Implementation and Detection of Modbus Cyberattacks

Supervisory Control and Data Acquisition (SCADA) systems play a significant role in Critical Infrastructures (CIs) since they monitor and control the automation processes of the industrial equipment. However, SCADA relies on vulnerable communication protocols without any cybersecurity mechanism, thereby making it possible to endanger the overall operation of the CI. In this paper, we focus on the Modbus/TCP protocol, which is commonly utilised in many CIs and especially in the electrical grid. In particular, our contribution is twofold. First, we study and enhance the cyberattacks provided by the Smod pen-testing tool. Second, we introduce an anomaly-based Intrusion Detection System (IDS) capable of detecting Denial of Service (DoS) cyberattacks related to Modbus/TCP. The efficacy of the proposed IDS is demonstrated by utilising real data stemming from a hydropower plant. The accuracy and the F1 score of the proposed IDS reach 81% and 77% respectively.


I. INTRODUCTION
In the era of the Internet of Things (IoT), Information and Communication Technology (ICT) constitutes an integral part of the Critical Infrastructures (CIs). In particular, focusing on the energy domain, the conventional electrical grid is being transformed into a new paradigm called the Smart Grid (SG), which provides multiple benefits such as self-monitoring, two-way communication, self-healing, and distributed generation. However, the SG raises critical cybersecurity hazards due to the vulnerabilities of ICT and mainly of the insecure communication protocols, such as Modbus, Profinet, Distributed Network Protocol (DNP3), and IEC 60870-5-104.
In this paper, we focus on the security of the Modbus/TCP protocol, which is commonly utilised by Supervisory Control and Data Acquisition (SCADA) systems. Modbus/TCP does not include any authentication or access control mechanism, thus allowing potential cyberattackers to perform a plethora of cyberattacks such as Denial of Service (DoS), Man-in-the-Middle (MitM), and unauthorised access. In particular, the contribution of this paper is twofold; first, we investigate and enhance the various Modbus/TCP cyberattacks supported by Smod [1]. Smod is the most widely known pen-testing tool related to Modbus/TCP, aggregating a set of diagnostic and offensive features [1]. In this paper, we extend Smod with five new cyberattacks. Second, we provide an Intrusion Detection System (IDS) capable of detecting DoS attacks against Modbus/TCP. The rest of this paper is organised as follows. Section II discusses related work on Modbus/TCP security. In Section III, we list the various cyberattacks supported by Smod and describe our extensions. Section IV analyses the architecture of our IDS, while Section V evaluates its efficacy. Finally, Section VI concludes this paper.

II. RELATED WORK
Many papers have examined the vulnerabilities of Modbus. More specifically, in [2], P. Huitsing et al. provided a detailed theoretical study of the various cyberattacks against the Modbus protocol. In particular, they classified the attacks into three categories, namely a) serial-only attacks, b) serial and TCP attacks, and c) TCP-only attacks. In [3], B. Chen et al. executed and examined the impact of Modbus-related MitM and TCP SYN flood attacks against a real testbed. Similarly, utilising a simulation environment, S. Li et al. in [4] performed four kinds of Modbus-related cyberattacks in order to collect traces suitable for machine learning algorithms. Specifically, their dataset includes traces concerning 1) reconnaissance attacks, 2) response injection, 3) command injection and 4) DoS. Finally, A. Voyiatzis et al. [5] and S. Bhatia et al. [6] developed a Modbus/TCP fuzzer and a Modbus flooding attack tool, respectively.
On the other hand, several works focus on detecting cyberattacks or anomalies against Modbus. In [7], T. Morris et al. provided a set of Modbus-related rules that can be used by well-known signature-based IDSs such as Snort and Suricata. Accordingly, in [8] N. Goldenberg and A. Wool presented an anomaly-based IDS that relies on a Deterministic Finite Automaton (DFA). In a similar manner, S. Anton et al. in [9] utilised and evaluated various machine learning classification techniques for detecting Modbus attacks. Finally, in [10], P. Wang et al. provided an IDS for Modbus based on honeypot logs.

B. Flag Flood Module
Flag Flood [2] belongs to the DoS category. In particular, it tries to flood the target with a large number of TCP packets carrying specific flags (ACK, FIN, SYN, and RST). Algorithm 2 provides the relevant implementation details.

C. Port Pool Exhaustion Module
The Port Pool Exhaustion module [2] aims to deplete the available bandwidth of the target. When this attack module is activated, a large number of concurrent threads is generated to connect to the target's Modbus/TCP port for a particular time duration, thus disrupting the Modbus communication. Algorithm 3 gives the corresponding implementation details.

D. Response Delay Module
The response delay attack [2] belongs to the category of replay attacks. It first uses an ARP poisoning attack in order to insert the attacker between the two communication endpoints. Thus, the attacker is able to obtain the exchanged request packets and send the corresponding responses after a specific delay. In other words, the response packets are transmitted only by the attacker, with a specific delay. Such delays can have disastrous consequences in an industrial environment. The implementation of the attack is based on iptables and the netfilter queue. Algorithm 5 summarises the attack's steps. In particular, it consists of three threads. The first one periodically sends fake ARP packets. The second thread waits for a specific amount of time and then forwards all the packets in the queue. Finally, the main thread receives all the packets and appends them to the queue.

[Residue of a pseudocode listing that spilled into the paragraph above: `x ← x + 1`; `while attacking == True do poisonTarget(); restoreTarget()`]

E. Baseline Response Replay Module
The baseline response replay attack [2] aims at confusing or even interrupting the communication between two endpoints by capturing and replaying the information sent between them. Specifically, the attacker executes an ARP poisoning attack in order to receive the exchanged traffic. Next, some of the packets are replayed to the destination. Algorithm 4 provides the implementation steps.

The following subsections analyse each module.

A. Network Traffic Monitoring Module
The Network Traffic Monitoring Module is responsible for periodically capturing the network traffic. To this end, the Scapy library was utilised. In particular, the Packet Capture (PCAP) files are rotated based on two criteria: a) when a file reaches a specific size threshold or b) when a specific amount of time (a second threshold) has elapsed. These thresholds are defined for each use case.

B. Modbus Flows Extraction Module
The Modbus Flows Extraction Module receives the PCAP files generated by the Network Traffic Monitoring Module and is responsible for extracting the corresponding Modbus/TCP flows using the CICFlowMeter software [11]. These flows are stored in an Elasticsearch database of the Server. CICFlowMeter generates 83 features for each Modbus flow, which are used in order to detect the DoS attacks.
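As an added illustration (not the paper's code, which relies on Scapy and CICFlowMeter), the following Python sketch shows what flow extraction from Modbus/TCP packets amounts to: it parses the MBAP header, groups packets into bidirectional flows and computes a few CICFlowMeter-style features (the real tool emits 83). It also counts, per source host, flows that reach port 502 without ever carrying a Modbus ADU, which is the flow-level trace that the connection-flooding modules of Section III (Flag Flood with SYN, Port Pool Exhaustion) leave behind. The packet records, addresses and payloads are constructed, and the feature names are ours rather than CICFlowMeter's.

```python
import struct
from dataclasses import dataclass, field

MODBUS_TCP_PORT = 502


@dataclass
class Packet:
    """Minimal packet record, a constructed stand-in for a Scapy/PCAP packet."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""
    syn: bool = False


def parse_mbap(payload):
    """Parse the 7-byte MBAP header plus function code; None if malformed.
    A well-formed ADU has protocol id 0 and a length equal to the bytes after it."""
    if len(payload) < 8:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": uid, "fc": payload[7]}


@dataclass
class Flow:
    first: float
    last: float
    fwd_pkts: int = 0
    bwd_pkts: int = 0
    syn_count: int = 0
    fcs: set = field(default_factory=set)  # Modbus function codes seen


def extract_flows(packets):
    """Group packets into bidirectional flows keyed by the first packet's 4-tuple."""
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.sport, p.dst, p.dport)
        rkey = (p.dst, p.dport, p.src, p.sport)
        if key in flows:
            f, forward = flows[key], True
        elif rkey in flows:
            f, forward = flows[rkey], False
        else:
            f, forward = Flow(first=p.ts, last=p.ts), True
            flows[key] = f
        f.last = p.ts
        if forward:
            f.fwd_pkts += 1
        else:
            f.bwd_pkts += 1
        f.syn_count += int(p.syn)
        mbap = parse_mbap(p.payload)
        if mbap:
            f.fcs.add(mbap["fc"])
    return flows


def flow_features(f):
    """A handful of CICFlowMeter-style features for one flow."""
    duration = f.last - f.first
    total = f.fwd_pkts + f.bwd_pkts
    return {
        "duration": duration,
        "fwd_pkts": f.fwd_pkts,
        "bwd_pkts": f.bwd_pkts,
        "pkts_per_s": total / duration if duration > 0 else float(total),
        "syn_count": f.syn_count,
        "modbus_fcs": sorted(f.fcs),
    }


def syn_only_flows_per_source(flows):
    """Per source IP, count flows that open a connection to port 502 but never
    carry a Modbus ADU: many such flows from one host is a flooding footprint."""
    counts = {}
    for (src, _sport, _dst, dport), f in flows.items():
        if dport == MODBUS_TCP_PORT and f.syn_count > 0 and not f.fcs:
            counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed sample traffic: an HMI polling a PLC with FC3 (read holding
# registers) and a burst of bare connection attempts from a second host.
READ_REQ = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)           # tid 1, unit 1, FC3, 10 regs
READ_RSP = struct.pack(">HHHBBB", 1, 0, 23, 1, 3, 20) + bytes(20)  # FC3 reply, 20 data bytes
HMI, PLC, ATTACKER = "10.0.0.5", "10.0.0.10", "10.0.0.99"
SAMPLE_PACKETS = [
    Packet(0.00, HMI, 40000, PLC, 502, syn=True),
    Packet(0.01, HMI, 40000, PLC, 502, READ_REQ),
    Packet(0.02, PLC, 502, HMI, 40000, READ_RSP),
    Packet(1.01, HMI, 40000, PLC, 502, READ_REQ),
    Packet(1.02, PLC, 502, HMI, 40000, READ_RSP),
] + [Packet(5.0 + i * 0.001, ATTACKER, 50000 + i, PLC, 502, syn=True) for i in range(20)]
```

Running `extract_flows(SAMPLE_PACKETS)` yields one legitimate flow with both directions populated and function code 3, plus twenty one-packet flows from the second host; `syn_only_flows_per_source` attributes all twenty to that host, which is the kind of per-source aggregate a flow-based detector can threshold on.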

C. DoS Detection Module
The DoS Detection Module retrieves the Modbus/TCP flows from the Elasticsearch database and is responsible for detecting potential DoS attacks using machine learning classification models. The efficacy of these models is presented in Section V. The produced security events are stored in a different index of the Elasticsearch database of the Server.

D. Response Module
The Response Module informs the user about the security events through a web-based user interface. To this end, Kibana of the Elastic Stack was used.

Table II compares the efficacy of the algorithms used to train the various intrusion detection models. For this evaluation, a) Accuracy, b) F1 score, c) True Positive Rate (TPR), and d) Precision were used. These metrics are defined and described thoroughly in [12]. Regarding the dataset used for the training and testing process, we combined real Modbus/TCP data from a power plant in Greece with the DoS data of [13]. The overall dataset was divided into two subsets: a) a training dataset (70%) and b) a testing dataset (30%). The scikit-learn Python library was used for the training and testing process. According to the evaluation results, the AdaBoost and Random Forest classifiers give the best results in terms of Accuracy and F1.
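To make the evaluation procedure concrete, here is an added, self-contained Python example; it is not the paper's scikit-learn pipeline and does not use its dataset. It builds constructed flow-feature vectors (packets per second, duration, SYN ratio) labelled DoS or normal, performs the 70%/30% split, trains a small AdaBoost of decision stumps in pure Python, and computes Accuracy, Precision, TPR and F1 from the confusion matrix. The feature ranges, the seed and the three-feature layout are assumptions chosen for illustration.

```python
import math
import random


def make_dataset(n_normal=70, n_dos=30, seed=7):
    """Constructed flows [pkts_per_s, duration_s, syn_ratio]; label -1 normal, +1 DoS."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(n_normal):  # slow, long-lived polling flows (assumed ranges)
        X.append([rng.uniform(1, 25), rng.uniform(0.5, 60), rng.uniform(0, 0.3)])
        y.append(-1)
    for _ in range(n_dos):     # short, bursty, SYN-heavy flows (assumed ranges)
        pps = math.exp(rng.uniform(math.log(5), math.log(5000)))
        X.append([pps, rng.uniform(0.01, 2), rng.uniform(0.2, 1.0)])
        y.append(+1)
    return X, y


def split_70_30(X, y, seed=7):
    """Shuffle and split into 70% training / 30% testing, as in the paper."""
    idx = list(range(len(X)))
    random.Random(seed).shuffle(idx)
    cut = int(0.7 * len(idx))

    def pick(ids, seq):
        return [seq[i] for i in ids]
    return pick(idx[:cut], X), pick(idx[:cut], y), pick(idx[cut:], X), pick(idx[cut:], y)


def stump_predict(x, feat, thr, pol):
    """Decision stump: vote pol when x[feat] > thr, otherwise -pol."""
    return pol if x[feat] > thr else -pol


def best_stump(X, y, w):
    """Exhaustively choose the stump with the minimum weighted error."""
    best = None
    for feat in range(len(X[0])):
        vals = sorted({x[feat] for x in X})
        for thr in [(a + b) / 2 for a, b in zip(vals, vals[1:])]:
            for pol in (1, -1):
                err = sum(wi for xi, yi, wi in zip(X, y, w)
                          if stump_predict(xi, feat, thr, pol) != yi)
                if best is None or err < best[0]:
                    best = (err, feat, thr, pol)
    return best


def train_adaboost(X, y, rounds=5):
    """AdaBoost with decision stumps as the weak learner."""
    w = [1.0 / len(X)] * len(X)
    model = []
    for _ in range(rounds):
        err, feat, thr, pol = best_stump(X, y, w)
        if err >= 0.5:
            break
        err = max(err, 1e-10)  # guard the log when the stump is perfect
        alpha = 0.5 * math.log((1 - err) / err)
        model.append((alpha, feat, thr, pol))
        w = [wi * math.exp(-alpha * yi * stump_predict(xi, feat, thr, pol))
             for xi, yi, wi in zip(X, y, w)]
        total = sum(w)
        w = [wi / total for wi in w]
        if err <= 1e-10:
            break
    return model


def predict(model, x):
    score = sum(a * stump_predict(x, f, t, p) for a, f, t, p in model)
    return 1 if score > 0 else -1


def metrics_from_counts(tp, fp, fn, tn):
    """Accuracy, Precision, TPR (recall) and F1 from a confusion matrix."""
    acc = (tp + tn) / (tp + fp + fn + tn)
    prec = tp / (tp + fp) if tp + fp else 0.0
    tpr = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * prec * tpr / (prec + tpr) if prec + tpr else 0.0
    return {"accuracy": acc, "precision": prec, "tpr": tpr, "f1": f1}


def evaluate(model, X, y):
    tp = fp = fn = tn = 0
    for xi, yi in zip(X, y):
        p = predict(model, xi)
        if p == 1 and yi == 1:
            tp += 1
        elif p == 1:
            fp += 1
        elif yi == 1:
            fn += 1
        else:
            tn += 1
    return metrics_from_counts(tp, fp, fn, tn)


def run_experiment(seed=7):
    """Full pipeline: data, split, train, evaluate on the held-out 30%."""
    X, y = make_dataset(seed=seed)
    Xtr, ytr, Xte, yte = split_70_30(X, y, seed)
    model = train_adaboost(Xtr, ytr)
    return model, evaluate(model, Xte, yte)
```

Because the DoS class is the minority (30% here, as flows in a real plant are mostly benign), Accuracy alone can look good while missing attacks; reporting F1 and TPR alongside it, as Table II does, exposes that trade-off.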

VI. CONCLUSIONS
This paper focused on the security of the Modbus/TCP protocol. In particular, we first investigated and enhanced the Smod pen-testing tool by introducing five new attack modules. Subsequently, we provided an anomaly-based IDS capable of detecting DoS attacks related to Modbus/TCP. The evaluation analysis demonstrates the efficiency of the proposed IDS, since its Accuracy and F1 score reach 81% and 77% respectively.

VII. ACKNOWLEDGEMENT
This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No. 787011 (SPEAR).