1. The Modbus Problem: Authenticity Zero

Modbus is the 'lingua franca' of the industrial world. It is simple, robust, and completely unprotected. There is no password, no encryption, and no "Handshake" in traditional Modbus TCP. If you can ping a Modbus device, you can usually control it.

2. Hardening Modbus TCP

Since we cannot easily rewrite the Modbus protocol inside legacy PLCs, hardening happens at the edge.

• Data Diodes: Using hardware that only allows data to flow OUT of the OT network into the IT network, preventing any control commands from entering.
• DPI Firewalls: Industrial firewalls (like Nozomi or Dragos) that don't just block IP ports, but inspect the Modbus payloads. They can allow "Read" commands but block "Write" commands based on the source IP.
• Modbus Security (MB-TCP/CP): A recent effort to wrap Modbus in TLS (Transport Layer Security). This is effective but requires modern hardware support.

3. DNP3-SA: Secure Authentication

DNP3 (Distributed Network Protocol) is used primarily in the electrical utility industry. Unlike Modbus, DNP3 has an official security extension called Secure Authentication (SA).

4. The Industrial Sandbox: The Purdue Model

Hardening protocols is useless if the architecture is flat. We enforce the Purdue Model to create air-gapped zones (Levels 0-5).

• Level 0: Sensors & Actuators (Physical).
• Level 1: Controllers (PLCs/RTUs).
• Level 2: Supervisory (HMI).
• DMZ: The critical barrier between the factory floor and the business office.

Conclusion

The future of industrial security lies in Protocol Translation. We use secure gateways that take Modbus/DNP3 at the machine level and translate it into encrypted MQTT or OPC-UA for transmission over the wider network. The "legacy" stays in the machine room; the "security" stays in the fiber.