{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,24]],"date-time":"2026-04-24T19:00:42Z","timestamp":1777057242653,"version":"3.51.4"},"reference-count":41,"publisher":"MDPI AG","issue":"20","license":[{"start":{"date-parts":[[2019,10,14]],"date-time":"2019-10-14T00:00:00Z","timestamp":1571011200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>Industrial Control Systems (ICS) and Supervisory Control systems and Data Acquisition (SCADA) networks implement industrial communication protocols to enable their operations. Modbus is an application protocol that allows communication between millions of automation devices. Unfortunately, Modbus lacks basic security mechanisms, and this leads to multiple vulnerabilities, due to both design and implementation. This issue enables certain types of attacks, for example, man in the middle attacks, eavesdropping attacks, and replay attack. The exploitation of such flaws may greatly influence companies and the general population, especially for attacks targeting critical infrastructural assets, such as power plants, water distribution and railway transportation systems. In order to provide security mechanisms to the protocol, the Modbus organization released security specifications, which provide robust protection through the blending of Transport Layer Security (TLS) with the traditional Modbus protocol. TLS will encapsulate Modbus packets to provide both authentication and message-integrity protection. The security features leverage X.509v3 digital certificates for authentication of the server and client. From the security specifications, this study addresses the security problems of the Modbus protocol, proposing a new secure version of a role-based access control model (RBAC), in order to authorize both the client on the server, as well as the Modbus frame. This model is divided into an authorization process via roles, which is inserted as an arbitrary extension in the certificate X.509v3 and the message authorization via unit id, a unique identifier used to authorize the Modbus frame. Our proposal is evaluated through two approaches: A security analysis and a performance analysis. The security analysis involves verifying the protocol\u2019s resistance to different types of attacks, as well as that certain pillars of cybersecurity, such as integrity and confidentiality, are not compromised. Finally, our performance analysis involves deploying our design over a testnet built on GNS3. This testnet has been designed based on an industrial security standard, such as IEC-62443, which divides the industrial network into levels. Then both the client and the server are deployed over this network in order to verify the feasibility of the proposal. For this purpose, different latencies measurements in industrial environments are used as a benchmark, which are matched against the latencies in our proposal for different cipher suites.<\/jats:p>","DOI":"10.3390\/s19204455","type":"journal-article","created":{"date-parts":[[2019,10,14]],"date-time":"2019-10-14T12:14:05Z","timestamp":1571055245000},"page":"4455","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":49,"title":["A Role-Based Access Control Model in Modbus SCADA Systems. A Centralized Model Approach"],"prefix":"10.3390","volume":"19","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5687-1927","authenticated-orcid":false,"given":"Santiago","family":"Figueroa-Lorenzo","sequence":"first","affiliation":[{"name":"Ceit, Manuel Lardizabal 15, 20018 Donostia\/San Sebasti\u00e1n, Spain"},{"name":"Universidad de Navarra, Tecnun, Manuel Lardizabal 13, 20018 Donostia\/San Sebasti\u00e1n, Spain"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3799-1410","authenticated-orcid":false,"given":"Javier","family":"A\u00f1orga","sequence":"additional","affiliation":[{"name":"Ceit, Manuel Lardizabal 15, 20018 Donostia\/San Sebasti\u00e1n, Spain"},{"name":"Universidad de Navarra, Tecnun, Manuel Lardizabal 13, 20018 Donostia\/San Sebasti\u00e1n, Spain"}]},{"given":"Saioa","family":"Arrizabalaga","sequence":"additional","affiliation":[{"name":"Ceit, Manuel Lardizabal 15, 20018 Donostia\/San Sebasti\u00e1n, Spain"},{"name":"Universidad de Navarra, Tecnun, Manuel Lardizabal 13, 20018 Donostia\/San Sebasti\u00e1n, Spain"}]}],"member":"1968","published-online":{"date-parts":[[2019,10,14]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Joelianto, E. (2008, January 5\u20137). Performance of an industrial data communication protocol on ethernet network. Proceedings of the 2008 5th IFIP International Conference on Wireless and Optical Communications Networks (WOCN \u201908), Surabaya, Indonesia.","DOI":"10.1109\/WOCN.2008.4542529"},{"key":"ref_2","unstructured":"(2019, July 21). Modbus Organization. Available online: http:\/\/www.modbus.org\/docs\/Modbus_Application_Protocol_V1_1b.pdf."},{"key":"ref_3","unstructured":"Bullema, J.E. (2019, July 22). Available online: https:\/\/www.researchgate.net\/publication\/321770622_2017_-_Bullema_-_Smart_Manufacturing_-_not_only_for_greenfield_high_tech_factories."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Lu, Y., Morris, K.C., and Frechette, S. (2015, January 24\u201328). Standards landscape and directions for smart manufacturing systems. Proceedings of the 2015 IEEE International Conference on Automation Science and Engineering (CASE), Gothenburg, Sweden.","DOI":"10.1109\/CoASE.2015.7294229"},{"key":"ref_5","unstructured":"Whalen, S., Bishop, M., and Engle, S. (2005). Protocol Vulnerability Analysis, Department of Computer Science, University of California. Technical Report CSE-2005-04."},{"key":"ref_6","unstructured":"Rinaldi, J. (2016). OPC UA - Unified Architecture: The Everyman\u2019s Guide to the Most Important Information Technology in Industrial Automation, Independent Publishing Platform. [1st ed.]."},{"key":"ref_7","unstructured":"(2019, July 21). Schneider Electric. Available online: https:\/\/www.schneider-electric.com\/en\/download\/document\/SEVD-2019-134-05\/."},{"key":"ref_8","unstructured":"Alves, T.R., Buratto, M., and de Souza, F.M. (2014, January 10\u201313). OpenPLC: An open source alternative to automation. Proceedings of the IEEE Global Humanitarian Technology Conference (GHTC 2014), San Jose, CA, USA."},{"key":"ref_9","unstructured":"(2019, July 23). Thiago Alves. Available online: https:\/\/www.slideshare.net\/cisoplatform7\/hacking-plcs-and-causing-havoc-on-critical-infrastructures."},{"key":"ref_10","unstructured":"Modbus Organization (2019, July 25). Modbus TCP Security. Available online: http:\/\/modbus.org\/docs\/MB-TCP-Security-v21_2018-07-24.pdf."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Rescorla, E. (2019, July 27). The Transport Layer Security (TLS) Protocol Version 1.3. Available online: https:\/\/tools.ietf.org\/html\/rfc8446.","DOI":"10.17487\/RFC8446"},{"key":"ref_12","unstructured":"Rinaldi, J. (2019, July 29). Available online: https:\/\/www.rtautomation.com\/rtas-blog\/modbus-security-2\/."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Nardone, R., Rodr\u00edguez, R.J., and Marrone, S. (2016, January 5\u20137). Formal security assessment of Modbus protocol. Proceedings of the 2016 11th International Conference for Internet Technology and Secured Transactions (ICITST), Barcelona, Spain.","DOI":"10.1109\/ICITST.2016.7856685"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Luswata, J., Zavarsky, P., Swar, B., and Zvabva, D. (2018, January 6\u20137). Analysis of SCADA Security Using Penetration Testing: A Case Study on Modbus TCP Protocol. Proceedings of the 2018 29th Biennial Symposium on Communications (BSC), Toronto, ON, Canada.","DOI":"10.1109\/BSC.2018.8494686"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Al-Dalky, R., Abduljaleel, O., Salah, K., Otrok, H., and Al-Qutayri, M. (2014, January 23\u201325). A Modbus traffic generator for evaluating the security of SCADA systems. Proceedings of the 2014 9th International Symposium on Communication Systems, Networks & Digital Sign (CSNDSP), Manchester, UK.","DOI":"10.1109\/CSNDSP.2014.6923938"},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"1687","DOI":"10.1109\/TPWRD.2012.2187122","article-title":"Authenticated Modbus Protocol for Critical Infrastructure Protection","volume":"27","author":"Phan","year":"2012","journal-title":"IEEE Trans. Power Delivery"},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"2628","DOI":"10.1109\/TPWRD.2008.2002942","article-title":"Toward Authenticating the Master in the Modbus Protocol","volume":"23","author":"Liao","year":"2008","journal-title":"IEEE Trans. Power Delivery"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"37","DOI":"10.1016\/j.ijcip.2008.08.003","article-title":"Attack taxonomies for the Modbus protocols","volume":"1","author":"Huitsing","year":"2008","journal-title":"Int. J. Crit. Infrastruct. Prot."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"139","DOI":"10.1016\/j.ijcip.2009.10.001","article-title":"An experimental investigation of malware attacks on SCADA systems","volume":"2","author":"Fovino","year":"2009","journal-title":"Int. J. Crit. Infrastruct. Prot."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Xiong, Q., Liu, H., Xu, Y., Rao, H., Yi, S., Zhang, B., Jia, W., and Deng, H. (2015, January 21\u201323). A vulnerability detecting method for Modbus-TCP based on smart fuzzing mechanism. Proceedings of the 2015 IEEE International Conference on Electro\/Information Technology (EIT), Dekalb, IL, USA.","DOI":"10.1109\/EIT.2015.7293376"},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Kim, B.K., and Kang, Y. (2018, January 17\u201319). Abnormal Traffic Detection Mechanism for Protecting IIoT Environments. Proceedings of the 2018 International Conference on Information and Communication Technology Convergence (ICTC), Jeju, South Korea.","DOI":"10.1109\/ICTC.2018.8539533"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Fachkha, C. (2019, January 24\u201326). Cyber Threat Investigation of SCADA Modbus Activities. Proceedings of the 2019 10th IFIP International Conference on New Technologies, Mobility and Security (NTMS), Canary Islands, Spain.","DOI":"10.1109\/NTMS.2019.8763817"},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Hayes, G., and El-Khatib, K. (2013, January 19\u201321). Securing modbus transactions using hash-based message authentication codes and stream transmission control protocol. Proceedings of the 2013 Third International Conference on Communications and Information Technology (ICCIT), Beirut, Lebanon.","DOI":"10.1109\/ICCITechnology.2013.6579545"},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Ferst, M.K., de Figueiredo, H.F., Denardin, G., and Lopes, J. (2018, January 12\u201314). Implementation of Secure Communication With Modbus and Transport Layer Security protocols. Proceedings of the 2018 13th IEEE International Conference on Industry Applications (INDUSCON), S\u00e3o Paulo, Brazil.","DOI":"10.1109\/INDUSCON.2018.8627306"},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Graham, J., Hieb, J., and Naber, J. (2016, January 8\u201310). Improving cybersecurity for Industrial Control Systems. Proceedings of the 2016 IEEE 25th International Symposium on Industrial Electronics (ISIE), Santa Clara, CA, USA.","DOI":"10.1109\/ISIE.2016.7744960"},{"key":"ref_26","unstructured":"(2019, August 01). X.509: Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks. Available online: http:\/\/www.itu.int\/rec\/T-REC-X.509-201610-I\/en."},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Figueroa Lorenzo, S., A\u00f1orga, J., and Arrizabalaga, S. (2019, August 02). A Role-Based Access Control model in Modbus SCADA systems. A Centralized Model Approach. Available online: https:\/\/doi.org\/10.5281\/zenodo.3366479.","DOI":"10.3390\/s19204455"},{"key":"ref_28","unstructured":"Collins, G. (2019, August 03). Pymodbus Documentation. Available online: https:\/\/buildmedia.readthedocs.org\/media\/pdf\/pymodbus\/latest\/pymodbus.pdf."},{"key":"ref_29","unstructured":"The Phython Software Foundation (2019, August 03). TLS\/SSL Wrapper for Socket Objects. Available online: https:\/\/docs.python.org\/3\/library\/ssl.html."},{"key":"ref_30","unstructured":"(2019, July 29). Transport Layer Security (TLS) Parameters, TLS ClientCertificateType Identifiers. Available online: https:\/\/www.iana.org\/assignments\/tls-parameters\/tls-parameters.xhtml."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"57","DOI":"10.1016\/j.tcs.2005.03.003","article-title":"A computational interpretation of Dolev\u2013Yao adversaries","volume":"340","author":"Herzog","year":"2005","journal-title":"Theor. Comput. Sci."},{"key":"ref_32","first-page":"16","article-title":"Guide to Industrial Control Systems (ICS) Security","volume":"800","author":"Stouffer","year":"2011","journal-title":"Gaithersburg, MD National Inst. Stand. Technol. (NIST)"},{"key":"ref_33","unstructured":"Pascal, A. (2017). Industrial Cybersecurity Governance. Efficiently Secure Critical Infrastructure Systems, Packt Publishing Ltd."},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Dachao, H., Yu\u2019an, H., and Shaokuan, C. (2007, January 5\u20138). Research and Application of Sinec L2 and Modbus Plus Networks on Industrial Automation. Proceedings of the 2007 International Conference on Mechatronics and Automation, Harbin, China.","DOI":"10.1109\/ICMA.2007.4304113"},{"key":"ref_35","unstructured":"Groups, R.S. (2019, August 04). Technical and operational aspects of Internet of Things and Machine-to-Machine applications by systems in the Mobile Service (excluding IMT) Geneva, 2017. Available online: https:\/\/www.itu.int\/dms_pub\/itu-r\/md\/15\/wp5a\/c\/R15-WP5A-C-0469!N36!MSW-E.docx."},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Khuzyatov, S.S., and Valiev, R.A. (2017, January 16\u201319). Organization of data exchange through the modbus network between the SIMATIC S7 PLC and field devices. Proceedings of the 2017 International Conference on Industrial Engineering, Applications and Manufacturing (ICIEAM), St. Petersburg, Russia.","DOI":"10.1109\/ICIEAM.2017.8076369"},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Tenkanen, T., and Hamalainen, T. (2017, January 21\u201323). Security Assessment of a Distributed, Modbus-Based Building Automation System. Proceedings of the 2017 IEEE International Conference on Computer and Information Technology (CIT), Helsinki, Finland.","DOI":"10.1109\/CIT.2017.38"},{"key":"ref_38","unstructured":"(2019, August 05). Triangle Microworks. Available online: http:\/\/www.trianglemicroworks.com\/products\/SCADA-data-gateway\/iccp-tase-2."},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Bonganay, A.C.D., Magno, J.C., Marcellana, A.G., Morante, J.M.E., and Perez, N.G. (2014, January 1\u20132). Automated electric meter reading and monitoring system using ZigBee-integrated raspberry Pi single board computer via Modbus. Proceedings of the 2014 IEEE Students\u2019 Conference on Electrical, Electronics and Computer Science, Bhopal, India.","DOI":"10.1109\/SCEECS.2014.6804531"},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Figueroa, S., A\u00f1orga, J., Arrizabalaga, S., Irigoyen, I., and Monterde, M. (2019, January 24\u201326). An Attribute-Based Access Control using Chaincode in RFID Systems. Proceedings of the 2019 10th IFIP International Conference on New Technologies, Mobility and Security (NTMS), Canary Islands, Spain.","DOI":"10.1109\/NTMS.2019.8763824"},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Figueroa, S., A\u00f1orga, J., and Arrizabalaga, S. (2019). An Attribute-Based Access Control Model in RFID Systems Based on Blockchain Decentralized Applications for Healthcare Environments. Computers, 8.","DOI":"10.3390\/computers8030057"}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/19\/20\/4455\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T13:26:15Z","timestamp":1760189175000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/19\/20\/4455"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,10,14]]},"references-count":41,"journal-issue":{"issue":"20","published-online":{"date-parts":[[2019,10]]}},"alternative-id":["s19204455"],"URL":"https:\/\/doi.org\/10.3390\/s19204455","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,10,14]]}}}