Virus Infection via serial Modbus

R

Thread Starter

Rob Burghard

Is it possible for an infected powermeter being the Modbus slave to infect its master via a serial connection? Assume that the powermeter was pre-infected by a PC when it was programmed via a Modbus over TCP/IP connection. Then is was installed in the plant en connected to a master via the serial bus.
 
With all bus connections there is always a possibility one device infects an other, but in this case i believe the risk is as good as impossible.

Power meters in general do have a microcontroller, but they are not PC's with operating systems vulnerable to viruses.

Modbus is a master slave protocol, so the master has to request certain registers, the slave responds and then the master will write the received data in dedicated registers. Even tough Modbus can be used to read and write bytes of code it is generally used to exchange bytes of data.
 
R

Rob Burghard

Thank you. Perhaps my question wasn't clear. Let's say this powermeter has an infected OS. Can the virus then be transferred over the serial RS485 bus to the master?
 
If you suspect an infected powermeter transfers a virus to your PC over the serial line using Modbus, I think you have to fire your programmer or use software on your PC from a reliable supplier. If you are really in control over the master communication on the PC the risk is not existing.

Assuming you are using third party software on the PC to communicate with the power meter, this software will use easier ways to infect your PC instead of loading this code from the powermeter.
 
R

Rob Burghard

Thank you. Can we conclude then in general that it is impossible for a Modbus master to get a virus via a SERIAL line from an infected slave?
 
Is this a hypothetical question? If you've got an infected powermeter I'd love to know more details.

There's a prior discussion on this subject already (use search), but it boils down to whether you're talking about a general threat or specific threat. No general malware is going to be able to jump across a modbus link, but there is a chance that an attack designed specifically for a particular Modbus master could do it--if there is a nasty bug or two in its software, and you've got a motivated attacker that knows your system well.
 
L

Luca Gallina

trying to shed some light:

1. a Modbus Master polls for DATA.

2. the Modbus Slave (regardless if infected or not) will reply with DATA

3. the Modbus Master will receive the DATA and will store it within its DATA memory (not program memory).

All that said, an improbable infected power meter will just send wrong DATA values, not code nor instructions.
I would say that there are no "virus" that can harm your Master on a serial line.
 
F

Fred Loveless

It is possible but highly improbably that a virus could be passed up to the PC from the slave. The master would have to be poorly written and allow it to process malformed packets from the slave that could over write protected memory areas allowing the virus to then propagate on the PC.

The more likely result of an infected meter would be incorrect data. Mostly effecting any process loops in the meter or causing the master to take actions that are detrimental to the process monitored by the meter.

You are more susceptible to having the packet hijacked and manipulated on its way from the meter to the master especially if you are going through a gateway.

These types of attacks require an inside knowledge of the meters and the process that they are used in.
 
It isn't that simple. Depending heavily on what programming language, processor, OS, and libraries are involved, malformed data can certainly be used as an attack vector.

For example, passing an address out of range in a write register command could easily attack a modbus driver running on a 16-bit microcontroller--if the developer is an idiot and didn't check the address against the valid range. I've seen plenty of that kind of vulnerability in older devices though.

Even on a PC based Modbus master you can't rule out an attach without actually auditing the code for vulnerabilities--which is certainly done for many devices, but not all (good vendors use static code analysis, code reviews, and independent security audits). Buffer overruns are the usual culprit, or attacks on specific logic bugs in the processing of the modbus frame.

All that said, we're taking <i>possible</i> here, not <i>likely</i>. There has to both a vulnerability and a determined attacker. We're talking stuxnet level APTs here, where the modbus link is just one of hundreds of vectors the attacker is evaluating for a particular target. They'll use it if they can, move on to other components of the system if not.
 
R
Thank you!

The question is a very fundamental but real one: Can an infected Modbus slave infect its master also via a serial connection? I know that via an IP-connection it's possible.
 
Hi Rob,

Your question requires more detail and analysis than you probably thought going into it. My short answer is "It depends, but it's possible but not likely".

First, a normal computer virus written for a Windows based system will not traverse a serial based MODBUS link. Things like Conficker, or WannaCry, or something that was originally built for a Windows system just isn't built with the capability to zip over a non-TCP/IP connection.

Second, threats to serial based protocols are generally based on two conditions: 1) the capability of the protocol to do other functions that could be leveraged to attack and 2) the potential that poor construction of the software involved might allow additionally functionality that was never intended. MODBUS serial doesn't have capability in the protocol to do additional functionality that could be directly used infect a 'master' system, so you're reasonably safe there. There may be protocol extensions your meter may use that are NOT standard MODBUS (such as MODBUS strings, report by exception, or modbus file transfer) that might make certain scenarios possible. I recommend reading your manual there.

For the poor construction of software piece, there are several different packages of software used for processing MODBUS Serial. There have been efforts to test these protocol stacks for common cyber vulnerabilities, but nothing formal and nothing standard. This is basically your faith in your vendor at this time. I can tell you that I've seen reports of DNP3 slaves having influence over certain DNP3 masters because of poor construction, but not in MODBUS.

Where I hesitate is where I see you trying to claim 'impossible' for it to traverse. Just because MOST viruses won't traverse a MODBUS Serial link doesn't mean there isn't a virus out there (or one that has yet to be written) that could do it. This is the same engineering argument about buildings being impossible to blow over, or bridges being impossible to fall down, or boats being impossible to sink.... Eventually, nature may throw you a curveball in the form of a wind outside of design, or a load that wasn't anticipated, or a bigger iceberg.

Computer security is even more fun because behind every virus is a human(s) who built it specifically to overcome obstacles. It's not out of the realm of possibility that a human would build a virus that transmits over MODBUS serial, I've some zany things in my 13 years doing cyber security for industrial systems.

So, basically, trying to make something possible/impossible isn't a good engineering argument. What is better is that you define what you are concerned about, what the consequences of failure are, build the system with appropriate components, and then monitor for changes to those preconditions (such as a notification of MODBUS Serial viruses). I currently don't know of any active threat of infection from MODBUS serial connections right now. That could change.

And lastly, if you work in a specific industry you may have requirements about digital interactions you have to adhere to. I won't go into these, but if you're in a nuclear, chemical, or other highly regulated place, you may have specific requirements to follow.

>Is it possible for an infected powermeter being the Modbus
>slave to infect its master via a serial connection? Assume
>that the powermeter was pre-infected by a PC when it was
>programmed via a Modbus over TCP/IP connection. Then is was
>installed in the plant en connected to a master via the
>serial bus.
 
W
I think that it would be fair to say that a Modbus master it is unlikely get a virus from a serial Modbus slave using standard serial Modbus. This does not necessarily let the Modbus Master or slave off the hook from cybersecurity. Vigilance in all digital transmissions is important, even in systems you think are secure. If the standard Modbus is modified to provide other features, this may open the door for a virus as could a poorly constructed Modbus Master program. Any added features should be evaluated to see if they open the door for a cyber attack (file transfers and function codes that allow large numbers (buffer overfill) are potential candidates). Testing the Modbus system at the limits of transmitted data probably is a good idea.

The original Modbus also included function codes to allow programming of slaves, which could allow reprogramming of some legacy Modbus slaves if the master has a virus or if there are multiple slaves, then a slave could also do it. A virus most likely in a slave could send the master incorrect information, which if not recognized, could cause problems.

William (Bill) L. Mostia, Jr. PE
ISA Fellow, FS Eng. (TUV Rheinland)
WLM Engineering Co.

"No trees were killed to send this message, but a large number of electrons were terribly inconvenienced." Neil deGrasse Tyson

Any information is provided on a Caveat Emptor basis.
 
Thread starter Similar threads Forum Replies Date
S Distributed Control Systems - DCS 0
H Cyber Security 8
D Cyber Security 4
A Cyber Security 0
S Cyber Security 0
Top