Examining the Suitability of Stream Ciphers for Modbus-TCP Encryption on Resource Constrained Devices

The advent of inter-connectivity between Industrial Control Systems (ICS) and Information Technology (IT) has greatly enhanced operational efficiency within many Critical National Infrastructure (CNI) sectors, such as energy generation and water treatment. However, prominent industrial network protocols such as Modbus, were designed and implemented without cyber-security considerations, promoting low overheads and real-time communications over digital resilience. Since insecure industrial protocols continue to prevail, considering future protocol implementations and retrofitting security controls to existing exposed environments is critical to mitigate the growing cyber threats that target ICS. In this paper, we aim to address security limitations that are inherent within industrial protocol plain-text transmission, specifically Modbus-TCP. We use Raspberry Pis to represent real resource constrained Modbus devices and evaluate two encryption solutions: 1) Direct on-device encryption and 2) an encrypted SOCKS5 proxy server to facilitate secure communications between Modbus devices. Both methods employ symmetric encryption using stream ciphers and are evaluated for throughput, latency, and Queries Per Second (QPS). Experimental results demonstrate that while on-device encryption provides superior performance compared to the proxy-based solution, it comes at the cost of greater complexity and potential hardware upgrades. Hence, the trade-off between performance and adaptability requires careful consideration.