Passive Scanning in Modbus Networks
This paper describes the design and implementation of a passive scanner for Modbus networks. The tool integrates packet parsing and passive scanning functionality to interpret Modbus transactions and provide accurate network representations. In particular, the scanner monitors Modbus messages to maintain and update state table entries associated with field devices. Entries in the state tables record important information including function codes, transaction state, memory access and memory contents. The performance and reporting capabilities of the passive scanner make it an attractive network troubleshooting and security tool for process control environments.
Keywords: Process control systems, Modbus protocol, passive network scanning
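As an added illustration, not code from the paper, the following Python sketch shows the state-table idea the abstract describes: it parses the Modbus/TCP MBAP header and PDU, pairs each reply with its request by transaction identifier, and updates a per-unit table of function codes seen, open transactions, memory accesses, holding-register contents and exception responses. Only function codes 3 (Read Holding Registers) and 6 (Write Single Register) are handled, and the frame builder and traffic are constructed here for the demonstration.

```python
import struct
from dataclasses import dataclass, field
@dataclass
class DeviceState:  # state table entry for one field device, keyed by unit id
    function_codes: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)       # tid -> (fc, addr, qty): open transactions
    holding_regs: dict = field(default_factory=dict)  # register addr -> last observed value
    accesses: list = field(default_factory=list)      # ("read"|"write", addr, qty)
    exceptions: list = field(default_factory=list)    # (fc, exception code)

def parse_mbap(frame: bytes):
    """Split a Modbus/TCP frame into (transaction id, unit id, function code, PDU data)."""
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    return tid, uid, frame[7], frame[8:]

class PassiveScanner:  # tracks FC 3 (Read Holding Registers) and FC 6 (Write Single Register)
    def __init__(self):
        self.devices = {}

    def observe(self, frame: bytes, from_master: bool):
        tid, uid, fc, data = parse_mbap(frame)
        dev = self.devices.setdefault(uid, DeviceState())
        dev.function_codes.add(fc & 0x7F)  # exception replies carry the request's fc with bit 7 set
        (self._request if from_master else self._reply)(dev, tid, fc, data)

    def _request(self, dev, tid, fc, data):
        if fc in (3, 6):
            addr, qty_or_val = struct.unpack(">HH", data[:4])
            qty = qty_or_val if fc == 3 else 1
            dev.pending[tid] = (fc, addr, qty)  # stays open until the matching reply is seen
            dev.accesses.append(("read" if fc == 3 else "write", addr, qty))

    def _reply(self, dev, tid, fc, data):
        req = dev.pending.pop(tid, None)  # pair the reply with its request by transaction id
        if req is None:
            return  # unsolicited reply: no state to update
        _, addr, qty = req
        if fc & 0x80:  # exception response: record it, memory is unchanged
            dev.exceptions.append((fc & 0x7F, data[0]))
        elif fc == 3:  # byte count followed by big-endian register values
            regs = struct.unpack(f">{data[0] // 2}H", data[1:1 + data[0]])
            dev.holding_regs.update(zip(range(addr, addr + qty), regs))
        elif fc == 6:  # reply echoes the address and the value written
            dev.holding_regs[addr] = struct.unpack(">HH", data[:4])[1]

def mbap_frame(tid, uid, fc, data):  # build a frame; used only for constructed sample traffic
    return struct.pack(">HHHB", tid, 0, len(data) + 2, uid) + bytes([fc]) + data
```

Feeding captured frames to `observe` with the direction of travel is enough to rebuild a device's register image and spot unanswered requests (entries left in `pending`) or unexpected function codes.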