Supervisory Control and Data Acquisition (SCADA) protocols are communications protocols designed for the exchange of control messages on industrial networks. Over the past three decades, several hundred of these protocols have been developed for serial, LAN, and WAN-based communications in a wide variety of industries including petrochemical, automotive, transportation, and electrical generation/distribution. SCADA MODBUS is the most widely used SCADA protocol. This article provides an overview of the MODBUS protocol and explains why it is also one of the most vulnerable to cyber attacks.

SCADA MODBUS is an application layer messaging protocol, positioned at level 7 of the OSI model. It provides client/server communication between devices connected to different types of buses or networks. It was developed and published by Modicon® in 1979 for use with its programmable logic controllers (PLCs). It is a method for transmitting information over serial lines between electronic devices. The device requesting the information is called the Modbus Master and the devices supplying information are Modbus Slaves. In a standard Modbus network, there is one Master and up to 247 Slaves, each with a unique Slave Address from 1 to 247. The Master can also write information to the Slaves.

The protocol’s simplicity and efficiency caused it to become the most widely used network protocol in the industrial manufacturing environment. It has been implemented by hundreds of vendors on thousands of different devices to transfer discrete/analog I/O and register data between control devices.

MODBUS/TCP is reachable over IP networks on the reserved system port 502 of the TCP/IP stack.
A simple request-reply scheme is used for all MBAP transactions. The client (also known as master) device initiates a request and the server (also known as slave) replies. For example, when a Human Machine Interface (HMI) workstation requires a value from a PLC it sends a request message to start the data transfer process. The PLC then sends a response providing the requested information. In this situation, the device running the HMI is acting as the client/master and the PLC is acting as the server/slave. Each message contains a function code that is set by the client/master and indicates to the server/slave what kind of action to perform. The function code is the number that tells the slave which table to access and whether to read from or write to that table.

Following a request, there are 4 possible outcomes from the slave:

  1. The request is successfully processed by the slave and a valid response is sent.
  2. The request is not received by the slave, therefore no response is sent.
  3. The request is received by the slave with a parity, CRC or LRC error. The slave ignores the request and sends no response.
  4. The request is received without an error, but cannot be processed by the slave for another reason. The slave replies with an exception response.

An example of an exception code:
02 - Illegal Data Address: the data address received in the query is not an allowable address for the slave, so the slave returns exception code 02.

SCADA MODBUS/TCP protocol vulnerabilities:

The MODBUS/TCP protocol and its implementations contain multiple vulnerabilities that could allow an attacker to perform reconnaissance activity or issue arbitrary commands.

  1. Lack of Confidentiality: All MODBUS messages are transmitted in clear text across the transmission media.
  2. Lack of Integrity: There are no integrity checks built into the MODBUS application protocol. As a result, it depends on lower layer protocols to preserve integrity.
  3. Lack of Authentication: There is no authentication at any level of the MODBUS protocol. One possible exception is some undocumented programming commands.
  4. Simplistic Framing: MODBUS/TCP frames are sent over established TCP connections. While TCP delivery is more reliable than UDP, its guarantee is not complete, which is a significant drawback for a control protocol.
  5. Lack of Session Structure: Like many request/response protocols (e.g. SNMP, HTTP) MODBUS/TCP consists of short-lived transactions where the master initiates a request to the slave that results in a single action. When combined with the lack of authentication and poor TCP initial sequence number (ISN) generation in many embedded devices, it becomes possible for attackers to inject commands with no knowledge of the existing session.

These vulnerabilities allow an attacker to perform reconnaissance activity on the targeted network. The first reconnaissance vulnerability exists because a SCADA MODBUS slave device returns Illegal Function exception responses for queries that contain an unsupported function code. An unauthenticated, remote attacker could exploit this by sending crafted function codes to carry out reconnaissance on the targeted network.

An additional reconnaissance vulnerability is due to multiple Illegal Address Exception responses generated for queries that contain an illegal slave address. An unauthenticated, remote attacker could exploit this vulnerability by sending queries that contain invalid addresses to the targeted network and gathering information about network hosts from returned messages.

Another vulnerability is due to lack of sufficient security checks in the SCADA MODBUS/TCP protocol implementation. The protocol specification does not include an authentication mechanism for validating communication between MODBUS master and slave devices. This flaw could allow an unauthenticated, remote attacker to issue arbitrary commands to any slave device via a MODBUS master.

The SCADA MODBUS/TCP protocol contains another vulnerability that could allow an attacker to cause a denial of service (DoS) condition on a targeted system.

The vulnerability is due to an implementation error in the affected protocol when processing Read Discrete Inputs request and response messages.

An unauthenticated, remote attacker could exploit the vulnerability by sending request or response parameters that contain malicious values for the data field option to a system that contains a vulnerable MODBUS/TCP implementation. The processing of the messages could trigger a DoS condition on the vulnerable system.

Another attack on Modbus uses a Modbus TCP packet that exceeds the maximum legal length.

Modbus TCP is a protocol commonly used in SCADA and DCS networks for process control. MODBUS limits the size of the PDU to 253 bytes so that the same frame can be sent on a serial line such as an RS-485 interface. Modbus TCP prepends a 7-byte MODBUS Application Protocol (MBAP) header to the PDU, and the MBAP header plus PDU is encapsulated in a TCP segment. This places an upper limit of 260 bytes on legal packet size.

An attacker creates a specially crafted packet longer than 260 bytes and sends it to a MODBUS client or server. If the client or server was programmed incorrectly, this could lead to a successful buffer overflow or a denial-of-service attack.
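As an added example (not code from the original article), the following Python parses a Modbus/TCP frame, enforces the 253-byte PDU and 260-byte frame limits described above, decodes exception responses such as 01 Illegal Function and 02 Illegal Data Address, and counts those exceptions per client as a simple detection for the function-code and address probing described earlier. The sample frames and IP addresses are constructed here and are not captured from any real device.

```python
import struct
from collections import Counter

MBAP_LEN = 7                      # transaction id (2), protocol id (2), length (2), unit id (1)
MAX_PDU = 253                     # PDU limit inherited from the serial line
MAX_FRAME = MBAP_LEN + MAX_PDU    # 260 bytes: the largest legal Modbus/TCP frame
EXCEPTIONS = {1: "Illegal Function", 2: "Illegal Data Address",
              3: "Illegal Data Value", 4: "Slave Device Failure"}

def parse_mbap_frame(frame: bytes) -> dict:
    """Validate one Modbus/TCP frame and decode its function code or exception."""
    if len(frame) > MAX_FRAME:
        raise ValueError(f"{len(frame)}-byte frame exceeds the {MAX_FRAME}-byte limit")
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short for an MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"unexpected MBAP protocol id {pid}")
    # the length field counts the unit id plus the PDU, so it must match the trailing bytes
    if length != len(frame) - 6 or length - 1 > MAX_PDU:
        raise ValueError(f"MBAP length field {length} is inconsistent with the frame")
    pdu = frame[MBAP_LEN:]
    info = {"tid": tid, "unit": unit, "function": pdu[0] & 0x7F, "exception": None}
    if pdu[0] & 0x80:             # exception response: function code with the high bit set
        code = pdu[1] if len(pdu) > 1 else None
        info["exception"] = (code, EXCEPTIONS.get(code, "Unknown"))
    return info

def flag_probing_clients(responses, threshold=3):
    """Return clients that received at least `threshold` Illegal Function (01) or Illegal
    Data Address (02) exceptions; responses is an iterable of (client_ip, frame)."""
    counts = Counter()
    for client, frame in responses:
        try:
            info = parse_mbap_frame(frame)
        except ValueError:
            continue              # malformed or oversized frames warrant their own alert
        if info["exception"] and info["exception"][0] in (1, 2):
            counts[client] += 1
    return {c: n for c, n in counts.items() if n >= threshold}

# Constructed sample traffic (hypothetical addresses, not captured from a real device).
READ_HOLDING = bytes.fromhex("000100000006010300000001")   # FC 03, start 0, quantity 1
EXC_ILLEGAL_FUNC = bytes.fromhex("000200000003018301")     # FC 03 rejected with code 01
EXC_ILLEGAL_ADDR = bytes.fromhex("000300000003018302")     # FC 03 rejected with code 02
OVERSIZED = struct.pack(">HHHB", 4, 0, 258, 1) + b"\x10" + b"\x00" * 256   # 264 bytes
SAMPLE_RESPONSES = [("10.0.0.5", EXC_ILLEGAL_FUNC), ("10.0.0.5", EXC_ILLEGAL_ADDR),
                    ("10.0.0.5", EXC_ILLEGAL_FUNC), ("10.0.0.9", EXC_ILLEGAL_ADDR),
                    ("10.0.0.9", OVERSIZED)]
```

Running `flag_probing_clients(SAMPLE_RESPONSES)` flags only 10.0.0.5, while the 264-byte frame is rejected by `parse_mbap_frame` before it is ever interpreted.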

Attacking IoT Systems Using Modbus

The easiest attack to use against Modbus is to simply sniff the traffic on a network, find the Modbus devices and then issue harmful commands to the Modbus devices.

Modbus/TCP has no security or encryption features, so it is easy to use Wireshark to gather information from packets of data that are on your network to and from a Modbus port on a device.

Read the contents of those packets. Since Modbus is not encrypted or secured in any way, the packets of information travel in plain text. Wireshark allows you to easily see what is contained within these packets. In this case, we are looking at the IP address of the BMS and at the IP address of the receiving Modbus device. We then see the Function Code of the request and with all this data, it becomes easy to identify the Modbus device and find its Modbus Register Map to identify its control command options.

Make the hack – once we have identified the device and its control commands via Modbus, there is no limit to what can be done to the device. You can simply begin to issue commands as if you were the BMS.

Secure SCADA MODBUS vulnerabilities

SCADA, CIS, ICS and similar MODBUS-based systems have always been the target of many types of cyber-attacks, and they are becoming increasingly vulnerable. The MODBUS communication protocol is a widespread communication standard in the critical infrastructure field. A proper solution is needed to protect our infrastructure by making communication over MODBUS secure, and so make SCADA systems more reliable.

Liron Benbenishti is an ICS/SCADA Cyber Security QA Engineer at Cyberbit