Virus infection via Modbus

HI,

This question may seems naive but sometimes we have to look back to detect vulnerable points in the control system for virus threats!

Consider a control system which is connected to various package PLCs with individual Modbus links all using RS-485 physical layer and just transferring data by Modbus known commands.

Each PLC is connected to the control system by a dedicated Modbus module.

Question is: Can an infected PLC send virus via this Modbus link to the control system and infect it?
 
I have never heard of a PLC getting a Virus, but I have heard of the personal computer used as a Human Machine Interface being infected.

I don't know the answer but it's an interesting question.
 
Modbus over serial isn't going to be vulnerable to any common virus or malware attack, as it isn't exposing anything a general purpose virus would recognize or care about. It is possible a particular implementation of Modbus driver might be vulnerable to attack, mostly via bugs--decoding a message type incorrectly exposing a buffer overrun for example. It would be very target specific, and very nearly pointless--it would require either the master or slave device to already be compromised, so your theoretical malware is already in a position to cause havoc anyway.

I'm more worried about the inclusion of telnet, ftp, ssh, and http services in ethernet connected equipment, particularly older stuff that never gets patches. Pretty much every industrial controls vendor out there is worried about it too, and stripping them out of their products wherever possible. There is also a new class of gateway devices coming out that plug in between your antique devices and the network, filtering out any potential attacks (or more mundane network issues like packet storms) while allowing protocols like Modbus TCP through.
 
For a control system to be infected via Modbus, the system would have to have features such that the control program or related software can be changed using Modbus registers.

I would be surprised if there are control systems that are programmable in a significant way via a Modbus interface.

It is possible for infected computer systems to reprogram PLCs (not necessarily using Modbus), read about Stuxnet for a very sophisticated example.
 
>I have never heard of a PLC getting a Virus, ...

I may be wrong, but wasn't the Stuxnet virus one that propagated from PC to PC and when it found one that was connected to a Siemens PLC was able to download itself to the PLC and cause the PLC to not do it's job of control and protection properly?

I would have to say that in my personal opinion it would not be possible for a virus to travel from PC to PLC via MODBUS, simply because the command is primarily for communications, but can do some "simple" control functions. One would have to have a very good knowledge of how the MODBUS for a particular application was programmed in order to be able to send the proper commands at the proper times to cause mayhem, and unless it's a pretty sophisticated MODBUS communication link I think that would be very difficult, indeed. I don't think MODBUS can be used to change the program in a PLC like the Stuxnet virus did (if I'm recalling correctly). As for transmitting a virus via MODBUS, that seems a little far-fetched--but, as "they" say: Where there's a will--there's a way!

Just my two cents based on what may be a flawed memory and a 10,000 metre understanding of MODBUS. I don't believe MODBUS would be a viable method of downloading a malicious rootkit or bit of executable code. But, again, that's just my layman's understanding of the capabilities of MODBUS.
 
F

Fred Loveless

There are no aspects of the Modbus Serial Protocol that are used for programming, and the only devices that I have seen that allow configuration via register data are Power Meters and Temperature controllers. I have seen some level sensors as well.

Stuxnet was effective because it was able to manipulate the Siemens Server which integrates with the Step 7 programming software.

Ethernet devices are more likely to be vulnerable to attack, because they typically allow multiple connections, and you can be connected with a ladder software while it is running and communications with an HMI or SCADA system. I would suspect the most common attack would be to clear or reset the control so that it stopped processing. Manipulating the running program or changing it subtly for Malicious intent Would require a high level understanding of the controller and the running program. That type of attack would be very targeted and would most likely originate from someone within the facility.
 
J

Jake Brodsky

>Question is: Can an infected PLC send virus via this Modbus
>link to the control system and infect it?

For this to happen, three things need to be true:

First, what is the key switch on the PLC set to? Is it set to anything other than RUN? If it is, read on.

Second, does the protocol have the ability to upload and download application software (example: Relay Ladder Logic)? Modbus does have a read and write file function --but whether that file is the application software is implementation dependent.

Third, does the interface have the ability to act as both master and slave? Some may have that feature, but most do not. Even if the device has the ability to act as a master, the communications network may not be configured so that it can actually talk to anything other than the Master.

<b>TL;DR:</b>

Such attacks are very unlikely, but with enough feature-rich sloppiness, it might be conceivable. There are too many other concerns that take priority in ICS security before I'd bother spending time or effort on this sort of possibility.
 
A common question Hasseli.

Please read carefully the three replies I thumbs Up'ed (demigrog2, Fred Loveless and Jake Brodsky), they are spot on. Back after Stuxnet we had major newspapers and magazines with "Experts" and article titles stating "Virus in PLC". I corrected a few back then until I grew tired. :) Back then our survey showed over 90% did not know PLCs don't get viruses, computers do. (As Demi, Fred and Jake detailed for you.) I would just add <b>PLCs (micro-processors) do not, but HMI (computers) and PACs (computers) do</b>. Most secure operation is isolation, training... training, then industrial serial, industrial proprietary protocol (like DH+), then isolation industrial network (no connection to front office). Least secure... Cloud/internet connected and smart phone connected.

To see more detailed explanations, see https://bin95.com/Industrial-network-security.htm and http://plc-training.org/plc-network-to-hmi-scada.html

Hope this helps more.

<i>(Thanks Demi, Fred and Jake for education other visitors to this discussion.)</i>
 
I'd take exception to the statement that PLCs don't get viruses; no reason they can't. Most are just industrial PCs running a RTOS like Vxworks, realtime linux, or QNX. While general purpose viruses probably won't touch those platforms, the "advanced persistent threats" out there certainly do. Sometimes it is trivially easy--a lot of industrial devices still have SSH or Telnet ports open, and have hardcoded or simple defaults for root passwords. Too many people depend on airgaps, sometimes without knowing their airgap has been compromised and their PLC shows up on a simple port scan of the internet. Sad, but fortunately getting less common as the easy pickings are taken out by hackers and script kiddies.
 
Thread starter Similar threads Forum Replies Date
S Distributed Control Systems - DCS 0
R Cyber Security 11
D Cyber Security 4
A Cyber Security 0
S Cyber Security 0
Top