
SANS ISC InfoSec Handlers Diary Blog



Cyber Security Awareness Month - Day 22 port 502 TCP - Modbus

Published: 2009-10-22
Last Updated: 2011-01-30 04:33:58 UTC
by Adrien de Beaupre (Version: 1)

"Modbus Protocol is a messaging structure developed by Modicon in 1979. It is used to establish master-slave/client-server communication between intelligent devices. It is a de facto standard, truly open and the most widely used network protocol in the industrial manufacturing environment. It has been implemented by hundreds of vendors on thousands of different devices to transfer discrete/analog I/O and register data between control devices. It's a lingua franca or common denominator between different manufacturers. One report called it the "de facto standard in multi-vendor integration". Industry analysts have reported over 7 million Modbus nodes in North America and Europe alone." From: http://www.modbus.org/faq.php

Modbus was originally developed as a proprietary communication/command protocol for SCADA/Process Control systems. It has been carried over TCP/IP since 1999. There really isn't much to the protocol specification at all.

One of the first main issues with Modbus is that it was not designed to run on open networks; it was intended for dedicated lines, such as a serial connection, or a closed network. Ideally this is achieved through an airgap between the PCS network and the corporate IT network. It is, however, quite convenient to be able to monitor or even control these systems from a corporate desktop. The devices that communicate using Modbus are also typically not designed to sit on open networks, and often fail (crash or lock up) when subjected to a port or vulnerability assessment scan. There really isn't much to 'hacking' these devices: if you can talk to them, they do whatever you tell them to.

The Modbus protocol itself contains no security whatsoever: no authentication, no authorization and no integrity protection. If you can communicate directly with a Modbus server or client you can issue commands. This can be quite important depending on the function that the slave devices are performing. The only real choices, as mentioned previously, are to completely airgap Modbus from any other network, or to severely limit access to authorized masters.
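To make the two points above concrete (how little there is to the protocol, and that the only real control is restricting which hosts may talk to a slave), here is a small added example. It is not code from this diary or from modbus.org: it decodes a Modbus/TCP request (the 7-byte MBAP header plus the function code and data that follow), shows that no field in the frame identifies or authenticates the sender, and then applies the one mitigation the article offers, an allowlist of authorized master IP addresses, flagging write function codes separately. The two frames, the IP addresses and the allowlist are constructed sample values.

```python
"""Minimal Modbus/TCP request decoder with an authorized-master check.

Added example for the ISC diary above; not ISC or modbus.org code.
Frames, addresses and the allowlist below are constructed samples.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502

# Public function codes from the Modbus application protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
READ_FUNCTIONS = {1, 2, 3, 4}
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the MBAP header and the PDU behind it.

    MBAP = transaction id (2 bytes), protocol id (2 bytes, always 0 for Modbus),
    length (2 bytes, number of bytes following the length field), unit id (1 byte).
    Note what is absent: no credential, no session token, no integrity check.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, uid, frame[7], frame[8:])


def decode_pdu(req: ModbusRequest) -> dict:
    """Pull the address/count fields out of the common request types."""
    fc, d = req.function_code, req.data
    if fc in READ_FUNCTIONS and len(d) == 4:
        start, qty = struct.unpack(">HH", d)
        return {"start_address": start, "quantity": qty}
    if fc in (5, 6) and len(d) == 4:
        addr, value = struct.unpack(">HH", d)
        return {"address": addr, "value": value}
    if fc in (15, 16) and len(d) >= 5:
        start, qty, nbytes = struct.unpack(">HHB", d[:5])
        return {"start_address": start, "quantity": qty, "byte_count": nbytes}
    return {"raw": d.hex()}


def check_request(src_ip: str, frame: bytes, authorized_masters: set) -> tuple:
    """Apply the only control the protocol leaves us: who is allowed to talk.

    Returns (verdict, reason). The source IP comes from the IP layer, not from
    Modbus itself, which is exactly why an airgap or strict allowlist is needed.
    """
    req = parse_modbus_tcp(frame)
    name = FUNCTION_NAMES.get(req.function_code, f"function {req.function_code}")
    fields = decode_pdu(req)
    if src_ip not in authorized_masters:
        return ("ALERT", f"{src_ip} is not an authorized master; sent {name} "
                         f"to unit {req.unit_id} {fields}")
    if req.function_code in WRITE_FUNCTIONS:
        return ("NOTICE", f"write ({name}) from authorized master {src_ip} "
                          f"to unit {req.unit_id} {fields}")
    return ("OK", f"{name} from {src_ip} to unit {req.unit_id} {fields}")


# Constructed sample frames (hex): Read Holding Registers 0..9 from unit 1,
# and Write Single Coil address 19 to ON (0xFF00) on unit 1.
READ_FRAME = bytes.fromhex("00010000000601030000000a")
WRITE_FRAME = bytes.fromhex("00020000000601050013ff00")
AUTHORIZED_MASTERS = {"10.0.0.5"}  # constructed: the HMI that may poll the PLC

if __name__ == "__main__":
    for ip, frame in [("10.0.0.5", READ_FRAME),
                      ("10.0.0.5", WRITE_FRAME),
                      ("192.0.2.77", WRITE_FRAME)]:
        print(*check_request(ip, frame, AUTHORIZED_MASTERS))
```

Run it stand-alone and the third line is the case the article warns about: a host that is not an authorized master issuing a write, and nothing in the protocol to stop it. In practice the same logic belongs in a firewall rule or IDS signature on port 502 in front of the slave devices, since the devices themselves will not refuse the request.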

This brief article is just the tip of the iceberg for the Modbus protocol, and any discussion of Process Control, SCADA systems and security.

Additional reading:

http://www.digitalbond.com/wiki/index.php/Modbus

http://www.mudynamics.com/resources/collaterals/MODBUS-v3.pdf

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.


Truecrypt 6.3 released

Published: 2009-10-22
Last Updated: 2011-01-30 04:19:10 UTC
by Adrien de Beaupre (Version: 1)

From their version history notes:

  • Full support for Windows 7.
  • Full support for Mac OS X 10.6 Snow Leopard.
  • The ability to configure selected volumes as 'system favorite volumes'.

TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device).

More information here: http://www.truecrypt.org/docs/?s=version-history

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

Keywords: truecrypt