1 category
— Risks & Attack Vectors
(Module 7 · Security & Hardening – Protecting Industrial Systems)
Learning objectives
By the end of this chapter you will be able to …
- Explain why classic Modbus (RTU, ASCII, TCP) is insecure-by-design.
- Enumerate every major attack vector—passive snooping, active manipulation, DoS, and lateral pivoting.
- Map each vector to OSI layers and typical plant topologies (Purdue model).
- Recognise real-world consequences through documented incidents and red-team exercises.
- Prepare your environment for Chapters 22 & 23, where we implement layered mitigations and explore Modbus Secure (MBSec).
21.1 Why Modbus is inherently insecure
| Security property (CIA triad) | Native support in classic Modbus | Reality |
|---|---|---|
| Confidentiality (encryption) | ❌ None | Every byte plain-text on wire. |
| Integrity (tamper detection) | ❌ CRC/LRC only detects random line noise, not malicious edits. | Attacker can recalculate CRC in microseconds. |
| Authentication (who talks) | ❌ None | Anyone who can reach port 502 (or serial trunk) is “master”. |
| Authorisation (what actions) | ❌ None | Protocol cannot distinguish read vs write roles; everything allowed. |
| Replay protection | ❌ None | Old valid frames accepted indefinitely. |
Bottom line: Classic Modbus trusts the physical environment; once the attacker is “inside the wire”, the protocol provides no additional shields.
21.2 Threat model & attacker personas
| Persona | Skill / Access | Motive | Typical entry |
|---|---|---|---|
| Curious insider | Low – Med | Tweak set-point, bypass interlocks | Maintenance laptop on OT VLAN |
| Cybercriminal | Med | Ransomware, cryptomining via PLC backdoors | Compromised VPN credentials |
| Advanced adversary (APT) | High | Sabotage, espionage | Phish IT → pivot OT via flat network |
| Competition / disgruntled vendor | Med | Reduce line uptime | Service port in remote panel |
| Researcher / red-team | High | Demonstrate risk | Controlled engagement |
(Fig-21-1 placeholder: attacker personas wheel.)
21.3 Attack-surface map (layered)
| Layer | Vulnerability class | Example |
|---|---|---|
| Physical | Tap into RS-485 pair | Crocodile-clip probe under cable tray |
| Data-link / RTU | No frame authentication | Inject forged address 17 write |
| Transport / TCP | Default open port 502 | Shodan lists > 30 000 Modbus endpoints |
| Application | Unrestricted function codes | FC 16 writes PLC memory |
| Human-machine | Engineering station reuse login | Shared account “engineer/engineer” |
| System | Flat OT/IT VLAN | Lateral movement from Windows patch share |
(Fig-21-2 placeholder: Purdue model with attack arrows.)
21.4 Catalogue of attack vectors
21.4.1 Passive eavesdropping
- Goal: Harvest process IP, tag names, set-points → fuel spear-phishing or competitive intelligence.
- Method: SPAN port, Wireshark filter
modbus. - Impact: Leakage of P&ID values, recipe data, energy consumption—can break NDAs.
21.4.2 Unauthorised reads (industrial espionage)
- Any master can issue FC 03/04 to dump registers.
- Many devices expose firmware version, serial #, product code via FC 43/14.
21.4.3 Unauthorised writes
| Scenario | Attack | Consequence |
|---|---|---|
| PLC as motor controller | FC 06 to HR 40002 = 3 000 RPM | Mechanical over-speed |
| Burner management | FC 05 to Coil 00012 “Gas Valve OPEN” | Fire / explosion risk |
| Power-meter CT ratio | FC 16 multi-reg | Wrong billing, under-protection |
21.4.4 Replay attacks
- Capture valid “Start pump” frame ⟶ retransmit later; slave cannot tell old vs new.
- Mitigation requires out-of-band sequencing (Chapter 22).
21.4.5 Man-in-the-Middle (MitM)
- Compromised gateway rewrites HR 40010 “Level” from 78 % → 52 %, confusing operator into overfill.
- Very hard to spot without cryptographic signatures.
21.4.6 Denial-of-Service (DoS)
| Vector | Mechanics | Payload time |
|---|---|---|
| TCP SYN flood | Exhaust PLC socket table | Seconds |
| Serial frame flood | No T3.5 gap; slaves stay silent | Instant |
| Exception storm | Send illegal FC every ms; slave CPU 100 % | Variable |
| Broadcast write (ID 0) | All slaves process heavy FC 16 | Cable saturates |
21.4.7 Gateway pivot attacks
- Compromise Modbus/TCP gateway → gain RS-485 access behind air-gap.
- Often has default password (
admin/1234).
21.5 Documented incidents
| Year | Industry | Vector | Outcome | Reference |
|---|---|---|---|---|
| 2019 | Water utility, EU | Plain-text write to VFD speed | Pump cavitation; 3 h outage | Public CERT-EU brief |
| 2021 | Food processing | Mis-configured remote access + Modbus write | CIP (clean-in-place) temp set to 2 °C → bacterial risk | Vendor IR report |
| 2023 | Academic red-team on 1500 MW gas plant demo rig | SYN flood + broadcast FC 16 | Control network stuck 17 min | DEF CON ICS Village talk |
(Fig-21-3 placeholder: timeline graphic.)
21.6 Risk assessment matrix
| Likelihood | Impact | Vector examples | Risk rating |
|---|---|---|---|
| High | Low | Passive snoop | Medium |
| High | Medium | Unauth read/write small params | High |
| Medium | High | DoS, broadcast storm | High |
| Low | High | Safety-critical set-point overwrite | Critical |
| Medium | Critical | MitM + slow drift | Critical |
(Table 21-A: colour-coded heat map).
21.7 Detecting active attacks
| Indicator | Tool & filter | Baseline vs anomaly |
|---|---|---|
| FC usage spike (05/06/15/16) | Wireshark modbus.func_code in {5,6,15,16} | > 1 % of traffic |
| New source IP on port 502 | Zeek ids notice | None expected on OT VLAN |
| Broadcast frames (ID 0) | Serial tap decode addr 0 | Should be 0 % |
| Coil toggles > human max | Historian trend vs 10 Hz | Likely script attack |
| Strange Unit-ID values | Logs show ID 255, 111 | Gateway scan or fuzz |
21.8 Foundational mitigations (preview)
(Full hardening in Chapter 22)
- Network segmentation – move Modbus to isolated VLAN or physical link.
- Read-only firewall – block FC 05/06/15/16 by DPI.
- Gateway ACL – white-list master IP(s); drop everything else.
- Passive monitoring – PCAP ring buffer + alert on new FC.
- Firmware hygiene – patch gateways, change default creds.
21.9 Best-practice checklist (pre-hardening)
| ✔︎ | Immediate step |
|---|---|
| ☐ | Inventory every Modbus endpoint: IP/serial, firmware, function-code permissions. |
| ☐ | Disable unused serial ports; set slave addresses ≠ 1 if possible. |
| ☐ | Remove port 502 exposure on corporate firewall; require VPN. |
| ☐ | Begin baseline capture: 7 days of “normal” traffic for future anomaly detection. |
| ☐ | Train operators: recognise exception storms, slow drifts, and field physical tamper clues. |
Chapter recap
- Classic Modbus offers no encryption, authentication, or anti-replay, making it trivial to snoop, spoof, or sabotage.
- Attack vectors span from cable taps to SYN floods to subtle MitM value drifts.
- Real incidents prove consequences range from downtime to safety hazards.
- Detection relies on baselining and traffic inspection; full defence demands segmentation, filtering, and cryptographic wrappers (next chapters).
Assets to create
| ID | Visual / file |
|---|---|
| Fig-21-1 | Attacker persona wheel |
| Fig-21-2 | Purdue model attack-surface diagram |
| Fig-21-3 | Incident timeline |
| Table 21-A | Likelihood-impact heat map |
| Sample pcap | Broadcast write attack |
Next: Chapter 22 – Best Practices for Securing Modbus Implementations will build a defence-in-depth playbook: segmentation, firewalls, VPNs, deep-packet inspection, and SOC monitoring that turn today’s vulnerabilities into manageable, auditable residual risks.