Critical infrastructure

Modbus, DNP3 and HART

March 24, 2020 by Nitesh Malviya


Modbus is a serial communication protocol developed by Gould-Modicon (now Schneider Electric) in 1979 for use with PLCs (Programmable Logic Controllers). It has since become an industry standard for connecting industrial devices.

Modbus is a master-slave communication protocol and can support up to 247 slaves. In SCADA systems it connects supervisory computers with remote terminal units (RTUs). The device supplying the information is the Modbus slave, while the Modbus master is the device requesting the information.


Why Modbus? A few of the reasons for the widespread use of Modbus are:

  1. Developed specifically for industrial purposes
  2. Open-source protocol
  3. Easy to develop, deploy and maintain

Modbus variants

Modbus has many variants available for serial communication. They are:

  1. Modbus RTU
  2. Modbus over TCP/IP
  3. Modbus over UDP
  4. Modbus ASCII
  5. Modbus Plus (MB+)
  6. Pemex Modbus
  7. Enron Modbus

The most widely used Modbus variant is Modbus RTU. Modbus RTU runs over RS-485 or RS-232, and all communication in Modbus RTU happens over a UART (Universal Asynchronous Receiver Transmitter). One bit is transferred at a time, at a baud rate between 1200 and 115200 bits per second.

Modbus security issues

Since Modbus was developed in 1979, security was not a design consideration. As a result, Modbus has many security issues, including:

  1. All messages in Modbus are communicated without authentication
  2. There is no encryption; all communication can be easily read and understood
  3. Lack of broadcast suppression
  4. Lack of a message checksum for detecting errors and garbled messages
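The absence of any authentication field can be seen in the frame layout itself. The Python below is an added illustration, not code from the article: it parses Modbus/TCP requests (the 7-byte MBAP header and the PDU behind it) and applies the only control the protocol leaves a defender, an allowlist of master addresses combined with close attention to the write function codes. The sample traffic, host addresses and allowlist are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Set, Tuple

# Function codes that change PLC state. Any host that can reach the device
# may issue them; nothing in the protocol asks it to prove who it is.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
READ_FUNCTIONS = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}


@dataclass
class ModbusTcpRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusTcpRequest:
    """Parse the MBAP header (transaction id, protocol id, length, unit id)
    and the PDU that follows. Note what is absent: no credential, signature
    or nonce appears anywhere in the frame."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus (expected 0)")
    # LENGTH counts everything after itself: unit id + function code + data.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match {len(frame) - 6} bytes present")
    return ModbusTcpRequest(transaction_id, unit_id, frame[7], frame[8:])


def is_well_formed(frame: bytes) -> bool:
    try:
        parse_modbus_tcp(frame)
        return True
    except ValueError:
        return False


def describe(req: ModbusTcpRequest) -> str:
    """Human-readable summary; decodes the function codes used in the sample."""
    name = WRITE_FUNCTIONS.get(req.function_code) or READ_FUNCTIONS.get(req.function_code)
    if req.function_code in (3, 6) and len(req.data) >= 4:
        address, value = struct.unpack(">HH", req.data[:4])
        field = "count" if req.function_code == 3 else "value"
        return f"{name} unit={req.unit_id} address={address} {field}={value}"
    if req.function_code == 16 and len(req.data) >= 5:
        address, count = struct.unpack(">HH", req.data[:4])
        return f"{name} unit={req.unit_id} address={address} count={count}"
    return f"function {req.function_code} unit={req.unit_id} data={req.data.hex()}"


def audit(src_ip: str, frame: bytes, allowed_masters: Set[str]) -> Tuple[str, str]:
    """Return (severity, message). The protocol cannot tell an HMI from a
    stray laptop, so the source address allowlist is the deciding control;
    writes from known masters are still recorded for review."""
    req = parse_modbus_tcp(frame)
    summary = describe(req)
    if src_ip not in allowed_masters:
        return "alert", f"{src_ip} is not a known master: {summary}"
    if req.function_code in WRITE_FUNCTIONS:
        return "notice", f"write from known master {src_ip}: {summary}"
    return "ok", f"{src_ip}: {summary}"


# Constructed sample traffic (not captures from any real plant).
KNOWN_MASTERS = {"10.0.0.10"}
SAMPLE_TRAFFIC = [
    # HMI reads 10 holding registers from address 0 on unit 1
    ("10.0.0.10", bytes.fromhex("00010000000601030000000a")),
    # unknown host writes value 3 to holding register 1 on unit 1
    ("10.0.0.99", bytes.fromhex("000200000006010600010003")),
    # HMI writes two registers starting at address 0 on unit 1
    ("10.0.0.10", bytes.fromhex("00030000000b0110000000020400010002")),
]


def run_audit(traffic=SAMPLE_TRAFFIC, allowed=KNOWN_MASTERS) -> List[Tuple[str, str]]:
    return [audit(src, frame, allowed) for src, frame in traffic]


if __name__ == "__main__":
    for severity, message in run_audit():
        print(f"[{severity.upper()}] {message}")
```

Because the frame carries no identity, the allowlist has to come from the network (a passive tap or the switch's view of source addresses), and it is only as good as the segmentation around the Modbus network; the example also rejects frames whose LENGTH field disagrees with the bytes present, since a parser that trusts that field is an easy way to misread what a master actually sent.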


DNP3 stands for Distributed Network Protocol. It was developed by GE Harris in 1993 and is widely used in the U.S. and Canada. Like Modbus, DNP3 is also an open-source serial communication protocol, which is one of the key reasons for its wide use and implementation in SCADA networks.

DNP3 is used between the various components of process automation. In a typical SCADA network, DNP3 is mainly used by master stations, RTUs and IEDs. Its major use is in water and electric utilities.

DNP3 salient features

A few of the features stated below make DNP3 fit for use in SCADA systems. They are:

  1. DNP3 can run over IP, encapsulated in TCP or UDP packets, which makes it compatible with modern systems and networks
  2. DNP3 is very reliable and well suited to real-time data transfer
  3. It uses several standardized data formats and supports time-stamped data
  4. Error checking in the form of CRC checks; DNP3 supports up to 17 CRCs per frame
  5. Link-layer acknowledgements and authentication support for reliability and assurance
  6. Unlike Modbus, DNP3 is bidirectional and supports exception-based reporting
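Item 4 refers to the link-layer framing: a DNP3 frame carries a CRC on its 8-byte header and one more on each 16-byte block of user data, and because the LENGTH byte is at most 255, a frame holds at most 250 user bytes in 16 blocks, so 17 CRCs in total. The Python below is an added example, not code from the article or from the DNP Users Group; it computes CRC-16/DNP, builds link-layer frames and verifies every CRC while parsing. The addresses, control byte and user data are constructed for illustration.

```python
from typing import Dict

START_BYTES = b"\x05\x64"
MAX_USER_DATA = 250            # LENGTH (max 255) counts control+dest+src (5) plus user data
DNP3_POLY_REFLECTED = 0xA6BC   # CRC-16/DNP polynomial 0x3D65, bit-reversed for LSB-first processing


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: reflected, initial value 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ DNP3_POLY_REFLECTED if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def _crc_field(data: bytes) -> bytes:
    # The CRC travels least significant byte first.
    return dnp3_crc(data).to_bytes(2, "little")


def build_frame(control: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Header (start, length, control, dest, src) + CRC, then 16-byte blocks each with a CRC."""
    if len(user_data) > MAX_USER_DATA:
        raise ValueError("user data exceeds 250 bytes")
    length = 5 + len(user_data)   # LENGTH excludes the start bytes, itself and all CRCs
    header = (START_BYTES + bytes([length, control])
              + dest.to_bytes(2, "little") + src.to_bytes(2, "little"))
    frame = header + _crc_field(header)
    for offset in range(0, len(user_data), 16):
        block = user_data[offset:offset + 16]
        frame += block + _crc_field(block)
    return frame


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Check the header CRC and each block CRC; raise ValueError on any mismatch."""
    if len(frame) < 10 or frame[:2] != START_BYTES:
        raise ValueError("missing DNP3 start bytes or truncated header")
    header, header_crc = frame[:8], frame[8:10]
    if header_crc != _crc_field(header):
        raise ValueError("header CRC mismatch")
    length, control = header[2], header[3]
    dest = int.from_bytes(header[4:6], "little")
    src = int.from_bytes(header[6:8], "little")
    remaining = length - 5
    if remaining < 0:
        raise ValueError("LENGTH below the minimum of 5")
    pos, user_data, crc_count = 10, b"", 1
    while remaining > 0:
        n = min(16, remaining)
        block, block_crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or len(block_crc) != 2:
            raise ValueError("frame truncated inside a data block")
        if block_crc != _crc_field(block):
            raise ValueError(f"CRC mismatch in data block at offset {pos}")
        user_data += block
        pos += n + 2
        remaining -= n
        crc_count += 1
    if pos != len(frame):
        raise ValueError("unexpected trailing bytes")
    return {"control": control, "dest": dest, "src": src,
            "user_data": user_data, "crc_count": crc_count}


def is_valid_frame(frame: bytes) -> bool:
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def corrupt_byte(frame: bytes, index: int) -> bytes:
    """Flip one bit, simulating a transmission error the CRC should catch."""
    mutable = bytearray(frame)
    mutable[index] ^= 0x01
    return bytes(mutable)


if __name__ == "__main__":
    # Constructed reset-link frame: control 0xC0, dest 1, src 1024, no user data
    reset = build_frame(0xC0, 1, 1024)
    print(reset.hex(), parse_frame(reset))
    full = build_frame(0xC4, 3, 4, bytes(MAX_USER_DATA))
    print("CRCs in a maximal frame:", parse_frame(full)["crc_count"])
```

The CRC is an error-detection code, not an authenticator: the polynomial is public and any device able to write to the link can attach a correct CRC to whatever it sends. That distinction is why the security issues in the next section exist alongside the CRC protection, and why Secure DNP3 adds authentication rather than relying on the checksums.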

Security issues in DNP3

DNP3 suffers from the following security issues:

  1. No support for authentication
  2. No encryption; all data is thus sent in plaintext
  3. Response replay
  4. Man-in-the-middle attacks

Secure DNP3

Secure DNP3 is the secure version of DNP3. It adds authentication and implements an idle session timeout of 20 minutes, which makes data manipulation and spoofing attacks very difficult to perform.


HART (Highway Addressable Remote Transducer) was developed by Rosemount Inc. in the mid-1980s. HART is an open-source, hybrid (analog + digital) industrial automation protocol.

HART is the industry standard for transmitting and receiving data between smart devices and monitoring systems. HART is also a bidirectional communication protocol, i.e., it can send and receive data at the same time. The benefits of using HART include reduced cost, simplified design, simple implementation and flexible operation.

HART operational modes

HART has two operational modes. They are:

  1. Point-to-point mode: In this mode, there is a single master and a single slave
  2. Multi-drop mode: In this mode, there are multiple masters and multiple slaves

HART working

HART is based on the Bell 202 telephone communication standard and uses Frequency Shift Keying (FSK) to send digital data. The digital signal is made of two frequencies, 1200 Hz and 2200 Hz, representing bits 1 and 0 respectively.
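To make the FSK description concrete, here is an added Python simulation (not part of the original article) that modulates a bit string onto the two Bell 202 tones and recovers it with a per-bit tone-energy detector. The 48 kHz sampling rate, the 1200 bit/s signalling rate and the noise level are assumptions chosen for the simulation, not values from the article.

```python
import math
import random
from typing import List

MARK_HZ = 1200        # Bell 202 "mark" tone = logical 1
SPACE_HZ = 2200       # Bell 202 "space" tone = logical 0
BAUD = 1200           # assumed signalling rate (one bit per 1/1200 s)
SAMPLE_RATE = 48000   # assumed sampling rate of the simulated modem
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD   # 40 samples per bit


def modulate(bits: str) -> List[float]:
    """Continuous-phase FSK: the phase carries across bit boundaries so the
    waveform has no jumps, which is what lets the digital tones ride on top
    of the analog signal without disturbing it."""
    phase = 0.0
    samples: List[float] = []
    for bit in bits:
        if bit not in "01":
            raise ValueError(f"not a bit: {bit!r}")
        step = 2 * math.pi * (MARK_HZ if bit == "1" else SPACE_HZ) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.sin(phase))
            phase = (phase + step) % (2 * math.pi)
    return samples


def tone_energy(window: List[float], freq: float) -> float:
    """Energy of `window` at `freq`: correlate against sine and cosine
    references so the result does not depend on the tone's starting phase."""
    i = q = 0.0
    for n, sample in enumerate(window):
        angle = 2 * math.pi * freq * n / SAMPLE_RATE
        i += sample * math.cos(angle)
        q += sample * math.sin(angle)
    return i * i + q * q


def demodulate(samples: List[float]) -> str:
    """Non-coherent FSK detection: for each bit period, decide 1 or 0 by
    which of the two tone correlators captured more energy."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        window = samples[start:start + SAMPLES_PER_BIT]
        is_mark = tone_energy(window, MARK_HZ) > tone_energy(window, SPACE_HZ)
        bits.append("1" if is_mark else "0")
    return "".join(bits)


def add_noise(samples: List[float], sigma: float = 0.3, seed: int = 1) -> List[float]:
    """Deterministic Gaussian noise (constructed) to show the detector has margin."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def round_trip(bits: str, sigma: float = 0.0) -> str:
    waveform = modulate(bits)
    if sigma > 0:
        waveform = add_noise(waveform, sigma)
    return demodulate(waveform)


if __name__ == "__main__":
    message = "1011001101"
    print(message, "->", round_trip(message), "| noisy:", round_trip(message, sigma=0.3))
```

At 1200 bit/s a mark tone completes exactly one cycle per bit and a space tone about 1.83 cycles, so the two correlators separate cleanly; the noise run shows the decision still holds when the waveform is degraded, which matters because a HART signal is small compared with the analog level it is superimposed on.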

Communication modes

HART supports two communication modes:

  1. Master-slave: HART is a master-slave protocol; slaves speak only when spoken to by a master. Masters are usually Distributed Control Systems, PCs, PLCs, etc., and slaves are transmitters, actuators and controllers
  2. Burst mode: As the name suggests, in this mode the master instructs the slave to broadcast HART reply messages continuously. Usually, three to four messages per second are sent by the slave to the master

Security issues

HART is susceptible to the following attacks:

  1. Spoofing attacks
  2. Lack of authentication
  3. XML injection attack


Nitesh Malviya

Nitesh Malviya is a Security Consultant. He has prior experience in Web AppSec, Mobile AppSec and VAPT. At present he works on IoT, Radio and Cloud Security and is open to exploring various domains of cybersecurity. He can be reached on his personal blog - and LinkedIn -