Modbus, PROFINET and EtherNet/IP lack basic security. Discover how protocol-aware monitoring and deep packet inspection protect against command injection and spoofing attacks


Cybersecurity Matters

Protocol-Level Vulnerabilities:
Securing Industrial Communications at the Foundation

The Language of Control is the Language of Risk: Securing Industrial Protocols

That Modbus TCP command stopping your production line is perfectly formatted, entirely legitimate, and completely malicious. Your controllers can't tell the difference.

The foundational protocols running your industrial operations - Modbus TCP, PROFINET, DNP3, EtherNet/IP - were designed in an era of trusted networks and physical isolation. In their base forms they prioritize deterministic performance over security: commands travel in clear text, nothing in the frame identifies or authenticates the sender, and the only checks are CRCs and TCP checksums, which catch transmission errors rather than deliberate tampering. This design assumption means any attacker with network reachability to your controllers can speak to them in their native language, and your controllers will obediently comply.

When Legitimate Commands Become Weapons

The 2021 Oldsmar water treatment plant attack demonstrated this vulnerability with terrifying clarity. An intruder used the plant's remote-access software to take over an operator's HMI session and raised the sodium hydroxide setpoint from 100 parts per million to 11,100 - a dose that could have poisoned the water supply had the operator watching the screen not noticed the change and reversed it. The attack didn't exploit a zero-day vulnerability or custom malware. The attacker simply issued the same kind of setpoint change the operators issue every day, through the same interface and the same protocol, and the controller accepted it because it had no way to do otherwise.

This pattern repeats because industrial protocols suffer from three inherent weaknesses:


The Authentication Gap
Protocols like Modbus TCP have no concept of user identity. A command from a legitimate HMI carries the same weight as one from an attacker's laptop. There's no mechanism to verify that the entity sending a "valve open" command is authorized to do so.
The Secrecy Deficit
Every command, setpoint change, and sensor reading travels across the network in plain text. An attacker with basic network access can eavesdrop on operations, learn process patterns, and identify critical control points without ever sending a single packet.
The Integrity Void
These protocols carry no cryptographic integrity protection. The CRCs and checksums they do include exist to detect line noise, and an on-path attacker who rewrites a value simply forwards the frame with a fresh checksum. The receiving device has no way to know the data has been tampered with.
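To make those three gaps concrete, here is an added example (not code from the article) that builds a Modbus TCP Write Single Register request the way an HMI's Modbus stack does, decodes it the way a PLC does, and rewrites the value in flight. The unit id, the register address and the dosing-setpoint values are assumptions chosen for the illustration; the frame layout is the one defined by the Modbus Application Protocol specification.

```python
import struct

# Modbus function codes from the Modbus Application Protocol Specification
FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06

def mbap_frame(transaction_id, unit_id, pdu):
    """Prefix a PDU with the 7-byte MBAP header: transaction id, protocol id (always 0),
    length of unit id + PDU, unit id. Note what is absent: no sender identity, no nonce, no MAC."""
    return struct.pack(">HHHB", transaction_id, 0, 1 + len(pdu), unit_id) + pdu

def read_holding_registers(transaction_id, unit_id, address, count):
    return mbap_frame(transaction_id, unit_id, struct.pack(">BHH", FC_READ_HOLDING, address, count))

def write_single_register(transaction_id, unit_id, address, value):
    return mbap_frame(transaction_id, unit_id, struct.pack(">BHH", FC_WRITE_SINGLE, address, value))

def decode_request(frame):
    """Parse a request the way a PLC does: the only checks available are structural."""
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    fc = frame[7]
    rec = {"tid": tid, "unit": uid, "fc": fc}
    if fc in (FC_READ_HOLDING, FC_WRITE_SINGLE):
        # second field is a register count for 0x03 and the value to write for 0x06
        rec["address"], rec["value"] = struct.unpack(">HH", frame[8:12])
    return rec

def tamper_write_value(frame, new_value):
    """Integrity void: an on-path attacker replaces the value in a Write Single Register frame.
    Nothing in the Modbus frame needs recomputing; whoever forwards the packet regenerates
    the TCP checksum, and the PLC has no other check to fail."""
    if decode_request(frame)["fc"] != FC_WRITE_SINGLE:
        raise ValueError("not a Write Single Register request")
    return frame[:10] + struct.pack(">H", new_value)

# Constructed scenario: register 100 on unit 1 is assumed to hold a chemical-dosing setpoint.
SETPOINT_REGISTER = 100

def scenario():
    operator = write_single_register(1, 1, SETPOINT_REGISTER, 100)  # HMI sets the setpoint to 100
    attacker = write_single_register(1, 1, SETPOINT_REGISTER, 100)  # laptop on the same VLAN does the same
    modified = tamper_write_value(operator, 11100)                   # operator's own frame, value rewritten
    return {
        "indistinguishable": operator == attacker,             # authentication gap: identical bytes
        "cleartext_value": decode_request(operator)["value"],  # secrecy deficit: readable off the wire
        "tampered_value": decode_request(modified)["value"],   # integrity void: still decodes as valid
    }

if __name__ == "__main__":
    print(write_single_register(1, 1, SETPOINT_REGISTER, 100).hex())
    print(scenario())
```

The PLC-side decoder accepts the tampered frame for the same reason it accepts the attacker's: every byte it can check is correct. That is the whole problem the rest of this page is about.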

Why Traditional Defences Are Blind to Protocol Attacks

Standard IT security tools miss these attacks because they operate at the wrong layer of the network stack. Your enterprise firewall might expertly block known-bad IP addresses and filter web traffic, but once it has allowed TCP port 502 through to a PLC it is blind to what the Modbus payload says: a write to a holding register (function code 06 or 16) that changes a setpoint passes with the same ease as a routine read (function code 03).

The challenge runs deeper than just visibility:

Content-Agnostic Filtering
Traditional firewalls make decisions based on IP addresses, ports, and protocols - once TCP port 502 is open to a controller they pass a normal polling request and a command that would dangerously override a safety interlock with equal indifference.
Signature-Based Limitations
Conventional intrusion detection systems rely on known attack patterns, but protocol-level attacks use perfectly formatted commands that match the protocol specification. There's no malicious signature to detect - only malicious intent to recognize.
Context Ignorance
IT security tools lack the industrial context to understand what constitutes normal behavior. A sequence of commands that would be routine in a packaging line might be highly suspicious in a safety system. This operational awareness is essential for effective detection.
The Shift to Protocol-Aware Security
The solution requires security tools that understand industrial protocols as deeply as your engineers do. This means moving beyond simple packet filtering to deep packet inspection that comprehends the semantics of industrial communications.

Protocol-aware security operates on three key principles:


Command-Level Analysis
Instead of just allowing or blocking Modbus TCP traffic, modern industrial IDS/IPS systems inspect the actual function codes and register addresses. They can distinguish between a read request from an HMI and a write command to a critical setpoint, applying different security policies to each.
Behavioral Baselining
By learning normal communication patterns over time, these systems can detect anomalies that indicate compromise. If a PLC that normally only communicates with two HMIs suddenly receives commands from a third IP address, that deviation triggers an alert - even though the commands themselves are technically valid.
Contextual Enforcement
Security policies can be tailored to specific operational contexts. Commands that are acceptable during normal production might be blocked during emergency shutdown procedures. Write operations from engineering workstations might be permitted during maintenance windows but prevented during normal operations.

Building Your Protocol Defence Strategy

Implementing effective protocol security requires more than just deploying new tools. The most successful approaches follow a structured methodology:

1. Protocol Inventory and Risk Assessment
Begin by cataloguing every industrial protocol in use across your operations. Not all protocols carry equal risk - Modbus TCP's simplicity makes it trivial to craft and spoof, while PROFINET's real-time traffic runs directly over Ethernet (EtherType 0x8892) rather than IP, so IP-layer firewalls and flow records never see it at all. Understanding which protocols support your most critical processes helps prioritize your efforts.
2. Communication Pattern Mapping
Document normal communication patterns for each protocol. Which devices initiate conversations? What ranges of registers or tags do they access? During what time windows do certain communications occur? This baseline becomes the foundation for detecting anomalies.
3. Strategic Monitoring Deployment
Place protocol-aware monitoring at critical network boundaries and within key operational zones. Monitoring the traffic between your control network and DMZ catches external attacks, while internal monitoring detects lateral movement. The goal is visibility where it matters most.
4. Response Planning
Determine in advance how you'll respond to protocol-level attacks. Will you block malicious commands automatically, or simply alert and allow operations to decide? The answer depends on the criticality of the system and your tolerance for false positives.
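Here is how the three principles of the previous section and steps 2 and 4 of this methodology look in code: an added example, not taken from the article or from any product, that baselines which hosts talk to a PLC, judges each decoded Modbus write by its function code and the register range it touches, and switches policy between a production and a maintenance mode. The sensor is assumed to have already parsed the MBAP header and PDU into fields; the host addresses, roles, register map and sample traffic are hypothetical and constructed for the demonstration.

```python
from collections import defaultdict

# Modbus function codes (Modbus Application Protocol Specification)
FC_READ_HOLDING, FC_WRITE_SINGLE, FC_WRITE_MULTIPLE = 0x03, 0x06, 0x10

# Hypothetical plant, assumed for this example and not taken from the article:
# which hosts hold which role, and how the PLC's holding registers are carved up.
ROLES = {"10.0.1.10": "hmi", "10.0.1.11": "hmi", "10.0.1.50": "engineering"}
REGISTER_MAP = {
    "operator_setpoints": range(0, 100),   # adjustable from the HMI during production
    "safety_limits": range(100, 200),      # engineering only, and only in a maintenance window
}
PLC = "10.0.2.20"

def classify_register(address):
    """Map a raw holding-register address to the plant's register region."""
    for name, span in REGISTER_MAP.items():
        if address in span:
            return name
    return "unmapped"

class ProtocolAwareMonitor:
    """Judges decoded Modbus TCP requests as a passive sensor hands them over after
    parsing the MBAP header and PDU: src, dst, unit, fc, address, count, value."""

    def __init__(self, roles, block_on_violation=False):
        self.roles = roles
        self.block_on_violation = block_on_violation   # response planning: alert-only or inline block
        self.peers = defaultdict(set)                  # dst PLC -> sources seen while learning
        self.mode = "production"                       # contextual enforcement

    def learn(self, records):
        """Behavioural baselining: remember which sources normally talk to each PLC."""
        for r in records:
            self.peers[r["dst"]].add(r["src"])

    def set_mode(self, mode):
        self.mode = mode

    def inspect(self, r):
        """Return (verdict, reason) for one request; verdict is 'allow', 'alert' or 'block'."""
        src, dst, fc, addr = r["src"], r["dst"], r["fc"], r["address"]
        if src not in self.peers[dst]:
            return self._violation(f"{src} never seen talking to {dst} during baselining")
        role = self.roles.get(src)
        if role is None:
            return self._violation(f"{src} has no assigned role")
        if fc == FC_READ_HOLDING:
            return ("allow", "read")
        if fc not in (FC_WRITE_SINGLE, FC_WRITE_MULTIPLE):
            return self._violation(f"function code {fc:#04x} not in policy")
        # Command-level analysis: a multi-register write is judged by every register it
        # touches, so a write that starts in the operator range cannot spill into safety limits.
        last = addr + r.get("count", 1) - 1
        regions = {classify_register(a) for a in range(addr, last + 1)}
        if role == "hmi" and regions == {"operator_setpoints"}:
            return ("allow", "operator setpoint write")
        if role == "engineering" and self.mode == "maintenance":
            return ("allow", "engineering write inside maintenance window")
        return self._violation(f"{role} write to {sorted(regions)} at {addr}-{last} during {self.mode}")

    def _violation(self, reason):
        return ("block" if self.block_on_violation else "alert", reason)

def req(src, fc, address, count=1, value=None):
    return {"src": src, "dst": PLC, "unit": 1, "fc": fc, "address": address, "count": count, "value": value}

# Constructed learning-phase traffic: routine polling from the two HMIs and the engineering station.
LEARNING = [req("10.0.1.10", FC_READ_HOLDING, 0, 10), req("10.0.1.11", FC_READ_HOLDING, 0, 10),
            req("10.0.1.50", FC_READ_HOLDING, 0, 200)]

# Constructed test traffic; every request is a perfectly well-formed Modbus frame.
EVENTS = [
    req("10.0.1.10", FC_READ_HOLDING, 0, 10),              # routine poll
    req("10.0.1.10", FC_WRITE_SINGLE, 10, value=55),       # operator adjusts a setpoint
    req("10.0.1.10", FC_WRITE_SINGLE, 150, value=11100),   # HMI writes a safety limit
    req("10.0.1.10", FC_WRITE_MULTIPLE, 98, 4),            # write spills from setpoints into safety limits
    req("10.0.1.50", FC_WRITE_MULTIPLE, 150, 2),           # engineering write, but during production
    req("10.0.9.9", FC_WRITE_SINGLE, 10, value=55),        # byte-identical to event 2, from an unknown laptop
]

def run_demo(block_on_violation=False):
    """Baseline, inspect the events, then repeat the engineering write inside a maintenance window."""
    mon = ProtocolAwareMonitor(ROLES, block_on_violation)
    mon.learn(LEARNING)
    verdicts = [mon.inspect(e)[0] for e in EVENTS]
    mon.set_mode("maintenance")
    verdicts.append(mon.inspect(EVENTS[4])[0])
    return verdicts

if __name__ == "__main__":
    mon = ProtocolAwareMonitor(ROLES)
    mon.learn(LEARNING)
    for e in EVENTS:
        print(f"{e['src']:>10} fc={e['fc']:#04x} addr={e['address']:>3}", mon.inspect(e))
```

The write-multiple check judges every register a request covers rather than only its start address: a Write Multiple Registers starting at 98 with a count of 4 reaches into the safety range and is flagged even though registers 98 and 99 are operator-adjustable. The last event carries exactly the bytes of the allowed operator write and is still flagged, because the baseline, not the frame, is what identifies the source. Flip block_on_violation to True to turn the same decision into an inline block for the systems where you decided in advance that a false positive costs less than a successful write.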

The Emerging Standards: A Glimpse of the Future

While compensating controls provide essential protection today, the industry is gradually moving toward more secure protocol implementations. OPC UA, with message signing, encryption and certificate-based application authentication written into its specification, represents the direction of travel, while retrofits such as CIP Security for EtherNet/IP (CIP carried over TLS or DTLS) and Modbus/TCP Security (Modbus over TLS on port 802) add authentication and integrity to existing protocols without abandoning them.

The transition to secure protocols will take years - possibly decades - given the long lifecycle of industrial equipment. In the meantime, protocol-aware security provides the essential bridge that allows you to operate existing equipment without accepting its inherent vulnerabilities.

One automotive manufacturer demonstrated the power of this approach when they detected anomalous PROFINET commands targeting their robotic welding cells. The protocol-aware monitoring system flagged commands that were technically valid but violated established operational sequences. Investigation revealed a compromised engineering workstation that was attempting to subtly alter weld parameters - a sabotage attempt that would have caused gradual quality degradation rather than immediate failure.

Answering - Some Frequently Asked Questions

Doesn't our VPN already protect industrial traffic?
VPNs protect against eavesdropping but do nothing to prevent malicious commands from authorized users or compromised systems. Once traffic is decrypted at the VPN endpoint, it's still vulnerable to protocol-level attacks. Encryption provides confidentiality in transit but not integrity or authentication at the application layer where industrial protocols operate.

How do you monitor protocols that rely on broadcast or multicast traffic?
Broadcast and multicast traffic presents particular challenges for security monitoring because responses may come from multiple devices. The solution involves understanding normal broadcast patterns and monitoring for anomalies. Some protocols also support unicast alternatives that may be more suitable for secure environments. In critical cases, strategic network segmentation can contain broadcast domains.

Can deep packet inspection keep up with plant traffic without adding latency?
Modern industrial security appliances are designed specifically for this workload, using specialized hardware to perform deep packet inspection at wire speed. Deployed passively on a network TAP or SPAN port they sit outside the forwarding path and add no latency at all; only inline blocking puts the appliance between the HMI and the controller. The key is proper sizing and placement - deploying appropriately sized appliances at strategic points in your network where they can handle the traffic load without introducing latency.

What about proprietary protocols our monitoring tools can't decode?
For proprietary protocols, consider working with the vendor to understand whether they can provide security extensions or monitoring capabilities. Alternatively, behavioural monitoring can still detect anomalies even without full protocol decoding - unusual traffic patterns, unexpected source/destination pairs, or timing anomalies can all indicate problems worth investigating.

How do you stop authorized engineering changes from triggering false alarms?
This is where the combination of technical controls and operational processes becomes essential. Implementing a robust change management process ensures that planned modifications are documented and communicated to security teams. Modern systems can also integrate with change management platforms to automatically adjust security baselines when authorized changes occur.

If we migrate to a secure protocol such as OPC UA, do we still need protocol-aware monitoring?
While newer protocols like OPC UA have security built into their specifications, no protocol is completely immune to misconfiguration or implementation flaws. The defence-in-depth principle applies even to "secure" protocols. Additionally, many operations use mixed environments where secure and legacy protocols coexist, requiring comprehensive protection that covers all communications.

From Inherently Insecure to Operationally Secure

The inherent vulnerabilities in industrial protocols don't have to mean accepting unacceptable risk. The technology and methodologies to monitor, detect, and prevent protocol-level attacks are available and proven in critical infrastructure worldwide.

Subscribe to the Link & Layer | Smart Learning Hub to receive our "Industrial Protocol Security Handbook," featuring deep technical analysis of major protocols, deployment guides for leading security platforms, and real-world case studies of protocol-level attacks detected and prevented.

Your controllers may not know the difference between friend and foe, but your security systems can.
