What Is It, How It Works, and Vulnerabilities & Scenario
Hello HackHouse family! If you came to learn about the Modbus protocol, how it’s used, and how it has been attacked, you’re in the right place. This article is intended for beginners in the ICS (industrial control systems) security arena, as I am one myself. In a world where our ICS systems such as gas, oil, electricity, water treatment, etc. can be and are attacked on a daily basis, it is worth being aware of Modbus and how it’s attacked in order to better defend ICS systems and processes. NOTE: If you click the links in this article, you will be taken to reputable sites for more information.
This information is intended for learning ONLY. Please don’t be part of the problem. Let’s use this information to be part of the solution by learning and building more secure systems and protocols for the future. I am open to constructive feedback!
What is it – Modbus is one of several protocols that ICS devices use to communicate over a network. It is a master/slave application-layer communication protocol used in ICS environments. Modbus is quite aged, which leaves it vulnerable. It was created in 1979 by Modicon and is still in use today. Currently Modbus is owned and maintained by Schneider Electric.
You may ask yourself why such an old and vulnerable protocol is still in use in 2021. That’s a great question. In ICS environments the CIA triad tends to be altered from its normal state of confidentiality, integrity, and availability of data. The ICS CIA triad has been reordered to AIC (availability, integrity, and confidentiality) of SCADA (supervisory control and data acquisition) systems data. It is important to note that the reason for this shift of the triad is the importance of system and process uptime. System uptime is critical and at a minimum should be 99.999% of total operational time. It is difficult for these systems to be taken down for upgrades and maintenance due to the nature of ICS.
Let’s get back to why you came here. I wanted to provide some context on why I think it is still in use! Next I will describe, at a basic level, how it works.
How it Works
There are two types of the Modbus protocol: the older serial connection style and the newer version, Modbus TCP/IP. Data transmission occurs over physical connections such as Ethernet, RS232, RS422, or RS485. The two versions of Modbus are able to interpret each other via a DCS (distributed control system) gateway. The master can be a DCS, an HMI (human machine interface), or an RTU (remote terminal unit), for example. The master’s job is to issue read and write data queries to up to 247 slaves, a.k.a. field devices, such as actuators, sensors, PLCs (programmable logic controllers), etc. This allows the master to monitor data from the current environment and adjust, maintain, or simply report device status as necessary depending on the business process. For a more in-depth look at Modbus and the fields each IP packet contains, click here.
(Master/Slave Request/Response Query Transaction)
Vulnerabilities & Scenario
Modbus wasn’t designed with security in mind, unfortunately, and is therefore vulnerable to attack. Its vulnerabilities include:
- Vulnerable data confidentiality due to plain text transmission across the wire, allowing for an attacker to read critical data.
- Vulnerable data integrity due to lack of integrity checks, allowing an attacker to alter data.
- Vulnerable data authentication due to lack of device authentication, allowing an attacker more opportunity for altering various data.
A MITM (man-in-the-middle) scenario of sorts would be an attacker breaking into an ICS network that communicates using Modbus. The first step is to use a sniffer such as Wireshark to view packets and understand what is occurring on the network. Understanding the environment and what’s in it is crucial in determining attack options. Do your research using a tool like Nmap and Google. Next, you may want to attempt to alter master/slave data packets using a tool like Ettercap. Doing so can have SEVERE real-world consequences, as you are altering a physical process digitally. It is best to build a virtual lab, like this one, for learning.
(Modbus MITM Attack Diagram)
Some ICS security informational web pages, a podcast, and a game I’ve learned from:
- Website: Dragos
- Website: SANS ICS
- Website: CISA
- Game: ThreatGen: Red vs. Blue
- Document: NIST Guide to ICS Security
- Podcast: Hack the Plan[E]t