An accurate visualization of Modbus protocol communication & security vulnerabilities
Modbus is a serial communication protocol developed in 1979 for use with programmable logic controllers (PLCs). It has become a de facto standard in industrial communication and is now commonly used for connecting industrial electronic devices.
In a Modbus network:
Modbus RTU:
- Uses binary encoding with CRC error checking
- More efficient, compact messages
- Typically used over RS-485 or RS-232

Modbus ASCII:
- Uses ASCII characters with LRC error checking
- Less efficient but easier to debug
- More tolerant of transmission delays

Modbus TCP:
- Extension of Modbus for use over TCP/IP networks
- Uses MBAP header instead of address field and error check
- Allows multiple simultaneous connections
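The three framings above differ only in how the same PDU is wrapped. The following is an added example (not code from the original page) that builds and checks all three wrappers: the CRC-16/MODBUS used by RTU, the LRC used by ASCII, and the MBAP header used by Modbus TCP, which carries no checksum at all. The sample PDU (unit 1, function 03, start 0, 10 registers) is constructed for the example; note that `check_rtu_frame` and `check_ascii_frame` only catch corruption, since the check value is trivially recomputable for any altered message.

```python
import struct


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 0x0001:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def lrc(data: bytes) -> int:
    """LRC used by Modbus ASCII: two's complement of the 8-bit sum of all bytes."""
    return (-sum(data)) & 0xFF


def build_rtu_frame(unit: int, pdu: bytes) -> bytes:
    """RTU frame = unit address + PDU + CRC, with the CRC low byte transmitted first."""
    body = bytes([unit]) + pdu
    return body + struct.pack("<H", crc16_modbus(body))


def check_rtu_frame(frame: bytes) -> bool:
    """True if the trailing CRC matches. This detects line noise, not deliberate edits."""
    if len(frame) < 4:
        return False
    body, received = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    return crc16_modbus(body) == received


def build_ascii_frame(unit: int, pdu: bytes) -> bytes:
    """ASCII frame = ':' + hex(unit + PDU) + hex(LRC) + CR LF."""
    body = bytes([unit]) + pdu
    return b":" + body.hex().upper().encode("ascii") + f"{lrc(body):02X}".encode("ascii") + b"\r\n"


def check_ascii_frame(frame: bytes) -> bool:
    """True if the frame is well delimited and its LRC matches."""
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")):
        return False
    try:
        payload = bytes.fromhex(frame[1:-2].decode("ascii"))
    except ValueError:
        return False
    if len(payload) < 2:
        return False
    return lrc(payload[:-1]) == payload[-1]


def build_tcp_frame(transaction_id: int, unit: int, pdu: bytes) -> bytes:
    """MBAP header (transaction id, protocol id 0, length = unit id + PDU bytes, unit id) + PDU.
    There is no checksum: integrity against corruption is left to TCP."""
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit)
    return mbap + pdu


# Constructed sample PDU: function 03 (Read Holding Registers), start offset 0, quantity 10.
SAMPLE_PDU = bytes.fromhex("03 0000 000A")

if __name__ == "__main__":
    print(build_rtu_frame(1, SAMPLE_PDU).hex())      # 01030000000ac5cd
    print(build_ascii_frame(1, SAMPLE_PDU))          # b':01030000000AF2\r\n'
    print(build_tcp_frame(1, 1, SAMPLE_PDU).hex())   # 00010000000601030000000a
```

The RTU output matches the widely published reference frame `01 03 00 00 00 0A C5 CD`, which is a quick way to sanity-check any CRC implementation you are handed.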
| Data Type | Access | Size | Address Range |
|---|---|---|---|
| Coils | Read/Write | 1 bit | 00001-09999 |
| Discrete Inputs | Read-only | 1 bit | 10001-19999 |
| Input Registers | Read-only | 16 bits | 30001-39999 |
| Holding Registers | Read/Write | 16 bits | 40001-49999 |
| Code | Function | Description |
|---|---|---|
| 01 | Read Coils | Read status of discrete output coils |
| 02 | Read Discrete Inputs | Read status of discrete inputs |
| 03 | Read Holding Registers | Read contents of holding registers |
| 04 | Read Input Registers | Read contents of input registers |
| 05 | Write Single Coil | Write value to a single coil |
| 06 | Write Single Register | Write value to a single register |
| 15 | Write Multiple Coils | Write values to multiple coils |
| 16 | Write Multiple Registers | Write values to multiple registers |
| 08 | Diagnostics | Various diagnostic functions |
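The two tables above (data types with their reference address ranges, and the function codes) come together in every request. The following added example, which is not code from the original page, shows how a reference address such as 40108 maps to the zero-based offset actually sent on the wire (a classic off-by-one source), how a Read Holding Registers (03) PDU is encoded, and how a response or an exception response is parsed. The sample PDUs and exception names are constructed for the example from the standard Modbus application-protocol layout.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
# Standard exception codes carried in an exception response (function code | 0x80, then code).
EXCEPTION_NAMES = {1: "Illegal Function", 2: "Illegal Data Address",
                   3: "Illegal Data Value", 4: "Slave Device Failure"}

# (table name, first reference address, last reference address), per the data-type table.
REFERENCE_RANGES = [("coil", 1, 9999), ("discrete_input", 10001, 19999),
                    ("input_register", 30001, 39999), ("holding_register", 40001, 49999)]


def reference_to_offset(reference: int) -> Tuple[str, int]:
    """Map a 5-digit reference address to (table, zero-based PDU offset): 40001 -> offset 0."""
    for table, low, high in REFERENCE_RANGES:
        if low <= reference <= high:
            return table, reference - low
    raise ValueError(f"{reference} is not in a known reference range")


def build_read_holding_registers(reference: int, quantity: int) -> bytes:
    """Encode a function 03 request PDU: function, start offset, quantity (all big-endian)."""
    table, offset = reference_to_offset(reference)
    if table != "holding_register":
        raise ValueError(f"{reference} is a {table}, not a holding register")
    if not 1 <= quantity <= 125:  # maximum register count for function 03
        raise ValueError("quantity must be between 1 and 125")
    return struct.pack(">BHH", 3, offset, quantity)


@dataclass
class ReadRegistersResponse:
    function: int
    exception: Optional[str] = None
    registers: List[int] = field(default_factory=list)


def parse_read_registers_response(pdu: bytes) -> ReadRegistersResponse:
    """Parse a function 03/04 response PDU, or the exception response to one."""
    if len(pdu) < 2:
        raise ValueError("PDU too short")
    fc = pdu[0]
    if fc & 0x80:  # exception response: original function code with the high bit set
        if len(pdu) != 2:
            raise ValueError("malformed exception response")
        code = pdu[1]
        return ReadRegistersResponse(fc & 0x7F, EXCEPTION_NAMES.get(code, f"Unknown ({code})"))
    if fc not in (3, 4):
        raise ValueError(f"not a read-registers response: {FUNCTION_NAMES.get(fc, fc)}")
    byte_count = pdu[1]
    if byte_count != len(pdu) - 2 or byte_count % 2 != 0:
        raise ValueError("byte count does not match the payload")
    registers = list(struct.unpack(f">{byte_count // 2}H", pdu[2:]))
    return ReadRegistersResponse(fc, None, registers)


if __name__ == "__main__":
    request = build_read_holding_registers(40108, 3)      # offset 0x006B on the wire
    print(request.hex())                                  # 03006b0003
    print(parse_read_registers_response(bytes.fromhex("03 06 AE41 5652 4340")))
    print(parse_read_registers_response(bytes.fromhex("83 02")))   # Illegal Data Address
```

The byte-count check in the parser matters in practice: a device (or an intermediary) that returns a byte count larger than the payload is exactly the kind of malformed reply that has historically crashed poorly written masters.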
Modbus was designed in the late 1970s, when industrial networks were isolated and security was not a primary concern. As a result, the protocol has several inherent security weaknesses:

- No authentication: Modbus has no built-in authentication mechanism. Any device that can reach the network can send commands to a Modbus slave.
- No encryption: Data is transmitted in plaintext, allowing attackers to intercept and read all communications, including sensitive control commands.
- No integrity protection: While CRC/LRC checks detect transmission errors, they don't prevent deliberate tampering with message content, because the check value can simply be recomputed for the altered message.
- No session management: Modbus is stateless with no session management, making it vulnerable to replay attacks and message injection.
- Man-in-the-middle: An attacker intercepts communications between master and slave, potentially modifying commands or responses. Impact: can manipulate industrial processes by changing setpoints, altering sensor readings, or issuing unauthorized commands.
- Replay attack: An attacker captures valid Modbus messages and replays them later to cause the same action to occur repeatedly. Impact: can disrupt operations by repeating critical commands out of sequence or at inappropriate times.
- Unauthorized command injection: An attacker sends unauthorized write commands to Modbus slaves to alter settings or operations. Impact: can change critical parameters, disable safety systems, or cause equipment damage.
- Denial of service: An attacker floods the Modbus network with invalid requests or excessive traffic. Impact: can prevent legitimate commands from being processed, potentially causing system failures or safety issues.
- Isolate control system networks from corporate networks and the internet using firewalls and DMZs.
- Use VPN or SSL/TLS tunnels to encrypt Modbus TCP traffic when it must traverse untrusted networks.
- Implement strict access controls on network equipment and use whitelisting to allow only known devices.
- Deploy IDS/IPS systems that understand industrial protocols to detect anomalous Modbus traffic.
- Consider using secure alternatives like OPC UA, Modbus with TLS, or other secure industrial protocols.
- Conduct periodic security assessments and penetration testing of industrial control systems.
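Two of the mitigations above, device whitelisting and protocol-aware detection, can be combined in a small amount of logic once the MBAP header is parsed. The following is an added example, not code from the original page: a protocol-aware inspector that applies a constructed policy (only the host 10.0.0.10 may issue write functions 05/06/15/16; Diagnostics function 08 is never expected) and also flags frames whose MBAP header is internally inconsistent. The traffic sample and IP addresses are constructed for the example; in a real deployment the frames would come from a capture or a network tap.

```python
import struct
from typing import Dict, List, Tuple

WRITE_FUNCTIONS = {5, 6, 15, 16}   # write single coil/register, write multiple coils/registers
DIAGNOSTIC_FUNCTION = 8

# Constructed policy: the HMI at 10.0.0.10 is the only host allowed to write.
ALLOWED_WRITERS = {"10.0.0.10"}

# Constructed sample traffic: (source IP, raw Modbus TCP frame = MBAP header + PDU).
SAMPLE_TRAFFIC: List[Tuple[str, bytes]] = [
    ("10.0.0.10", bytes.fromhex("0001 0000 0006 01 03 006B 0003")),  # read holding regs from HMI
    ("10.0.0.10", bytes.fromhex("0002 0000 0006 01 06 0001 0064")),  # write single register from HMI
    ("10.0.0.77", bytes.fromhex("0003 0000 0006 01 05 0001 FF00")),  # write coil from unknown host
    ("10.0.0.77", bytes.fromhex("0004 0000 0006 01 08 0000 1234")),  # diagnostics from unknown host
    ("10.0.0.10", bytes.fromhex("0005 0001 0006 01 03 006B 0003")),  # protocol id is not 0
    ("10.0.0.10", bytes.fromhex("0006 0000 0009 01 03 006B 0003")),  # length field disagrees with frame
]


def parse_mbap(frame: bytes) -> Tuple[int, int, int, int, bytes]:
    """Split a Modbus TCP frame into (transaction id, protocol id, length, unit id, PDU)."""
    if len(frame) < 8:  # 7-byte MBAP header plus at least a function code
        raise ValueError("shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    return transaction_id, protocol_id, length, unit_id, frame[7:]


def inspect_frame(src_ip: str, frame: bytes) -> List[str]:
    """Return alert strings for one frame; an empty list means it passed policy."""
    alerts: List[str] = []
    try:
        _, protocol_id, length, _, pdu = parse_mbap(frame)
    except ValueError as exc:
        return [f"malformed frame: {exc}"]
    if protocol_id != 0:
        alerts.append(f"protocol id {protocol_id} is not Modbus (expected 0)")
    if length != len(pdu) + 1:  # MBAP length counts the unit id plus the PDU
        alerts.append(f"MBAP length {length} does not match {len(pdu) + 1} bytes on the wire")
    function_code = pdu[0]
    if function_code in WRITE_FUNCTIONS and src_ip not in ALLOWED_WRITERS:
        alerts.append(f"write function {function_code} from non-allowlisted host {src_ip}")
    if function_code == DIAGNOSTIC_FUNCTION:
        alerts.append(f"diagnostics function 08 from {src_ip}")
    return alerts


def scan_traffic(traffic: List[Tuple[str, bytes]]) -> Dict[int, List[str]]:
    """Map transaction id -> alerts for every frame that raised at least one alert."""
    findings: Dict[int, List[str]] = {}
    for src_ip, frame in traffic:
        alerts = inspect_frame(src_ip, frame)
        if alerts:
            # int.from_bytes tolerates frames too short to hold a full transaction id.
            findings[int.from_bytes(frame[:2], "big")] = alerts
    return findings


if __name__ == "__main__":
    for tid, alerts in scan_traffic(SAMPLE_TRAFFIC).items():
        for alert in alerts:
            print(f"transaction {tid}: {alert}")
```

Because Modbus carries no authentication, the source address is the only identity a monitor has, so this kind of allowlist belongs on a segmented network where addresses cannot be trivially spoofed; the header-consistency checks are independent of that and catch malformed traffic regardless of where it came from.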
- CRC = Cyclic Redundancy Check, used for error detection
- MBAP header (Modbus Application Protocol header) = Transaction ID + Protocol ID + Length + Unit ID