Security
The growing interconnection of IT and OT systems within and beyond the boundaries of production sites is increasing the need for security in production systems. Security therefore plays a vital role in industrial communication systems and has become a key consideration in the development of automation components. For efficiency reasons, a security concept must be standardized and span all levels of a manufacturing company, from IT to OT.
To meet the rapidly growing security requirements, PI has initiated security-related activities in several working groups. Security-relevant extensions have already been added to the PROFINET specification. PI's security experts are working closely with TÜV Süd to ensure conformity with the IEC 62443-4-2 security standard.
While security is primarily important for Ethernet-based communication, non-Ethernet-based communication technologies such as IO-Link and PROFIBUS must also be considered, as they too can be subject to security threats.
PI Technologies - Security Activities Overview
PROFINET
Security
PI Working Group CB/PG 10: PROFINET Security
- Purpose: CB/PG10 Security specifies security mechanisms for PROFINET and provides guidance, documentation, and best practices for PROFINET Security.
- Resources: PROFINET Specification including Security Functions, implementation and usage guidelines, test bundles for testing and verifying PROFINET security, whitepapers
- Target group: Technology providers, device manufacturers and machine builders that develop and produce PROFINET components and systems.
- Activities: Advancing protocol and security configuration management (e.g. migrating to modern TLS versions); enhancing secure communication across all layers, including vertical integration; preparing for post-quantum cryptography and long-term cryptographic agility; improving update and lifecycle security for devices and software; defining secure models for device onboarding.
- Planned: Whitepaper PROFINET Security for end user
Interop Testfield
AdHoc WG: PROFINET Security Interop Field Test for Ethernet APL and PROFINET
- Purpose: Coordinating an interoperability field test for PROFINET Security for PROFINET field devices, switches, controllers and DCS providers with PN Security capability in process automation, with a focus on Ethernet APL devices.
- Resources: Presentation "Security and PROFIsafe for PROFINET over APL"
- Target group: Users, technology manufacturers and device and system manufacturers specialising in process automation.
- Activities: Investigate the functionality and usability of workflows and use cases for a PROFINET security application such as credentialing, secure onboarding, communication setup, device replacement, firmware update, identity and access management.
- Planned: Publication of test results and findings on the integration of PROFINET devices into control systems by the end of 2026.
Device/Tool Security
JWG: Device and Tool security for Ethernet-based communication protocols
Standardization organizations FieldComm Group, ODVA, OPC Foundation, and PROFIBUS & PROFINET International have formed a Joint Working Group (JWG) to collaborate on the important issue of "Device/Tool Security for Ethernet-Based Communication Protocols."
- Purpose: Uniform interpretation and implementation of security in Ethernet-based protocols.
- Resources: Call for Experts
- Target group: Users, technology manufacturers, and device manufacturers.
- Planned: Develop a framework that allows suppliers and end users to meet industry requirements in accordance with the IEC 62443 and IEC 61784-6 (Part 6: Security) standards. Recommend updates as necessary.
Additional Resources:
Security Extensions for PROFINET Whitepaper
First, this document describes the motivation and the procedure for developing a security concept. Next, it determines the security requirements and the actors in the security process. Then the basic principles of PROFINET security are explained.
PROFINET Security Guideline
The Security Guideline points out the key aspects for the establishment of a security concept in an industrial environment and provides appropriate recommendations. This guideline (Order No. 7.001, 7002) dates from November 2013. It will be replaced by an updated guideline that considers the PROFINET security concept as well as the requirements of the IEC 62443.
PROFINET Security Class 1 Guideline
This document is intended to provide an overview of the planned methods, applications and processes of the PROFINET Security extension in Security Class 1. It addresses component manufacturers, system vendors, and users of PROFINET technology.
PI White Paper: OT-Security - Classification of IEC62443
This white paper first provides an overview of the various parts of the IEC 62443 series of standards and briefly describes their contents. Next, it assigns the standard parts to the stakeholders in the OT security process. In the field of Operational Technology (OT), these include plant operators, system integrators and product suppliers. Building on these up-front considerations, the document maps the security concept of PROFINET to the different parts of the IEC 62443.
IT security extensions for PROFINET
Karl-Heinz Niemann
This paper was presented at the IEEE 17th International Conference on Industrial Informatics (INDIN) in 2019. It gives an overview of the concepts of PROFINET security.
Security extensions for PROFINET - Concepts, Status and Prospects
Karl-Heinz Niemann, Andreas Walz, Axel Sikora
This paper was presented at the Embedded World 2023 Exhibition & Conference. It describes the technological concepts of PROFINET security.
A Mechanism for Seamless Cryptographic Rekeying in Real-Time Communication Systems
Heiko Bühler, Andreas Walz, Axel Sikora
The paper was presented at the 17th IEEE International Conference on Factory Communication Systems (WFCS) in 2021. The document presents a novel seamless rekeying approach, which can be embedded into cyclic application data exchanges. Although the approach is agnostic to the underlying real-time communication system, the developed demonstrator can emulate the widespread industrial Ethernet system PROFINET IO and successfully use this rekeying mechanism.
PROFINET Security: A Look on Selected Concepts for Secure Communication in the Automation Domain
Andreas Walz, Karl-Heinz Niemann, Julian Göppert, Kai Fischer, Simon Merklin, Dominik Ziegler, Axel Sikora
The paper was published at the IEEE 21st International Conference on Industrial Informatics (INDIN) in 2023. It provides a brief overview of the cryptographic security extensions for PROFINET, as defined and specified by PROFIBUS & PROFINET International (PI).
How to develop a secure PROFINET device: Organizational and technical OT security measures during the development of PROFINET devices
Karl-Heinz Niemann, Andreas Walz, Simon Merklin, Andreas Ziegler, Boris Waldeck
This article was originally published in the atp magazine 09/2023. The article shows which technical and organizational measures have to be considered during the development of a PROFINET device supporting PROFINET security. An Ethernet APL transmitter serves as an example. Based on that analysis, requirements for the secure design of Ethernet APL communication combined with PROFINET are derived.
OT Security Requirements for Ethernet-APL field devices
Karl-Heinz Niemann, Simon Merklin
This paper was published in the atp magazine 05/2022. It describes cyber security attack scenarios for automation systems using current loop with HART, PROFIBUS PA and Ethernet APL in combination with PROFINET.
Cryptographic Protection of Cyclic Real-Time Communication in Ethernet-Based Fieldbuses: How Much Hardware is Required?
Matthias Skuballa, Andreas Walz, Heiko Bühler, Axel Sikora
This paper was presented at the 26th IEEE International Conference on Emerging Technologies and Factory Automation (ETFA) in 2021. It evaluates the performance of the AES-GCM algorithm that is used for PROFINET security.
IO-Link
Secure Deployment
IO-Link Secure Deployment Guideline
- Purpose: To help end users judge and implement security measures for IO-Link usage. The main objective is to equip them with the knowledge and tools necessary for effectively assessing and implementing safety measures for IO-Link technology.
- Resources: IO-Link Secure Deployment Guideline
- Target group: Technology manufacturers, device manufacturers, and users
- Activities: Currently no activities other than participation in Joint WG Security.
Secure Design and Development
IO-Link Secure Design and Development Guideline (in progress)
- Purpose: To help designers and implementers of IO-Link products interpret the security standards.
- Resources: Development guideline is in progress.
- Target group: Technology manufacturers, device manufacturers
- Activities: Completion of the editorial work on the development guideline, participation in Joint WG Security.
Non-Ethernet-Protocols
Device/Tool Security
JWG: “Device / tool security for non-Ethernet-based protocols”
- Purpose: Uniform interpretation and implementation of security in our digital interfaces, including tools for Ethernet-based protocols.
- Resources: Call For Experts
- Target group: Technology manufacturers, device manufacturers, and users
- Activities: High level threat risk assessments for process automation plants for respective digital interfaces.
omlox
omlox Hub
omlox Hub Spec with Security Recommendations (chapter 17)
- Purpose: The omlox hub API ensures secure and controlled access to mission-critical location data through a robust combination of OAuth-based authentication (e.g. via OpenID), fine-grained authorization, and role-based access control (RBAC). By verifying the identity of users and applications via industry-standard OAuth protocols and enforcing role-specific permissions, the system guarantees that only authorized entities can access or modify sensitive location information. This layered security model not only protects against unauthorized access and misuse but also provides a future-proof foundation that takes the EU Cyber Resilience Act (CRA) into account, offering the ideal toolset to meet stringent requirements for secure-by-design connected systems in industrial environments.
- Resources: omlox Hub Spec with Security Recommendations (chapter 17)
- Target Group: End users
- Activities: Adaptation of PI Security to the omlox-core zone for secure ultra-wideband communication and positioning. (planned)
NOA
Security
JWG "NOA Security-Validation" (planned)
- Purpose: The JWG will collect specifications developed in other security WGs and validate these specifications against NOA use cases.
- Resources: NE 175: NAMUR Open Architecture – NOA Concept; NE 177 – NOA Security Zones and Security Gateway
- Target group: Technology manufacturers, device manufacturers, and users
- Activities: A kickoff meeting will be held for the JWG leaders of the new NOA Committee. Afterwards, a call for experts will be issued.
Header Image Copyright: Adobe Stock/Miha Creative