC_1 (Type ID 13, 0x0D)
Measured value, short floating point number
A 32-bit IEEE 754 float plus a quality descriptor; used for analog process values.
C_SC_NA_1 (Type ID 45, 0x2D)
Single command
An ON/OFF command with a select/execute bit; used to control field devices.
C_DC_NA_1 (Type ID 46, 0x2E)
Double command
An explicit OFF/ON command (the two remaining states are not permitted); typically used for operations such as breaker control.
C_IC_NA_1 (Type ID 100, 0x64)
Interrogation command
Requests the current process data from a remote device (general interrogation).
C_CS_NA_1 (Type ID 103, 0x67)
Clock synchronization command
Carries a 7-byte CP56Time2a timestamp to synchronize time between systems.
The Architecture Is Simple
A typical communication path looks like this:
SCADA / Control Center (controlling station)
↓ TCP connection to port 2404
RTU / PLC / IED (controlled station)
The controlling station opens the TCP connection to port 2404 on the controlled station, sends STARTDT to begin data transfer, and from then on both sides exchange numbered I-frames carrying ASDUs.
The protocol is straightforward.
That simplicity helped drive adoption across critical infrastructure.
The Security Challenge
The same simplicity that makes IEC 104 effective can also create security concerns.
Many deployments still rely on trust-based communication models: whoever can reach port 2404 is treated as a legitimate controlling station.
The base protocol defines no authentication and no encryption; the IEC 62351 extensions (TLS transport in IEC 62351-3, application-layer authentication in IEC 62351-5) exist but are not widely deployed, so in many environments protocol-level authentication is absent.
This raises important operational questions.
Can unauthorized commands be identified?
Can unexpected control operations be detected?
Can device behavior be validated under different scenarios?
Can command execution be measured and monitored?
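The Type IDs listed above, the connection path, and the first two questions in this section can be made concrete with a small decoder. The following Python is an added example written for this page, not code from the original article or from any IEC 104 implementation. It parses APDUs using the default IEC 104 parameter sizes (2-byte cause of transmission, 2-byte common address, 3-byte information object address), decodes the six Type IDs above, and applies a constructed policy to flag control commands from an unexpected source or to an unexpected point. The master address 10.10.1.5, the commandable IOAs 3000 and 3001, and every sample APDU are assumptions built by hand for the example, not captured from a real network.

```python
import struct

# Type identifications covered on this page (IEC 60870-5-101/104 ASDU types)
TYPE_NAMES = {1: "M_SP_NA_1", 13: "M_ME_NC_1", 45: "C_SC_NA_1",
              46: "C_DC_NA_1", 100: "C_IC_NA_1", 103: "C_CS_NA_1"}
COMMAND_TYPES = {45, 46}                    # commands that act on field equipment
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}

# Constructed detection policy (assumptions for this example, not from the article):
# the only master allowed to issue commands, and the IOAs it may command.
AUTHORIZED_MASTERS = {"10.10.1.5"}
COMMANDABLE_IOAS = {3000, 3001}


def parse_element(type_id, buf, pos):
    """Decode one information element; returns (fields, position after it)."""
    if type_id == 1:                        # SIQ: bit 0 = SPI value, bit 7 = IV (invalid)
        return {"value": buf[pos] & 1, "invalid": bool(buf[pos] & 0x80)}, pos + 1
    if type_id == 13:                       # IEEE 754 short float (LE) + QDS quality byte
        val = struct.unpack_from("<f", buf, pos)[0]
        return {"value": val, "invalid": bool(buf[pos + 4] & 0x80)}, pos + 5
    if type_id == 45:                       # SCO: bit 0 = SCS (1 = ON), bit 7 = S/E (1 = select)
        return {"value": buf[pos] & 1, "select": bool(buf[pos] & 0x80)}, pos + 1
    if type_id == 46:                       # DCO: bits 0-1 = DCS (1 = OFF, 2 = ON), bit 7 = S/E
        return {"value": buf[pos] & 3, "select": bool(buf[pos] & 0x80)}, pos + 1
    if type_id == 100:                      # QOI: 20 = station (general) interrogation
        return {"qoi": buf[pos]}, pos + 1
    if type_id == 103:                      # CP56Time2a: ms(2), min, hour, day, month, year
        ms, mi, hr, dy, mo, yr = struct.unpack_from("<HBBBBB", buf, pos)
        stamp = "20%02d-%02d-%02d %02d:%02d:%06.3f" % (
            yr & 0x7F, mo & 0x0F, dy & 0x1F, hr & 0x1F, mi & 0x3F, ms / 1000)
        return {"time": stamp}, pos + 7
    raise ValueError("type %d is not decoded in this example" % type_id)


def parse_asdu(asdu):
    """ASDU with the default IEC 104 sizes: COT 2 bytes, common address 2, IOA 3."""
    type_id, sq, count = asdu[0], asdu[1] >> 7, asdu[1] & 0x7F
    info = {"type": TYPE_NAMES.get(type_id, "type %d" % type_id), "type_id": type_id,
            "cot": asdu[2] & 0x3F, "negative": bool(asdu[2] & 0x40),
            "common_addr": struct.unpack_from("<H", asdu, 4)[0], "objects": []}
    pos, ioa = 6, 0
    for i in range(count):
        if i == 0 or not sq:                # SQ=1: one IOA, then consecutive elements
            ioa, pos = int.from_bytes(asdu[pos:pos + 3], "little"), pos + 3
        else:
            ioa += 1
        fields, pos = parse_element(type_id, asdu, pos)
        info["objects"].append({"ioa": ioa, **fields})
    return info


def parse_apdu(data):
    """Decode one APDU: 0x68, length, 4 control bytes, then an ASDU for I-frames."""
    if len(data) < 6 or data[0] != 0x68 or data[1] != len(data) - 2:
        raise ValueError("not a well-formed IEC 104 APDU")
    c = data[2:6]
    if (c[0] & 1) == 0:                     # I-frame: numbered, carries process data
        frame = {"frame": "I", "send_seq": (c[0] >> 1) | (c[1] << 7),
                 "recv_seq": (c[2] >> 1) | (c[3] << 7)}
        frame.update(parse_asdu(data[6:]))
        return frame
    if (c[0] & 3) == 1:                     # S-frame: acknowledgement only
        return {"frame": "S", "recv_seq": (c[2] >> 1) | (c[3] << 7)}
    return {"frame": "U", "function": U_FUNCTIONS.get(c[0], "unknown")}


def check_command(src_ip, apdu):
    """Return an alert string if a control command violates the policy, else None."""
    f = parse_apdu(apdu)
    if f["frame"] != "I" or f["type_id"] not in COMMAND_TYPES:
        return None
    for obj in f["objects"]:
        if src_ip not in AUTHORIZED_MASTERS:
            return "%s from unauthorized source %s to IOA %d" % (f["type"], src_ip, obj["ioa"])
        if obj["ioa"] not in COMMANDABLE_IOAS:
            return "%s to unexpected IOA %d" % (f["type"], obj["ioa"])
    return None


def audit(traffic):
    """Run the policy over (source IP, APDU) pairs and collect the alerts."""
    return [a for a in (check_command(ip, apdu) for ip, apdu in traffic) if a]


# Constructed traffic for the example (hand-built, not captured from a real network).
SAMPLE_TRAFFIC = [
    ("10.10.1.5", bytes.fromhex("68 04 07 00 00 00")),                               # U: STARTDT act
    ("10.10.1.5", bytes.fromhex("68 0E 00 00 00 00 64 01 06 00 01 00 00 00 00 14")), # C_IC_NA_1, QOI 20
    ("10.10.2.20", bytes.fromhex("68 0E 00 00 02 00 01 01 14 00 01 00 64 00 00 01")),# M_SP_NA_1, IOA 100 ON
    ("10.10.2.20", bytes.fromhex("68 12 02 00 02 00 0D 01 03 00 01 00 88 13 00")
     + struct.pack("<f", 230.5) + b"\x00"),                                          # M_ME_NC_1, IOA 5000
    ("10.10.1.5", bytes.fromhex("68 14 02 00 04 00 67 01 06 00 01 00 00 00 00 39 30 1E 0E 05 03 18")),  # C_CS_NA_1
    ("10.10.1.5", bytes.fromhex("68 0E 04 00 04 00 2D 01 06 00 01 00 B8 0B 00 01")), # C_SC_NA_1, IOA 3000 ON
    ("10.10.9.99", bytes.fromhex("68 0E 06 00 04 00 2E 01 06 00 01 00 B8 0B 00 01")),# C_DC_NA_1 from a rogue host
]

if __name__ == "__main__":
    for ip, apdu in SAMPLE_TRAFFIC:
        print(ip, parse_apdu(apdu))
    for alert in audit(SAMPLE_TRAFFIC):
        print("ALERT:", alert)
```

Run stand-alone, the script decodes each sample frame and then prints one alert: the double command to IOA 3000 from 10.10.9.99, which the policy does not recognise as a master. The single command from 10.10.1.5 to the same IOA passes, because nothing in the protocol distinguishes the two; only the out-of-band policy (which hosts may command which points) does, which is why the detection needs a validated baseline rather than an assumption about who is on the network.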
Why Visibility Matters
Understanding IEC 104 is not about memorizing Type IDs.
It is about understanding process behavior.
Every message represents a real-world state, measurement, or action.
A command may start a pump.
A measurement may indicate process instability.
A status signal may reveal equipment failure.
Industrial cybersecurity begins when protocol behavior becomes observable and measurable.
Because OT security should not rely on assumptions.
It should rely on validation.
OT security must be testable.
Not documented.