This scenario serves as an introduction to attacking a Modbus-based PLC. The goal is to gradually understand the system’s behavior by monitoring the PLC registers before executing an attack.

Reconnaissance phase

Before launching an attack, it is crucial to analyze the plant’s behavior. This involves monitoring the PLC registers to identify active ones and understand how they are utilized.

For this purpose, I developed a small tool that continuously monitors Modbus registers to determine which ones are in use. The tool is available in my GitHub repository .

To monitor the PLC behavior for 15 seconds, execute:

./modbus_monitor.py -i 172.26.104.12 -p 502 -t holding -k 15

From our observations, only holding registers are used, specifically registers 1, 2, 3, 4, and 16. Notably, register 16 holds a value of 1, warranting further investigation.

We also identified that these registers store binary information (0 or 1), despite Modbus offering dedicated boolean registers for this purpose.

The system operates in three phases:

• Initialization: The conveyor moves the first bottle under the nozzle.
• Filling: The nozzle opens, filling the bottle.
• Moving: The conveyor moves the next bottle into position.

This cycle repeats indefinitely. During a real-world attack, the adversary would likely lack physical visibility of the system’s operation. However, for this lab, we simplify the analysis.

From the three phases described above, we can observe:

• Sensors: Used to read the state of the plant. There are two sensors: bottle presence and full bottle.
• Actuators: Used to alter the state of the plant. There are three actuators: roller and nozzle.

After observing the plant behavior and associated states for a certain period, we can define that:

Continue reading the post on Patreon .