Cyber resilience act implications for Modbus RTU

Most Modbus devices doesn't have any encryption by default since its a simple DATA exchange between 2 devices.
The slave doesn't know who the master is, if a hacker has access to your Modbus network, he can behave like master and gain full control of any of your Modbus slave devices. (Remember STUXNET ??)

If you need more compliant one then switching to OPC UA is the most preferred way in the industry.
 
Modbus RTU is a serial protocol developed before external data security regimens existed. It does not have a structure that would support attainment of CRA compliance. Since the core data mechanisms are similar, Modbus/TCP on Ethernet faces similar compatibility issues to cybersecurity requirements. The briliance and success of these protocols relates to early origination in the market, simplicity, openness, and near ubiquitous support across vendors. The market would need solutions to encapsulate or emulate them within a secure shell to continue future viability.
 
Without knowing the details of the law/rule, it is very likely users will be forced to upgrade their RTU devices over to Modbus TCP.

Uses the same RTU packet, but encapsulated in a TCP packet which is secure.

There are already PLENTY of adapters for legacy instruments.

OR.....

They force everyone to use EtherNet/IP for everything lol
 
Top