Detecting Modbus Command Injection Attacks

When to Use

• When deploying intrusion detection for environments using Modbus TCP (port 502) or Modbus RTU
• When investigating suspected unauthorized modifications to PLC registers or coils
• When building detection analytics for OT SOC monitoring Modbus-heavy environments
• When responding to FrostyGoop-style attacks that leverage Modbus TCP for operational impact
• When performing baseline validation after a suspected compromise of a Modbus master

Do not use for detecting attacks on non-Modbus protocols (see detecting-dnp3-protocol-anomalies for DNP3), for general IT network intrusion detection, or for Modbus device configuration (see performing-ot-vulnerability-scanning-safely).

Prerequisites

• Network SPAN/TAP on the segment carrying Modbus TCP traffic (typically port 502)
• Baseline of normal Modbus communication patterns (masters, slaves, function codes, register ranges, polling intervals)
• Suricata, Zeek, or commercial OT IDS deployed with Modbus protocol parsers enabled
• Understanding of Modbus function codes used in the environment (read vs write operations)