Modbus

Examining the Modbus Protocol

Offensive Security Perspective

The Modbus protocol is one of the de facto industry standards for remote monitoring and control in Supervisory Control and Data Acquisition (SCADA) systems. While plenty of articles cover the Modbus protocol with varying degrees of detail and usage, this article aims to examine the Modbus protocol with an offensive security lens. We will begin with a brief overview of the protocol.

History of Modbus

https://www.se.com/us/en/faqs/FA168406/Modbus was created in 1979 by Modicon (Now Schneider Electric). The original Modbus protocol was designed to monitor and control Programmable Logic Controllers (PLCs) via a serial connection to a Human Machine Interface (HMI). There are two Modbus variants that operate on RS-485 serial cables, Modbus RTU and Modbus ASCII. Several variants operate over Ethernet, the most common of which is Modbus TCP/IP. This protocol was assigned the TCP port 502 by Internet Assigned Number Authority (IANA) in 1996.

Using Modbus TCP/IP

All Modbus protocols operate in a client-server/interrogator-responder relationship. The client/interrogator device is typically an HMI or some form of desktop host running a SCADA management application. The server/responder device can be any PLC or RTU including sensors, valves, and other devices. The interrogator-responder relationship is a classic example of centralized authority. In a traditional Modbus set-up, a single client/interrogator gives all the orders. Servers/Responders do not speak unless spoken to and will not transmit data unless directed to do so by the interrogator device. In recent history, the convergence of IT/OT networks has led to the development and widespread adoption of Modbus TCP/IP. There are several benefits to Modbus TCP/IP when compared to its serial predecessors. Using Modbus TCP/IP provides greater flexibility when designing Modbus networks. Traditional serial implementations are limited to 247 responder devices, the Modbus TCP/IP protocol does not have an upper cap on the number of responder devices connected to a single interrogator device. Additionally, Modbus TCP/IP is not limited to a single interrogator, there can be multiple client/interrogator devices in a single environment.

Security Flaws of Modbus TCP/IP

Ease of access and flexibility are the greatest benefits of IT/OT convergence but are also its greatest weaknesses. Office IT networks often possess external attack vectors via the internet or wireless networks. If proper segmentation is not in place, then a malicious actor with a foothold in an IT network may be able to attack operations devices. Protocols like Modbus and the later Modbus TCP/IP were not developed with security in mind. Modbus TCP/IP is an extremely vulnerable protocol that when looked at from a security perspective possesses several major design flaws.

Security Flaws of Modbus TCP/IP:

  1. Cleartext Protocol
  2. Lack of Authentication
  3. Non-existent Session Handling

First and foremost, Modbus TCP/IP is a cleartext protocol. Without any encryption to secure communications, any malicious actor with the right foothold in the network can listen in on communications between the client/interrogator and servers/responders. This can be used to perform passive reconnaissance within the network.

Man-In-The-Middle Attack Against Modbus

When the lack of encryption is combined with non-existent authentication and session handling, opportunities to intercept and modify messages between the client and server become available. There is an excellent whitepaper by Gabriel Sanchez published by the SANS Institute titled “Man-In-The-Middle Attack Against Modbus TCP Illustrated with Wireshark.” This whitepaper demonstrates how a malicious actor can leverage these security flaws to perform a MitM attack. With proper placement within a target network, an offensive security professional can use a tool like Ettercap to perform an ARP spoofing attack. This will cause the client and server to transmit packets to the attacker machine instead of each other. The attacker can then use an Ettercap filter to manipulate communications. This can be used to write malicious data to the responder device or provide inaccurate data to the interrogator. The attack complexity is minimal, but the results could be devastating given the right preconditions. The infamous Stuxnet used a similar concept of writing malicious data and reporting standard operation values back to the HMI. This can prevent facility personnel from detecting an anomaly until it is too late.

PLC devices often have very limited resources

Several tools exist for enumerating and attacking devices via the Modbus TCP/IP protocol. Modbus-cli provides a low-level tool for directly communicating with Modbus devices. The tool can be used to read and write data to and from PLCs. However, the smod-1 open-source application (https://github.com/theralfbrown/smod-1) offers additional functionality and a similar feel to Metasploit. This tool has modules that perform discovery, device enumeration, UID brute forcing, ARP poisoning, DOS attacks, and more. Remember that PLC devices often have very limited resources and will easily succumb to DOS attacks.  Well-known tools such as NMAP and Metasploit also have some limited Modbus testing functionality. The NMAP script modbus-discover.nse can be used to elicit device identification information from a PLC. Metasploit has modules that can perform enumeration (modbusdetect, modbus_findunitid) and reading and writing data (modbusclient).

Modbus is an enormous liability from a security perspective

By this point, it should be evident that Modbus is an enormous liability from a security perspective. As an offensive security professional, it is easy to be an outsider looking in and describing the continued use of Modbus as lunacy. While I don’t entirely disagree, it is important that we understand why this protocol has become the SCADA standard and why the industrial control system (ICS) community is so far behind on security compared to other industries. Modbus is an open protocol that many of the major players in the ICS community leverage and have contributed considerable resources to at a time when ICS/SCADA systems were considered “immune” to cyber-attacks. Why would anyone think that? Prior to Stuxnet, most people considered ICS systems too isolated and air-gapped to be successfully attacked. This of course was not true, but it was at least truer than it is now. The divide between IT and OT is becoming increasingly blurred in modern ICS environments, and many ICS systems are far from air-gapped.

Conclusion

Fortunately, while adoption is slow, the ball has at least begun rolling on improving/replacing Modbus TCP/IP with more secure protocols. The new MODBUS/TCP Security which was released in late 2018 has essentially TLS-wrapped the original Modbus TCP/IP protocol. This new protocol operates on port 802, utilizing certificates and key exchanges to encrypt Modbus communications. This is a major step in the right direction for the protocol. Unfortunately, many of the older PLC devices are expected to be incompatible with the new protocol, meaning it will likely be some time before widespread adoption occurs. Other alternatives include Open Platform Communications Unified Architecture (OPC UA). OPC UA implements messaging signing and encryption. The protocol is unique from Modbus in that it follows the more modern publisher-subscriber model rather than the old client-server relationship. Regardless of which solution becomes dominant, we would all benefit from a world with greater ICS/SCADA security.

References

Sanchez , G. (n.d.). 38095.pdf on Egnyte. Egnyte. Retrieved August 21, 2023, from https://sansorg.egnyte.com/dl/Li34LIzFti

Exploring OPC UA Security Concepts – OPC Connect. (n.d.). Opcconnect.opcfoundation.org. https://opcconnect.opcfoundation.org/2020/06/exploring-opc-ua-security-concepts/

Modbus.org MB-TCP-Security-v21_2018-07-24 1 MODBUS/TCP Security Protocol Specification. (2018). https://modbus.org/docs/MB-TCP-Security-v21_2018-07-24.pdf

Team, R. (2019, November 21). Hack the Modbus. Radiflow. https://www.radiflow.com/blog/hack-the-modbus/

Related Articles