Threat Level: green Handler on Duty: Tom Webb

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Cyber Security Awareness Month - Day 22 port 502 TCP - Modbus

Published: 2009-10-22
Last Updated: 2011-01-30 04:33:58 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

"Modbus Protocol is a messaging structure developed by Modicon in 1979. It is used to establish master-slave/client-server communication between intelligent devices. It is a de facto standard, truly open and the most widely used network protocol in the industrial manufacturing environment. It has been implemented by hundreds of vendors on thousands of different devices to transfer discrete/analog I/O and register data between control devices. It's a lingua franca or common denominator between different manufacturers. One report called it the "de facto standard in multi-vendor integration". Industry analysts have reported over 7 million Modbus nodes in North America and Europe alone." From: http://www.modbus.org/faq.php

Modbus was oroginally developed as a proprietary communication/command protocol for SCADA/Process Control systems. It has been migrated to TCP/IP since 1999. There really isn't much to the protocol specification at all.

One of the first main issues with Modbus is that it is not designed to be run on open networks, it was intended to be used on dedicated lines, such as a serial connection, or a closed network. Ideally this is achieved through an airgap between the PCS network and the corporate IT network. It is however quite convenient to be able to monitor or even control these systems from a corporate desktop. The devices that communicate using Modbus are also typically not designed to be on open networks, and often fail from a port or vulnerability assessment scan. There really isn't much to 'hacking' these devices, if you can talk to them they do whatever you tell them to.

The Modbus protocol itself contains no security whatsoever. If you can communicate directly with a Modbus server or client you can issue commands. This can be quite important depending on the function that the slave devices are performing. The only real choices are as mentioned previously to completely airgap Modbus from any other network, or severely limit access to authorized masters. 

This brief article is just the tip of the iceberg for the Modbus protocol, and any discussion of Process Control, SCADA systems and security.

Additional reading:

http://www.digitalbond.com/wiki/index.php/Modbus

http://www.mudynamics.com/resources/collaterals/MODBUS-v3.pdf

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

0 comment(s)
Diary Archives