What Is Modbus?

Modbus is a serial communication protocol developed by Modicon in 1979 for use with its PLCs. Despite its age, Modbus remains one of the most widely deployed protocols in industrial automation and SCADA systems worldwide — found in PLCs, VFDs, power meters, flow meters, RTUs, and countless field devices. Its longevity comes from its simplicity: Modbus is easy to implement, royalty-free, and supported by virtually every industrial device manufacturer.

Modbus RTU vs. Modbus TCP

Modbus RTU (Remote Terminal Unit) runs over serial communication — RS-232 or RS-485. It is a master/slave protocol: one master device polls one or more slave devices in sequence. The RTU frame format includes the slave address, function code, data, and a 16-bit CRC for error detection. RS-485 allows up to 32 devices on a single bus at distances up to 1,200 meters at 9,600 baud (or shorter distances at higher baud rates like 115,200).

Modbus TCP encapsulates the Modbus protocol inside TCP/IP packets, allowing it to run over standard Ethernet networks. The CRC is dropped (TCP handles error correction), and a Modbus Application Protocol (MBAP) header is added. Modbus TCP uses TCP port 502. It supports multiple simultaneous connections, making it much faster and more scalable than RTU. Most modern devices now support Modbus TCP; RTU remains common on legacy installations and field devices with limited connectivity.

Modbus Data Model: The Four Register Types

Modbus organizes data into four tables:

  • Coils (0x) — Single-bit read/write values: digital outputs, relay states, on/off commands
  • Discrete Inputs (1x) — Single-bit read-only values: digital input states, switch positions, alarm contacts
  • Holding Registers (4x) — 16-bit read/write values: setpoints, PID parameters, configuration values, floating-point data (two registers = one 32-bit float)
  • Input Registers (3x) — 16-bit read-only values: analog measurements (temperature, pressure, flow, current)

Addresses start at 0 in the protocol but are often displayed starting at 1 in device documentation — watch for the "off-by-one" difference between protocol addresses and the address map in a device's manual.

Key Function Codes

  • FC 01 — Read Coils
  • FC 02 — Read Discrete Inputs
  • FC 03 — Read Holding Registers (most common)
  • FC 04 — Read Input Registers
  • FC 05 — Write Single Coil
  • FC 06 — Write Single Register
  • FC 15 — Write Multiple Coils
  • FC 16 — Write Multiple Registers

Modbus in a SCADA System

In a typical SCADA architecture, the SCADA master (server) polls field devices (PLCs, RTUs, meters) using Modbus. The master sends a request: "Read registers 30001–30010 from slave address 5." The device responds with the current values. The SCADA system logs the values, displays them on HMI screens, and triggers alarms if values exceed setpoints.

Poll rates are configurable — critical measurements like tank levels may poll every 1 second, while configuration registers may poll every 60 seconds. Excessive polling on an RS-485 bus can cause communication timeouts; calculate the total scan time carefully when designing large serial networks.

Modbus Limitations

Modbus has no built-in security — no authentication, no encryption, no integrity verification beyond the CRC. In OT cybersecurity terms, any device on the network can send Modbus commands to any device. This is acceptable on isolated plant networks but is a significant vulnerability when devices are connected to corporate networks or the internet. Modern OT security architecture places Modbus devices behind firewalls and monitors all Modbus traffic for anomalies.
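The following Python decoder is an added example, not code from the article, tying together the MBAP header, the function codes listed above and the off-by-one address mapping, and separating out the write requests that a monitor on an OT network would want to see. The frames are constructed here; the function names and the `TABLE_BASE` mapping are my own choices.

```python
import struct

# Function codes listed in the article: (name, register table touched, is a write)
FUNCTION_CODES = {
    1: ("Read Coils", "0x", False),
    2: ("Read Discrete Inputs", "1x", False),
    3: ("Read Holding Registers", "4x", False),
    4: ("Read Input Registers", "3x", False),
    5: ("Write Single Coil", "0x", True),
    6: ("Write Single Register", "4x", True),
    15: ("Write Multiple Coils", "0x", True),
    16: ("Write Multiple Registers", "4x", True),
}
# Where protocol address 0 lands in the 1-based "manual style" numbering of each table
TABLE_BASE = {"0x": 1, "1x": 10001, "3x": 30001, "4x": 40001}

def build_request(tid, unit, fc, address, field):
    """Assemble a request ADU: 7-byte MBAP header + 5-byte PDU (used here to make sample traffic)."""
    pdu = struct.pack(">BHH", fc, address, field)            # function code, start address, quantity/value
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)  # transaction id, protocol id 0, length, unit id
    return mbap + pdu

def parse_request(adu):
    """Decode one Modbus TCP request ADU for the function codes the article lists."""
    if len(adu) < 8:
        raise ValueError("ADU too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", adu[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    if length != len(adu) - 6:  # MBAP length counts the unit id plus the PDU
        raise ValueError(f"MBAP length {length} disagrees with ADU size {len(adu)}")
    fc = adu[7]
    info = {"transaction_id": tid, "unit_id": unit, "function_code": fc}
    if fc not in FUNCTION_CODES or len(adu) < 12:
        info["function"] = "unsupported"
        return info
    name, table, is_write = FUNCTION_CODES[fc]
    start, field = struct.unpack(">HH", adu[8:12])  # all listed FCs: 16-bit start address + 16-bit field
    info.update(function=name, is_write=is_write, protocol_address=start,
                documented_address=TABLE_BASE[table] + start)  # the off-by-one the article warns about
    info["value" if fc in (5, 6) else "quantity"] = field  # single writes carry a value, others a count
    return info

# Constructed sample traffic: the article's "read registers 30001-30010 from slave 5", then a setpoint write
SAMPLE_ADUS = [
    build_request(1, 5, 4, 0, 10),     # FC 04, protocol address 0 -> 30001, quantity 10
    build_request(2, 5, 6, 99, 1234),  # FC 06, protocol address 99 -> 40100, value 1234
]
WRITE_REQUESTS = [r for r in map(parse_request, SAMPLE_ADUS) if r.get("is_write")]
```

Feeding captured port 502 payloads into `parse_request` instead of `SAMPLE_ADUS` gives a per-frame record of which unit, table and address each request touches, with writes already separated out.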