Protecting Modbus/TCP-Based Industrial Automation and Control Systems Using Message Authentication Codes

Critical infrastructure (CI), such as energy and water distribution systems, is essential for the stability well-being of modern society. Industrial automation control systems (IACSs) form backbone CIs enable operation in a safe reliable manner. However, with increasing use industrial Ethernet communication protocols, Modbus-over-TCP (Modbus/TCP), once air-gapped IACSs are becoming vulnerable to potential cybersecurity threats. This paper presents novel method enhancing Modbus/TCP-based by implementing an authentication based on message codes (MACs). To provide partial protection even when communicating legacy Modbus/TCP peers, we propose supervising device that analyzes exchanged messages verifies authenticity protected messages. experimentally verify method, water-treatment cyber-physical system (CPS) was implemented digital twin programmable logic controller (PLC). The underlying MAC Chaskey-12, lightweight defined IEC 29192-6. It PLC program using programming languages 61131-3. As additional contribution, presented implementation allows between PLCs other peers installed existing without hardware or firmware modifications. results show provides against network attacks significantly affecting performance, also demonstrating feasibility IACSs.