gateway icon  PRODUCT SELECTOR:

Connect Your:

To:

RTA's Blog

Modbus Security

Posted on by John S Rinaldi
04
May

If you are new to Modbus, or new to security, you already know everything there is to know about Modbus security: NOTHING. There is no security in Modbus, Modbus RTU, or Modbus TCP. It doesn’t exist.

The truth is that if you can get to a Modbus device on a network, you own it. You can read and write anything and everything.

Firewall Protection… Not

Many people think that because they have their Modbus controller behind a firewall they’re protected. Yes, your controller is not on the Internet, but that doesn’t mean you’re protected. All that does is move your vulnerability up one level. Now, any server you have on the other side of the firewall that’s authorized to access the controller through the firewall is the vulnerability. How vulnerable is that Windows PC that is connected to the Internet? I’ll let you answer that for yourself. When that PC, which often is some older OS or behind on patches, is compromised, you’ve now opened your factory floor controller to the outside world. Better than having the controller on the Internet, but not by that much.

Modbus was not built for security. (It’s not alone EtherNet/IP and Profinet have the same issue.) It has no passwords, no authorizations, no facility to pass certificates or anything else that would be required if you were building it today. For example, there is no concept of a “user name/password” in Modbus that could authenticate a user or a device. Some PLC vendors have layered their own password systems onto Modbus, but by human nature these become easily exploited. We all know people that use post-it notes for user names and passwords.

What You Can Use for Security

Some user name/password system, or a conventional firewall, will likely block the accidental intrusions but they are ineffective against the malicious hacker intending on executing a directed attack on your manufacturing system.
If you are going to use Modbus, and there are a lot of reasons to do so, you should investigate the hardware devices that can not only act as a firewall but authorize devices, authorize users, and do deep packet inspection. These devices are pretty sophisticated and can detect and stop activity that is outside the norm. Yes, it makes life a little more complicated when it prevents some legitimate activity, but the integrity, safety, and reliability of your control system is worth the price.

Avatar photo
John S Rinaldi

John Rinaldi is Chief Strategist, Business Development Manager and CEO of Real Time Automation (RTA). After escaping from Marquette University with a degree in Electrical Engineering, John worked in various jobs in the Automation Industry before once again fleeing back into the comfortable halls of academia. At the University of Connecticut, he once again talked his way into a degree, this time in Computer Science (MS CS). John is a recognized expert in industrial networks and the author of six books: Modbus: The Everyman’s Guide to Modbus, OPC UA – Unified Architecture: The Everyman’s Guide to OPC UA, EtherNet/IP: The Everyman’s Guide to EtherNet/IP, The Smart Product Manager’s Guide to Industrial Automation Connectivity, The Smart Product Manager’s Guide to Connectivity in the Packaging Industry, and his latest, The Everyman’s Guide to Properly Architecting Ethernet/IP Networks.