Monitoring SCADA Modbus Traffic Anomalies

When to Use

• Monitoring OT/ICS networks for unauthorized Modbus commands targeting PLCs, RTUs, or HMIs
• Detecting reconnaissance activity such as Modbus device enumeration (function code 43, Read Device Identification)
• Identifying unauthorized write operations (function codes 05, 06, 15, 16) to coils and holding registers that could alter physical process parameters
• Baselining normal Modbus communication patterns and alerting on deviations in function code distribution, register access ranges, or timing intervals
• Investigating suspected sabotage or insider threats manipulating SCADA process values through Modbus register writes

Do not use on networks without authorization from the asset owner, for active injection or fuzzing against production SCADA systems, or as a replacement for safety-instrumented systems (SIS) that provide physical process protection.

Prerequisites

• Network tap or SPAN port on the OT network segment carrying Modbus TCP traffic (port 502)
• Python 3.9+ with pymodbus (>=3.6), scapy (>=2.5), and pandas for traffic analysis
• Zeek (formerly Bro) installed with the Modbus protocol analyzer enabled for passive traffic logging
• Wireshark or tshark for initial packet capture and validation of Modbus frame structure
• A baseline period of normal operations (minimum 48-72 hours) to establish communication profiles per device pair
• Network diagram identifying Modbus master-slave relationships, device IP addresses, and expected function code usage