Modbus, an open serial communication protocol standard used in industrial environments, has long been recognized as an insecure protocol. The lack of integrity and authentication in Modbus networks has left them vulnerable to various attacks, including reconnaissance attacks. To address this issue, the Modbus Security Protocol (MSP) was developed and published in 2018, nearly 40 years after the introduction of Modbus. This article will explore common Modbus reconnaissance attacks and discuss the impact of MSP on these attacks.
In industrial environments, Modbus is used for communication between electronic devices in Supervisory Control and Data Acquisition (SCADA) systems. It carries control messages between field devices such as Programmable Logic Controllers (PLCs) and a main controller. Because the protocol has no built-in authentication or integrity protection, Modbus networks are susceptible to attacks such as Denial of Service (DoS), code injection, and reconnaissance.
Reconnaissance attacks are a category of attacks used against Industrial Control Systems (ICS) and Operational Technology (OT) environments. They are carried out to gather information about the system in preparation for later attacks. In the case of Modbus, four common reconnaissance attacks specifically target Modbus servers: address scans, function code scans, device identification attacks, and points scans.
Address scans are used to identify the Modbus server addresses on a network. By sending Modbus queries to all devices connected to the network, the attacker can determine the existence of these devices and gain an understanding of the attack surface.
Function code scans are conducted after the address scan and involve identifying which function codes the Modbus servers support. Function codes dictate the type of request to be performed on the network, such as reading or writing data. By analyzing the responses to these requests, the attacker can gather information about the devices, including the model and vendor.
Device identification attacks involve collecting more detailed information about the Modbus server, such as its build number, ID, and vendor’s name. This attack is primarily carried out using read functions that report specific information about the server. The information gathered can be used to search for known vulnerabilities and exploits for further attacks.
Points scans are used to identify programming points in devices connected to a Modbus network. These points store input and output values and, because the Modbus protocol has no authentication, can be read by any client that can reach the device. By scanning for points, an attacker can build a memory map of a device and read its contents.
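The four scans described above leave distinctive traces on the wire, and a defender who can see Modbus/TCP traffic can flag them without any change to the field devices. The following is an added example, not code from the article or from any Modbus project: it parses the Modbus/TCP framing (MBAP header plus PDU), keeps per-client counters, and reports which of the four reconnaissance patterns a client matches. The host addresses, the sample frames, and the thresholds (ADDRESS_SCAN_UNITS and the others) are constructed for illustration; the function code, MEI type, and exception code values are the standard ones.

```python
# Added example (not the article's code): heuristic detection of the four Modbus
# reconnaissance patterns in Modbus/TCP traffic. Hosts, frames and thresholds are constructed.
import struct
from collections import defaultdict

MBAP_LEN = 7                        # transaction id (2), protocol id (2), length (2), unit id (1)
FC_READ = {1, 2, 3, 4}              # read coils / discrete inputs / holding registers / input registers
FC_ENCAPSULATED = 0x2B              # function code 43, Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E           # MEI type 14 inside FC 43: Read Device Identification
EXC_ILLEGAL_FUNCTION, EXC_ILLEGAL_DATA_ADDRESS = 0x01, 0x02   # exception-response codes
EXC_GATEWAY_ERRORS = {0x0A, 0x0B}   # gateway path unavailable / target device failed to respond

# Constructed thresholds: tune them to the polling profile of the real network
ADDRESS_SCAN_UNITS = 5              # distinct unit IDs addressed by one client
FC_SCAN_DISTINCT = 6                # distinct function codes sent by one client
ILLEGAL_FC_MIN = 3                  # ILLEGAL FUNCTION exceptions drawn by one client
POINTS_SCAN_ADDRS = 10              # distinct read start addresses used by one client
ILLEGAL_ADDR_MIN = 3                # ILLEGAL DATA ADDRESS exceptions drawn by one client

def build_frame(tid, unit, fc, payload=b""):
    """Modbus/TCP frame: MBAP header (length counts unit id + PDU) followed by the PDU."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_frame(raw):
    """Split MBAP + PDU into fields; reject malformed frames instead of guessing."""
    if len(raw) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:MBAP_LEN])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(raw) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = raw[MBAP_LEN]                  # high bit set marks an exception response
    return {"tid": tid, "unit": unit, "fc": fc & 0x7F,
            "exception": bool(fc & 0x80), "data": raw[MBAP_LEN + 1:]}

def analyze(records):
    """records: iterable of (client_ip, "req" | "rsp", raw_frame) in capture order.
    Returns {client_ip: [pattern, ...]}; patterns are listed in a fixed order."""
    stats = defaultdict(lambda: {"units": set(), "fcs": set(), "starts": set(),
                                 "dev_id": 0, "illegal_fc": 0, "illegal_addr": 0, "gw_err": 0})
    for client, direction, raw in records:
        f, s = parse_frame(raw), stats[client]
        if direction == "req":
            s["units"].add(f["unit"])
            s["fcs"].add(f["fc"])
            if f["fc"] == FC_ENCAPSULATED and f["data"][:1] == bytes([MEI_READ_DEVICE_ID]):
                s["dev_id"] += 1
            if f["fc"] in FC_READ and len(f["data"]) >= 2:   # read PDUs start with a 16-bit address
                s["starts"].add(struct.unpack(">H", f["data"][:2])[0])
        elif f["exception"] and f["data"]:
            code = f["data"][0]
            if code == EXC_ILLEGAL_FUNCTION:
                s["illegal_fc"] += 1
            elif code == EXC_ILLEGAL_DATA_ADDRESS:
                s["illegal_addr"] += 1
            elif code in EXC_GATEWAY_ERRORS:
                s["gw_err"] += 1
    findings = {}
    for client, s in stats.items():
        flags = []
        if len(s["units"]) >= ADDRESS_SCAN_UNITS or s["gw_err"] >= ADDRESS_SCAN_UNITS:
            flags.append("address_scan")
        if len(s["fcs"]) >= FC_SCAN_DISTINCT or s["illegal_fc"] >= ILLEGAL_FC_MIN:
            flags.append("function_code_scan")
        if s["dev_id"]:
            flags.append("device_identification")
        if len(s["starts"]) >= POINTS_SCAN_ADDRS or s["illegal_addr"] >= ILLEGAL_ADDR_MIN:
            flags.append("points_scan")
        findings[client] = flags
    return findings

def sample_traffic():
    """Constructed capture: an HMI polling normally plus a host running all four scans."""
    hmi, scanner, rec = "10.0.0.10", "10.0.0.50", []   # invented addresses
    for tid in range(30):                               # HMI reads holding registers 0..9 of unit 1
        rec.append((hmi, "req", build_frame(tid, 1, 3, struct.pack(">HH", 0, 10))))
        rec.append((hmi, "rsp", build_frame(tid, 1, 3, bytes([20]) + bytes(20))))
    for tid, unit in enumerate(range(1, 21), 100):      # address scan: only unit 1 exists
        rec.append((scanner, "req", build_frame(tid, unit, 3, struct.pack(">HH", 0, 1))))
        if unit != 1:
            rec.append((scanner, "rsp", build_frame(tid, unit, 0x83, bytes([0x0B]))))
    for tid, fc in enumerate([1, 2, 3, 4, 5, 6, 7, 8, 15, 16, 17], 200):  # function code scan
        rec.append((scanner, "req", build_frame(tid, 1, fc, struct.pack(">HH", 0, 1))))
        if fc not in FC_READ:                            # unsupported codes draw ILLEGAL FUNCTION
            rec.append((scanner, "rsp", build_frame(tid, 1, fc | 0x80, bytes([EXC_ILLEGAL_FUNCTION]))))
    rec.append((scanner, "req", build_frame(300, 1, FC_ENCAPSULATED, bytes([MEI_READ_DEVICE_ID, 1, 0]))))
    for tid, addr in enumerate(range(0, 2000, 100), 400):  # points scan: register map ends at 500
        rec.append((scanner, "req", build_frame(tid, 1, 3, struct.pack(">HH", addr, 1))))
        if addr >= 500:
            rec.append((scanner, "rsp", build_frame(tid, 1, 0x83, bytes([EXC_ILLEGAL_DATA_ADDRESS]))))
    return rec

if __name__ == "__main__":
    for client, flags in analyze(sample_traffic()).items():
        print(client, flags or "no reconnaissance pattern")
```

Two practical notes. First, the thresholds only work against a baseline: a legitimate HMI repeats the same few reads to the same unit, so any client that touches many units, many function codes, or many start addresses stands out, but engineering workstations also issue Read Device Identification (FC 43 / MEI 14) during commissioning, so that flag should be correlated with the asset inventory rather than alerted on alone. Second, this is a passive plaintext monitor; once the Modbus Security Protocol's TLS wrapping is in place the frames are no longer readable on the wire, and the same heuristics have to run on the server or at a TLS-terminating gateway.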
While the Modbus Security Protocol adds authentication and message integrity to the protocol, deploying it in existing ICS and SCADA systems remains a challenge. Legacy hardware is often incompatible with the updated protocol, making it difficult to secure Modbus networks. As a result, additional network security measures such as VPNs, firewalls, and layered security are commonly used to protect against Modbus attacks.
It is worth noting that the Modbus protocol has more vulnerabilities and identified attacks than those mentioned in this article. The lack of authentication in the protocol allows unauthorized adversaries to communicate with connected ICS devices. The Modbus Security Protocol was developed to address this vulnerability, but widespread implementation in existing systems remains a challenge due to compatibility issues. In the future, it is hoped that newer ICS devices and products compatible with the Modbus Security Protocol will be developed to improve and integrate security measures.
In conclusion, Modbus reconnaissance attacks pose a significant threat to industrial environments. While the Modbus Security Protocol aims to mitigate these attacks, its implementation in existing systems remains an ongoing challenge. It is crucial for organizations to adopt standard security measures, such as VPNs and firewalls, to protect against Modbus attacks until the secure version of the protocol becomes more widely adopted.
