Attack taxonomies for the Modbus protocols
Introduction
The Modbus protocol defines the message structure and communication rules used by process control systems to exchange supervisory control and data acquisition (SCADA) information for operating and controlling industrial processes [1]. Modbus’ open protocol specifications and TCP extension have contributed to its popularity, especially in the oil and gas sector, where it is the predominant control protocol for pipeline operations.
The Modbus protocol has two principal variants, Modbus Serial [6] and Modbus TCP [5]. In the Modbus Serial protocol, messages are transmitted between a master and slaves (field devices) over serial lines using the ASCII or RTU transmission modes. The newer Modbus TCP protocol provides connectivity within a Modbus network (master and its slaves) as well as for IP-interconnected Modbus networks (multiple masters, each communicating with possibly overlapping sets of slaves). The TCP variant enables a master to have multiple outstanding transactions and permits a slave to engage in concurrent communications with multiple masters.
Attacks on Modbus systems and networks can produce effects ranging from sporadic disruptions of field devices (sensors and actuators) to large-scale outages or even loss of control in the case of a spoofed master. The attacks can be grouped into three categories. The first category includes attacks that exploit the Modbus protocol specifications. The second category comprises attacks that exploit vendor implementations of the Modbus protocols. Attacks in the third category target the support infrastructure, which includes information technology, networking and telecommunications assets.
This paper considers attacks in the first category, i.e., attacks that are common to all Modbus implementations that conform to the protocol specifications [4], [5], [6]. The analysis focuses on the Modbus Serial and TCP protocols and presents the corresponding attack taxonomies. The primary targets include the master, field devices, serial communication links (Modbus Serial) or network communication paths (Modbus TCP). Four threats are considered: interception, interruption, modification and fabrication. Attack preconditions include the availability of a Modbus sniffer and/or packet injector. Avenues for attack include the master, field devices and serial communication links or network communication paths.
Our comprehensive analysis of Modbus has identified 20 and 28 attacks for the serial and TCP protocols, respectively. These attacks can be used to target Modbus assets in 59 and 113 distinct ways for the serial and TCP protocols, respectively. For reasons of space and sensitivity, it is not possible to discuss all the attacks in detail. However, representative attacks are discussed and the corresponding attack taxonomies are presented. The attack taxonomies provide insights into the nature and scope of security threats as well as strategies for securing Modbus systems and networks.
Modbus protocol
Originally formulated in 1979, the Modbus protocol is one of the oldest, but most widely used, industrial control protocols [4], [5], [6]. Modbus engages a simple request/reply communication mechanism between a control center and field devices. For example, a control center (master unit) might send a “read” message to a sensor (slave device) to obtain the value of a process parameter (e.g., pressure). Alternatively, it might send a “write” message to an actuator (slave device) to perform a
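The request/reply exchange described above, worked through as an added example (this code is not from the paper). It encodes the same PDU, a "read holding registers" request from a master to a slave, in both variants the page discusses: as a Modbus RTU frame (slave address, PDU, CRC-16 with the low byte first) and as a Modbus TCP frame (7-byte MBAP header, then the PDU, no CRC). The decode side is what a Modbus sniffer recovers from a serial tap or a packet capture. Note that neither frame format carries any authentication; the RTU CRC detects line noise only, and a TCP master matches a reply to its request solely by the cleartext transaction and unit identifiers, which is why the "fabrication" threat of the introduction needs nothing more than a sniffer and an injector. The sample frames and register values are constructed, and `forge_tcp_reply` is an illustrative helper added here, not an attack the paper describes.

```python
"""Modbus RTU and Modbus TCP framing: encode, decode, and what a passive
sniffer can recover.  Added example; not code from the paper."""
import struct

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
MODBUS_TCP_PROTOCOL_ID = 0x0000   # fixed to 0 by the Modbus TCP spec


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


# --- PDU = function code + data; identical in the Serial and TCP variants ---
def pdu_read_holding_registers(start: int, count: int) -> bytes:
    return struct.pack(">BHH", READ_HOLDING_REGISTERS, start, count)


def pdu_read_holding_registers_reply(values: list) -> bytes:
    return struct.pack(">BB", READ_HOLDING_REGISTERS, 2 * len(values)) + \
        b"".join(struct.pack(">H", v) for v in values)


def pdu_write_single_register(address: int, value: int) -> bytes:
    # The normal reply to function 0x06 is an echo of the request PDU.
    return struct.pack(">BHH", WRITE_SINGLE_REGISTER, address, value)


def describe_pdu(pdu: bytes, from_master: bool) -> dict:
    """Decode the PDUs built above (request or reply) and exception replies."""
    fc = pdu[0]
    if fc & 0x80:                 # exception reply: FC | 0x80, then exception code
        return {"function": fc & 0x7F, "exception": pdu[1]}
    if fc == READ_HOLDING_REGISTERS and from_master:
        start, count = struct.unpack(">HH", pdu[1:5])
        return {"function": fc, "start": start, "count": count}
    if fc == READ_HOLDING_REGISTERS:
        n = pdu[1]                # byte count, then n/2 big-endian registers
        values = list(struct.unpack(">%dH" % (n // 2), pdu[2:2 + n]))
        return {"function": fc, "values": values}
    if fc == WRITE_SINGLE_REGISTER:
        address, value = struct.unpack(">HH", pdu[1:5])
        return {"function": fc, "address": address, "value": value}
    return {"function": fc, "data": pdu[1:].hex()}


# --- Modbus RTU ADU: slave address, PDU, CRC-16 sent low byte first ---------
def rtu_encode(slave: int, pdu: bytes) -> bytes:
    body = bytes([slave]) + pdu
    return body + struct.pack("<H", crc16_modbus(body))


def rtu_decode(frame: bytes) -> tuple:
    """Return (slave address, PDU); raise on a short frame or a bad CRC."""
    if len(frame) < 4:
        raise ValueError("RTU frame too short")
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc16_modbus(body) != crc:
        raise ValueError("CRC mismatch")
    return body[0], body[1:]


# --- Modbus TCP ADU: 7-byte MBAP header, then PDU; there is no CRC ----------
def tcp_encode(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    # MBAP: transaction id, protocol id (0), length of (unit id + PDU), unit id
    return struct.pack(">HHHB", transaction_id, MODBUS_TCP_PROTOCOL_ID,
                       len(pdu) + 1, unit_id) + pdu


def tcp_decode(frame: bytes) -> tuple:
    """Return (transaction id, unit id, PDU); raise on a malformed header."""
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != MODBUS_TCP_PROTOCOL_ID or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    return tid, uid, frame[7:]


def forge_tcp_reply(observed_request: bytes, values: list) -> bytes:
    """Illustrative helper (assumption, not from the paper): a sniffer that saw
    the request can inject a reply the master will accept, because the only
    fields the master matches on are the cleartext transaction and unit ids."""
    tid, uid, pdu = tcp_decode(observed_request)
    assert pdu[0] == READ_HOLDING_REGISTERS
    return tcp_encode(tid, uid, pdu_read_holding_registers_reply(values))


if __name__ == "__main__":
    # Constructed sample: master reads 10 holding registers from slave/unit 1.
    req_pdu = pdu_read_holding_registers(0, 10)
    print("RTU :", rtu_encode(1, req_pdu).hex(" "))        # 01 03 00 00 00 0a c5 cd
    tcp = tcp_encode(0x1234, 1, req_pdu)
    print("TCP :", tcp.hex(" "))                            # 12 34 00 00 00 06 01 03 00 00 00 0a
    fake = forge_tcp_reply(tcp, [0x0BB8] * 10)              # constructed register values
    print("fake:", describe_pdu(tcp_decode(fake)[2], from_master=False))
```

The RTU frame `01 03 00 00 00 0A C5 CD` is the textbook "read 10 holding registers from slave 1" request, so the CRC routine can be checked against any Modbus reference; the TCP frame carries the same PDU behind an MBAP header with transaction id 0x1234. The `from_master` flag exists because a read request (5 bytes) and a read reply (2 + 2N bytes) share a function code and cannot be told apart by the PDU alone; a sniffer therefore has to infer direction from the serial master/slave turn or from TCP port roles.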
Attack identification methodology
In general, attacks on Modbus systems and networks can be grouped into three categories: (i) attacks that exploit the Modbus protocol specifications, (ii) attacks that exploit vendor implementations of the Modbus protocols, and (iii) attacks that target the support infrastructure, which includes information technology, networking and telecommunications assets.
This paper considers attacks in the first category, i.e., attacks that are common to all Modbus systems and networks that conform to the
Modbus attacks
This section discusses attacks on the Modbus Serial and TCP protocols. To simplify the presentation, the attacks are divided into three groups: (i) attacks unique to the Modbus Serial protocol, (ii) attacks common to the Modbus Serial and TCP protocols, and (iii) attacks unique to the Modbus TCP protocol.
Table 1, Table 2 present the attack taxonomies for the Modbus Serial and TCP protocols, respectively. Modbus Serial attacks are designated by , where identifies the attack and denotes
Attack impact
Table 3 summarizes the impact of the twenty Modbus Serial attacks (59 attack instances). A total of twelve attack instances affect confidentiality—seven enable an attacker to obtain information about field devices, four impact communication links, and one affects messages.
Of greater concern are the eighteen attack instances that interrupt the master unit (3 instances), field devices (11), link operation (1) and message passing (3). Equally serious are the 23 attack instances that modify Modbus
Conclusions
Our detailed analysis of the Modbus Serial and TCP protocol specifications with respect to threats, control system targets and attack entry points has facilitated the identification of attacks and their categorization within attack taxonomies. The analysis of the protocols, while thorough, is certainly not comprehensive. Indeed, we believe that many attacks are yet to be theorized. Nevertheless, the numbers of attacks and attack instances discovered are much higher than expected. Even more
Acknowledgements
This work was partially supported by the Institute for Information Infrastructure Protection (I3P) at Dartmouth College, Hanover, New Hampshire, under Award 2003-TK-TX-0003 and Award 2006-CS-001-000001 from the US Department of Homeland Security.
References (8)
- SCADA: Supervisory Control and Data Acquisition (2004).
- DigitalBond, ...
- DigitalBond, Modbus TCP IDS signatures.
- Modbus IDA, MODBUS Application Protocol Specification v1.1a, North Grafton, Massachusetts, www.modbus.org/specs.php