No. Standard Modbus has no built-in security. Security is enforced at the network level through segmentation, firewalls, and access controls.

What is Modbus Secure?

An extension adding TLS encryption and certificate authentication on port 802. Adoption is growing but most legacy devices don't support it.

How do you prevent unauthorized Modbus writes?

Firewall rules limiting connections to known master IPs, industrial DPI whitelisting function codes and register ranges, and physical RS-485 network security.

Modbus Security Considerations — Protecting Industrial Networks

Quick Answer

Standard Modbus has no built-in security — no authentication, encryption, or authorization. Any device on the network can send commands to any slave. Security is enforced through network segmentation, firewalls, industrial DPI, and physical access controls.

What Modbus Lacks

No authentication (any master can command any slave)
No encryption (all data in plaintext)
No authorization (no user permissions)
No protection against replay attacks

Attack Vectors

Unauthorized read (register enumeration)
Unauthorized write (setpoint manipulation, output forcing)
Denial of service (bus flooding)
Man-in-the-middle (TCP networks)
Replay (repeating captured write commands)

Practical Controls

Network segmentation — OT DMZ, VLANs, firewall rules
Modbus TCP firewalling — Allow only known master IPs on port 502
Industrial DPI — Whitelist function codes and register ranges per device
Encrypted tunnels — VPN for Modbus TCP over untrusted networks
Physical security — Locked RS-485 enclosures and conduit
Read-only configuration — Disable writes where not needed

Modbus Secure

An emerging extension adding TLS encryption and certificate authentication on TCP port 802. Adoption is growing but most legacy devices do not support it.

Frequently Asked Questions