IEC 60870-5-104 Port Numbers Explained: TCP 2404 & Secure TLS Port 19998

By | January 5, 2026
0 Comment

IEC 60870-5-104, commonly called IEC 104, is a widely used communication protocol in power system SCADA networks. Because IEC 104 runs over TCP/IP, port numbers are a critical part of how devices communicate, how firewalls are configured, and how cybersecurity is enforced.

This guide explains all IEC 60870-5-104 port numbers, with a clear focus on unsecured connections using port 2404 and secured connections using port 19998.

Why Port Numbers Are Important in IEC 60870-5-104

In IEC 104 communication, the TCP port defines where the protocol listens for incoming connections. Both the control center (master) and the remote device (RTU or IED) must agree on the same port number for communication to work.

Incorrect port configuration can lead to connection failures, blocked traffic by firewalls, or serious security risks if the protocol is exposed without protection.

Unsecured IEC 60870-5-104 Port – TCP 2404

What Is Port 2404?

TCP port 2404 is the official and standardized port for IEC 60870-5-104. It is defined in the IEC 60870-5-104 specification as the default port for IEC 104 communication over TCP/IP.

This port is used in most legacy and traditional SCADA systems.

How Port 2404 Is Used

When IEC 104 runs on port 2404, all communication happens in plain TCP. This includes monitoring data, measurements, events, alarms, control commands, and time synchronization.

A typical connection flow is simple: the SCADA master opens a TCP connection to the RTU or IED on port 2404, and data exchange starts immediately after protocol initialization.

Security Limitations of Port 2404

Unsecured IEC 104 on port 2404 does not provide encryption or authentication. Data is transmitted in clear text, and there is no built-in protection against interception or manipulation.

Because of this, port 2404 is vulnerable to packet sniffing, replay attacks, and unauthorized control commands if it is not properly protected by external security measures.

For modern power systems, using port 2404 without additional security controls is considered unsafe.

Learn how to secure IEC 104 traffic using OpenVPN with a step-by-step, practical guide.

Secured IEC 60870-5-104 Port – TCP 19998

What Is Port 19998?

TCP port 19998 is widely used for secured IEC 104 communication using TLS. While the original IEC 60870-5-104 standard does not define security mechanisms, later IEC cybersecurity standards introduce TLS protection for IEC 104 traffic.

In practice, port 19998 has become the common industry port for IEC 104 Secure.

Why Port 19998 Is Used for Secure IEC 104

Using a separate port for secured communication helps clearly distinguish encrypted traffic from unsecured traffic. It simplifies firewall rules, avoids accidental fallback to plain IEC 104, and improves security monitoring.

Port 19998 allows IEC 104 to run over TCP with TLS encryption, certificate-based authentication, and integrity protection.

How Secured IEC 104 Works on Port 19998

When IEC 104 uses port 19998, the TCP connection is established first. A TLS handshake then takes place, where certificates are exchanged and validated. Only after the secure channel is established does IEC 104 application data begin to flow.

All monitoring and control messages are encrypted, protecting them from interception and tampering.

Comparison of IEC 60870-5-104 Ports 2404 and 19998

Port 2404 is used for unsecured IEC 104 communication and offers no built-in security. Port 19998 is used for secured IEC 104 communication and provides encryption and authentication through TLS.

For legacy systems, port 2404 may still be present. For new systems, port 19998 is the recommended choice.

Can IEC 60870-5-104 Use Other Ports?

Some vendors allow IEC 104 to be configured on custom TCP ports. While this is technically possible, it is generally discouraged.

Using non-standard ports can reduce interoperability, complicate troubleshooting, and cause confusion in firewall and security monitoring systems. The best practice is to use standard ports whenever possible.

Firewall Configuration Considerations

For unsecured IEC 104, firewalls must allow TCP traffic on port 2404 between the control center and remote devices. For secured IEC 104, firewalls should allow TCP traffic on port 19998 and support TLS inspection if required by security policy.

In all cases, IEC 104 ports should never be exposed directly to the public internet.

Best Practices for IEC 104 Port Usage

Modern IEC 104 deployments should prioritize security by using TLS-protected communication. Port 19998 should be used for all new installations, while port 2404 should be limited to legacy systems only.

Unused ports should be closed, access should be restricted to known devices, and all IEC 104 traffic should be monitored and logged.

Summary

IEC 60870-5-104 relies on TCP port numbers to establish communication between SCADA systems and field devices. Two ports are commonly used in real-world deployments:

Port 2404 is the standard port for unsecured IEC 104 communication and is mainly used in older systems.

Port 19998 is the preferred port for secured IEC 104 communication using TLS and is recommended for modern power system networks.

Choosing the correct port is essential for reliability, interoperability, and cybersecurity.

IEC 60870-5-104 Protocol
Author: Zakaria El Intissar

I'm an automation and industrial computing engineer with 12 years of experience in power system automation, SCADA communication protocols, and electrical protection. I build tools and write guides for Modbus, DNP3, IEC 101/103/104, and IEC 61850 on ScadaProtocols.com to help engineers decode, analyze, and troubleshoot real industrial communication systems.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *