Security & Safety
▮ Overview
What you'll learn
What classic Modbus does not protect, write safety practice, and TLS / Modbus Security.
Sections
11
Labs
1
Quiz
8 Qs
What you'll be able to do
- List what classic Modbus does not protect (authentication, encryption, integrity beyond CRC).
- Apply defensive write practices (allowlists, rate limits, write-readback).
- Describe Modbus/TCP Security at a high level.
Why you'll need this
- "Your auditor asks how you prevent unauthorized writes on a flat OT network. What do you point at?"
Three things people get wrong
- 1.Relying on 'Modbus is internal'Fix Flat OT networks are common. Assume the wire is reachable and design accordingly.
- 2.Writing without read-back verificationFix A successful FC 06/16 response says the bytes arrived, not that the device accepted them. Always read back a critical write.
- 3.Ignoring Modbus Security because 'no one uses it yet'Fix Adoption is rising. Even if not deploying it today, design with a migration path in mind.
From the field
The pump that ran on weekend nights
An overnight pump cycle no one had scheduled turned out to be a misconfigured maintenance script writing to the wrong Unit ID. There was no authentication, no audit log, and no read-back — just a script running on a laptop someone forgot in a panel.
Cited sources
Primary sources come from protocol and standards publishers. Secondary sources provide supporting tool, vendor, or reference context.
- Primary sourceModbus/TCP Security Protocol Specification v36 ↗
- Primary sourceISA/IEC 62443 ↗
This module is paginated — step through the sections, run the labs, then take the quiz. Progress is saved locally.
Print one-pager →