Introduction to the Modbus Protocol
In Part 5 of this new Cyber Physical Systems series, I will introduce the Modbus protocol which is widely used in ICS/CPS and cover its data types and functions.
ICS Protocols
Due to ICS being different from IT systems in many aspects, traditional IT protocols cannot be used in ICS. All the systems, interfaces and instruments in an ICS use their own protocols. These protocols were first designed for serial connection and gradually evolved over time.
Typical ICS protocols are:
RS-232 & RS-485
Modbus
DNP3
HART
TASE 2.0 and ICCP
CIP
PROFIBUS and PROFINET
FOUNDATION Fieldbus
BACNet
Serial Protocols
RS-232 and RS-485 are probably the oldest protocols that are still widely used. They use serial transmission with a very low data rate (20 kbits/s). They do not have any IP network or internet connectivity and provide a buffer (air gap) from attacks.
However, a device that supports one of these serial protocols may also have an Ethernet or IP interface that connects it to the Internet.
For example, older laptops had both an RS-232 port and Ethernet, allowing the laptop to connect to the Internet.
To this day, RS-232 variants (serial COM) are still implemented in microcontrollers (Arduino with Atmel), embedded devices, single-board computers (Raspberry Pi), data acquisition devices and instruments, and ICSs. Its lightweight implementation and simplicity are what allow it to run on such small devices.
As the image above shows, you can get it up and running with three wires: one for transmission (TX), one for receiving (RX) and one for ground (GND). These three are practically all you need to get RS-232 working.
The serial protocol is extremely basic and is only used to transfer and receive bits of data with very little to almost no overhead. It cannot even communicate the transmission speed through a handshake and it needs to be set manually on the transmitter and receiver.
There are no security features built into this family of serial communication by default. RS-232 is better thought of as a channel on which other protocols, such as Modbus Serial, are built, similar to the way TCP/IP runs on top of Ethernet.
Modbus
The Modbus protocol was published by Modicon in 1979 for use with its PLC. Modbus is the most common in the industry as it is openly published and royalty-free. Modbus is often used to connect a plant/system supervisory computer with an RTU in SCADA systems.
Therefore, many of the data types are named from industrial control of factory devices. For example, a single-bit physical output is called a coil, and a single-bit physical input is called a discrete input or a contact.
The initial version of Modbus was implemented as a communication protocol over serial links. In Modbus, control commands are sent in a master-slave (client-server) model.
Master-slave is terminology that has been used heavily in communication and control systems since 1988, and it is still in use today (PATA, IDE HDD, Raspberry Pi, Arduino).
The terminology has also been used before 1988 in many other fields like:
Clock networks
Microcontrollers
Databases
Photography
Railway systems
Automotive
In June 2020, the Modbus Organization declared that it would replace master-slave with client-server, so you may see the client-server terminology as well. The new definition may cause confusion if you come from a networking background: the master is now called the client and the slave is now called the server:
The organization is using "client-server" to describe Modbus communications, characterized by communication between client devices, which initiate the communication and make requests of server devices, which process requests and return an appropriate response (or error message).
In short, the master (client) sends the request and the slave (server) processes the request.
Only the client can initiate the transactions (aka queries). The server responds to the queries. The client is often a PLC/RTU/DCS while servers are transducers, valves, sensors and other devices.
The client can address specific servers to direct the queries specifically to that server or can send a broadcast to all servers.
Modbus Serial later evolved into Modbus TCP by taking advantage of Ethernet, IP and TCP, becoming an application-layer protocol.
Modbus implemented over serial communication is also known as Modbus Serial (RS-232) or Modbus RTU (RS-485). Modbus TCP/IP client and server gateway devices connect to a TCP/IP network and act like a bridge, router or gateway between the TCP/IP and serial sub-networks.
If there are legacy Modbus Serial/RTU devices on a Modbus TCP/IP network, such gateways can be placed in the network to perform the translation.
Modbus Frame
Modbus queries have a specific structure defined by the Modbus protocol standard, called a Modbus frame.
The Modbus application protocol defines what is known as Protocol Data Unit (PDU) which is completely independent of the underlying communication layers. The PDU structure is always the same, and the PDU is only encapsulated depending on the type of physical connection (i.e. serial or TCP/IP).
The structure of a PDU for Modbus is:
Modbus PDU (Data)
Modbus has 4 main data types:
Inputs (discrete inputs) - 1 bit of data (0 or 1). It can only be read by the user program, and its value is assigned/controlled by I/O. For example, a valve that communicates over Modbus could have a discrete input that indicates whether the valve is open or closed. The valve itself determines the value of that input; it cannot be changed by the client (read-only value).
Coils - 1 bit of data (0 or 1). It can be written to (or read from) by the user program. For example, the same valve could be controlled through one coil, which is a memory register: when that bit is 1 the valve opens, and when it is 0 the valve closes. The valve would then update its discrete input to report whether it is open or closed.
Input registers (input data) - 16 bits (2 bytes or 1 word), controlled by I/O. Like discrete inputs, they are read-only and are set only by the device's input/output.
Holding registers (output data) - 16 bits (2 bytes or 1 word), controlled by the user program. Like coils, they can be written and read by the client.
Modbus also defines function codes. The function code tells the server what kind of action to perform. The most primitive reads and writes are shown in bold in the following table:
Reading the table, we can access single bits (bit access), which are the discrete inputs and the coils, and we can do the same with the 16-bit registers. For example, discrete inputs can only be read, and the function code for that is 2.
If you see a function code of 2, the client is reading discrete inputs. If you see a function code of 1, the client is reading coils (which can be written to as well). A function code of 5 means the client is writing to a single coil, and a function code of 15 means it is writing to multiple coils at once.
To read input registers, the code is 4. To read holding registers, the code is 3. To write a single holding register, the code is 6. Finally, to write multiple holding registers, the code is 16.
These are the most common codes, but by no means an exhaustive list.
PDU in Transit (Serial)
The PDU structure is always the same, and the PDU is only encapsulated depending on the type of physical connection (i.e. serial or TCP/IP communication).
The encapsulation introduces additional fields on the PDU depending on the type of communication. This encapsulation is called Application Data Unit (ADU). For example, this encapsulation for Modbus RTU is as such:
The Address Field contains:
Server address (used by the client to specify which server it is addressing), ranging from 1 to 247
The server responds by placing its own address in this field so the client knows which server is responding
The Error check field contains:
A 16-bit redundancy value is calculated from the rest of the PDU content; it can indicate, and correct some level of, transmission error.
CRC and LRC stand for Cyclic and Longitudinal Redundancy Check. Think of a parity bit as a very simple version of CRC and LRC, except that a single parity bit can only indicate that a transmission error occurred (and only if a single bit was changed) and cannot correct the bit, whereas CRC/LRC can both indicate and correct.
The Modbus RTU PDU Structure:
The Modbus RTU PDU size:
PDU in Transit (TCP/IP)
Modbus has a defined PDU regardless of TCP/IP or Serial communication. Modbus TCP has its own encapsulation of this fixed PDU for transmission over IP network. The encapsulated PDU is called Application Data Unit.
The Modbus Protocol Application header (MBPA) consists of:
Transaction identifier (2 bytes) - used to pair the requests and responses of the client and server. Its value is set by the client to identify each request; the same value is repeated by the server in the response.
Protocol identifier (2 bytes) - set by the master to 0, which corresponds to the Modbus protocol
Length (2 bytes) - set by the master and slave, giving the number of bytes that follow in the message. It is counted from the Unit Identifier to the end of the message
Unit Identifier (1 byte) - set by the client to identify and address a specific slave. The same value is repeated by the slave in the response to identify itself. It is used to reach Modbus RTU devices behind a gateway on a Modbus TCP/IP network.
For an example of the Modbus TCP message exchange, visit here.
On the website above, you can find an example of a request and response message exchange and its byte-by-byte analysis.
The overall MBPA header is broken down:
An example of this is the following:
11 03 006B 0003 7687
Here, the breakdown is as follows:
11 - device address SlaveID (17 = 11 hex)
03 - Function code (read Analog Output Holding Registers)
006B - Address of the first register (40108-40001 = 107 = 6B hex)
0003 - Number of registers requested (reading 3 registers, from 40108 to 40110)
7687 - CRC checksum
PDU in Transit (TCP/IP vs RTU)
Comparing the ADU of Modbus TCP with that of Modbus RTU:
Modbus RTU carries error-correction overhead in the form of a CRC/LRC, which is not present in the Modbus TCP ADU.
The Slave ID in RTU is very similar to the Unit ID in Modbus TCP.
The Modbus TCP ADU contains the MBPA header, which carries additional information.
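As an added example (not code from the original post), the following Python builds the page's sample query both as a Modbus RTU ADU, reproducing the CRC the page shows, and as a Modbus TCP ADU with the MBPA header, and then validates received frames the way a server or a passive monitor would. It serves the data-types/function-codes section and the two PDU-in-transit sections; the function-code constants, helper names and the transaction id are my own choices.

```python
import struct

# Function codes named on the page (decimal values as in the Modbus table)
FC_READ_COILS, FC_READ_DISCRETE_INPUTS, FC_READ_HOLDING_REGISTERS, FC_READ_INPUT_REGISTERS = 1, 2, 3, 4
FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER, FC_WRITE_MULTIPLE_COILS, FC_WRITE_MULTIPLE_REGISTERS = 5, 6, 15, 16

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def read_pdu(function_code: int, start_addr: int, quantity: int) -> bytes:
    """PDU for the read functions: code, 2-byte start address, 2-byte count (big-endian)."""
    return struct.pack(">BHH", function_code, start_addr, quantity)

def rtu_adu(slave_id: int, pdu: bytes) -> bytes:
    """Modbus RTU ADU: address byte + PDU + CRC, with the CRC low byte first on the wire."""
    body = bytes([slave_id]) + pdu
    return body + struct.pack("<H", crc16_modbus(body))

def rtu_crc_ok(frame: bytes) -> bool:
    """Receiver-side check: recompute the CRC over everything before the last two bytes."""
    return len(frame) > 2 and struct.unpack("<H", frame[-2:])[0] == crc16_modbus(frame[:-2])

def tcp_adu(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Modbus TCP ADU: 7-byte header (transaction id, protocol id 0, length, unit id) + PDU.
    Length counts the unit id plus the PDU; there is no CRC field at all."""
    return struct.pack(">HHHB", transaction_id, 0, 1 + len(pdu), unit_id) + pdu

def parse_tcp_adu(frame: bytes) -> dict:
    """Split a received Modbus TCP frame into its fields, rejecting an inconsistent header."""
    if len(frame) < 8:
        raise ValueError("frame too short for header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("malformed Modbus TCP header")
    return {"transaction_id": tid, "unit_id": uid, "function_code": frame[7], "data": frame[8:]}

if __name__ == "__main__":
    # Constructed from the page's example: slave 0x11, read 3 holding registers from 40108
    pdu = read_pdu(FC_READ_HOLDING_REGISTERS, 40108 - 40001, 3)
    print("RTU:", rtu_adu(0x11, pdu).hex())    # 1103006b00037687
    print("TCP:", tcp_adu(1, 0x11, pdu).hex())  # 0001000000061103006b0003
```

The length check in parse_tcp_adu is the kind of consistency test a monitoring tool applies before trusting the function code and data fields of a frame.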
Modbus Limitations
Modbus has a number of limitations. Some of these include:
A limited set of data types (boolean/bit and integer/word). This is because it was designed in the 1970s to communicate with PLCs, and PLCs only understood these data types at the time.
Large binary objects are often not supported.
There is no standard way to find the description of a data item, that is, to discover what a register value represents and how it is encoded.
Since Modbus is a client/server protocol, field devices cannot initiate a data transfer through an event mechanism. Client nodes must therefore routinely poll each field device (server) and look for changes in the data. This consumes bandwidth and network time in applications where bandwidth may be expensive, such as over a low-bit-rate radio link.
Modbus is restricted to addressing 247 devices on one data link, which limits the number of field devices that can be connected to a parent station (except for Modbus TCP/IP, which uses Ethernet).
The Modbus protocol itself provides no security against unauthorized commands or interception of data. All communication is in plain text and can be intercepted and viewed.
Profibus & Profinet
Two other common ICS protocols are Profibus (process field bus) and Profinet (process field net). Profibus, designed in the 90s, is still one of the most common ICS protocols. Depending on how it is connected, it takes one of two forms:
Profibus-DP (decentralized peripherals)
Profibus-PA (Process Automation)
It is a full-duplex communication protocol. It also uses the RS-485 protocol for signaling and cabling.
Profinet is based on Ethernet and Profibus. It is designed for low-latency applications. It is half-duplex, in contrast to Profibus, which is full-duplex, and has a higher data transmission speed than Profibus.
It uses Profinet Ethernet cables (normal Ethernet cables with more robust shielding to protect against interference).