[OT Sec] 🛠 MODBUS: The Core Communication Language of OT Systems – From Structure to Security

MODBUS, one of the most widely used communication protocols in Industrial Control Systems (ICS), has become a core communication language in smart factories, water treatment facilities, power plants, and more. Its simplicity and versatility have made it a global standard. However, in today’s era of increasing OT security concerns, MODBUS is also known for its lack of built-in security features.

This article comprehensively covers the structure of MODBUS, the difference between RTU and TCP, and how to address related security risks using the ISA/IEC 62443 security framework.


1. What is MODBUS?

MODBUS is an industrial automation communication protocol developed by Modicon (now Schneider Electric) in 1979. As an open protocol, it can be freely implemented and is commonly used for data exchange between PLCs, sensors, HMIs, and SCADA systems.

  • Communication Structure: Master-Slave model (1 master controls multiple slaves)
  • Data Units: Coil, Discrete Input, Input Register, Holding Register
  • Transmission Modes: RTU, ASCII, and TCP/IP

2. MODBUS RTU vs. TCP/IP: Structural and Security Comparison

Category | MODBUS RTU | MODBUS TCP
Communication | Serial (RS-232/485) | Ethernet-based (TCP/IP)
Data Format | Binary (compact) | TCP/IP packet structure
Security Controls | Virtually none | Can apply firewalls, ACLs
Speed | Slower | Faster
Network Scope | Limited, isolated networks | Wide area, Internet-enabled

Threat Factors from a Security Perspective

Threat Type | MODBUS RTU | MODBUS TCP
Lack of Authentication | No user authentication | IP-based, no additional auth
Data Tampering | CRC check but can be bypassed | Vulnerable via TCP retransmission
Access Control | Easily bypassed if physically accessed | Open port 502 allows anyone
Spoofing | Slave address spoofing | IP/session spoofing possible

3. Security Mitigation via ISA/IEC 62443 Framework

ISA/IEC 62443 is an international cybersecurity standard for industrial automation systems, covering asset identification, threat analysis, requirement mapping, secure design, and maintenance.

Requirement ID | Description | MODBUS Mitigation Strategy
SR 1.1 | Prevent unauthorized access | Use authentication gateways or firewalls
SR 2.1 | User authentication & access control | Integrate with external authentication
SR 3.1 | Data integrity protection | Encrypt or tunnel communications (e.g., VPN)
SR 4.1 | Confidentiality assurance | VLAN segregation, DPI-based firewalls
SR 5.2 | Network boundary protection | Port 502 filtering, ACL configurations
SR 7.1 / 7.6 | Event detection / logging | Deploy OT IDS/IPS and protocol analyzers

Real-World Examples

MODBUS TCP Environment

  • Limit access to port 502, configure ACLs
  • Deploy DPI-enabled OT security appliances
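As an added example (not code from the original post or any product it mentions), here is the kind of check a protocol analyzer or DPI appliance applies to port 502 traffic: parse and validate the MBAP header, then alert on write function codes from hosts outside a write allowlist and on frames that fail validation. The IP addresses and frames are constructed for illustration.

```python
import struct

# Function codes from the public Modbus application protocol spec.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and the PDU of one Modbus TCP request.
    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1);
    the length field counts the unit id plus the PDU that follows it."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size")
    return {"transaction_id": tid, "unit_id": unit,
            "function": frame[7], "data": frame[8:]}

def scan(packets, allowed_writers):
    """Return alert strings for writes from hosts outside the allowlist and for
    frames that fail MBAP validation. packets: iterable of (src_ip, tcp_payload)."""
    alerts = []
    for src, frame in packets:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append(f"MALFORMED from {src}: {err}")
            continue
        fc = req["function"]
        if fc in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(f"UNAUTHORIZED WRITE from {src} to unit {req['unit_id']}: "
                          f"{WRITE_FUNCTIONS[fc]} (fc {fc})")
    return alerts

# Constructed sample traffic (hypothetical addresses): an HMI polling registers,
# the same HMI writing a setpoint, another host forcing a coil, and a frame
# whose MBAP length field does not match its actual size.
SAMPLE_PACKETS = [
    ("10.0.0.5",  bytes.fromhex("0001 0000 0006 01 03 0000 000A")),  # read 10 holding regs
    ("10.0.0.5",  bytes.fromhex("0002 0000 0006 01 06 0001 1234")),  # write register 1
    ("10.0.0.77", bytes.fromhex("0003 0000 0006 01 05 0000 FF00")),  # force coil 0 ON
    ("10.0.0.77", bytes.fromhex("0004 0000 0020 01 03 0000 0001")),  # length mismatch
]
ALLOWED_WRITERS = {"10.0.0.5"}  # only the HMI may issue write function codes

if __name__ == "__main__":
    for line in scan(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print(line)
```

In a real deployment the allowlist would come from the asset inventory built under ISA/IEC 62443, and the alerts would feed the OT IDS/IPS logging required by SR 7.1 / 7.6.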

MODBUS RTU Environment

  • Lock serial ports and log signals
  • Strengthen authentication on serial-to-Ethernet gateways

4. Summary: How Should We Approach MODBUS Security?

MODBUS remains a highly prevalent protocol in industrial environments. However, its lack of native security functions is a critical vulnerability. When ICS assets are connected to external networks or enabled for remote control, it’s essential to design and implement security controls based on the ISA/IEC 62443 framework.

✅ Any asset using MODBUS should be treated as a security target.

✅ Use ISA/IEC 62443 to determine the required Security Level (SL-C) and implement corresponding controls.

✅ Even in air-gapped environments, prepare for potential physical intrusions.
