LAB-05 · IEC 60870-5-104 · 2404/tcp
IEC 60870-5-104: substation traffic analysis
A simulated 110 kV substation generates IEC 104 traffic. Two of the captures contain Industroyer-style operate commands disguised as routine setpoint changes. Find them.
Duration: 120m
Level: advanced
ISA SL: SL3 · SL4
Track: OT defense
Objectives
1. Decode IEC 104 ASDUs from a captured substation trace
2. Spot Industroyer-style malicious switch operations
3. Write a SOC playbook for the pattern
Success criteria
- Annotated pcap with the malicious frames highlighted
- A SOC playbook (markdown) that catches the pattern