Chapter 22 — A Defence-in-Depth Playbook
(Module 7 · Security & Hardening – Protecting Industrial Systems)
Executive summary
Modbus is inherently insecure (Chapter 21). The only sustainable defence is a layered architecture that assumes breach and still protects the process. This chapter supplies a field-tested blueprint—from cable tray to SOC dashboard—for transforming “flat, open 502” into a hardened, monitored, auditable infrastructure.
22.1 The seven security layers
| # | Layer | Goal | Typical controls |
|---|---|---|---|
| 1 | Physical | Prevent tap/tamper | Locked panels, tamper seals |
| 2 | Device | Minimise attack surface | Disable unused services, strong creds |
| 3 | Wiring / Serial | Limit who can talk on bus | Address discipline, RS-485 diodes |
| 4 | Network | Contain & filter traffic | VLANs, firewalls, DPI, VPN |
| 5 | Protocol | Authenticate + encrypt | TLS wrappers, MBSec, bump-in-wire |
| 6 | Operations | Detect & respond | IDS/IPS, SIEM, logs, baselines |
| 7 | Governance | Stay secure over time | Patch mgmt, change control, audits |
(Fig-22-1: onion diagram of seven layers)
22.2 Layer-by-layer hardening guide
22.2.1 Physical
| Best practice | Implementation tip |
|---|---|
| Lock every junction box | Abloy PL330 padlocks; unique grandmaster key |
| Seal RS-485 plugs | Tamper-evident heat-shrink marked with asset ID |
| CCTV on control panels | Edge recorder; 30-day retention |
ROI: Prevents “curious insider” attacks before cyber controls even come into play.
22.2.2 Device configuration
| Control | Example (Schneider M241) | Risk mitigated |
|---|---|---|
| Disable writes if device should be RO | Config → “Modbus Write Protection = Enable” | Unauthorised set-point |
| Change default creds | admin/admin → long passphrase | Gateway hijack |
| Turn off unused services | Disable web HMI & FTP | Lateral pivot via HTTP vuln |
| Firmware patch policy | 90-day SLA; test in staging cell | Known CVE exploitation |
Create an asset-owner checklist per device model (Appendix template).
22.2.3 Serial-bus protections
- Unique slave IDs – never reuse address 1 across loops.
- Guard diodes – Bourns SM712 transient suppressors at each node to defeat induced surge.
- Bus segmentation – ≤ 32 devices per loop; add isolated repeaters to compartmentalise faults.
- Write-lock DIP – many VFDs include hardware switch disabling EEPROM writes.
22.2.4 Network segmentation & firewalls
Purdue alignment
| Purdue level | Modbus recommendation |
|---|---|
| Level 0/1 (IO/Drives) | RS-485 only, no routable IP |
| Level 2 (Cell/PLC) | Modbus TCP VLAN per cell |
| Level 3 (Site operations) | Route-filtered → only needed masters |
| Level 4/5 (IT / Cloud) | No direct 502; go through DMZ broker |
(Fig-22-2: VLAN + firewall architecture)
Example Cisco configuration
```
! 1. Create OT VLAN
vlan 30
 name OT_CELL_A
! 2. Assign port
interface Gig0/2
 description "PLC 17 - OT_Cell_A"
 switchport access vlan 30
 switchport mode access
! 3. Inter-VLAN ACL (L3 switch)
ip access-list extended MODBUS_RO
 permit tcp host 10.0.3.100 10.0.30.0 0.0.0.255 eq 502 log
 deny tcp any any eq 502 log
 permit ip any any
! Apply the ACL "out" on the OT SVI: that direction matches traffic leaving the
! L3 switch towards VLAN 30, i.e. requests from other VLANs to the PLCs.
! Applied "in" it would only filter connections sourced by the PLCs themselves
! and the historian restriction would never take effect.
interface Vlan30
 ip access-group MODBUS_RO out
```
Outcome: only the historian 10.0.3.100 can reach port 502 in the cell; writes are still possible unless DPI is added (next section).
22.2.5 Deep-packet inspection (DPI) & function-code filtering
| Firewall / IDS | Feature | Config snippet |
|---|---|---|
| Palo Alto NGFW | App-ID modbus; add “coils-write” signature | threat -> vulnerability -> add rule -> action=reset-both |
| Snort/Suricata | Rule: drop when modbus_func in {5,6,15,16} | drop tcp any any -> any 502 (msg:"Block Modbus write"; modbus_func:15; sid:1000001; rev:1;) (Snort syntax; Suricata uses modbus: function 15;) |
| Fortinet 60F | Industrial DPI profile | Enable “Modbus Read Only” |
Tip: Don’t fully block FC 16 if you need recipes—whitelist by Unit-ID or IP.
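The policy in this section (drop FC 05/06/15/16 globally, whitelist FC 16 per Unit-ID or IP) can also be expressed in software, which is useful for a gateway or for testing a firewall rule set before deployment. The following is an added example, not code from the chapter or from any of the vendors named above; the allow-list entries, IP addresses and request frames are constructed.

```python
"""Modbus/TCP function-code filter (added example, not from the chapter).

Implements the read-only policy of 22.2.5 in software: parse the MBAP header
and PDU, drop write function codes 05/06/15/16 globally, and let an explicit
allow-list keyed on (source IP, unit ID) re-enable FC 16 for an asset that
needs recipe downloads. All addresses and frames below are constructed.
"""
import struct

WRITE_FCS = {5, 6, 15, 16}  # write coil, write register, write coils, write registers

# Constructed allow-list: the recipe server may use FC 16 against unit 1 only.
ALLOW = {("10.0.3.50", 1): {16}}

# Constructed request frames: MBAP (tid, proto=0, length, unit) followed by the PDU.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000A")          # FC 03, 10 regs from 0
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 0001")          # FC 06, reg 16 := 1
WRITE_MULTI = bytes.fromhex("0003 0000 0009 01 10 0010 0001 02 002A")   # FC 16, 1 reg := 42
MALFORMED = bytes.fromhex("0004 0000 0006 01")                          # truncated after unit ID


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the MBAP header and function code; raise ValueError on anything inconsistent."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    return {"tid": tid, "unit": unit, "fc": frame[7], "pdu_len": length - 1}


def decide(src_ip: str, frame: bytes) -> str:
    """Return 'allow' or 'drop' for one request under the read-only policy."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError:
        return "drop"  # malformed traffic never reaches the PLC
    if req["fc"] not in WRITE_FCS:
        return "allow"  # reads (FC 01-04 etc.) pass untouched
    if req["fc"] in ALLOW.get((src_ip, req["unit"]), set()):
        return "allow"  # per-asset exception, e.g. recipe download
    return "drop"


if __name__ == "__main__":
    cases = [("10.0.3.100", READ_HOLDING), ("10.0.3.100", WRITE_SINGLE),
             ("10.0.3.50", WRITE_MULTI), ("10.0.3.100", WRITE_MULTI),
             ("10.0.3.50", MALFORMED)]
    for ip, frame in cases:
        fc = frame[7] if len(frame) > 7 else "?"
        print(f"{ip:12} fc={fc!s:>3} -> {decide(ip, frame)}")
```

The allow-list is keyed on both source IP and unit ID, so a recipe server that is permitted to write to one drive behind a gateway cannot write to the other units on the same RS-485 loop; the length check rejects frames whose MBAP length disagrees with the bytes actually received, which is the same consistency check a DPI engine performs before matching on the function code.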
22.2.6 VPN & remote access
- Site-to-site: IPsec IKEv2 with pre-shared keys or certificates; restrict the tunnel to 502/TCP.
- User-to-site: WireGuard with MFA; the client script adds `/sbin/iptables -A OUTPUT -o wg0 ! -d 10.0.30.0/24 -j DROP` (assuming the tunnel interface is wg0; without the `-o` match the rule would also drop the tunnel's own encrypted packets to the gateway) to keep the laptop from roaming the IT VLAN.
- Disable split-tunnel.
Latency impact: < 2 ms on gig-link; < 40 ms on 4G.
22.2.7 Protocol-layer encryption — three approaches
| Approach | How | Pros | Cons |
|---|---|---|---|
| TLS proxy (“bump-in-the-wire”) | stunnel or HMS Ewon Cosy+; terminate TLS at each end, unwrap before the PLC | No PLC change | Needs gateway hardware; potential s/w licence cost |
| Native Modbus Secure (MBSec/TLS) | Draft spec 1.0 (2024); Modbus/TCP on port 802 | Mutual auth, X.509 | Few vendors; tool support emerging |
| SSH tunnel | ssh -L 502:plc:502 user@gw | Quick, free | Single session; key mgmt burden |
Certificate governance: 4096-bit RSA or 256-bit ECDSA; 1-year validity; automated renewal via SCEP or an offline CA; CRL distribution via a local web server.
22.2.8 Intrusion detection / prevention (IDS/IPS)
| Sensor | Placement | Rule pack |
|---|---|---|
| Zeek | SPAN off core switch Level 3 → DMZ | ICS-Modbus scripts (github.com/zeek/icsmodbus) |
| Suricata | Inline transparent bridge between OT VLAN and historian | Emerging Threats “industrial.rules” |
| Nozomi / Claroty | Dedicated appliance | Vendor proprietary ML + signatures |
Configure alert severity mapping:
- Write attempts to 4X (holding registers) on a safety PLC → Critical
- New master IP → High
- FC 43/14 (device-ID dump) → Medium
Forward to SIEM (Splunk, ELK) over syslog-TLS; store ≥ 1 year.
22.2.9 Monitoring & logging
| Metric | Target | Collection method |
|---|---|---|
| modbus.exception_rate | < 0.1 % of polls | Zeek counter → Prometheus |
| tcp.retransmissions | < 0.5 % | Wireshark tap / Zeek |
| plc_write_attempts_denied | 0 | Firewall log counter |
Grafana dashboards with traffic + exception overlay (Appendix sample JSON).
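The severity mapping of 22.2.8 and the exception-rate metric of 22.2.9 both derive from the same per-request log records, so one processing pass can produce SIEM alerts and dashboard metrics together. The following is an added example, not code from the chapter or from Zeek, Suricata or any vendor named above: it reads constructed, tab-separated log lines that loosely follow the shape of a Zeek modbus log (field layout, safety-PLC list, known-master baseline and addresses are all assumptions) and applies the chapter's three severities plus the 0.1 % exception-rate target.

```python
"""Alert severity mapping and health metrics over Modbus traffic logs.

Added example for 22.2.8 and 22.2.9 (not code from the chapter). Reads
constructed, Zeek-style tab-separated records and
  1. raises alerts with the chapter's severity mapping:
       write FC to a 4X (holding) register on a safety PLC -> Critical
       previously unseen master IP                          -> High
       FC 43 (device identification read)                   -> Medium
  2. computes modbus.exception_rate from exception responses and flags it
     when it exceeds the 0.1 % target.
Field layout (constructed, not Zeek's exact schema):
  ts, orig_h, resp_h, unit, func, exception ("-" when none)
"""
from collections import Counter

SAFETY_PLCS = {"10.0.30.17"}                  # constructed asset tag
KNOWN_MASTERS = {"10.0.3.100", "10.0.30.5"}   # constructed week-1 baseline
HOLDING_REG_WRITES = {6, 16, 22, 23}          # FCs that write 4X registers
EXCEPTION_RATE_TARGET = 0.001                 # < 0.1 % of polls

# Constructed sample log: historian polls, an HMI write, an unknown host probing.
SAMPLE_LOG = """\
1718000000.10\t10.0.3.100\t10.0.30.17\t1\t3\t-
1718000000.20\t10.0.3.100\t10.0.30.17\t1\t3\t-
1718000000.30\t10.0.30.5\t10.0.30.17\t1\t6\t-
1718000000.40\t10.0.9.77\t10.0.30.17\t1\t3\t-
1718000000.50\t10.0.9.77\t10.0.30.17\t1\t43\t-
1718000000.60\t10.0.3.100\t10.0.30.18\t1\t4\tILLEGAL_DATA_ADDRESS
"""


def parse_log(text: str) -> list:
    """Turn tab-separated records into dicts; comment and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig, resp, unit, func, exc = line.split("\t")
        records.append({"ts": float(ts), "orig": orig, "resp": resp,
                        "unit": int(unit), "func": int(func),
                        "exception": None if exc == "-" else exc})
    return records


def classify(records, known_masters=KNOWN_MASTERS, safety_plcs=SAFETY_PLCS):
    """Return (alerts, seen_masters); alerts are (severity, message) in log order."""
    seen = set(known_masters)
    alerts = []
    for r in records:
        if r["func"] in HOLDING_REG_WRITES and r["resp"] in safety_plcs:
            alerts.append(("Critical", f"write FC {r['func']} to safety PLC "
                                       f"{r['resp']} unit {r['unit']} from {r['orig']}"))
        if r["orig"] not in seen:
            seen.add(r["orig"])  # alert once per new master, then treat it as seen
            alerts.append(("High", f"new master IP {r['orig']} talking to {r['resp']}"))
        if r["func"] == 43:
            alerts.append(("Medium", f"device identification read (FC 43) "
                                     f"from {r['orig']} to {r['resp']}"))
    return alerts, seen


def exception_rate(records) -> float:
    """Share of polls that returned a Modbus exception (FC | 0x80)."""
    polls = len(records)
    return sum(1 for r in records if r["exception"]) / polls if polls else 0.0


def metrics(records) -> dict:
    """Dashboard-ready metrics with the chapter's threshold applied."""
    rate = exception_rate(records)
    return {"modbus.exception_rate": rate,
            "exception_rate_alert": rate > EXCEPTION_RATE_TARGET,
            "polls": len(records),
            "exceptions_by_code": dict(Counter(r["exception"] for r in records if r["exception"]))}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for sev, msg in classify(recs)[0]:
        print(f"[{sev}] {msg}")
    print(metrics(recs))
```

The "new master" rule alerts once and then adds the address to the seen set; in production the baseline would be persisted and reviewed rather than grown automatically, otherwise a rogue master becomes "known" after its first alert. Coil writes (FC 05/15) are deliberately not in HOLDING_REG_WRITES because the chapter's Critical rule is scoped to 4X registers; they are still blocked at the DPI layer of 22.2.5.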
22.3 Putting it all together — reference architecture
(Fig-22-3: full defence-in-depth diagram)
- Field devices (RS-485) → Hardened Modbus gateway (TLS proxy, FC filter).
- OT cell switch VLAN30, ACL blocks 502 except to Cell-HMI.
- Firewall Level-3/DMZ: DPI allows FC 03/04 only; VPN terminator.
- Level-3 historian queries read-only; writes require jump-host + MFA.
- IDS duplicate span; SIEM correlation rules; SOC 24 × 7.
Result: even if an attacker phishes a Level-3 engineer's laptop, they cannot write coils, and the SOC is alarmed on abnormal reads.
22.4 Implementation roadmap
| Week | Milestone | Stakeholders |
|---|---|---|
| 1 | Asset inventory & traffic baseline | OT, IT |
| 2 | VLAN carve-out & ACL prototype | Network |
| 3 | Deploy read-only DPI rules; monitor | OT, SOC |
| 4 | Roll VPN, deprecate open firewall pinholes | IT Sec |
| 5 | Harden devices (creds, disable writes) | Maintenance |
| 6 | TLS proxy pilot on 1 gateway | OT Eng |
| 7 | SOC rule tuning, incident drill | SOC, OT |
22.5 Best-practice checklist
| ✔︎ | Control |
|---|---|
| ☐ | No direct 502 from IT or Internet—VPN or DMZ only. |
| ☐ | DPI/firewall blocks FC 05/06/15/16 globally; whitelist per asset if needed. |
| ☐ | Every gateway & PLC has unique, non-default credentials. |
| ☐ | Certificates auto-renew; expired cert alert 14 days early. |
| ☐ | IDS monitors new Unit-ID or master IP and raises alarm. |
| ☐ | Exception and retransmission rates are graphed and alert at thresholds. |
| ☐ | Quarterly tabletop and cable-cut drills validate both cyber and physical controls. |
Chapter recap
- Segmentation + DPI + crypto delivers practical security even for 1979-era protocol designs.
- Controls must span physical to SOC; a single layer fails eventually.
- FC filtering and read-only rules stop 90 % of Modbus misuse without upgrading endpoints.
- TLS wrappers or upcoming MBSec close confidentiality & integrity gaps—plan certificate ops early.
- Continuous monitoring, patching and drills keep the defences healthy long after commissioning.
Assets to create
| ID | Visual / file |
|---|---|
| Fig-22-1 | Seven-layer security onion |
| Fig-22-2 | Purdue segmentation with VLAN & firewall |
| Fig-22-3 | Reference defence-in-depth architecture |
| Cisco/Fortinet/Palo rule cookbook | |
| Grafana JSON | Modbus security dashboard |
Next: Chapter 23 – Modbus Secure (MBSec) & Future Trends will examine the TLS-enabled official variant, migration paths, and emerging standards such as zero-trust gateways and IEC 62443 alignment.