Modbus Security

If you are new to Modbus, or new to security, you already know everything there is to know about Modbus security: NOTHING. There is no security in Modbus, Modbus RTU, or Modbus TCP. It doesn’t exist.

The truth is that if you can get to a Modbus device on a network, you own it. You can read and write anything and everything.

Firewall Protection… Not

Many people think that because they have their Modbus controller behind a firewall they’re protected. Yes, your controller is not on the Internet, but that doesn’t mean you’re protected. All that does is move your vulnerability up one level. Now, any server you have on the other side of the firewall that’s authorized to access the controller through the firewall is the vulnerability. How vulnerable is that Windows PC that is connected to the Internet? I’ll let you answer that for yourself. When that PC, which often is some older OS or behind on patches, is compromised, you’ve now opened your factory floor controller to the outside world. Better than having the controller on the Internet, but not by that much.

Modbus was not built for security. (It’s not alone EtherNet/IP and Profinet have the same issue.) It has no passwords, no authorizations, no facility to pass certificates or anything else that would be required if you were building it today. For example, there is no concept of a “user name/password” in Modbus that could authenticate a user or a device. Some PLC vendors have layered their own password systems onto Modbus, but by human nature these become easily exploited. We all know people that use post-it notes for user names and passwords.

What You Can Use for Security

Some user name/password system, or a conventional firewall, will likely block the accidental intrusions but they are ineffective against the malicious hacker intending on executing a directed attack on your manufacturing system.
If you are going to use Modbus, and there are a lot of reasons to do so, you should investigate the hardware devices that can not only act as a firewall but authorize devices, authorize users, and do deep packet inspection. These devices are pretty sophisticated and can detect and stop activity that is outside the norm. Yes, it makes life a little more complicated when it prevents some legitimate activity, but the integrity, safety, and reliability of your control system is worth the price.