2023 IEEE Conference on Standards for Communications and Networking (CSCN)

Securing Modbus TCP Communications in I4.0: A Penetration Testing Approach Using OpenPLC and Factory IO

979-8-3503-9538-9/23/$31.00 ©2023 IEEE | DOI: 10.1109/CSCN60443.2023.10453119

George Lazaridis, Information Technologies Institute (ITI), Centre for Research & Technology Hellas & International Hellenic University, Thessaloniki, Greece, [email protected]

Anastasios Drosou, Information Technologies Institute (ITI), Centre for Research & Technology Hellas, Thessaloniki, Greece, [email protected]

Periklis Chatzimisios, International Hellenic University, Greece & University of New Mexico, USA, [email protected]

Dimitrios Tzovaras, Information Technologies Institute (ITI), Centre for Research & Technology Hellas, Thessaloniki, Greece, [email protected]

Abstract— The advent of Industry 4.0 has brought forward transformative advancements in industrial automation and control systems, enhancing operational efficiency and productivity. Among the key communication protocols facilitating this paradigm shift, Modbus TCP is a widely adopted protocol for real-time data exchange between devices in industrial environments. However, the proliferation of interconnected devices also raises significant cybersecurity concerns. The current paper presents a comprehensive penetration testing approach aimed at securing Modbus TCP communications within the context of Industry 4.0. Leveraging the capabilities of software platforms such as OpenPLC and Factory IO, we simulate industrial control systems to assess the vulnerabilities and weaknesses present in Modbus TCP implementations. By proactively addressing Modbus TCP security issues, our research work contributes to the safeguarding of critical infrastructure and underscores the importance of cybersecurity in the Industry 4.0 era.

Keywords—Industry 4.0, Modbus TCP, penetration testing, simulation, cybersecurity, PLC

I. INTRODUCTION

In an era marked by the convergence of Information Technology (IT) and Operational Technology (OT) in the scope of Industry 4.0 (I4.0), the industrial landscape has witnessed unprecedented transformations. Industrial Control Systems (ICSs), once isolated and proprietary, have now become interconnected and increasingly reliant on standard networking protocols. Among these, Modbus TCP stands as a prominent choice for communication within industrial systems, offering efficiency and flexibility. However, the integration of Modbus TCP into the fabric of critical infrastructure has not come without its cybersecurity challenges.

The proliferation of interconnected devices and the advent of the Industrial Internet of Things (IIoT) have expanded the attack surface of industrial environments, rendering them susceptible to a spectrum of cyber threats. Securing Modbus TCP communications is of paramount importance, as any security compromise could lead to severe consequences, including unauthorized access, data manipulation and system downtime. Thus, it is imperative to thoroughly evaluate the security posture of Modbus TCP implementations in industrial systems.

The current research paper embarks on a journey to address the pressing need for enhanced cybersecurity in industrial systems. Leveraging the power of penetration testing, we explore the vulnerabilities and potential attack vectors that may threaten Modbus TCP communications. To conduct this research, we employ a robust, comprehensive but semi open-source testing software environment consisting of OpenPLC, Factory IO, pfSense and Kali Linux. Through this approach, we aim to assess the security landscape of Modbus TCP in industrial settings, identify weaknesses and propose a penetration testing strategy, with the ultimate goal of further researching the automation of the penetration testing process by introducing Machine Learning (ML) techniques in order to simplify the whole procedure. With this approach, we endeavour to contribute to the protection of critical infrastructure, ensuring its resilience against evolving threats.

The rest of the paper is organized as follows: Section II presents background information on Modbus TCP penetration testing together with the related work. Section III analyzes the industrial simulation environment, presenting all aforementioned tools that are jointly utilized. Section IV illustrates the conducted penetration testing procedures, taking advantage of the earlier-mentioned testbed, and lists the findings, while Section V concludes the performed work and proposes potential future directions.

II. BACKGROUND AND RELATED WORK

The discussion about security for ICSs, particularly of Modbus TCP communications, has garnered significant attention in recent years due to the growing interconnectivity of industrial devices and the potential risks associated with cyberattacks on critical infrastructure. A wealth of research and practical solutions has emerged to address the unique security challenges posed by Modbus TCP and similar protocols. More specifically, authors in [1] demonstrate the potential of misuse-based Intrusion Detection Systems (IDSs) to detect and prevent attacks on Modbus/TCP-based Industrial Automation and Control Systems (IACSs). The proposed
approach is simple to implement and can be used to detect a wide range of attacks. Nevertheless, the authors of the work in [2] present a novel and effective approach to securing industrial communication protocols. This proposal, based on a widely used protocol, addresses several key security vulnerabilities and can be used to protect ICSs from various attacks.

Previous research efforts have delved into the security assessment of Modbus TCP in industrial settings. Notable studies have conducted vulnerability assessments, penetration tests and threat modelling to uncover weaknesses and potential attack vectors. These assessments have revealed weaknesses of unauthorized access, command injection and data manipulation, and the need for advanced security. Authors in [3] present an approach for testing the security of Modbus TCP devices. The proposed tool, namely MTF, can easily be used to find a wide range of security vulnerabilities and by organizations to improve the security of their IACSs. On the other hand, authors in [4] propose a combined AI-based detection and SDN-based mitigation solution to defend the IIoT against Modbus TCP threats, while in [5] authors propose a novel method for enhancing the cybersecurity of Modbus TCP-based IACSs by implementing an authentication method based on Message Authentication Codes (MACs).

Penetration testing has also emerged as a crucial tool in assessing the cybersecurity of industrial systems. Researchers and practitioners have employed penetration testing methodologies to identify vulnerabilities in critical infrastructure components, including Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs) and Human-Machine Interfaces (HMIs). These assessments have provided valuable insights into the security of industrial environments, emphasizing the significance of rigorous testing and security audits. The authors in [6] investigate methods to secure RTUs in smart grid systems. RTUs are the building blocks of smart grids and are responsible for collecting and transmitting data from field devices to central control systems. However, RTUs are also vulnerable to a variety of cyberattacks, which could disrupt or disable the smart grid. Going one step further, researchers have already studied the possibility of integrating Artificial Intelligence (AI) into the process of penetration testing in order to make it more automated, smarter and less time consuming. For this reason, authors in [7] present a comprehensive overview of the state of the art, the benefits and the research challenges of AI-enabled IoT penetration testing.

The use of industrial simulation environments, such as OpenPLC and Factory IO, has gained prominence for evaluating ICS security. These platforms enable researchers to create realistic industrial scenarios, replicate system configurations and conduct controlled experiments. Studies have demonstrated the effectiveness of such environments in assessing the security of industrial protocols, making them invaluable tools for security researchers. An example of a developed industrial testbed is presented in [8], where authors describe a novel testbed for cybersecurity analysis of Nuclear Power Plants (NPPs). The testbed is open-source and based on the Modbus protocol. It can be used to simulate a realistic NPP environment and to test the security of ICS devices and networks. Besides the aforementioned testbed, authors in [9] survey a wide range of ICS testbeds, including testbeds that are developed by academia, industry or government agencies, focusing on the increasing use of open-source software and hardware, the increasing use of cloud computing to deploy and manage these testbeds and finally the increasing use of AI and ML to improve the effectiveness of ICS testbeds.

III. SIMULATION ENVIRONMENT

One of the most significant challenges in the industrial cybersecurity sector is the prohibitive cost of purchasing the devices, together with any software licensing, required to gain practical experience working with OT systems and processes. Virtualization is an excellent method to overcome this obstacle and start becoming familiar with the protocols and characteristics of the ICS world with only a relatively small initial cost.

Fig. 1. Physical architectural diagram of simulated environment

Figure 1 depicts the simulated industrial environment that consists of the following components, all of which were installed on a Windows 11 host machine (Intel Core i5-6600 CPU @ 3.30GHz, 40GB RAM, 2x 1TB SSD), either as Virtual Machines (VMs) or straight installations on the host:

• pfSense: Software for simulating the network equipment
• SCADABR: Software for simulating the HMI
• OpenPLC: Software for simulating the PLC
• OpenPLC Editor: Complementary software in order to program the PLC activities
• Factory IO: Software for simulating the RTU (driver) and the sensors & actuators (scene)
• Kali Linux: Operating System (OS) simulating the malicious actions against the Modbus TCP simulation environment

A. pfSense

pfSense is an open-source, FreeBSD-based firewall and routing software that has gained significant popularity in the field of network security and management. It was initially developed as a fork of the m0n0wall project [10] in 2004 and has evolved into a robust and versatile solution for a wide range of networking needs. With flexibility and scalability, it suits businesses, schools and individuals. pfSense boasts a rich feature set that caters to diverse network requirements. Core features include NAT, VPN and traffic shaping, managed via an intuitive web interface. pfSense excels at Quality of Service (QoS) for bandwidth optimization and supports packages like IDS/IPS, content filtering and proxy services. In the context of our testbed, pfSense runs in a VM and creates two network interfaces, as depicted in Figure 2.
B. SCADABR

SCADABR, a versatile open-source SCADA system, aids real-time process monitoring. Its web interface, historical data and customizability attract users for cost-effective SCADA solutions. In our testbed, the system runs on a separate Ubuntu Server VM, connected via pfSense's network interface.

C. OpenPLC

OpenPLC, a flexible open-source PLC platform, aids industrial automation. It supports diverse hardware, languages and protocols, plus simulation. The test system runs on an Ubuntu Server VM and is connected to pfSense and SCADABR for seamless communication.

D. OpenPLC Editor

OpenPLC Editor is an Integrated Development Environment (IDE) for OpenPLC, streamlining control logic program creation and management. It simplifies design and deployment for automation engineers. This software tool does not run in a VM (it runs straight on the host machine), complementary to OpenPLC. It supports various programming languages and is integral to programming PLCs compliant with IEC 61131-3.

E. Factory IO

Factory IO, an interactive simulation software, is ideal for industrial automation training. It creates a virtual environment (Figure 3) for users to experiment with scenarios. It is a commercial program, installed on the host machine, communicating via pfSense, as shown in Figure 2.

F. Kali Linux

Kali Linux is essential for cybersecurity experts and enthusiasts. It is purpose-built with a rich toolset and strong community support for ethical hacking and penetration testing. In the context of this research, it is installed in a separate VM, communicating with the other VMs through the network interface.

Fig. 2. Simulated industrial environment depicting all used software

Fig. 3. Factory IO screenshot of the simulated production line

The simulation setup unfolds as follows: Firstly, the pfSense VM is activated to establish two crucial network interfaces, one for VM-to-VM communication and one for internet access. Next, the VM with OpenPLC boots, simulating a PLC communicating via Modbus TCP. OpenPLC Editor is utilized to upload the firmware via a function block diagram. The Factory IO simulation platform then starts, which represents an RTU for handling actuators and sensors. The scene should be uploaded and Modbus TCP communication between OpenPLC (client) and Factory IO (server) should be configured. The simulation initiates and displays the production line. Lastly, Kali Linux is executed to investigate Modbus TCP protocol vulnerabilities in the simulated industrial environment for cybersecurity purposes.

IV. PENETRATION TESTING AND FINDINGS

Industrial penetration testing is a specialized cybersecurity practice focused on assessing the security of critical infrastructure and industrial control systems used in sectors like energy or manufacturing. It involves ethical hackers, often with expertise in industrial automation, conducting systematic tests to identify vulnerabilities, weaknesses and potential entry points within ICS environments. The primary goal is to proactively uncover security flaws that could lead to disruptions, unauthorized access or safety risks, allowing organizations to strengthen their defences and protect vital industrial processes and assets from cyber threats.

There are five penetration testing phases, namely reconnaissance, scanning, vulnerability assessment, exploitation and reporting. In some cases, there might be even more penetration testing phases, e.g., a pre-engagement interactions phase, but usually they are five. On the other hand, three different penetration testing approaches occur: the white box, the grey box and the black box. In the current work, the selected penetration testing approach is the white box, assuming that the tester has comprehensive knowledge of the target system, including internal architecture, source code and configurations.

In this paper, the primary emphasis will be placed on the initial stage of penetration testing, which is the reconnaissance phase, also known as information gathering. This phase is very important because it serves as the cornerstone for obtaining critical insights. This information enables researchers to comprehensively understand the production environment and map its operations and subsequently execute targeted attack strategies. In most cases, it is possible that the attacker will employ a specialized hacking OS, such as Kali Linux or Parrot OS. Consequently, the selection of Kali Linux not only replicates the environment used by an actual attacker, thereby introducing their toolset to researchers, but also furnishes them with the requisite software tools. These tools enable cybersecurity personnel to proficiently oversee and interpret the communication and data exchanges transpiring within the targeted systems.

The initial step involves the identification of our position within the current subnet or network. Even though we have a simulation testbed and possess comprehensive knowledge of the system's components, the best practice is to gain a thorough understanding of the network we are operating within. This not only helps identifying our target systems but also allows a careful examination of the entire network or
subnet, with the objective of identifying potential vulnerabilities or tools that could serve as the attack vectors. To accomplish this activity, we employ the terminal console of a Kali Linux distribution and execute the "ifconfig" command. This command serves the purpose of retrieving the IP address and examining the subnet mask. Our observation reveals that the subnet mask is configured as 255.255.255.0, indicating that we are presently situated within a Class C network, as denoted by the Classless Inter-Domain Routing (CIDR) notation of /24. This particular configuration implies that the network used has the capacity to accommodate up to 254 assets, which may include computers, production machinery, servers or other industrial devices.

With this initial and valuable information in hand, the next step involves the utilization of Nmap, a versatile tool employed for host and service discovery on computer networks. Nmap achieves this by sending packets and meticulously analyzing the ensuing responses. It may be tempting to consider this step unnecessary, given that we are familiar with the simulated network topology, as already mentioned. However, this assumption is not accurate and the deployment of Nmap holds immense value, as it allows us to precisely identify the production line components actively interacting within the network. This, in turn, simplifies our role as attackers, allowing us to effectively monitor the data exchanges transpiring between these components. To initiate this process, we execute the following command within our terminal: "nmap 192.168.88.0/24". The outcome of this command outputs four IP addresses, all of which constitute integral parts of our simulated environment.

With a single command, the essential information about our network configuration was successfully acquired. The performed analysis reveals the presence of four assets (SCADABR is not part of this simulation) within our simulated network and it is important to identify each component accurately. We can presume that our own IP address is .207 based on the "ifconfig" command previously executed. Furthermore, the identification of ports 53 (DNS), 80 (HTTP) and 443 (HTTPS) allows us to ascertain that the device providing DNS services is our pfSense router. By the process of elimination, we can narrow our focus to the remaining two machines of interest. However, none of them appears to be the production line devices utilizing the Modbus protocol. It is important to note that Nmap, by default, scans the most commonly used ports for each protocol. Consequently, Modbus TCP port 502 was only scanned after the Nmap command was configured correctly. This specific configuration is depicted below:

    $ sudo nmap -sT -sV -O -A -vv -p- [IP]

The aforementioned command is executed for both IPs, 192.168.88.100 and 192.168.88.201. The results are depicted in Figures 4 and 5:

Fig. 4. Nmap execution for 192.168.88.100 showing open ports

Fig. 5. Nmap execution for 192.168.88.201 showing open ports

The process of recognition has become significantly more straightforward. It is now evident that the asset with the IP address 192.168.88.100 is the machine of interest. This assumption can be drawn with confidence as Factory IO is exclusively deployed and executed in a Windows environment. Moreover, the presence of port 502, utilized for Modbus communications but also for various other Windows services, leaves no room for ambiguity. Consequently, the asset assigned to the IP address 192.168.88.201 can logically be assigned to the OpenPLC software. This deduction is grounded in several key factors. Firstly, OpenPLC operates on a Linux-based system, distinguishing it from other components. Secondly, the utilization of port 502 aligns with Modbus communications. With this information, we can now confidently note which machine corresponds to each specific software component.

Once the IP addresses of each VM were identified and confirmed, since the followed approach is the white box, Wireshark was executed in order to capture some exchanged packets between the OpenPLC and the Factory IO. Wireshark was executed directly from Kali Linux and the capturing of the network traffic of interface eth0 started, which is in promiscuous mode and therefore able to monitor all network traffic. As we are only interested in Modbus communication, we use the filter "tcp.port==502". This allows us to follow all exchanged data between these two components. The communication begins with the standard 3-way handshake, following the usual TCP connection pattern. It is important to understand which machine initiates the communication, in order to distinguish the server from the client. Since the one that has the production lines' instructions and transmits them is usually the OpenPLC, we expect that it is the one sending the first SYN to Factory IO. Factory IO replies with the standard SYN/ACK, and as the last step of the handshake, OpenPLC responds with an ACK, so the communication channel is ready to be used.

From an early stage, it can be noticed that there is a loop in the communication, which is described and appears to be well documented in the "MODBUS Messaging on TCP/IP Implementation Guide" [11]. In the scenario that we consider in the current work, Modbus uses two standard functions: "Read Discrete Inputs" and "Write Multiple Coils". Each of the repetitions consists of the query, the response and the ACK part. Having this information in mind allows us to monitor the communication more easily and more effectively. In the scope of the current work, we will examine carefully a "Read Discrete Inputs" and a "Write Multiple Coils" request.

A. Read Discrete Inputs

The following information can be extracted from the traffic recording in Wireshark:
1. Regarding the source and destination ports, since OpenPLC initiates the communication, it uses a random port, while Factory IO, which is only listening, is waiting for instructions on port 502.
2. For both request and response, the same Transaction ID is used.
3. For the first time, we are obtaining the RTU's ID number. In our simulation, the ID is constantly "1", but in a real-life production environment, this number may vary or there may even be multiple IDs for multiple RTUs.
4. For both request and response, it is observed that the function code is "000 0010", which is equal to decimal "2". This function code in Modbus corresponds to "Read Discrete Inputs".
5. Finally, the request requires 16 bits (8 and 8 bits) starting at position 0 (as a reference number). In our testing environment, we configured OpenPLC and Factory IO to use two production lines (Figure 3), each of 8 total inputs. So, the first number (query digits 1 and 2) refers to the inputs of the first production line, while the second one (query digits 3 and 4) refers to the inputs of the second production line.

To this end, the numbers 00₁₆ and 44₁₆ are observed and we know that the first number refers to the 1st production line. As a first step, we convert the number to binary, so we have 00₁₆ <==> 00000000₂. We know that the first bit starts at position 0, so we have the following bits in the following positions:

Position   0  1  2  3  4  5  6  7
Bits       0  0  0  0  0  0  0  0

We apply the same technique for the second production line. First, converting 44₁₆ to binary gives us the following bits: 01000100₂

Position   0  1  2  3  4  5  6  7
Bits       0  1  0  0  0  1  0  0

The mapping shown above reveals the status of each input (1=on, 0=off); however, we cannot retrieve the information of which input corresponds to which sensor. Therefore, this issue will be examined in one of the next steps. At this point we need the assistance of OpenPLC. From the captured values and by using the registers, we can understand which sensor corresponds to each component in our production lines. For example, if we have a payload of 0111011001000000₂, we can map it as follows:

Register  %IX100.0  %IX100.1  %IX100.2  %IX100.3  %IX100.4  %IX100.5  %IX100.6  %QX100.7  %IX101.0  %QX101.1
Bit          0         1         1         1         0         1         1         0         0         1

Observing the above table, we can understand the exact state of all our sensors. It is worth mentioning that the last 6 bits are not used, because in our schema both production lines use only 10 sensors. Yet, we still do not know which value corresponds to each component in Factory IO. The assistance of OpenPLC will allow us to map the registers with the point names:

Fig. 6. Point names as illustrated in the OpenPLC program

Finishing the mapping process, we are able to tell the exact location of the sensors placed in the production line. From the descriptive point names, we can always assume what the performed action is. However, we need to understand which sensor belongs to each production line. In order to perform this task, we need to correspond the point names with the actual components, by using Factory IO and matching the values. By the end of this task, we will know with certainty how sensors are correlated with our simulated environment.

B. Write Multiple Coils

The same applies to this Modbus function, meaning that the following information can be extracted from the traffic recording in Wireshark:

1. For the source and destination ports, the same assumption is made as in the previous function (Read Discrete Inputs): OpenPLC initiates the communication using a random port and then Factory IO, which is listening, awaits instructions on port 502.
2. For both request and response, the same Transaction ID is used.
3. In this field, we are expecting to see the RTU's ID number, which is 1, but, as already mentioned, in an actual production environment that number may vary or there may even be multiple IDs for multiple RTUs.
4. For both request and response, we can observe that the function code is "000 1111", which equals decimal "15". This function code in Modbus corresponds to "Write Multiple Coils".
5. This function requires 14 bits (7 and 7 bits) starting at 0 (as a reference number). In this testbed, we configured OpenPLC and Factory IO to use 2 production lines, each consisting of 7 total outputs. To this end, the first number refers to the outputs of the first production line, while the second one refers to the outputs of the second production line.

In this case, we need to examine different frames of the captured traffic, to better understand the use of the actuators. This will allow us to understand the changes as they occur, and map them, in order to find out which actuator corresponds to which component in Factory IO. In the following table, the output for both production lines can be summarized:

Register  %QX100.0  %QX100.1  %QX100.2  %QX100.3  %QX100.4  %QX100.5  %QX100.6  %QX100.7  %QX101.0  %QX101.1  %QX101.2  %QX101.3  %QX101.4  %QX101.5  %QX101.6
Bit          0         0         0         0         0         0         0         0         0         1         0         0         0         1         0

Now, the exact state of all our actuators is known. But we still do not know which value corresponds to each component. We can use the assistance of OpenPLC again, allowing us to map the registers with the point names, as already shown in Figure 6.
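The following Python, added here and not part of the paper, decodes constructed frames of the two function codes examined in A and B above (MBAP transaction and unit IDs, function code, packed status bits), maps the bits to point names and, because Modbus TCP carries no authentication, flags Write Multiple Coils requests from any host other than the expected PLC; it follows the specification's packing, in which the point at the starting address sits in the least significant bit of the first data byte, whereas the tables above read each byte from its most significant bit. The %IX/%QX point names, the IP roles and the sample bytes are assumptions modelled on the values in the text.

```python
"""Decode the two Modbus TCP function codes seen in the capture (FC 2 Read
Discrete Inputs, FC 15 Write Multiple Coils), map the packed bits to point
names and flag writes from an unexpected master.  Added example, not the
paper's code; frames below are constructed to match the values in the text."""
import struct

READ_DISCRETE_INPUTS = 0x02
WRITE_MULTIPLE_COILS = 0x0F

# Assumed OpenPLC addressing: discrete inputs numbered from %IX100.0 and
# coils from %QX100.0, eight points per byte.  The real names come from
# the OpenPLC program (Fig. 6); these are placeholders in that convention.
INPUT_POINTS = [f"%IX{100 + i // 8}.{i % 8}" for i in range(16)]
COIL_POINTS = [f"%QX{100 + i // 8}.{i % 8}" for i in range(16)]


def parse_mbap(frame: bytes) -> dict:
    """Split the 7-byte MBAP header (transaction id, protocol id, length,
    unit id) from the PDU and sanity-check the length field."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction_id": tid, "unit_id": uid, "pdu": frame[7:]}


def unpack_bits(data: bytes, count: int) -> list:
    """The point at the starting address is the least significant bit of
    the first data byte, the next point is bit 1, and so on; each further
    byte continues the sequence."""
    return [(data[i // 8] >> (i % 8)) & 1 for i in range(count)]


def decode_read_inputs_request(pdu: bytes) -> dict:
    fc, start, qty = struct.unpack(">BHH", pdu[:5])
    if fc != READ_DISCRETE_INPUTS:
        raise ValueError(f"not a Read Discrete Inputs request: fc={fc}")
    return {"function": fc, "start": start, "quantity": qty}


def decode_read_inputs_response(pdu: bytes, start: int, qty: int) -> dict:
    """Needs start/quantity from the matching request (same transaction id)
    because the response carries only the byte count and status bytes."""
    fc, byte_count = pdu[0], pdu[1]
    if fc != READ_DISCRETE_INPUTS or byte_count != (qty + 7) // 8:
        raise ValueError("malformed Read Discrete Inputs response")
    bits = unpack_bits(pdu[2:2 + byte_count], qty)
    return dict(zip(INPUT_POINTS[start:start + qty], bits))


def decode_write_coils_request(pdu: bytes) -> dict:
    fc, start, qty, byte_count = struct.unpack(">BHHB", pdu[:6])
    if fc != WRITE_MULTIPLE_COILS or byte_count != (qty + 7) // 8:
        raise ValueError("malformed Write Multiple Coils request")
    bits = unpack_bits(pdu[6:6 + byte_count], qty)
    return dict(zip(COIL_POINTS[start:start + qty], bits))


def points_on(state: dict) -> list:
    """Names of the points whose status bit is 1 (= on)."""
    return [name for name, bit in state.items() if bit]


def audit(frames: list, expected_master: str) -> list:
    """Defender's pass over (source ip, frame) pairs: Modbus TCP has no
    authentication, so a Write Multiple Coils request from any host other
    than the known PLC, or a function code outside the two the process
    uses, deserves an alert.  Returns one message per finding."""
    findings = []
    for src, frame in frames:
        fc = parse_mbap(frame)["pdu"][0]
        if fc not in (READ_DISCRETE_INPUTS, WRITE_MULTIPLE_COILS):
            findings.append(f"{src}: unexpected function code {fc}")
        elif fc == WRITE_MULTIPLE_COILS and src != expected_master:
            findings.append(f"{src}: Write Multiple Coils from unexpected master")
    return findings


# Constructed frames: unit id 1, 16 inputs read from address 0 answered
# with status bytes 00 44 as in the text, then a 15-coil write setting
# two coils.  Host roles follow the addresses identified by Nmap above;
# the third address is the Kali machine standing in for a rogue master.
RD_REQ = bytes.fromhex("0001 0000 0006 01 02 0000 0010")
RD_RSP = bytes.fromhex("0001 0000 0005 01 02 02 0044")
WR_REQ = bytes.fromhex("0002 0000 0009 01 0F 0000 000F 02 0022")
PLC, RTU, ROGUE = "192.168.88.201", "192.168.88.100", "192.168.88.207"


def demo() -> dict:
    req = decode_read_inputs_request(parse_mbap(RD_REQ)["pdu"])
    inputs = decode_read_inputs_response(
        parse_mbap(RD_RSP)["pdu"], req["start"], req["quantity"])
    coils = decode_write_coils_request(parse_mbap(WR_REQ)["pdu"])
    alerts = audit([(PLC, RD_REQ), (RTU, RD_RSP), (PLC, WR_REQ), (ROGUE, WR_REQ)], PLC)
    return {"inputs_on": points_on(inputs), "coils_on": points_on(coils),
            "alerts": alerts}


if __name__ == "__main__":
    print(demo())
```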

Having analyzed all Modbus information and with the usage of the information collected by Factory IO, we are able to distinguish which actuators are in which production line and perform all corresponding activities. At this point, it is worth mentioning that in all Modbus communications (TCP, RTU) there are no security mechanisms implemented, meaning that someone could have full access to the information, allowing a malicious actor to read and write all data in Modbus communications. Consequently, the packet sniffing with Wireshark revealed several pieces of information that could be used to compromise the Modbus TCP communication.

Based on the information gathered using the Wireshark tool and taking advantage of the known information on the sensors and actuators in Factory IO, also including the mapping of the components used in the scene, we are able to recognize the packet sequences they exchange. By listing the exact bits they receive, the security researcher had the ability to intervene and execute a Man-in-the-Middle (MiTM) attack and inject different bits than those sent regularly. This action was conducted using the Metasploit framework of Kali. More specifically, it provides a Modbus tool that allows the user to read the registers and then perform the intervention (write function) of a different bit. This leads to the malfunction of the production line, causing severe damage and financial loss. Besides Metasploit, another Modbus penetration testing tool was examined, namely the Smod tool, but the attacks conducted through this tool did not affect the operations of the testbed at all.

V. CONCLUSIONS

The current work presented the initial work of our cybersecurity research in industrial environments, aiming at the development of an industrial AI-based automated penetration testing module that can be easily used by anyone, without the need of any particular cybersecurity knowledge. Towards this direction, we first deployed an industrial simulated environment to be able to simulate Modbus communications and then we gathered the necessary information in order to perform the penetration tests. The first results reveal that the Modbus TCP protocol can be easily compromised by performing only a simple attack, injecting information different from the information expected. The findings of these tests were illustrated in the simulation environment of Factory IO, showing that the production line was malfunctioning. On the other hand, the Smod tool failed to perform any attacks towards the simulation environment.

The next steps of our research journey include the development of an IEC 61499-based automation platform that supports the Modbus TCP, MQTT and OPC-UA communication protocols, which will allow the examination of cybersecurity activities in a more realistic environment closer to an I4.0 scene. The penetration testing activities described in the current research paper will be further developed, taking advantage of ML algorithms that will automate the procedures and introduce intelligence that will eliminate the human intervention in some steps of the penetration testing process. The final step will include the deployment of the AI-based automated penetration module in a real industrial environment in the context of the research project funding this work. This will allow us to draw conclusions on the proposed algorithm in a real environment and examine as many communication protocols as possible.

ACKNOWLEDGMENT

This work has received funding from the European Union's Horizon Europe research and innovation programme under grant agreement No. 101057083 – Zero-SWARM.

REFERENCES

[1] F. Katulić, D. Sumina, I. Erceg and S. Groš, "Enhancing Modbus/TCP-Based Industrial Automation and Control Systems Cybersecurity Using a Misuse-Based Intrusion Detection System", in Proceedings of the International Symposium on Power Electronics, Electrical Drives, Automation and Motion (SPEEDAM), Sorrento, Italy, pp. 964-969, 2022.
[2] W. Jingran, L. Mingzhe, X. Aidong, H. Bo, H. Xiaojia and Z. Xiufang, "Research and Implementation of Secure Industrial Communication Protocols", in Proceedings of the IEEE International Conference on Artificial Intelligence and Information Systems (ICAIIS), Dalian, China, pp. 314-317, 2020.
[3] A. Voyiatzis, K. Katsigiannis and S. Koubias, "A Modbus/TCP fuzzer for testing internetworked industrial systems", in Proceedings of the 20th IEEE Conference on Emerging Technologies & Factory Automation (ETFA 2015), pp. 1–6, 2015.
[4] P. Radoglou-Grammatikis et al., "Defending Industrial Internet of Things Against Modbus/TCP Threats: A Combined AI-Based Detection and SDN-Based Mitigation Solution", SSRN Electronic Journal, 2022.
[5] F. Katulić, D. Sumina, S. Groš and I. Erceg, "Protecting Modbus/TCP-Based Industrial Automation and Control Systems Using Message Authentication Codes", IEEE Access, vol. 11, pp. 47007-47023, 2023.
[6] E. R. Ling, J. E. Urrea Cabus, I. Butun, R. Lagerström and J. Olegard, "Securing Communication and Identifying Threats in RTUs: A Vulnerability Analysis", in Proceedings of the 17th International Conference on Availability, Reliability and Security (ARES 2022), pp. 1–7, 2022.
[7] C. Greco, G. Fortino, B. Crispo and K.-K. R. Choo, "AI-enabled IoT penetration testing: state-of-the-art and research challenges", Enterprise Information Systems, vol. 17, issue 9, pp. 1223–1247, 2023.
[8] I. B. de Brito and R. T. de Sousa Jr., "Development of an open-source testbed based on the modbus protocol for cybersecurity analysis of nuclear power plants", MDPI Applied Sciences, vol. 12, no. 15, 2022.
[9] H. Holm, M. Karresand, A. Vidström and E. Westring, "A survey of industrial control system testbeds", in Proceedings of the Nordic Conference on Secure IT Systems (NordSec 2015), pp. 11–26, 2015.
[10] The m0n0wall project (https://m0n0.ch/wall/index.php)
[11] MODBUS Messaging on TCP/IP Implementation Guide V1.0b (https://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf)