Stories around ModBus (Richard Harmann) [FOSDEM 2020]

The presentation opens with “SNMP is bad, ModBus is worse”.

Without SNMP the internet would break down within hours.

Richard takes this further and says that if ModBus went away, society as a whole would stop working. This is scary, and Harmann immediately adds that it gets scarier: if ModBus goes away there would be:

  • No power
  • No water
  • No ports
  • No medicine
  • No processed food
  • No clothes

All these things depend on ModBus.

Harmann jokes that it’s so important for society that it has no security implemented. A lot of the time it makes sense to keep investing in the already established ModBus infrastructure instead of moving to something more secure.

Different flavours of Modbus exist, of varying popularity:

  • Modbus RTU: serial with binary, most common, hard RT
  • Modbus ASCII: not used anymore. ASCII
  • Modbus TCP: bridge
  • Modbus over TCP: slight
  • Modbus UDP

Focus is on Modbus RTU and Modbus TCP as they are the most used; RTU is the only one that supports hard real-time. Typically there are islands of RTU with one unit that does ModBus TCP. This would be the master unit.

It has an addressing scheme which is rooted in 1970’s industrial control, so the way you read out data no longer reflects what it originally was.

Discrete output coils (read current), discrete input contacts (relays), analog input registers (multiple bits), analog output holding registers.

These input and output directions are seen from the sender.

If you do something wrong the device stops working. This is a very easy and reliable way to test something. It is also horrible, especially considering the different industries that depend on ModBus.

ModBus has a concept of a map, which works similarly to SNMP MIBs. There is however no way to test these without actually using the device. The documentation for these maps in production systems is sometimes a scan of an old photocopy. This is scary considering the industries that depend on this infrastructure.
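To make the addressing scheme and the map concept concrete, here is an added example (written for these notes, not code from the talk or from any Modbus project). It parses a Modbus TCP request frame (the 7-byte MBAP header plus the function code, start address and count of the PDU), resolves the function code to one of the four data tables described above, and looks the addresses up in a constructed register map for a hypothetical cooling unit. The map and the sample frames are made up for the example; the function codes and frame layout are from the public Modbus specification. The same parser doubles as a simple passive monitor: because no field in the frame carries authentication or integrity, the only thing a defender can do on the wire is watch for writes and for accesses to addresses the map does not document.

```python
import struct
from dataclasses import dataclass

# Public Modbus function codes, mapped to the data table they touch and
# whether they write. Coils and holding registers are writable; discrete
# inputs and input registers are read-only.
TABLE_OF = {
    1: ("coils", False), 2: ("discrete inputs", False),
    3: ("holding registers", False), 4: ("input registers", False),
    5: ("coils", True), 6: ("holding registers", True),
    15: ("coils", True), 16: ("holding registers", True),
}

# Constructed register map for a hypothetical cooling unit (not a real device).
# In practice this comes from vendor documentation, sometimes a scanned photocopy.
EXAMPLE_MAP = {
    ("input registers", 0): "supply air temperature (0.1 C)",
    ("input registers", 1): "return air temperature (0.1 C)",
    ("holding registers", 10): "temperature setpoint (0.1 C)",
    ("coils", 0): "compressor enable",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int
    count: int
    write: bool
    table: str


def parse_mbap_request(frame: bytes) -> ModbusRequest:
    """Parse a Modbus TCP request frame.

    MBAP header: transaction id (2 bytes), protocol id (2, always 0),
    length (2, bytes that follow the length field), unit id (1).
    PDU: function code (1), start address (2), then count or value (2).
    Note that nothing in the frame authenticates the sender.
    """
    if len(frame) < 12:
        raise ValueError("frame too short for MBAP header and minimal PDU")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    if fc not in TABLE_OF:
        raise ValueError(f"function code {fc} not handled by this example")
    table, write = TABLE_OF[fc]
    address, = struct.unpack(">H", pdu[1:3])
    if fc in (5, 6):
        count = 1  # single-item writes carry a value here, not a count
    else:
        count, = struct.unpack(">H", pdu[3:5])
    return ModbusRequest(tid, unit, fc, address, count, write, table)


def describe(req: ModbusRequest, register_map=EXAMPLE_MAP) -> list:
    """Resolve each addressed item against the register map."""
    return [register_map.get((req.table, a), f"<undocumented {req.table} {a}>")
            for a in range(req.address, req.address + req.count)]


def check_request(req: ModbusRequest, register_map=EXAMPLE_MAP) -> list:
    """Findings a passive monitor would raise: writes, and undocumented addresses."""
    findings = []
    if req.write:
        findings.append(f"write to {req.table} at {req.address}")
    undocumented = [a for a in range(req.address, req.address + req.count)
                    if (req.table, a) not in register_map]
    if undocumented:
        findings.append(f"undocumented {req.table} addresses {undocumented}")
    return findings


# Constructed sample frames (hex), not captured from any real device.
SAMPLE_FRAMES = {
    "read setpoint":   bytes.fromhex("000100000006 01 03 000a 0001".replace(" ", "")),
    "write setpoint":  bytes.fromhex("000200000006 01 06 000a 00fa".replace(" ", "")),
    "read 3 inputs":   bytes.fromhex("000300000006 01 04 0000 0003".replace(" ", "")),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        req = parse_mbap_request(frame)
        print(name, "->", describe(req), check_request(req))
```

Run as a script it prints, for each constructed frame, the human-readable register names and any findings; the "write setpoint" frame is flagged as a write, and "read 3 inputs" is flagged because input register 2 is not in the map. Pointing `check_request` at frames taken from a span port gives an inventory of who writes what on the island, which is about as much visibility as the protocol itself allows.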

Harmann’s experience with ModBus is in Datacenter management. The list he provides of all systems that depend on ModBus is long, and includes a lot of essential systems.

Jokingly he mentions that the reason he uses ModBus is because he enjoys pain. The reality, though, is that there is no getting around it. One positive note is that once a ModBus system is set up and working it is very reliable. Given the safety-critical applications this is of course very welcome.

A secure version of ModBus exists, UMAS, but since most users of ModBus are electricians it has not found widespread adoption. Other busses like CAN and Profibus share the same issues.

Better standards exist but due to inertia in the industry and the long lifetimes of these types of systems they’re not widely used.