Modbus function code filtering

SPGControls

Member
Join Date
Nov 2009
Location
San Luis Obispo
Posts
7
Does anyone have a suggestion for how to filter function codes that are sent to (or responded to by) a Modbus slave device?

I'm trying to prevent write access to a Modbus device that is a slave on a larger network. I want the SCADA system to be able to read from it, but there have been events in the past where data has been overwritten by other devices on a given network. I can't seem to find any sort of firewall hardware to put between the slave and the network that would prevent this. Tofino makes a factory-level solution, but I'm hoping to implement something at the machine level.
 
You could drop in a redlion datastation or master controller in between the network and the device to be protected. Set the redlion to read the data you want, then expose the data in the Redlion device as read only registers. It will act as a Master and Slave at the same time, though depending on the physical layer you are using, you may need an RS232-RS485 adapter.

I haven't tried this, but it should work. If there is a read/write problem that I am not thinking of, it can definitely be addressed with some scripting. In a script, write to the new set of tags that are exposed to the problem network, so even if these are changed, there is no write mechanism to the actual tags linked to the target, protected device.
 
Thanks, that's not a bad suggestion. The data station is a bit beefier than I need, but would certainly do the job.

Can anybody else suggest a similar device?

The idea of a Redlion Data Station is a very good one. I have used the DSPLE in just this type of application. The DSPLE is fairly inexpensive. My application was Modbus/TCP so multiple masters (with write capability) was possible but not preferable.

Be sure to connect your RTU device to the DSPLE directly and not as a part of the modbus RTU "daisy-chain".

Having said that, using multiple masters on one "daisy-chain" is not the best idea. There should only be one device configured as the master in any RTU arrangement.

If I have missed (or misunderstood) something in your question let me know.
 
That's exactly the problem here. The state of the network beyond our machine is out of our hands, unfortunately, so we need some way to protect it. Thanks for the input.
 
If you put a DSPLE in the enclosure with your modbus device and wire the two directly together they will be on their own network. Then configure the modbus addressing in the DSPLE to exactly mirror your device (except that you don't grant write access), and wire the "daisy chain" part of the plant network to the DSPLE rather than your device. You will need the expansion card in the DSPLE, but it will work.

The DSPLE will act as a master to your device and as a slave on the plant network. Since they are on different networks, you can configure them with the same modbus address and it will appear seamless.
 
Most PLCs that support Modbus could do this too - if they also support multiple serial ports. Many do, and I can think of several. But this approach will probably cost more for hardware, and will certainly take more in programming time. Your application is a little different in that you need a master and a slave at the same time - I don't know of any of the pre-packaged gateways that do that on serial. All I know of that do this type of stuff do serial to ethernet. You could do two of these bridging ethernet in the middle... but then with the solutions already presented, you have one unit (which is simpler, IMHO). And no, I don't work for Redlion - I just find the flexibility they have in their devices to be at the forefront of the industry as far as data communications is concerned. JHarbin's second post on setup is what I was thinking of. I wouldn't try two masters - completely isolate the network you want to protect, and you can make the Redlion device look like any other Modbus slave so the current master will never even know the difference.
 
Yeah, I considered the secondary PLC route, but nixed it for the reasons you mentioned. I also agree with your and JHarbin's isolated network setup plan; that's exactly what we would be doing. Thanks again.
 
Is this the Tofino "Factory Level" solution you mention?
http://www.tofinosecurity.com/node/41

Is it really overkill for protecting your machine? I've seen them, nice little DIN rail mount package that would fit nicely in a panel. I have no idea how expensive it is relative to Red Lion.

Yeah, that's the one. Seems like a nice little appliance, but I think it is intended to be part of a larger, integrated security solution that would be deployed on-site by our customer. From what I can tell, you can't simply install the module on your machine, you have to purchase at least a couple other pieces of software to configure, manage and monitor it. The whole package starts at a couple thousand, I think.
 
Good to know, thanks.
 
Actually, under the 'Network Master Config' of the Digi One IAP, under protocols you'll find three filter options:
* Allow and process all incoming requests (this is the default and all Modbus functions 1 to 127 are allowed)
* Allow and process only read-only requests (this limits Modbus to only functions 1 to 4)
* Allow and process only read or write requests (this limits Modbus to only 1-6,15,16 meaning none of the PLC programming or other extended functions would be allowed. It kind of dumbs Modbus down to generic form).

If you do the manual/telnet config it is the 'permit' command with syntax permit=(all|readonly|rdwrdata). It applies only to the incoming master, so there is no way to configure different behavior by slave/destination.

Needless to say, it is NOT a very widely used command ... and not sure why I put it in there :). I guess I assumed someone might want to enable a Modbus/TCP master on say TCP port 502 which is READ-ONLY, and then create a SECOND master on say TCP port 23052 (a kind of hidden port) which supports all commands.

And to be fair, there ARE several "Modbus Firewall" Linux projects, such as http://modbusfw.sourceforge.net/ which allow deep packet inspection to support a finer grain filtering, so that host 'A' can read/write, but 'B' and 'C' can only read and all others are blocked.

Best Regards
- Lynn August Linse (lynnl) at digi.com
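Added example (not Digi One IAP firmware, not modbusfw code, and not anything posted in this thread): the three 'permit' policies Lynn lists, expressed as a function-code allow list applied to Modbus/TCP request frames, with the per-source rules he describes for modbusfw layered on top (host A read/write, host B read only, everything else blocked). The same read-only allow list is what the Red Lion mirror setup earlier in the thread enforces in hardware. The policy names follow the post; the function names, the source-address rule table and the sample frames are assumptions constructed for illustration, not captured traffic.

```python
"""Modbus/TCP function-code filter modelled on the 'permit' options above.

Added example: this is not Digi One IAP firmware or modbusfw code. Policy names
(all / readonly / rdwrdata) and their function-code sets are taken from the post;
the per-source rules imitate the modbusfw description (host A read/write, B read
only, others blocked). Sample frames below are constructed for illustration.
"""
import struct

# Function-code sets quoted in the post for each 'permit' setting.
READ_ONLY_FCS = frozenset({1, 2, 3, 4})            # read coils/inputs/registers
RDWR_DATA_FCS = READ_ONLY_FCS | {5, 6, 15, 16}     # plus plain data writes
POLICIES = {
    "all": frozenset(range(1, 128)),               # any function code 1..127
    "readonly": READ_ONLY_FCS,
    "rdwrdata": RDWR_DATA_FCS,
}

MBAP_FMT = ">HHHB"                     # transaction id, protocol id, length, unit id
MBAP_LEN = struct.calcsize(MBAP_FMT)   # 7 bytes
EX_ILLEGAL_FUNCTION = 0x01             # Modbus exception code for a refused function


def parse_mbap(frame: bytes):
    """Split a Modbus/TCP ADU into (transaction_id, unit_id, pdu).

    Raises ValueError on anything that is not a well-formed request, so the
    caller can drop it instead of guessing.
    """
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(MBAP_FMT, frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:       # length field covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return tid, uid, frame[MBAP_LEN:]


def exception_response(tid: int, uid: int, fc: int, ex_code: int) -> bytes:
    """Build the exception ADU a slave would return: (fc | 0x80), exception code."""
    pdu = bytes([(fc | 0x80) & 0xFF, ex_code])
    return struct.pack(MBAP_FMT, tid, 0, len(pdu) + 1, uid) + pdu


def filter_request(frame: bytes, policy: str, src: str = None, src_rules: dict = None):
    """Apply the permit policy to one request arriving from the network side.

    Returns one of:
      ("forward", frame)      request may go on to the protected slave
      ("reject", exception)   function code refused; answer with Illegal Function
      ("drop", None)          malformed frame or unknown source; say nothing
    If src_rules is given it maps source address -> policy name (modbusfw style)
    and overrides `policy`; sources absent from the table are dropped.
    """
    if src_rules is not None:
        policy = src_rules.get(src)
        if policy is None:
            return ("drop", None)
    try:
        tid, uid, pdu = parse_mbap(frame)
    except ValueError:
        return ("drop", None)
    fc = pdu[0]
    if fc in POLICIES[policy]:
        return ("forward", frame)
    return ("reject", exception_response(tid, uid, fc, EX_ILLEGAL_FUNCTION))


# Constructed sample requests to unit id 1 (not captured traffic).
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")        # FC 3
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0001 002a")        # FC 6
WRITE_MULTI = bytes.fromhex("0003 0000 0009 01 10 0000 0001 02 002a") # FC 16
DIAGNOSTICS = bytes.fromhex("0004 0000 0006 01 08 0000 0000")         # FC 8

if __name__ == "__main__":
    for name, frame in [("read", READ_HOLDING), ("write6", WRITE_SINGLE),
                        ("write16", WRITE_MULTI), ("diag", DIAGNOSTICS)]:
        for policy in ("readonly", "rdwrdata", "all"):
            verdict, _ = filter_request(frame, policy)
            print(f"{name:8s} {policy:9s} -> {verdict}")
```

Two design points worth noting. A refused function code is answered with a Modbus exception (Illegal Function) rather than silently dropped, so a well-behaved master fails fast instead of timing out and retrying; a malformed frame or an unlisted source gets nothing back. And, as with the Digi 'permit' option, the decision is made only on the function code and source address, not on the unit id or register range: Modbus itself carries no authentication, so a source-address rule is only as strong as the network it sits on.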
 
Thanks for the inside information. I'll have to reconsider using Digi.

I have seen the Modbus Firewall project, and I really hope it makes it into some off-the-shelf devices.

Also, if anyone is interested, I found a company called HMS that makes a series of nice little serial gateways/protocol converters called Anybus Communicators. Looks like this could do the job also.
 