Enhancing Modbus TCP Protocol Security with eBPF Technology

The core component of an Industrial Control System (ICS) is often a Programmable Logic Controller (PLC) combined with various modules. In such systems, the communication between devices is mainly based on the Modbus protocol, which was developed by Modicon (now Schneider Electric) in 1979 as an application-level communication protocol and has become a de facto standard for ICS for the past 40 years. Modbus TCP is a variant of this protocol for communications over the TCP/IP network. However, the Modbus protocol was not designed with security in mind, and the use of plaintext transmissions during communication makes information easily accessible to the attackers, while the lack of an authentication mechanism gives any protocol-compliant device the ability to take over control. In this study, we use the eBPF technology to shift the process of protocol change to the lower level of the operating system, making the change transparent to the existing software, and enhancing the security of the Modbus TCP protocol without affecting the existing software ecosystem as much as possible.