Hi Matthijs,
One industry standard is that Modbus registers are read only, until a password has been written into a specific register*.
Also, when writing mission-critical registers, 2 registers have to be written simultaneously with either the same or 2’s complement values. Response to an unauthorised write could either be a return of the current register value, or a Modbus error code indicating ‘illegal’ register or function.
As far as security goes, most connections from LAN to WAN go through a router with a firewall. All that is needed here is to block incoming access to port 502.
For security on your LAN - that is your local problem.
I do like the read only options as above.
If you want someone to have a look at your modbus documentation, then I think you have access to my email.
Note: This concept could embody 2 or 3 different passwords, each allowing greater access to register sets, thus allowing restricted, elevated or unlimited access.
The read only option is a few days work for us, max. Anything else is more.
Writing passwords also sounds logical, but it does lead into the discussion of what password, then, and it’s over a non-encrypted channel: even after adding password protection it will still not be secure. Even worse, passwords will be sent over the network in a non-encrypted manner.
Etc etc.
I’ll consider it, but for now I do like the simplicity of the read only option. It will come, might take a while - for now the priority is to work towards release of v3.60.
I want to thank everybody for kind support and attention, but there is a thing that I feel needs to be stated.
I don’t want to be a pain here, but I get the itching red heebie jeebies whenever I see words to the effect that “network security is the user’s problem”.
I acknowledge that it is true, legally and technically. However, unless we think that everybody who plugs in a Victron inverter is going to set up a separate great honking firewall inside their ISP router’s LAN for their Victron to exist safely behind, very bad stuff is going to happen to Victron users one day if we rely on this concept in an engineering sense.
Routers are often very bad. Crappy old router firmware and stupid defaults will put us all on the rocks one day. We need to move to the idea that the little red dot in the Venn diagram needs to get smaller, and generically this means embracing the principle of “least privilege to get the job done”. In the Victron world, this means:
For every single way in which an outside device can talk to a Victron device on a standard network interface in a way that it can read stuff off the Victron as well as set stuff on the Victron, by means of a feature that has no separate strong authentication and that can be enabled by a Venus slider, there needs to be an option to enable reading only and disable setting.
For stuff where you have to go in as root and do things in DBUS, I will fold my hands over my belly and say, “Well, (s)he should know.” But standard menu settings are different.
Some vendors, and I’m very happy Victron will be one of them, allow Modbus TCP Filtering by setting access levels to Full, Read or None, optionally with an IP address filter to limit hosts that have Full RW access.
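To make the two mechanisms discussed in this thread concrete (Mike’s “read only until authorised, paired write for mission-critical registers, exception on refused writes” and Bart’s “Full / Read / None with an IP filter”), here is an added example of a Modbus TCP request filter in Python. It is not Victron code and not from any poster; the register address 0x0320, the unit id 100, the allow-list 192.168.1.0/24 and the set of “paired” registers are all constructed for the example. Only standard-library modules are used.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Modbus public function codes (protocol spec values).
READ_FCS = {1, 2, 3, 4}              # read coils, discrete inputs, holding regs, input regs
WRITE_FCS = {5, 6, 15, 16, 22, 23}   # write coil(s), register(s), mask write, read/write multiple

EXC_ILLEGAL_FUNCTION = 0x01          # exception code sent back for a refused function

# Hypothetical "mission critical" holding registers that must be written as a
# pair (value, value) or (value, two's complement of value).
PAIRED_REGISTERS = {0x0320}


@dataclass
class Frame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes          # PDU payload after the function code


def parse_frame(raw: bytes) -> Frame:
    """Split a Modbus TCP ADU into its MBAP header fields and PDU."""
    if len(raw) < 8:
        raise ValueError("frame too short")
    tid, pid, length, uid = struct.unpack(">HHHB", raw[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus TCP")
    if length != len(raw) - 6:
        raise ValueError("MBAP length does not match frame size")
    return Frame(tid, uid, raw[7], raw[8:])


def exception_response(frame: Frame, exc_code: int) -> bytes:
    """Build the Modbus exception ADU: function code with bit 7 set, then the exception code."""
    pdu = bytes([frame.function_code | 0x80, exc_code])
    return struct.pack(">HHHB", frame.transaction_id, 0, len(pdu) + 1, frame.unit_id) + pdu


def paired_write_ok(frame: Frame) -> bool:
    """FC16 write touching a paired register: require exactly two registers holding
    equal values, or a value and its 16-bit two's complement."""
    if frame.function_code != 16 or len(frame.data) < 5:
        return False
    start, qty, byte_count = struct.unpack(">HHB", frame.data[:5])
    if start not in PAIRED_REGISTERS:
        return True                          # unprotected register, no pairing rule
    if qty != 2 or byte_count != 4 or len(frame.data) != 9:
        return False
    v1, v2 = struct.unpack(">HH", frame.data[5:9])
    return v2 == v1 or v2 == (-v1) & 0xFFFF


class AccessPolicy:
    """'none' drops everything, 'read' permits FC1-4 only, 'full' also permits
    writes, optionally restricted to an allow-list of source networks."""

    def __init__(self, level: str, full_access_from=()):
        if level not in ("none", "read", "full"):
            raise ValueError(level)
        self.level = level
        self.full_access_from = [ip_network(n) for n in full_access_from]

    def _host_may_write(self, source_ip: str) -> bool:
        if not self.full_access_from:
            return True
        return any(ip_address(source_ip) in net for net in self.full_access_from)

    def decide(self, frame: Frame, source_ip: str) -> str:
        if self.level == "none":
            return "drop"
        if frame.function_code in READ_FCS:
            return "allow"
        if frame.function_code in WRITE_FCS and self.level == "full" and self._host_may_write(source_ip):
            if frame.function_code == 16 and not paired_write_ok(frame):
                return "reject"
            return "allow"
        return "reject"  # writes without rights, and any unlisted/diagnostic function codes


def filter_request(raw: bytes, source_ip: str, policy: AccessPolicy):
    """Return ('forward', raw), ('respond', exception_adu) or ('drop', b'')."""
    frame = parse_frame(raw)
    verdict = policy.decide(frame, source_ip)
    if verdict == "allow":
        return ("forward", raw)
    if verdict == "reject":
        return ("respond", exception_response(frame, EXC_ILLEGAL_FUNCTION))
    return ("drop", b"")


# Constructed sample requests (unit id 100 and register 0x0320 are made up).
READ_HOLDING = struct.pack(">HHHBBHH", 1, 0, 6, 100, 3, 0x0320, 2)       # FC3, read 2 regs
WRITE_SINGLE = struct.pack(">HHHBBHH", 2, 0, 6, 100, 6, 0x0320, 0x0001)  # FC6, write 1 reg
WRITE_PAIR_OK = struct.pack(">HHHBBHHBHH", 3, 0, 11, 100, 16, 0x0320, 2, 4, 0x0001, 0xFFFF)
WRITE_PAIR_BAD = struct.pack(">HHHBBHHBHH", 4, 0, 11, 100, 16, 0x0320, 2, 4, 0x0001, 0x0002)

if __name__ == "__main__":
    read_only = AccessPolicy("read")
    full_lan = AccessPolicy("full", full_access_from=["192.168.1.0/24"])
    for name, raw in [("read", READ_HOLDING), ("write", WRITE_SINGLE),
                      ("pair ok", WRITE_PAIR_OK), ("pair bad", WRITE_PAIR_BAD)]:
        print(name, "| read-only:", filter_request(raw, "10.0.0.5", read_only)[0],
              "| full from LAN:", filter_request(raw, "192.168.1.20", full_lan)[0],
              "| full from WAN:", filter_request(raw, "203.0.113.9", full_lan)[0])
```

The filter answers a refused write with exception code 0x01 (illegal function) rather than silently dropping it, which is the alternative Mike mentions; a Read policy therefore looks like a device that simply does not implement the write function codes. Note that the IP allow-list is only as strong as the network it sits on, which is the point Matthijs makes about passwords on an unencrypted channel: it limits who can write, but it does not authenticate anyone.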
Your info is wonderful, Bart - thank you, I am learning a lot. Describing this as MODBUS TCP filtering is something I should have done at the beginning - I think I caused confusion initially by talking about it as if the registers were changing from being read/write to read… It is so obviously the best description now that I have seen you using it🤣
Hi Bob,
No worries. Network security is not an issue that I have to deal with here at home. The cellular networks here all block incoming data unless requested by the user. This prevents a lot of stuff trying to get through.
One or two of my clients also have large local networks that are more exposed, and even though there are ‘expert’ network operators dealing with their systems, some of them are open to malicious attack, and I try to help the network operators close these off. This does not make me an expert, and Bart’s contribution above will bear investigation.
I think that given how early the Modbus standard was initially developed, and then extended to TCP/IP, it’s only intended for use on ‘secure’ networks, and other protocols should be used to secure systems and data over the WAN.
Thanks Mike. Very pleased to read your stuff - I am learning a lot. You and Bart are like firehoses of information.
In around 1997 I had to do a course on computer networking with a bit of a security slant to it - it was pitched quite theoretical, looking back, but those practical elements that it did have were mind-boggling.
At that time, plain old authenticated FTP had already become unfashionable but was still in use in many places. I kid you not, it would send a username and password pair to the other side of the planet, together in one single packet, in plain text with stuff that easily identified it as a packet with that stuff in it.
Telnet at least made you work a bit more because you had to reassemble your eavesdroppery from small pieces, but the naiveté of those times takes my breath away today.
MODBUS is a bit the same, but with a different audience who need to stick to what they are confident will work, and so it has hung around longer. Anonymous “read-only” FTP is still there too, but that is OK…
Working with computer networks and Linux for 20 - 30 years in various (sometimes special) environments, I’ve picked up some bits of information left and right.
Hospitals and especially Energy sector are among the ‘interesting’ ones.
In the Energy sector it’s common to have separate networks for Information Technology (IT, frontend, regular PCs and such) and Operation Technology (OT, backend process control, PLCs & Modbus galore).