
CIAG Research Projects

Netfilter Extensions For Modbus/TCP

Principal Investigator: Venkat Pothamsetty

Project Description: Modbus/TCP is an open automation protocol used in a variety of SCADA, PLC, and industrial IO applications. Modbusfw is a Linux 2.4.x Netfilter Extension that permits filtering decisions (DROP, REJECT, etc.) based on application-layer values, allowing finer-grained access control than is currently possible by simply blocking TCP port 502.

Project Impact: One of the most important trends in industrial networking is the transition from proprietary to standards-based protocols and the accompanying adoption of commercial IT products. Windows-based PCs (often utilizing browser-based code such as Java and ActiveX) are replacing proprietary HMIs in SCADA, PLC, and distributed control system networks, and Ethernet, TCP/IP, wireless protocols are increasingly being used for data acquisition, device configuration and programming. Modbus/TCP is just one example of how an industrial protocol has been encapsulated within IP/UDP/TCP with only slight modification and with little to no concern for security. Because firewall and packet filters are often used to enforce policy within the network where policies could not be easily enforced on end devices or applications, we added support for Modbus/TCP to Linux Netfilter to determine the feasibility of adding fine-grained access controls for an automation protocol within general-purpose firewall devices.

Project Details: Like most automation protocols (regardless of their transport), Modbus/TCP has no built-in security mechanisms. The protocol has no means of authenticating or authorizing the initiator of a request. Assuming the end device is network accessible, malicious commands can be sent to it for a variety of objectives. To make matters worse, many of the end devices have no ability to perform packet filtering to even restrict which hosts may connect to the Modbus/TCP slave, let alone which specific Modbus/TCP message types they may send. Currently, the only reasonable solution is to filter via a firewall or router access control lists based on TCP port 502. This only permits or denies Modbus/TCP traffic from a given source to a given destination and provides no control over the type of messages that will be processed, and therefore the type of operations that the end device will perform. Depending on the security policy of the organization and the type of application, all hosts may be allowed to perform read operations from a given Modbus/TCP slave (permit function codes 0x01 through 0x04), a smaller number of hosts may be allowed to perform write operations, and only a select few devices can program the PLCs (deny function code 0x7E for Modicon PLCs). Our Netfilter extension makes this sort of fine-grained policy enforcement possible.
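The policy described above (reads for all hosts, writes for a subset, the Modicon programming code 0x7E only for a select few) is a function-code match on the Modbus/TCP application layer. As an added illustration that is not part of this page and not the modbusfw kernel code, the following Python sketch parses the MBAP header of a TCP payload to port 502, pulls out the function code of every Modbus ADU in the segment, and runs a Netfilter-style ordered rule table against the source address. The addresses, the rule table, the set of write function codes, and the sample frames are all constructed assumptions; only the read range 0x01-0x04 and code 0x7E come from the text. It goes slightly beyond the text by handling segments that carry more than one ADU, a case a real matcher has to cope with.

```python
import struct
from ipaddress import ip_address, ip_network

MBAP_LEN = 7            # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MODBUS_PROTOCOL_ID = 0  # the only value defined for Modbus/TCP

# Function-code groups. READ_CODES and 0x7E are from the project text; the
# write set is an assumption covering the common write function codes.
READ_CODES = frozenset(range(0x01, 0x05))
WRITE_CODES = frozenset({0x05, 0x06, 0x0F, 0x10})
PROGRAM_CODES = frozenset({0x7E})


def parse_adus(payload):
    """Split a TCP payload into Modbus/TCP ADUs and return their function codes.

    Returns None if any frame is malformed (wrong protocol id, length that does
    not fit the segment, or a frame too short to hold a function code).
    """
    codes = []
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < MBAP_LEN + 1:
            return None
        _tid, pid, length, _uid = struct.unpack('!HHHB', payload[pos:pos + MBAP_LEN])
        # The MBAP length field counts the unit id byte plus the PDU, so a
        # frame with a function code needs length >= 2.
        if pid != MODBUS_PROTOCOL_ID or length < 2:
            return None
        end = pos + 6 + length
        if end > len(payload):
            return None
        codes.append(payload[pos + MBAP_LEN])
        pos = end
    return codes


# Ordered rule table, first match wins, default DROP. All addresses are constructed.
RULES = [
    (ip_network('10.0.0.5/32'),  PROGRAM_CODES, 'ACCEPT'),  # engineering workstation
    (ip_network('0.0.0.0/0'),    PROGRAM_CODES, 'DROP'),    # deny 0x7E from anyone else
    (ip_network('10.0.0.10/32'), WRITE_CODES,   'ACCEPT'),  # one HMI may write
    (ip_network('10.0.0.0/24'),  READ_CODES,    'ACCEPT'),  # whole segment may read
]


def verdict(src, payload):
    """Decision for one TCP segment destined to port 502.

    Every ADU in the segment must be accepted by the rule table, otherwise the
    whole segment is dropped. Malformed frames are dropped. An empty payload
    (a pure ACK) carries no ADU and is accepted.
    """
    codes = parse_adus(payload)
    if codes is None:
        return 'DROP'
    src_ip = ip_address(src)
    for fc in codes:
        for net, allowed, action in RULES:
            if src_ip in net and fc in allowed:
                if action != 'ACCEPT':
                    return 'DROP'
                break
        else:
            return 'DROP'  # no rule matched this ADU: default deny
    return 'ACCEPT'


def build_adu(tid, unit, pdu):
    """Prepend an MBAP header to a PDU (used only to construct sample frames)."""
    return struct.pack('!HHHB', tid, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit) + pdu


# Constructed sample frames.
READ_HOLDING = build_adu(1, 1, struct.pack('!BHH', 0x03, 0x0000, 0x000A))  # read 10 holding regs
WRITE_SINGLE = build_adu(2, 1, struct.pack('!BHH', 0x06, 0x0000, 0x1234))  # write single register
PROGRAM_REQ = build_adu(3, 1, bytes([0x7E]))                                # Modicon programming
BAD_PROTO = struct.pack('!HHHBB', 4, 1, 2, 1, 0x03)                         # protocol id != 0

if __name__ == '__main__':
    for src, frame, label in [('10.0.0.20', READ_HOLDING, 'read'),
                              ('10.0.0.20', WRITE_SINGLE, 'write'),
                              ('10.0.0.10', WRITE_SINGLE, 'write from HMI'),
                              ('10.0.0.10', PROGRAM_REQ, '0x7E from HMI'),
                              ('10.0.0.5', PROGRAM_REQ, '0x7E from engineering host'),
                              ('10.0.0.20', READ_HOLDING + WRITE_SINGLE, 'read+write in one segment')]:
        print(f'{src:10} {label:28} -> {verdict(src, frame)}')
```

The segment-level decision matters: a Netfilter match sees TCP payloads, not Modbus requests, so a filter that only inspects the first function code in a segment could be bypassed by a request appended after an allowed one. Dropping the segment whenever any ADU fails the table keeps the policy conservative; a production matcher would also need to handle a Modbus frame split across two segments, which this sketch does not attempt.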

Project Deliverables:

  1. The project's open source implementation is at modbusfw.sf.net. Modbus Firewall is a Linux/Netfilter-based firewall which can filter on Modbus, a UDP-based SCADA protocol. It is the first implemented firewall for SCADA protocols, and we hope it will generate interest in the community and among the vendors.
  2. ModbusFW: Deep Packet Inspect for Industrial Ethernet, accepted for presentation at NISCC conference in London, May 2004.

Status: Completed