Modbus Protocol | Security Vulnerabilities

Modbus is one of the predominant protocols in factory automation. It has stood the test of time and remains well regarded in the factory controls world. Despite that, it is prone to a number of vulnerabilities that make it a potential target for attackers. 

Modbus RTU

Modbus was first released in 1979 by Modicon, now a part of Schneider Electric. It’s a simple protocol in which values are read from and written to registers in the device. At the time of its development, most communications were performed through serial ports with limited transfer speed. This version of the protocol is referred to as Modbus RTU (Remote Terminal Unit). 

The Modbus RTU protocol uses binary framing and is more compact than the ASCII form of the protocol. Additionally, this format requires a cyclic redundancy check (CRC) to be appended to every message, which detects transmission errors. Because reading or altering data required access to the physical device or its cabling, Modbus RTU was a reasonably safe way to transfer data to and from devices.  
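As an added example (not code from the original article), the following Python frames a Modbus RTU request with the CRC-16 described above and verifies it on receipt; the request contents are a constructed standard test vector.

```python
# Added example, not from the original article: frame a Modbus RTU request with
# the CRC-16 the protocol appends to every message, then verify it on receipt.
import struct

def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc

def build_rtu_frame(unit_id: int, function: int, payload: bytes) -> bytes:
    """Unit address, function code, data, then the CRC with its low byte first."""
    body = bytes([unit_id, function]) + payload
    return body + struct.pack("<H", modbus_crc16(body))

def verify_rtu_frame(frame: bytes) -> bool:
    """True only if the trailing CRC matches the rest of the frame."""
    if len(frame) < 4:
        return False
    (received_crc,) = struct.unpack("<H", frame[-2:])
    return modbus_crc16(frame[:-2]) == received_crc

def flip_bit(frame: bytes, index: int) -> bytes:
    """Simulate a single-bit transmission error in byte `index`."""
    corrupted = bytearray(frame)
    corrupted[index] ^= 0x01
    return bytes(corrupted)

# Constructed request: Read Holding Registers (0x03) from unit 1, address 0, count 2.
# Standard reference vector: 01 03 00 00 00 02 C4 0B.
REQUEST = build_rtu_frame(0x01, 0x03, struct.pack(">HH", 0, 2))

if __name__ == "__main__":
    print(REQUEST.hex())                           # 010300000002c40b
    print(verify_rtu_frame(REQUEST))               # True
    print(verify_rtu_frame(flip_bit(REQUEST, 5)))  # False: error detected
```

The CRC catches corrupted bytes on the wire, but any sender can compute it, so a valid CRC says nothing about who sent the frame.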

Modbus TCP  

Moving forward to the 1990s, access to high-speed networks made using serial ports for communication less popular. This move away from serial ports promoted the development of Modbus TCP. 

Modbus TCP is a modified version of Modbus RTU that runs directly over Ethernet. The Ethernet physical network offers a flexible, scalable, reliable, and worldwide network along with vendor-neutral data representation.

Developing Modbus TCP allowed data to move faster and over greater distances on high-speed networks. Pulling new wires is no longer necessary; the existing network cabling can carry the information. Moreover, devices can be across the facility or across the world and still exchange information. With this improvement came far greater capabilities, but it also came with significant risks. 

Modbus Vulnerabilities 

Unlimited Access  

When Modbus RTU and Modbus TCP were created, the assumption was that access to the devices would be limited and, therefore, so would the risk. However, this safety net disappeared as LANs and WANs were increasingly used to move the information. Instead of tapping serial wires to see device data or change system states, one merely needs to be on the network and know the device address to gain access. No longer limited by physical location, attacks on a system can now come from the other side of the world, leaving you exposed on a global level. 

Authorization Not Required  

Initially, using a Modbus device required no authentication because the physical access restrictions provided the protection. To maintain backward compatibility, this has not changed.

In other words, additional measures must be taken to prevent unauthorized access to these devices. Although newer devices implement more security capabilities, these are often left unused because of a lack of understanding of their value or of how to configure them.
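Because a Modbus TCP request carries no credentials, about the only thing a network monitor can check is where a request came from and what it asks for. As an added example (not from the original article), this Python parses the Modbus TCP header and flags write requests from hosts outside an assumed allow list; the IP addresses and frames are constructed.

```python
# Added example, not from the original article: parse Modbus TCP requests and
# flag writes from hosts that are not expected to write. The protocol offers no
# authentication, so the source address is the only "identity" available.
import struct
from dataclasses import dataclass

WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

@dataclass
class ModbusTcpRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

def parse_modbus_tcp(payload: bytes) -> ModbusTcpRequest:
    """Parse the 7-byte MBAP header (transaction id, protocol id, length, unit id)
    and the PDU (function code + data) that follows it."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length does not match payload size")
    return ModbusTcpRequest(tid, unit, payload[7], payload[8:])

def flag_unexpected_writes(records, allowed_writers):
    """records: (src_ip, payload) pairs; returns one alert per write from a
    host that is not in allowed_writers."""
    alerts = []
    for src_ip, payload in records:
        req = parse_modbus_tcp(payload)
        if req.function in WRITE_FUNCTIONS and src_ip not in allowed_writers:
            alerts.append(f"{src_ip} unit {req.unit_id}: {WRITE_FUNCTIONS[req.function]}")
    return alerts

# Constructed sample traffic: (source IP, raw TCP payload)
SAMPLE_RECORDS = [
    ("10.0.0.5", bytes.fromhex("000100000006010300000002")),   # SCADA server read
    ("10.0.0.5", bytes.fromhex("000200000006010600100001")),   # SCADA server write
    ("10.0.7.42", bytes.fromhex("00030000000601060010FFFF")),  # unknown host write
]
ALLOWED_WRITERS = {"10.0.0.5"}  # assumption: only the SCADA server should write

if __name__ == "__main__":
    for alert in flag_unexpected_writes(SAMPLE_RECORDS, ALLOWED_WRITERS):
        print("ALERT:", alert)   # ALERT: 10.0.7.42 unit 1: Write Single Register
```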

Simple Devices Aren’t Simple Anymore 

Modbus devices were originally built using relatively limited 8-bit microcontrollers. To be blunt, they weren’t even capable enough to be hacked or given a virus. In all, they offered minimal capabilities. 

Current Modbus devices are often based on 32-bit embedded CPUs and have wireless capabilities and Ethernet ports. Usually, they run a full real-time operating system (RTOS). Additionally, some devices even support their own automation packages and may control or retrieve data from other devices.

Further, they do more than provide access to read and change values. These devices may be capable of hosting a virus or providing mechanisms to gain access to a controls network. Multiple services and protocols can run on them simultaneously, each providing a possible intrusion mechanism. 

Modbus Gateways & Ethernet Serial Port Servers 

Following the global spread of the internet, serial port servers and Modbus gateway devices became common. A serial port server lets you place a serial port close to a device that communicates serially; from a software perspective, that serial port in another building then looks like a port on the server. 

A monitoring or SCADA system can monitor the device by sending Modbus requests through the serial port server. Moreover, these devices are inexpensive and provide access to devices that would otherwise be challenging to reach.

Unfortunately, these devices may have security issues of their own. For instance, they may allow anyone who can speak the proper protocol to connect and talk to a serial or Modbus device downstream. 

Modbus gateways let you speak Modbus TCP to the gateway, which forwards the requests to one or more devices on a Modbus RTU network. In addition, some gateways can map values from multiple devices into a single Modbus map. However, these devices do not necessarily support more security features than the original Modbus device, and they bring security issues of their own, since they themselves run embedded operating systems and control applications.    

Poor Communication 

Most network engineers can lock down their network against threats they understand. Unfortunately, network engineers often lack experience with the protocols that travel over their network, leaving them unable to defend against these vulnerabilities.

Many don’t understand:

  • Hardware used by controls engineers
  • What these devices control
  • Potential impact on the facility they support

Controls engineers are familiar with the protocols and devices used in a control network. However, most are not familiar with the network environment those devices exist in and therefore can’t make recommendations for protecting against intrusion. Similarly, they cannot make use of firewalls, virtual LANs, or other network tools to tighten access to these devices. That is to say, a controls engineer who knows what global cybersecurity threats are out there is rare. 

Simply put, it’s as though the two teams are speaking different languages.

APT Can Help 

We work in a pretty complex environment, continuously evolving on a daily to weekly basis. At APT, we have hard-earned experience working with a wide range of clients across various industries. Above all, we continue to learn, grow, and adapt from our customers to establish the best practices to fit their needs.

Let APT put our experience to work for you. Let’s meet to discuss how APT can help you prevent intrusion into your crucial device networks. 

Rick Deming, APT Systems Engineer