MODBUS/TCP Security (over TLS)

It looks like there is some movement from some of the vendors I am working with to migrate toward securing Modbus TCP. I was wondering if there is any work being done on IA’s side in regards to developing or updating the current driver to start implementing this.

It looks like the full specification has been out since about 2018 (and I was surprised to see our vendors mention it). Modbus TCP Security Protocol

Nothing planned, never seen this in the wild.

It was a surprise to me too! Apparently Schneider Electric is planning to migrate to enabling the ability in their Modicon line to use Modbus TLS (as they stated) early next year. I’m sure the old insecure version will still be viable, but with several initiatives focused on cyber security improvements, it’s likely not the only company migrating this way.

Maybe this is an early notification! Honestly, however, we might just migrate to OPC UA instead since it already has security built in and it will magically integrate well with Ignition :wink:

I’ll keep it in mind if the Modbus driver rewrite ever bubbles its way to the top of the priority pile… what a PITA though. You’ll need to manage an X.509 certificate per Modbus TLS connection.

Not really much different with OPC UA. I think it’s just the new normal! I guess we’ll just have to get better at managing certificates. Maybe a new feature potential in EAM?

It’s a little different, because there’s only 1 certificate for all the outgoing OPC UA connections.

The Modbus TLS spec embeds a client-specified (!!) operator role in each client certificate, which means not only do you need one per connection, you can’t sensibly use self-signed certificates, you have to deal with having a CA-signed and issued certificate per connection from a CA that the Modbus TLS server trusts.

Oh, I see what you’re saying now. Well, I know we’ve been pushing using certificates from a CA anyway for all our LDAPS and gateway communications, but yeah, one for each outbound connection, now that sounds depressing. Maybe you need to develop a self-signed CA and do it that way (we are using internal CAs).
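The per-connection certificate with an embedded role described in the two posts above, done the internal-CA way, as an added example that is not code from this thread or from Ignition. It assumes `openssl` on PATH and that the role extension is OID 1.3.6.1.4.1.50316.802.1 carrying a UTF8String, which is what I recall from the public spec; confirm against your copy before relying on it.

```shell
#!/bin/sh
# Added example, not code from the thread or from Ignition: an internal CA that
# issues one client certificate per Modbus/TCP Security connection with the role
# embedded, plus the two server-side checks that matter: the chain must validate
# against the trusted CA, and the role is read from that verified certificate.
# Assumption: role extension OID 1.3.6.1.4.1.50316.802.1 (Modbus Organization
# PEN 50316) holding a UTF8String, as in the public spec; check your copy.
set -eu
ROLE_OID="1.3.6.1.4.1.50316.802.1"
WORK="${WORK:-$(mktemp -d)}"

# Create the internal CA the Modbus TLS server will be configured to trust.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Internal Modbus CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a CA-signed cert for one outbound connection: $1 = connection name,
# $2 = role. The role is set by the CA operator, so the server can trust it.
issue_client_cert() {
  name="$1"; role="$2"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n%s=ASN1:UTF8String:%s\n' \
    "$ROLE_OID" "$role" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# A self-signed cert that merely claims a role; it never chains to the CA.
self_signed_with_role() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -addext "$ROLE_OID=ASN1:UTF8String:$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Server-side check 1: the client cert must chain to the internal CA only.
verify_chain() {
  openssl verify -no-CApath -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Server-side check 2: read the role from the extension (only meaningful after
# verify_chain succeeded). ext_parse makes openssl ASN.1-decode unknown OIDs.
extract_role() {
  openssl x509 -in "$WORK/$1.crt" -noout -text -certopt ext_parse |
    awk -v oid="$ROLE_OID" '$1 == oid ":" { hit = 1; next }
      hit && /UTF8STRING/ { sub(/.*UTF8STRING *:/, ""); print; exit }'
}
```

The rejected self-signed certificate is the point from the post above: a client cannot grant itself a role by minting its own certificate, because authorization rests on the chain to the CA the server trusts.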

Anyway, still several years before we know what all that looks like.