Today is...
Thursday, January 18, 2018
Welcome to the Modbus Community, about
the world's leading automation protocol.
Virus infection via Modbus
Concerns about virus infection by Modbus communication

HI,

This question may seems naive but sometimes we have to look back to detect vulnerable points in the control system for virus threats!

Consider a control system which is connected to various package PLCs with individual Modbus links all using RS-485 physical layer and just transferring data by Modbus known commands.

Each PLC is connected to the control system by a dedicated Modbus module.

Question is: Can an infected PLC send virus via this Modbus link to the control system and infect it?

I have never heard of a PLC getting a Virus, but I have heard of the personal computer used as a Human Machine Interface being infected.

I don't know the answer but it's an interesting question.

>I have never heard of a PLC getting a Virus, ...

I may be wrong, but wasn't the Stuxnet virus one that propagated from PC to PC and when it found one that was connected to a Siemens PLC was able to download itself to the PLC and cause the PLC to not do it's job of control and protection properly?

I would have to say that in my personal opinion it would not be possible for a virus to travel from PC to PLC via MODBUS, simply because the command is primarily for communications, but can do some "simple" control functions. One would have to have a very good knowledge of how the MODBUS for a particular application was programmed in order to be able to send the proper commands at the proper times to cause mayhem, and unless it's a pretty sophisticated MODBUS communication link I think that would be very difficult, indeed. I don't think MODBUS can be used to change the program in a PLC like the Stuxnet virus did (if I'm recalling correctly). As for transmitting a virus via MODBUS, that seems a little far-fetched--but, as "they" say: Where there's a will--there's a way!

Just my two cents based on what may be a flawed memory and a 10,000 metre understanding of MODBUS. I don't believe MODBUS would be a viable method of downloading a malicious rootkit or bit of executable code. But, again, that's just my layman's understanding of the capabilities of MODBUS.

1 out of 1 members thought this post was helpful...

Modbus over serial isn't going to be vulnerable to any common virus or malware attack, as it isn't exposing anything a general purpose virus would recognize or care about. It is possible a particular implementation of Modbus driver might be vulnerable to attack, mostly via bugs--decoding a message type incorrectly exposing a buffer overrun for example. It would be very target specific, and very nearly pointless--it would require either the master or slave device to already be compromised, so your theoretical malware is already in a position to cause havoc anyway.

I'm more worried about the inclusion of telnet, ftp, ssh, and http services in ethernet connected equipment, particularly older stuff that never gets patches. Pretty much every industrial controls vendor out there is worried about it too, and stripping them out of their products wherever possible. There is also a new class of gateway devices coming out that plug in between your antique devices and the network, filtering out any potential attacks (or more mundane network issues like packet storms) while allowing protocols like Modbus TCP through.

1 out of 2 members thought this post was helpful...

For a control system to be infected via Modbus, the system would have to have features such that the control program or related software can be changed using Modbus registers.

I would be surprised if there are control systems that are programmable in a significant way via a Modbus interface.

It is possible for infected computer systems to reprogram PLCs (not necessarily using Modbus), read about Stuxnet for a very sophisticated example.

By Fred Loveless on 5 January, 2018 - 9:06 am

There are no aspects of the Modbus Serial Protocol that are used for programming, and the only devices that I have seen that allow configuration via register data are Power Meters and Temperature controllers. I have seen some level sensors as well.

Stuxnet was effective because it was able to manipulate the Siemens Server which integrates with the Step 7 programming software.

Ethernet devices are more likely to be vulnerable to attack, because they typically allow multiple connections, and you can be connected with a ladder software while it is running and communications with an HMI or SCADA system. I would suspect the most common attack would be to clear or reset the control so that it stopped processing. Manipulating the running program or changing it subtly for Malicious intent Would require a high level understanding of the controller and the running program. That type of attack would be very targeted and would most likely originate from someone within the facility.

By Jake Brodsky on 8 January, 2018 - 9:22 am
1 out of 1 members thought this post was helpful...

>Question is: Can an infected PLC send virus via this Modbus
>link to the control system and infect it?

For this to happen, three things need to be true:

First, what is the key switch on the PLC set to? Is it set to anything other than RUN? If it is, read on.

Second, does the protocol have the ability to upload and download application software (example: Relay Ladder Logic)? Modbus does have a read and write file function --but whether that file is the application software is implementation dependent.

Third, does the interface have the ability to act as both master and slave? Some may have that feature, but most do not. Even if the device has the ability to act as a master, the communications network may not be configured so that it can actually talk to anything other than the Master.

TL;DR:

Such attacks are very unlikely, but with enough feature-rich sloppiness, it might be conceivable. There are too many other concerns that take priority in ICS security before I'd bother spending time or effort on this sort of possibility.