PROFIBUS & PROFINET International (PI)
Peter Brown, CSA Group
PROFINET Security Concept
Safety over OPC UA
PROFINET Security today
Use of Defense-in-Depth Concept:
• Network segmentation and network access control via security modules
• Physical access protection for complete network / security zone
• Communication robustness tests for PROFINET components
© 2019
[Figure: a Security Module placed in front of a separated network segment containing Controller, Drive, I/O Module and Supervisor]
PROFINET Security – under consideration
Planned Approach
• Extension of security measures according to the "Defense in Depth" concept
• Integrated security in PROFINET components
• End-to-End security for PROFINET communication as configuration option
[Figure: Security Module, Controller, Drive, I/O Module and Supervisor with Secured PROFINET Communication based on operator specific key material]
Security Objectives / Security Measures
Protection goal | Relevance for PROFINET | Details
Integrity | High | Message packets must not be falsified, as this could e.g. lead to unintentional activation of actuators or the recording of incorrect measured values.
Authenticity | High | Message packets must be uniquely assignable to their source. The components must "identify" themselves and have a counterfeit-proof digital identity.
Authorization | High | Only authorized components / users may have access to the automation system.
Availability | High | Depending on the production process, there are generally high to very high availability requirements.
Confidentiality | Low | The confidentiality of IO data is estimated as low as long as no conclusions can be drawn with regard to company secrets (e.g., recipes).
Non-repudiation | Medium | When an event occurs, the initiating person/device should be identifiable. Refers to installations where traceability of user intervention is required.
PROFINET Security Requirements
Category | Details
Secured End-to-End Communication | Secured End-to-End Communication between Controller and associated Devices as well as optional integration of Supervisor / Diagnostic systems
Configuration option | Security extension is a configuration option for machines with higher security requirements (different security profiles)
Parallel Operation | Parallel operation of secured and unsecured connections in one IO-System and also with existing network infrastructure (e.g. switches) must be possible
Transparency for PN Functions / Profiles | Support and protection for existing PROFINET Profiles / functions as transparently as possible (for example PROFIsafe)
Performance | Integrity and authenticity checks must not have any qualitative impact on the PROFINET performance characteristics. Note: creation / check of security information in the protocol extension in general leads to increased demand on component resources
PROFINET Security Requirements
Category | Details
Crypto Algorithms & Protocols | Security concept based on well-known and commonly accepted cryptographic algorithms and protocols
Operator specific keys | Protection based on machine / plant specific key material → individual for each PROFINET component
LifeCycle Management for crypto functions | Support of a flexible LifeCycle Management for security functions → preparation for the case when cryptographic algorithms must one day be assumed insecure or vulnerabilities in the concept are detected
Crypto Hardware | Support of optional cryptographic hardware accelerator and / or key store
Manufacturer certificates | Support of optional device identifiers integrated by device manufacturers (Manufacturer certificates)
Secure communication establishment in 2 phases
[Figure: IO Controller / IO Supervisor and IO Device, each holding an asymmetric key pair. Phase 1: Authentication + Key exchange, using asymmetric methods. Phase 2: Device Configuration + Communication, using symmetric methods with the resulting symmetric key.]
Phase 1: Authentication
• Exchange of Operator Certificates
• Exchange of public keys
• Check of certificates
• Establish a secure connection
[Figure: IO Controller / IO Supervisor and IO Device, each with its own asymmetric key pair]
Relatively slow method
Only for connection establishment
Phase 2: Secured Communication
• Protection of subsequent real-time communication
• Usage of a symmetric method
  - Shared key per AR
  - Negotiated via key exchange mechanism
• Usage of Message Authentication Code mechanism → Protection of Integrity
• Optionally usage of data encryption → Protection of confidentiality
• Protection of real-time as well as non-real-time communication
[Figure: Secured Communication between IO Controller / IO Supervisor and IO Device]
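The Phase 2 mechanism above, as an added illustration (not code from PI or the PROFINET specification): a per-AR symmetric key, assumed here to have been negotiated in Phase 1, protects each cyclic frame with a truncated HMAC tag over the AR id, a cycle counter and the IO data, and the receiver rejects forged, foreign and replayed frames. The frame layout, tag length and counter handling are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed per-AR key; stands in for the key negotiated during Phase 1.
AR_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
HDR = struct.Struct(">HI")   # AR id (2 bytes) | cycle counter (4 bytes): assumed layout
TAG_LEN = 8                  # truncated MAC keeps the real-time frame short (assumption)


def protect_frame(key: bytes, ar_id: int, cycle: int, io_data: bytes) -> bytes:
    """Sender side: header | IO data | MAC tag, tag computed over header + IO data."""
    header = HDR.pack(ar_id, cycle)
    tag = hmac.new(key, header + io_data, hashlib.sha256).digest()[:TAG_LEN]
    return header + io_data + tag


class ArReceiver:
    """Receiver side of one application relation (AR)."""

    def __init__(self, key: bytes, ar_id: int) -> None:
        self.key = key
        self.ar_id = ar_id
        self.last_cycle = 0      # highest counter accepted so far; frames start at 1

    def verify(self, frame: bytes):
        """Return (io_data, 'ok') or (None, reason); state only changes on success."""
        if len(frame) < HDR.size + TAG_LEN:
            return None, "truncated"
        header = frame[:HDR.size]
        io_data = frame[HDR.size:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        ar_id, cycle = HDR.unpack(header)
        if ar_id != self.ar_id:
            return None, "wrong AR"
        expected = hmac.new(self.key, header + io_data, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison; a frame built with another key or with a
        # modified byte fails here (integrity + authenticity).
        if not hmac.compare_digest(tag, expected):
            return None, "bad MAC"
        # The counter is covered by the tag and must advance, so a captured
        # frame re-sent later is detected as a replay.
        if cycle <= self.last_cycle:
            return None, "replay"
        self.last_cycle = cycle
        return io_data, "ok"
```

The optional encryption from the slide is not shown: the tag provides integrity and authenticity only, the IO data stays readable on the wire.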
PROFINET Security Classes
Class | Class Name | Definition | Area of application
1 | Robustness | Network robustness according to NetLoad specification and additionally: • changeable SNMP community name • DCP Read-Only mode • integrity protection for GSD files | System is separated into zones and has limited external communication. ** Introduction of class in discussion **
2 | Integrity + Authenticity | Additionally to class 1: • integrity and authenticity of communication relations between IOC / Supervisor and IOD • confidentiality of configuration data communication | System cannot, or not easily, be separated into zones; access cannot be secured (e.g. outdoor installations). Application places no requirements with respect to confidentiality of IO data.
3 | Confidentiality | Additionally to class 2: • confidentiality of IO data communication | System like 2), in which information about company secrets can be obtained from the IO data of the system
More information in PROFINET Security Whitepaper, available on PI Website
Summary
• In future more consistent communication across network zones will become the norm – this will increase security risks.
• Integrated Security Extensions for PROFINET will enhance the existing cell protection concept.
• Security Extensions will future-proof PROFINET communication.
Plant-wide functional safety
[Figure: Controllers A, B and C at the field level, linked by Safety over OPC UA; the fieldbus safety profiles underneath are PROFIsafe, Safety-Profile XXX and PROFIsafe]
Network Layers
[Figure: two nodes, each with the layer stack OPC UA Stack, OPC UA Mapper (e.g. OPC RMI), Safety over OPC UA and Safety-Application with an Industry Specific Interface (Companion Specification). The Safety PDU is carried inside the Application PDU. The scope of "Safety over OPC UA" is marked against the Safety over OPC UA layer and the OPC UA Mapper.]
"Black Channel": changes do not require a re-certification
Certified according to: IEC 61508, IEC 61784-3, …
Abbreviations: PDU = Protocol Data Unit; RMI = Remote Method Invocation
Key features of "Safety over OPC UA"
• uses either OPC UA client/server or OPC UA pub/sub (with or without TSN)
• unidirectional, bidirectional, and multicast communication patterns
• arbitrary network topology: line, tree, star, ring, mesh, …
• arbitrary structured user data, length: 1-1500 bytes
• dynamic establishment of safe connections during runtime
• no requirements on regular (i.e. non-safe) network participants
• no need for synchronized clocks
• unlimited number of network components and terminals
• unlimited data rate
Safety case
• Based on IEC 61784-3-3 ("PROFIsafe")
• Fault model follows IEC 61784-3 (functional safety for fieldbus)
• Cyclic watchdog (local clock of the consumer suffices)
• 32-bit CRC polynomial:
  - "Properness" shown for all data lengths between 1-1500 bytes
  - calculated PFH value suffices for SIL4
• IDs are used to detect authenticity errors such as misdirected telegrams
• A Monitoring Number (MNR) is used to detect timeliness errors
• The arguments are essentially identical to the arguments for PROFIsafe V2.6
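The safety-case checks above (CRC, IDs, Monitoring Number, consumer-side watchdog), as an added illustration that is not code from PI or the OPC UA Safety specification: a consumer validates one safety PDU and names the fault class when it fails. The PDU layout, the use of zlib's CRC-32 in place of the specification's own polynomial, and the increment-by-one MNR are assumptions.

```python
import struct
import zlib

# Assumed PDU layout (not the normative Safety over OPC UA encoding):
#   consumer_id (4B) | mnr (4B) | length (2B) | safety_data | crc32 (4B)
# The CRC covers every byte before it. zlib's CRC-32 stands in for the
# specification's own 32-bit polynomial.
HDR = struct.Struct(">IIH")
MAX_DATA = 1500


def build_safety_pdu(consumer_id: int, mnr: int, safety_data: bytes) -> bytes:
    """Provider side: header | data | CRC, for 1..1500 bytes of user data."""
    if not 1 <= len(safety_data) <= MAX_DATA:
        raise ValueError("safety data must be 1..1500 bytes")
    body = HDR.pack(consumer_id, mnr, len(safety_data)) + safety_data
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


class SafetyConsumer:
    """Consumer side; every fault reason maps to a fail-safe reaction."""

    def __init__(self, consumer_id: int, watchdog_ms: int) -> None:
        self.consumer_id = consumer_id
        self.watchdog_ms = watchdog_ms      # measured on the consumer's local clock
        self.expected_mnr = 1
        self.last_ok_ms = None

    def watchdog_expired(self, now_ms: int) -> bool:
        """True when no valid PDU arrived within the watchdog time (silent provider)."""
        return self.last_ok_ms is not None and now_ms - self.last_ok_ms > self.watchdog_ms

    def check(self, pdu: bytes, now_ms: int):
        """Return (safety_data, 'ok') or (None, fault reason)."""
        if len(pdu) < HDR.size + 1 + 4:
            return None, "truncated"
        body, crc = pdu[:-4], struct.unpack(">I", pdu[-4:])[0]
        if crc != (zlib.crc32(body) & 0xFFFFFFFF):
            return None, "crc"        # corruption, insertion or masquerade
        consumer_id, mnr, length = HDR.unpack(body[:HDR.size])
        data = body[HDR.size:]
        if length != len(data):
            return None, "length"
        if consumer_id != self.consumer_id:
            return None, "id"         # misdirected telegram (authenticity error)
        if mnr != self.expected_mnr:
            return None, "mnr"        # repetition, loss or wrong sequence
        if self.watchdog_expired(now_ms):
            return None, "watchdog"   # excessive delay (timeliness error)
        self.expected_mnr += 1
        self.last_ok_ms = now_ms
        return data, "ok"
```

The consumer never needs the provider's clock: both the MNR check and the watchdog rely only on its own state, matching the "local clock of the consumer suffices" point above.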
Connection Types
[Figure: Unidirectional connection: Safety-App Provider on Controller A to Safety-App Consumer on Controller B. Bidirectional connection: the Safety-Apps on Controller A and Controller B are each Provider in one direction and Consumer in the other. Multicast: a Safety-App on Controller A with Provider instances 1 … N, each serving a Safety-App Consumer on Controllers B1 … BN.]
Thank you.
Peter Brown
Technical Oversight Specialist
Unit 6 Hawarden Industrial Estate, Hawarden
CH5 3US, United Kingdom
+44 7501 494545
peter.brown@csagroup.org

Profinet security and safety update - Peter Brown
