Southwest Research Institute Develops Cyber Security Intrusion Detection System for Modbus TCP Networks

By Chantal Polsonetti

Company and Product News

Southwest Research Institute (SwRI) has developed technology to help government and industry detect cyber threats to industrial networks used in critical infrastructure and manufacturing systems. SwRI funded the research to address emerging cyber threats in the rapidly evolving ecosystem for industrial automation.

The research team used algorithms to scan for cyber threats across network protocols that transmit industrial control data for everything from natural gas pipelines to manufacturing robots. The research led to development of an intrusion detection system (IDS) for industrial control systems (ICS), which have often relied on air gaps to insulate themselves from information technology (IT) networks. Unplugging industrial networks from IT networks is no longer an option, however, for modern automation systems that rely on the industrial internet of things (IIoT) to transmit vast amounts of data.

The SwRI team focused their research on scanning for cyberattacks over the Modbus/TCP protocol. Utilities and industry have used this Ethernet-based networking protocol for decades in supervisory controls and data acquisition (SCADA) systems equipment.

SwRI researchers originally developed the algorithms to scan Controller Area Network (CAN) bus networks used in automotive hardware. They customized the cybersecurity algorithms to scan a simulated network equipped with industrial devices before evaluating the new algorithms on a real-world industrial network. The test system used the Modbus/TCP protocol to send data packets over a network. The network featured an Ethernet switch that connected personal computers, programmable logic controllers (PLCs) and input/output (I/O) modules. The effort included customizing the previous algorithms to recognize the different ways the Modbus/TCP protocol groups data packets in sequences and time signatures.

The newly developed algorithms applied to the test network recognized normal Modbus/TCP traffic and identified cyberattack vectors such as out-of-band timing, address probing and data fuzzing/manipulation. The algorithms classify data packets as “regular” if they come from an uncompromised industrial control device or “attack” if the source is an unexpected or compromised device.
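The article does not publish SwRI's algorithms, so the following is an added illustration, written for this page, of the kind of classification it describes: a baseline is learned from Modbus/TCP traffic known to be normal (which source devices, unit IDs, function codes, register addresses and polling intervals appear), and each later frame is labelled "regular" or "attack" with the reasons it deviated. The MBAP header layout and the Read Holding Registers (0x03) and Write Single Register (0x06) PDUs are real Modbus/TCP; the HMI address, unit ID, thresholds (half the shortest and twice the longest observed gap, write values more than one observed span outside the learned range) and all traffic are constructed for the example and are not SwRI's values or data.

```python
import struct
from dataclasses import dataclass


@dataclass
class ModbusFrame:
    ts: float            # capture timestamp in seconds
    src: str             # source IP of the TCP segment
    transaction_id: int
    unit_id: int
    function: int
    data: bytes          # PDU bytes after the function code


def parse_modbus_tcp(ts, src, payload):
    """Parse MBAP header + PDU from a TCP payload; None if malformed."""
    if len(payload) < 8:
        return None
    tid, proto, length, uid = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:   # protocol id must be 0
        return None
    return ModbusFrame(ts, src, tid, uid, payload[7], payload[8:])


def build_frame(tid, uid, func, *fields):
    """Encode a request whose PDU is the function code plus 16-bit fields (constructed samples)."""
    pdu = bytes([func]) + struct.pack(">" + "H" * len(fields), *fields)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


def _touched(frame):
    """(register addresses touched, (addr, value) if a write) for the two functions modelled here."""
    if frame.function == 0x03 and len(frame.data) == 4:   # Read Holding Registers
        start, qty = struct.unpack(">HH", frame.data)
        return set(range(start, start + qty)), None
    if frame.function == 0x06 and len(frame.data) == 4:   # Write Single Register
        addr, value = struct.unpack(">HH", frame.data)
        return {addr}, (addr, value)
    return set(), None


class ModbusBaseline:
    """Whitelist-style profile learned from traffic known to be normal (hypothetical design)."""

    def __init__(self, frames):
        frames = sorted(frames, key=lambda f: f.ts)
        self.sources = {f.src for f in frames}
        self.units = {f.unit_id for f in frames}
        self.functions = {f.function for f in frames}
        self.addresses = set()
        self.value_range = {}          # register -> (lo, hi) of observed writes
        for f in frames:
            addrs, write = _touched(f)
            self.addresses |= addrs
            if write:
                addr, val = write
                lo, hi = self.value_range.get(addr, (val, val))
                self.value_range[addr] = (min(lo, val), max(hi, val))
        gaps = [b.ts - a.ts for a, b in zip(frames, frames[1:])]
        self.gap_lo, self.gap_hi = min(gaps) / 2, max(gaps) * 2   # assumed tolerance
        self.last_ts = frames[-1].ts

    def classify(self, frames):
        """Yield (frame, 'regular' | 'attack', reasons) in time order."""
        prev = self.last_ts
        for f in sorted(frames, key=lambda f: f.ts):
            reasons = []
            if f.src not in self.sources:
                reasons.append("unexpected source device")
            gap = f.ts - prev
            prev = f.ts
            if not self.gap_lo <= gap <= self.gap_hi:
                reasons.append("out-of-band timing")
            addrs, write = _touched(f)
            if (f.unit_id not in self.units or f.function not in self.functions
                    or not addrs <= self.addresses):
                reasons.append("address probing")
            if write:
                addr, val = write
                lo, hi = self.value_range.get(addr, (val, val))
                span = max(hi - lo, 1)
                if val < lo - span or val > hi + span:
                    reasons.append("data fuzzing/manipulation")
            yield f, ("attack" if reasons else "regular"), reasons


HMI, PLC_UNIT = "10.0.0.5", 1   # constructed: one HMI polling one PLC


def normal_traffic():
    """Constructed baseline: a 1 s poll cycle alternating a 10-register read and a setpoint write."""
    frames = []
    for i in range(10):
        raw = (build_frame(i, PLC_UNIT, 0x03, 0, 10) if i % 2 == 0
               else build_frame(i, PLC_UNIT, 0x06, 5, 100 + i))
        frames.append(parse_modbus_tcp(float(i), HMI, raw))
    return frames


def scan_sample():
    """Classify a constructed capture; returns [(ts, verdict, reasons), ...]."""
    baseline = ModbusBaseline(normal_traffic())
    suspect = [
        parse_modbus_tcp(10.0, HMI, build_frame(10, PLC_UNIT, 0x03, 0, 10)),        # normal poll
        parse_modbus_tcp(10.2, HMI, build_frame(11, PLC_UNIT, 0x03, 200, 50)),      # early, unknown registers
        parse_modbus_tcp(11.0, HMI, build_frame(12, PLC_UNIT, 0x06, 5, 105)),       # normal write
        parse_modbus_tcp(12.0, "10.0.0.99", build_frame(13, PLC_UNIT, 0x06, 5, 65535)),  # new host, wild value
        parse_modbus_tcp(13.0, HMI, build_frame(14, 7, 0x03, 0, 10)),               # unknown unit id
    ]
    return [(f.ts, verdict, reasons) for f, verdict, reasons in baseline.classify(suspect)]


if __name__ == "__main__":
    for ts, verdict, reasons in scan_sample():
        print(f"t={ts:5.1f}  {verdict:8}  {', '.join(reasons)}")
```

The baseline is deliberately a whitelist: anything a PLC network does not do during the learning window is reported, which is appropriate for SCADA polling traffic that is highly repetitive but would generate noise on a general IT segment. A real deployment would learn per-(source, unit) timing rather than one global interval, and would cover the remaining function codes.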

For more information, visit SwRI's Cyber Security Services and Industrial Robotics & Automation pages.
