TAMBUS: A novel authentication method through covert channels for securing industrial networks
Computer Networks ( IF 5.6 ) Pub Date : 2020-09-30 , DOI: 10.1016/j.comnet.2020.107583
Giuseppe Bernieri , Stefano Cecconello , Mauro Conti , Gianluca Lain

Nowadays, many companies still use old and insecure protocols in Industrial Control Systems (ICSs). An example of such protocols is Modbus, one of the most employed industrial protocols. Also, companies are moving to Modbus/TCP when there are TCP devices involved in the facility. While the protocol remains insecure, this migration also disrupts the assumption of air-gapped industrial networks, opening more attack surface to previously isolated systems. Due to legacy and efficiency constraints, the replacement of Modbus/TCP with secure protocols is not possible, generating big security issues.

In this paper, we present TAMBUS (Transmitter Authentication and packet integrity in Modbus/TCP). This method is the first that, at the same time, is not implemented in a security-by-obscurity design and keeps the Modbus/TCP protocol compatible with legacy devices. TAMBUS allows detecting attacks with high statistical confidence by leveraging two covert channels as a means of providing security: 1) storage-based, which hides authentication messages in the Modbus/TCP protocol fields; 2) timing-based, which considers the inter-arrival time of packets. We demonstrate the feasibility and effectiveness of our method through a prototype implementation and testing in an industrial testbed environment. Our experiments confirm that TAMBUS introduces only a small overhead, negligible in most applications, and that it preserves the regular functioning of industrial systems. In particular, considering the storage-based covert channel, TAMBUS introduces an error into transmitted values of only $1.19 \times 10^{-5}\%$, without traffic overhead. On the other hand, TAMBUS can transmit correct security information through the timing-based covert channel with an accuracy of more than 99.99%.




Updated: 2020-10-04