Modbus Monitoring for Networked Control Systems of Cyber-Defensive Architecture
Information and Communications Technology
While the use of traditional Information and Communications Technology (ICT) security techniques (e.g. firewalls, antivirus software and intrusion detection systems) is effective for vulnerabilities in corporate networks, they do not address the attacks specific to process control networks. This is due to the intrinsic weakness of the communication protocols used in control networks, one of which is a Modbus system, to control and monitor field devices in critical infrastructure installations. Modbus was originally published in 1979 by Modicon (now Schneider Electric) as an open serial communication protocol for use with its programmable logic controllers (PLCs) . Modbus has since become the de facto standard due to its simplicity and robustness. Initial design of the Modbus protocol did not place a high priority on security and hence Modbus based control systems are susceptible to classical information security threats . Modbus neither encrypts traffic, nor verifies the integrity of messages or authenticates master and slave devices . Even with the vulnerability, the Modbus control network is still being popularly used in
process control systems. Furthermore, the Modbus control network is now connected through the Internet to corporate networks which allows remote access to the control network and thus to the control devices. This configuration of “no air gap” control network opens the door to exploitable vulnerabilities to the connected devices and poses a threat to not only the normal plant operation but also public safety .Even though Modbus was originally designed to work over a serial link like RS-232 or RS- 485, it has evolved to an application layer messaging protocol for client/server communication. Due to its request/reply architecture it allows IP packets to be embedded on it and connect devices on different networks. Modbus is an application layer protocol at layer 7 of the OSI model. It can therefore relay over a set of different protocols. In 1999 an open Modbus TCP/IP specification was released. Modbus Transmission Control Protocol (TCP) and Internet Protocol (IP) allows Modbus information to be passed to TCP where additional information is attached and given to IP . A typical Modbus network will have a RTU or other type of device that will be monitored or controlled using ModbusTCP/IP. Transmitting ModbusTCP messages introduces high levels of complexity in trying to ensure reliable delivery of control packets in a real-time process control environment. The limitations of Modbus can be exploited by hackers to create havoc on control systems in the form of attacks such as: Man-in-the-middle attack, Denial-of-service attack, Replay attack, and unauthorized command execution attacks. In countering the exploitable vulnerabilities of control network, an attempt was made previously in securing fail-safe or fail-operate of the control network even under compromised situations, by applying diversified defensive control architecture and operation-basis resiliency under compromised situation . The resilient control system comprises of an isolated duplicated controller in addition to the networked primary controller and a supervisor which monitors the two controllers and their control outputs. This new system architecture has shown great potential as a resilient control system against cyber-attacks and especially an attack using a legitimate control computer, after maliciously obtaining the credentials to the authorized computer, which is indeed legitimate to the control network and the devices of the network. However, the weakness of theproposed operation-basis defensive architecture is that, when the hacked device operates closely to its intended functions, even though the desired fail-operate and resiliency can be maintained, the presence of unauthorized remote access to the network cannot be detected.
