Detecting Modbus Protocol Anomalies

When to Use

• When deploying Modbus-specific intrusion detection in an OT environment
• When building baseline models for deterministic Modbus polling patterns
• When investigating suspicious Modbus traffic flagged by OT monitoring tools
• When implementing function code allowlisting on industrial firewalls
• When detecting unauthorized Modbus write commands that could manipulate process setpoints

Do not use for securing Modbus communications end-to-end (Modbus has no native security; see implementing-network-segmentation-for-ot for firewall-based controls), for non-Modbus protocol monitoring (see detecting-anomalies-in-industrial-control-systems for multi-protocol), or for active fuzzing of Modbus implementations (see performing-plc-firmware-security-analysis).

Prerequisites

• Network SPAN/TAP access to monitor Modbus/TCP traffic (port 502)
• Zeek (formerly Bro) with Modbus protocol analyzer or Suricata with OT rulesets
• Python 3.9+ with scapy and pymodbus for custom analysis
• Baseline capture of normal Modbus traffic (minimum 1-2 weeks)
• Documentation of authorized Modbus clients, function codes, and register maps