Experimental Evaluation and Defense-in-Depth Mitigation of Modbus/TCP Security Vulnerabilities in Industrial Control Systems
Received: 9 November 2025 | Revised: 15 January 2026, 10 February 2026, and 19 February 2026 | Accepted: 20 February 2026 | Online: 3 April 2026
Corresponding author: Mahmoud A. Khalifa
Abstract
Industrial Control Systems (ICS) remain critically vulnerable due to the widespread deployment of legacy protocols lacking fundamental security mechanisms. This work demonstrates practical exploitation of Modbus/TCP vulnerabilities through a four-phase attack implementation: reconnaissance (FC01), actuator manipulation (FC05), process monitoring (FC03), and setpoint tampering (FC06), using custom C code against the ModBus_SIM environment. Experimental results achieved 100% attack success rates across all phases. Wireshark analysis confirmed complete protocol transparency, exposing all function codes, addresses, and data values in plaintext. The attack phases are systematically mapped to nine MITRE ATT&CK for ICS techniques and correlated with real-world malware including FrostyGoop, INCONTROLLER, Industroyer, and VPNFilter. A comprehensive defense-in-depth architecture integrating network segmentation, authentication gateways, encryption tunneling, and continuous vulnerability management is proposed to mitigate the identified threats. The complete attack implementation is publicly available for reproducible security research.
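The abstract's central observation, that Modbus/TCP carries function codes, addresses and data values in plaintext, is also what makes the traffic easy to audit. The following added example (not code from the paper or from the ModBus_SIM project) decodes the MBAP header and the four request types the paper exercises (FC01, FC03, FC05, FC06) and applies two defender-side checks drawn from the proposed mitigations: write commands are only accepted from an allow-listed set of hosts (the segmentation/authentication-gateway idea), and a single-register write to a known setpoint address is flagged when its value falls outside an engineering limit. The sample frames, IP addresses, register map and limits are constructed for the example; the frame layout follows the public Modbus application protocol specification.

```python
import struct
from dataclasses import dataclass

# Function codes used in the paper's four attack phases, plus the
# multi-write codes from the Modbus specification (0x0F, 0x10).
READ_COILS = 0x01
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10}


@dataclass
class ModbusRequest:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    address: int   # starting address (reads) or target address (single writes)
    value: int     # quantity (reads) or written value (single writes)


def parse_modbus_request(frame: bytes) -> ModbusRequest:
    """Decode a Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}; Modbus uses 0")
    # MBAP length counts every byte after the length field itself.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    if fc not in (READ_COILS, READ_HOLDING_REGISTERS,
                  WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER):
        raise ValueError(f"function code 0x{fc:02x} not handled by this decoder")
    if len(frame) != 12:
        raise ValueError("FC01/03/05/06 requests carry exactly 4 data bytes")
    address, value = struct.unpack(">HH", frame[8:12])
    return ModbusRequest(tid, pid, length, uid, fc, address, value)


def audit_traffic(packets, authorized_writers, setpoint_limits):
    """Return (src_ip, transaction_id, reason) for every suspicious request.

    packets:            iterable of (source_ip, raw_frame) pairs
    authorized_writers: hosts allowed to issue write function codes
    setpoint_limits:    {register_address: (low, high)} engineering limits
    """
    alerts = []
    for src_ip, frame in packets:
        req = parse_modbus_request(frame)
        if req.function_code in WRITE_FUNCTION_CODES and src_ip not in authorized_writers:
            alerts.append((src_ip, req.transaction_id,
                           f"write FC{req.function_code:02d} to address "
                           f"{req.address} from unauthorized host"))
        if req.function_code == WRITE_SINGLE_REGISTER and req.address in setpoint_limits:
            low, high = setpoint_limits[req.address]
            if not low <= req.value <= high:
                alerts.append((src_ip, req.transaction_id,
                               f"setpoint {req.value} at register {req.address} "
                               f"outside limits [{low}, {high}]"))
    return alerts


# Constructed sample frames (unit id 1); byte values follow the Modbus spec.
FC01_READ_8_COILS = b"\x00\x01\x00\x00\x00\x06\x01\x01\x00\x00\x00\x08"
FC05_SET_COIL_3_ON = b"\x00\x02\x00\x00\x00\x06\x01\x05\x00\x03\xff\x00"
FC03_READ_2_REGS = b"\x00\x03\x00\x00\x00\x06\x01\x03\x00\x00\x00\x02"
FC06_WRITE_REG_1 = b"\x00\x04\x00\x00\x00\x06\x01\x06\x00\x01\x0f\xa0"  # value 4000

# Constructed topology: 10.0.0.10 is the HMI; 10.0.0.50 is an unknown host.
AUTHORIZED_WRITERS = {"10.0.0.10"}
SETPOINT_LIMITS = {1: (0, 1000)}
SAMPLE_PACKETS = [
    ("10.0.0.50", FC01_READ_8_COILS),
    ("10.0.0.50", FC05_SET_COIL_3_ON),
    ("10.0.0.10", FC03_READ_2_REGS),
    ("10.0.0.50", FC06_WRITE_REG_1),
]

if __name__ == "__main__":
    for alert in audit_traffic(SAMPLE_PACKETS, AUTHORIZED_WRITERS, SETPOINT_LIMITS):
        print(alert)
```

Running the block yields three alerts: the coil write and the register write both come from a host outside the allow list, and the register write also pushes the setpoint past its limit. Reads from either host produce no alert, which mirrors the abstract's point that reconnaissance and monitoring are indistinguishable from normal polling at the protocol level; catching those requires baselining which hosts poll which addresses rather than inspecting individual frames.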
Keywords: Modbus/TCP, ModBus_SIM, C programming, attack simulation, unencrypted communication, Industrial Control Systems (ICS), Wireshark, defense-in-depth, network segmentation, cybersecurity
License
Copyright (c) 2026 Mahmoud A. Khalifa, Ahmad Taher Azar, Walid El-Shafai

This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors who publish with this journal agree to the following terms:
- Authors retain the copyright and grant the journal the right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) after its publication in ETASR with an acknowledgement of its initial publication in this journal.
