Publication | Closed Access

Enhancing Modbus/TCP-Based Industrial Automation and Control Systems Cybersecurity Using a Misuse-Based Intrusion Detection System

Citations: 13

References: 7

Year: 2022

Abstract

Modbus over TCP (Modbus/TCP) is a very popular protocol in industrial automation and control systems (IACS), but at the same time it is completely unprotected in terms of cybersecurity. This allows adversaries to manipulate controlled processes by forging or modifying process values in the Modbus protocol data unit (PDU), potentially causing damage to IACSs. In this paper, we propose the use of a misuse-based intrusion detection system (IDS) to detect out-of-bound process values and in that way make it difficult for an adversary to manipulate process values. To test the feasibility of this approach, a cyber-physical system was created, simulating an IACS water treatment plant. The implemented rule-based alarms and warnings were based on the industrial process and an adversary threat model, focusing on the process values of the IACS. This approach shows promise as an additional safety mechanism to standard IACS cybersecurity solutions.
