A Modbus command and control channel

Since the discovery of Stuxnet, it is no secret that skilled adversaries target industrial control systems. To defend against this threat, defenders increasingly rely on intrusion detection and segmentation. As the security posture improves, it is likely that the attackers will move to stealthier approaches, such as covert channels. This paper presents a command and control (C&C) covert channel over the Modbus/TCP protocol that represents the next logical step for the attackers and evaluates its suitability. The channel stores information in the least significant bits of holding registers to carry information using Modbus read and write methods. This offers an explicit tradeoff between the bandwidth and stealth of the channel that can be set by the attacker.