Modbus Overwrite in Schneider PLCs or possible security flaw?

rudra00 · ‎2022-03-20

PLC noob here. So go easy on me if I am wrong. I have seen that at some of the projects, we read the status of digital outputs of PLC to SCADA(Citect) using a Modbus Read/Write Register and performing a BITAND operation. This is perfectly fine, I assume, as you get to save a lot many tags. Now this is not where the problem lies, the issue is with the tags in PLC that constitutes the bits of the previous mentioned register. Let me try to explain, Say, I have a 16channel DO, and at PLC side (let's say Schneider M580) we have 16 tags that becomes ON or OFF as a result of logic execution and at the same time constitutes the 16bits of an integer stored in 40001. This integer is supposed to report the status of DOs in SCADA with BITAND function and also write data to the device tags with a move function which would turn ON or OFF a field device. Now if there was a device that could write data to modbus registers (40001 in our case) faster than PLC's scan cycle, wouldn't that device be capable of altering the DOs?

(I have not tested this. Neither have I done any PLC programming on my own without supervision. I am familiar with embedded devices and LabVIEW. I have seen such a code and before executing my first own project in PLC I just wanted to know if this might be possible and at the same time do tell me if this is the right way to program. As of now, what I have planned to do is write status of device tags to a register and read that register rather than going the other way around.)

10.0.0.0.1 192.168.1.254

BevanWeiss · ‎2022-03-22

Normally things like Modbus reads/writes are synchronous to the scan. So they will only occur at the start / end of a cycle.

i.e. the flow would be:

Modbus external writes are processed

PLC logic executes

Modbus external reads are processed

This isn't really considered a security flaw anyway. If you allow writes to your data, then it should be considered that any write at any time is valid. It would be up to the application code (your PLC logic) to enforce what operations on the data are allowable, and at what times. If you are writing logic that allows a Modbus value to directly manipulate IO, then that's on you.

Generally Modbus should only be issuing 'requests', these would then be processed by the application logic to ensure that actual device operations are safe and sensible. So if a positive displacement pump has its outlet valve closed, it should not be allowed to run. The PLC logic should ensure so far as is possible that this is the case.

If a user requests the run, it should be disallowed (or at least it should be considered as to why it would not be disallowed).

Lead Control Systems Engineer for Alliance Automation (VIC).
All opinions are my own and do not represent the opinions or policies of my employer, or of my cat..