Attack taxonomies for the Modbus protocols

https://doi.org/10.1016/j.ijcip.2008.08.003

Abstract

The Modbus protocol and its variants are widely used in industrial control applications, especially for pipeline operations in the oil and gas sector. This paper describes the principal attacks on the Modbus Serial and Modbus TCP protocols and presents the corresponding attack taxonomies. The attacks are summarized according to their threat categories, targets and impact on control system assets. The attack taxonomies facilitate formal risk analysis efforts by clarifying the nature and scope of the security threats on Modbus control systems and networks. Also, they provide insights into potential mitigation strategies and the relative costs and benefits of implementing these strategies.

Introduction

The Modbus protocol defines the message structure and communication rules used by process control systems to exchange supervisory control and data acquisition (SCADA) information for operating and controlling industrial processes [1]. Modbus’ open protocol specifications and TCP extension have contributed to its popularity, especially in the oil and gas sector, where it is the predominant control protocol for pipeline operations.

The Modbus protocol has two principal variants, Modbus Serial [6] and Modbus TCP [5]. In the Modbus Serial protocol, messages are transmitted between a master and slaves (field devices) over serial lines using the ASCII or RTU transmission modes. The newer Modbus TCP protocol provides connectivity within a Modbus network (master and its slaves) as well as for IP-interconnected Modbus networks (multiple masters, each communicating with possibly overlapping sets of slaves). The TCP variant enables a master to have multiple outstanding transactions and permits a slave to engage in concurrent communications with multiple masters.

Attacks on Modbus systems and networks can produce effects ranging from sporadic disruptions of field devices (sensors and actuators) to large-scale outages or even loss of control in the case of a spoofed master. The attacks can be grouped into three categories. The first category includes attacks that exploit the Modbus protocol specifications. The second category comprises attacks that exploit vendor implementations of the Modbus protocols. Attacks in the third category target the support infrastructure, which includes information technology, networking and telecommunications assets.

This paper considers attacks in the first category, i.e., attacks that are common to all Modbus implementations that conform to the protocol specifications [4], [5], [6]. The analysis focuses on the Modbus Serial and TCP protocols and presents the corresponding attack taxonomies. The primary targets include the master, field devices, serial communication links (Modbus Serial) or network communication paths (Modbus TCP). Four threats are considered: interception, interruption, modification and fabrication. Attack preconditions include the availability of a Modbus sniffer and/or packet injector. Avenues for attack include the master, field devices and serial communication links or network communication paths.

Our comprehensive analysis of Modbus has identified 20 and 28 attacks for the serial and TCP protocols, respectively. These attacks can be used to target Modbus assets in 59 and 113 distinct ways for the serial and TCP protocols, respectively. For reasons of space and sensitivity, it is not possible to discuss all the attacks in detail. However, representative attacks are discussed and the corresponding attack taxonomies are presented. The attack taxonomies provide insights into the nature and scope of security threats as well as strategies for securing Modbus systems and networks.

Section snippets

Modbus protocol

Originally formulated in 1979, the Modbus protocol is one of the oldest, but most widely used, industrial control protocols [4], [5], [6]. Modbus engages a simple request/reply communication mechanism between a control center and field devices. For example, a control center (master unit) might send a “read” message to a sensor (slave device) to obtain the value of a process parameter (e.g., pressure). Alternatively, it might send a “write” message to an actuator (slave device) to perform a
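The request/reply exchange sketched above, and the two framings introduced earlier (RTU over serial, and the MBAP-headed TCP variant with transaction identifiers), can be made concrete with a small decoder. The following is an added example written for this page; it is not code from the paper, from Modbus IDA, or from any vendor. It parses constructed Modbus TCP and Modbus RTU frames into their fields, verifies the RTU CRC and the MBAP length field, and runs a simple monitoring pass that flags every frame carrying a write function code, the class of message behind the modification and fabrication threats the paper catalogues. Function-code numbers and frame layouts follow the public Modbus Application Protocol specification; the sample frames, the function names `parse_tcp`, `parse_rtu`, `build_rtu`, `flag_writes` and `rtu_integrity_ok` are this example's own.

```python
"""Added example: minimal Modbus TCP / RTU frame decoder with a write-detection pass.
Illustrative code for this page, not from the paper or any Modbus implementation.
The sample frames at the bottom are constructed by hand, not captured traffic."""
import struct

# Function codes as defined in the public Modbus Application Protocol specification.
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
READ_FUNCTIONS = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
                  0x03: "Read Holding Registers", 0x04: "Read Input Registers"}


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS used by RTU framing (reflected polynomial 0xA001, initial value 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def parse_pdu(pdu: bytes) -> dict:
    """Decode the protocol data unit common to both framings: function code + data."""
    if not pdu:
        raise ValueError("empty PDU")
    fc = pdu[0]
    base = fc & 0x7F                       # high bit set marks an exception response
    info = {"function": fc, "exception": bool(fc & 0x80),
            "name": WRITE_FUNCTIONS.get(base) or READ_FUNCTIONS.get(base) or "other",
            "write": base in WRITE_FUNCTIONS}
    if info["exception"]:
        if len(pdu) >= 2:
            info["exception_code"] = pdu[1]
    # Read requests and single-item writes carry a 16-bit address and a 16-bit quantity/value.
    elif base in (0x01, 0x02, 0x03, 0x04, 0x05, 0x06) and len(pdu) >= 5:
        info["address"], info["value"] = struct.unpack(">HH", pdu[1:5])
    return info


def parse_tcp(adu: bytes) -> dict:
    """Modbus TCP ADU: 7-byte MBAP header (transaction id, protocol id, length, unit id) + PDU."""
    if len(adu) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, unit = struct.unpack(">HHHB", adu[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(adu) - 6:             # length counts unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    info = parse_pdu(adu[7:])
    info.update(framing="tcp", transaction=tid, unit=unit)
    return info


def build_rtu(unit: int, pdu: bytes) -> bytes:
    """Modbus RTU ADU: slave address + PDU + CRC-16 transmitted low byte first."""
    body = bytes([unit]) + pdu
    return body + crc16_modbus(body).to_bytes(2, "little")


def parse_rtu(adu: bytes) -> dict:
    if len(adu) < 4:
        raise ValueError("frame too short for address, function code and CRC")
    body, crc = adu[:-2], int.from_bytes(adu[-2:], "little")
    if crc16_modbus(body) != crc:
        raise ValueError("CRC mismatch: corrupted frame")
    info = parse_pdu(body[1:])
    info.update(framing="rtu", unit=body[0])
    return info


def rtu_integrity_ok(adu: bytes) -> bool:
    """True when the RTU CRC verifies. A CRC catches line noise only; it is not an
    authenticator, since anyone who can inject a frame can also compute its CRC."""
    try:
        parse_rtu(adu)
        return True
    except ValueError:
        return False


def flag_writes(frames):
    """Return (index, framing, unit, name) for each frame that changes device state.
    Neither framing carries a sender-authentication field, so the function code and
    unit id are all a passive monitor has to judge whether a write was expected."""
    flagged = []
    for i, (kind, raw) in enumerate(frames):
        info = parse_tcp(raw) if kind == "tcp" else parse_rtu(raw)
        if info["write"]:
            flagged.append((i, info["framing"], info["unit"], info["name"]))
    return flagged


# Constructed sample traffic (hand-built, not a real capture).
SAMPLE_FRAMES = [
    ("tcp", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),  # read 10 holding registers @0
    ("tcp", bytes.fromhex("0002 0000 0006 01 06 0010 1234")),  # write register 16 := 0x1234
    ("rtu", build_rtu(0x11, bytes.fromhex("05 00AC FF00"))),   # write coil 172 ON, slave 17
    ("tcp", bytes.fromhex("0003 0000 0006 01 04 0001 0001")),  # read 1 input register @1
]

if __name__ == "__main__":
    for hit in flag_writes(SAMPLE_FRAMES):
        print("write observed:", hit)
```

Running the module lists the two write frames (the TCP register write from the master to unit 1 and the RTU coil write to slave 17) and passes over the reads. The point a defender should take from the decoder is structural: the only integrity field in either framing is a CRC, and neither carries anything that identifies or authenticates the master, which is why the paper can treat its first attack category as applying to every specification-conformant implementation rather than to a particular vendor's product.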

Attack identification methodology

In general, attacks on Modbus systems and networks can be grouped into three categories: (i) attacks that exploit the Modbus protocol specifications, (ii) attacks that exploit vendor implementations of the Modbus protocols, and (iii) attacks that target the support infrastructure, which includes information technology, networking and telecommunications assets.

This paper considers attacks in the first category, i.e., attacks that are common to all Modbus systems and networks that conform to the

Modbus attacks

This section discusses attacks on the Modbus Serial and TCP protocols. To simplify the presentation, the attacks are divided into three groups: (i) attacks unique to the Modbus Serial protocol, (ii) attacks common to the Modbus Serial and TCP protocols, and (iii) attacks unique to the Modbus TCP protocol.

Tables 1 and 2 present the attack taxonomies for the Modbus Serial and TCP protocols, respectively. Modbus Serial attacks are designated by Sxy, where x identifies the attack and y denotes

Attack impact

Table 3 summarizes the impact of the twenty Modbus Serial attacks (59 attack instances). A total of twelve attack instances affect confidentiality—seven enable an attacker to obtain information about field devices, four impact communication links, and one affects messages.

Of greater concern are the eighteen attack instances that interrupt the master unit (3 instances), field devices (11), link operation (1) and message passing (3). Equally serious are the 23 attack instances that modify Modbus

Conclusions

Our detailed analysis of the Modbus Serial and TCP protocol specifications with respect to threats, control system targets and attack entry points has facilitated the identification of attacks and their categorization within attack taxonomies. The analysis of the protocols, while thorough, is certainly not comprehensive. Indeed, we believe that many attacks are yet to be theorized. Nevertheless, the numbers of attacks and attack instances discovered are much higher than expected. Even more

Acknowledgements

This work was partially supported by the Institute for Information Infrastructure Protection (I3P) at Dartmouth College, Hanover, New Hampshire, under Award 2003-TK-TX-0003 and Award 2006-CS-001-000001 from the US Department of Homeland Security.

References (8)

  • S. Boyer, SCADA: Supervisory Control and Data Acquisition (2004)
  • DigitalBond....
  • DigitalBond, Modbus TCP IDS signatures....
  • Modbus IDA, MODBUS Application Protocol Specification v1.1a, North Grafton, Massachusetts. www.modbus.org/specs.php,...
