Parallel to the first PROFINET specifications, PI published a comprehensive security concept that was further detailed and adapted in several steps. Then, as now, the same requirements apply: It is not enough to simply protect plant networks and automation components – the protection mechanisms and concepts used must also not disrupt ongoing production operations. In addition, protection concepts must remain easy to implement and affordable.
The IT security concept for PROFINET is based on a defense-in-depth approach. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls. Further protection is possible within the plant by dividing it into zones using firewalls, and a security component test ensures that the PROFINET components are resistant to overload to a certain extent. This concept is supported by organizational measures in the production plant as part of a security management system. Security therefore requires measures at all levels.
However, security is a topic that has to be constantly adapted to current developments and is therefore never complete. This is especially true against the background of increased networking in production facilities.
To name a few key points:
1. Open communication
PROFINET components with added value, such as Web services or OPC UA connectivity, could lead to increased direct communication with higher-level systems outside a defined security zone. At the same time, it is becoming increasingly difficult to separate PROFINET networks. This could result in an increased risk of attacks on PROFINET components.
2. Larger networks
More and more components are being connected to a network and interacting with each other. A successful attack on a single (PC) system within such a cell could therefore bypass the advance protection measures.
3. Large-scale systems
Widely distributed facilities hinder the physical protection of networks and access points. As a result, unauthorized persons can gain access to the PROFINET network.
4. Additional protection measures
Previous concepts, which mainly rely on sealing off production facilities, must be supplemented by new concepts that enable protection within the cell. Therefore, the existing measures are extended by further protective measures. These include credential management, e.g. for device authentication, and an end-to-end security extension for PROFINET communication as a configuration option.
Since every application has different security requirements, PROFINET offers different Security Classes.
PROFINET Security
In view of a future increased networking, for example by Industrie 4.0, situations may arise in which the cell protection concept alone is not sufficient. Further measures would have to be taken here.
Focus on reliability and real-time
In the IT world, there are proven security concepts, which also guide similar concepts in automation communication technology. However, PI has found in its analyses that these cannot simply be transferred to the automation world. Just to name a few examples:
PROFINET devices are primarily geared towards reliability and real-time communication. Additionally, usability aspects in an industrial environment play an important role in technology design. It must be possible to implement security functions, e.g., a certificate check, in a practical manner. For example, inserting a smart card into an IP65 device is not exactly feasible. In addition, in business IT, the protection goals are sometimes prioritized differently, where confidentiality is an important asset. This plays a subordinate role in communication networks in automation technology.
The IEC 62443, the standard for industrial security, is the basis for the security concepts from PI. In many automation systems, the protection goals, which may certainly differ in individual cases and applications, are prioritized as follows:
Availability and robustness
This is about the characteristic of a system to always fulfill its required function. Depending on the production process, there are usually high to very high availability requirements. This is especially true for critical infrastructure.
Integrity (data)
This is about the characteristic of a system for protection against unauthorized data manipulation. For example, message packets must not be falsified, otherwise actuators may be unintentionally activated or incorrect measured values may be recorded.
Authenticity (devices / users)
Authenticity ensures the unique identification of a system component and its data. The components must “identify themselves” and have a forgery-proof digital identity. The authorizations assigned to an authenticated user (human user, software process or device) allow the actions it requires in the automation system to be performed and enforced, and allow the use of these authorizations to be monitored.
Authorization
The usage control ensures that only authorized users can intervene in the automation system.
Confidentiality
Information is only accessible to certain participants and remains hidden from third parties. The protection goal of confidentiality of IO data is considered to be low – as long as no conclusions can be drawn from it about company secrets (e.g. secret recipes).
Since the multitude of industries and applications also entails different security requirements, three security classes were introduced in PROFINET. The requirement of ‘confidentiality’, for example, entails a very high computing time expenditure for encryption measures, which is not necessary in many applications.
Security Class 1 (robustness) generally provides for sealing off the system from the outside, segmentation of the production network, access protection, and other measures (Defense-in-Depth concept). This will now be extended in some points. These include the ability to change SNMP default strings, to set DCP commands to “read only”, and to protect GSD files against unnoticed changes by signing them. These changes were already introduced in the PROFINET specification V2.4 MU1 in April 2020.
For Security Class 2 (integrity and authenticity), in addition to the measures of Security Class 1, the integrity and authenticity of IO data communication, as well as the confidentiality of configuration data, are specified via cryptographic functions. This applies, for example, to systems that cannot be easily divided into zones or where access from the outside is not secured, such as outdoor installations.
In Security Class 3, the confidentiality of IO data is also specified. This is the case, for example, if company secrets can be inferred from this data.
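As an added illustration of the difference between Security Class 2 and Security Class 3 (this is example code written for this page, not PI's specification or any PROFINET stack), the following Go program protects a cyclic IO frame in both styles: in Class 2 the IO data stays readable on the wire but is covered by an authentication tag together with the cycle counter, in Class 3 the IO data is encrypted as well. The receiver drops frames whose tag does not verify and frames whose counter is not newer than the last accepted one (replay). The choice of AES-GCM, the 4-byte cycle counter, the nonce derivation and all names (`Link`, `Protect`, `Accept`) are assumptions made for the example; the page only states that well-known algorithms are used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// SecurityClass selects how a cyclic IO frame is protected.
type SecurityClass int

const (
	Class2 SecurityClass = 2 // integrity and authenticity; IO data stays readable on the wire
	Class3 SecurityClass = 3 // additionally confidentiality; IO data is encrypted
)

// Frame is one protected cyclic frame: cycle counter, body (plaintext for Class 2,
// ciphertext for Class 3) and the 16-byte authentication tag.
type Frame struct {
	Counter uint32
	Body    []byte
	Tag     []byte
}

// Link holds the key and class of one protected IO connection. The sender calls
// Protect; the receiver, with its own Link instance, calls Accept.
type Link struct {
	aead    cipher.AEAD
	class   SecurityClass
	lastCtr uint32 // highest counter accepted so far (receiver side)
	started bool
}

func NewLink(key []byte, class SecurityClass) (*Link, error) {
	if class != Class2 && class != Class3 {
		return nil, errors.New("unsupported security class")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Link{aead: aead, class: class}, nil
}

// counterFields derives the 96-bit GCM nonce and the 4-byte frame header from the
// cycle counter. A nonce must never repeat under one key, so the connection has
// to be rekeyed before the counter wraps.
func counterFields(counter uint32) (nonce, hdr []byte) {
	nonce = make([]byte, 12)
	binary.BigEndian.PutUint32(nonce[8:], counter)
	return nonce, nonce[8:12:12]
}

// Protect builds the frame for the link's class. The counter is always covered by
// the tag; Class 2 authenticates the IO data as additional data, Class 3 encrypts it.
func (l *Link) Protect(counter uint32, ioData []byte) Frame {
	nonce, hdr := counterFields(counter)
	if l.class == Class2 {
		tag := l.aead.Seal(nil, nonce, nil, append(hdr, ioData...)) // empty plaintext: output is the tag only
		return Frame{counter, append([]byte(nil), ioData...), tag}
	}
	out := l.aead.Seal(nil, nonce, ioData, hdr)
	n := len(out) - l.aead.Overhead()
	return Frame{counter, out[:n:n], out[n:]}
}

// Accept returns the IO data if the tag verifies and the counter is fresh; any
// failure means the frame is dropped, never partially used.
func (l *Link) Accept(f Frame) ([]byte, error) {
	if l.started && f.Counter <= l.lastCtr {
		return nil, errors.New("replayed or out-of-order frame dropped")
	}
	nonce, hdr := counterFields(f.Counter)
	data, err := f.Body, error(nil)
	if l.class == Class2 {
		_, err = l.aead.Open(nil, nonce, f.Tag, append(hdr, f.Body...))
	} else {
		data, err = l.aead.Open(nil, nonce, append(append([]byte(nil), f.Body...), f.Tag...), hdr)
	}
	if err != nil {
		return nil, errors.New("integrity check failed: frame dropped")
	}
	l.started, l.lastCtr = true, f.Counter
	return data, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16)                           // constructed demo key
	ioData := []byte{0x01, 0x00, 0x00, 0x00, 0x7f, 0xff, 0x12, 0x34} // constructed IO data
	for _, class := range []SecurityClass{Class2, Class3} {
		tx, _ := NewLink(key, class)
		rx, _ := NewLink(key, class)
		f := tx.Protect(1, ioData)
		_, err := rx.Accept(f)
		fmt.Printf("class %d genuine:  body=%x err=%v\n", class, f.Body, err)
		g := tx.Protect(2, ioData)
		g.Body[0] ^= 0x01 // an attacker flips an output bit on the wire
		_, err = rx.Accept(g)
		fmt.Printf("class %d tampered: err=%v\n", class, err)
		_, err = rx.Accept(f)
		fmt.Printf("class %d replayed: err=%v\n", class, err)
	}
}
```

The Class 2 path shows where the resource saving comes from: only a tag is computed and checked per cycle, and the controller still reads the IO data directly from the frame. Class 3 additionally encrypts the body, which is the cost the text describes as unnecessary unless the IO data itself reveals company secrets.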
The majority of applications will be able to work on the basis of Security Classes 1 and 2. Creating and checking the security information added by the protocol extension generally increases the resources a component needs. Such integrity and authenticity checks must not have any qualitative effect on the performance of PROFINET.
The PROFINET security concept is based on well-known and generally accepted cryptographic algorithms and protocols. However, flexible lifecycle management is required for security functions. This is important in case cryptographic algorithms have to be assumed insecure or weaknesses in the concept are discovered. In addition, there are other aspects that must be considered for secure PROFINET communication:
A whitepaper about the security measures at PI has been available since April 2019. The described measures are continuously incorporated into the corresponding PROFINET specifications. In addition, PI offers training and other services on the subject, and a Cyber Security Incident Response Team (CSIRT) is being set up at PI.
Each application has different security requirements, therefore different security classes have been introduced. The majority of applications will be able to work on the basis of Security Classes 1 and 2.
The different security classes also require different efforts by the device manufacturers for implementation in the devices and by the users for integration into their systems and machines.
Authentication is based on certificates, both for devices and operators. The handling of certificates is required in Security Class 2 and above. Authentication via username/password is not planned. Each communication partner must have a Certificate Authority certificate. The PROFINET Certificate Management handles the initial provision of certificates as well as their renewal/updating and revocation. Key generation is supported by devices as well as external sources (e.g. tools).
The integrity and authenticity of GSD files must be ensured. For example, manufacturers must be able to digitally sign their GSD files as an optional security extension. Individual provider-specific certificates can be requested from the PNO. The engineering system will validate the GSD signature during import. This creates trust in the GSD configuration data. A user guide with details (about all Class 1 features) is available.
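The two preceding paragraphs describe certificate-based device authentication and signed GSD files. The following Go program is an added example written for this page (not PI's certificate management or any engineering tool): a constructed CA issues a device certificate, a controller-side check accepts it, rejects it once revoked, and rejects a device certificate from an untrusted CA; the same CA issues a provider certificate with which a constructed GSD stub is signed, and an import check rejects a modified file. ECDSA P-256, SHA-256, the single demo CA standing in for both the plant CA and the root of the PNO-issued provider certificate, the revocation set, and all function names are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 = 1000 // demo serial counter; a real CA uses random serials

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue creates a certificate for subjectKey. With parent == nil it is self-signed,
// which is how the demo CA (the trust anchor) is created.
func issue(cn string, subjectKey *ecdsa.PrivateKey, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	nextSerial++
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else { // leaf usages: ClientAuth for device authentication, CodeSigning for GSD signing
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageCodeSigning}
	}
	if parent == nil {
		parent, parentKey = tmpl, subjectKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &subjectKey.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainsTo checks that cert is valid, unexpired and issued by the trusted CA for the usage.
func chainsTo(cert, ca *x509.Certificate, usage x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

// VerifyDevice is the check a controller performs on a device certificate. The revoked
// set stands in for the revocation information that certificate management distributes.
func VerifyDevice(dev, ca *x509.Certificate, revoked map[string]bool) error {
	if revoked[dev.SerialNumber.String()] {
		return errors.New("device certificate revoked")
	}
	return chainsTo(dev, ca, x509.ExtKeyUsageClientAuth)
}

// SignGSD produces the manufacturer's detached signature over the GSD file bytes.
func SignGSD(gsd []byte, providerKey *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(gsd)
	return ecdsa.SignASN1(rand.Reader, providerKey, digest[:])
}

// ImportGSD models the engineering system's import check: the provider certificate
// must chain to the trusted root and the signature must match the file contents.
func ImportGSD(gsd, sig []byte, provider, root *x509.Certificate) error {
	if err := chainsTo(provider, root, x509.ExtKeyUsageCodeSigning); err != nil {
		return fmt.Errorf("provider certificate not trusted: %w", err)
	}
	pub, ok := provider.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected provider key type")
	}
	digest := sha256.Sum256(gsd)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("GSD signature invalid: file modified or not signed by this provider")
	}
	return nil
}

func main() {
	caKey := genKey()
	ca, _ := issue("Demo Plant CA", caKey, true, nil, nil) // constructed trust anchor
	devKey := genKey()
	dev, _ := issue("io-device-0815", devKey, false, ca, caKey)
	fmt.Println("device check:", VerifyDevice(dev, ca, nil))
	provKey := genKey()
	prov, _ := issue("Example Vendor GmbH", provKey, false, ca, caKey)
	gsd := []byte("<ISO15745Profile>constructed GSDML stub</ISO15745Profile>")
	sig, _ := SignGSD(gsd, provKey)
	fmt.Println("GSD import:", ImportGSD(gsd, sig, prov, ca))
	gsd[1] = 'X' // a modified GSD file must fail the import check
	fmt.Println("modified GSD import:", ImportGSD(gsd, sig, prov, ca))
}
```

The point of checking the provider certificate before the signature is that a valid signature alone proves nothing: the engineering system must also know that the signing key belongs to a provider whose certificate chains to a root it trusts, otherwise anyone could sign a modified GSD file with a key of their own.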
Security Extensions for PROFINET Whitepaper
This document first describes the motivation and the procedure for the development of a security concept. Next, the security requirements are determined and the actors in the security process named and distinguished from one another.
PROFINET Security Guideline
The Security guideline points out the key aspects for the establishment of a security concept in an industrial environment and provides appropriate recommendations.
PROFINET Security Class 1 Guideline
This document is intended to give component manufacturers, system vendors and users of the PROFINET technology an overview of the planned methods, applications and processes of the PROFINET Security extension in Security Class 1.
IT security extensions for PROFINET
The impact of vertical and horizontal integration in the context of Industry 4.0 requires new concepts for the security of industrial Ethernet protocols. The defense-in-depth concept, based on the combination of several measures, especially separation and segmentation, needs to be complemented by integrated protection measures for industrial real-time protocols. To cover this challenge, existing protocols need to be equipped with additional functionality to ensure the integrity and availability of the network communication, even in environments where possible attackers can be present. In order to show a possible way to upgrade an existing protocol, this paper describes a security concept for the industrial Ethernet protocol PROFINET.
Security extensions for PROFINET – Concepts, Status and Prospects
Operators of production plants are increasingly emphasizing secure communication, including real-time communication, such as PROFINET, within their control systems. This trend is further advanced by standards like IEC 62443, which demand the protection of real-time communication in the field. PROFIBUS and PROFINET International (PI) is working on the specification of the security extensions for PROFINET (“PROFINET Security”), which shall fulfill the requirements of secure communication in the field.
This paper discusses the matter in three parts. First, the roles and responsibilities of the plant owner, the system integrator, and the component provider regarding security, and the basics of the IEC 62443 will be described. Second, a conceptual overview of PROFINET Security, as well as a status update about the PI specification work will be given. Third, the article will describe how PROFINET Security can contribute to the defense-in-depth approach, and what the expected operating environment is. We will evaluate how PROFINET Security contributes to fulfilling the IEC 62443-4-2 standard for automation components.
PROFINET Security: Technical background and details
A Mechanism for Seamless Cryptographic Rekeying in Real-Time Communication Systems by H. Bühler, A. Walz, A. Sikora
PROFINET Security: A Look on Selected Concepts for Secure Communication in the Automation Domain
A. Walz, K.-H. Niemann, J. Göppert, K. Fischer, S. Merklin, D. Ziegler, A. Sikora
Cryptographic Protection of Cyclic Real-Time Communication in Ethernet-Based Fieldbuses: How Much Hardware is Required?
M. Skuballa, A. Walz, H. Bühler, A. Sikora
The increasing networking of production facilities increases the risk of cyber-attacks. The communication technologies specified and supported by PROFIBUS & PROFINET International (PI) are also exposed to this risk. In order to counter this risk, the PROFIBUS Nutzerorganisation e.V. operates a Cyber Security Incident and Response Team on behalf of PI (PI-CSIRT).
Because PI is a manufacturers' association, the PI-CSIRT focuses on handling weaknesses in the specifications of PI's technologies, while product-specific weaknesses are the responsibility of the respective technology, component or system supplier. In such cases, the PI-CSIRT provides the necessary support by forwarding incoming vulnerability reports to the appropriate addressees and by giving appropriate feedback to the reporting person or company.
CSIRT Policy of PROFIBUS Nutzerorganisation e. V.
Form for reporting IT security incidents
Security Advisories
E-mail communication with the PNO
Subscription to the PNO Security Advisories mailing list
Parallel operation of secured and unsecured connections in an IO system and also in existing network infrastructure (e.g. switches) is possible.
The beginnings of the international series of standards IEC 62443 are roughly 20 years old; the series specifies a holistic security approach for operators, integrators, and device vendors. The IEC 62443 is the accepted international series of standards on “Industrial communication networks – IT security for networks and systems”. The standards can be divided into four areas: