PROFINET Security - the easy and affordable security concept
Parallel to the first PROFINET specifications, PI published a comprehensive security concept that was further detailed and adapted in several steps. Then, as now, the same requirements apply: It is not enough to simply protect plant networks and automation components - the protection mechanisms and concepts used must also not disrupt ongoing production operations. In addition, protection concepts must remain easy to implement and affordable.
The IT security concept for PROFINET is based on a defense-in-depth approach. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls. Further protection is possible within the plant by dividing it into zones using firewalls. In addition, a security component test ensures that the PROFINET components are resistant to overload to a certain extent. This concept is supported by organizational measures in the production plant as part of a security management system. Security therefore requires measures at all levels.
Security measures are always changing
However, security is a topic that has to be constantly adapted to current developments and is therefore never complete. This is especially true against the background of increased networking in production facilities.
To name a few key points:
1. Open communication
PROFINET components with added value, such as Web services or OPC UA connectivity, could lead to increased direct communication with higher-level systems outside a defined security zone. At the same time, it is becoming increasingly difficult to separate PROFINET networks. This could result in an increased risk of attacks on PROFINET components.
2. Larger networks
More and more components are being connected to a network and interacting with each other. A successful attack on a single (PC) system within such a cell could therefore bypass advance protection measures.
3. Large-scale systems
Widely distributed facilities hinder the physical protection of networks and access points. As a result, unauthorized persons can gain access to the PROFINET network.
4. Additional protection measures
Previous concepts, which mainly rely on sealing off production facilities, must be supplemented by new concepts that enable protection within the cell. Therefore, the existing measures are extended by further protective measures. These include credential management, e.g. for device authentication, and an end-to-end security extension for PROFINET communication as a configuration option.
Since every application has different security requirements, PROFINET offers different Security Classes.
Secure communication with PROFINET
In view of increased networking in the future, for example through Industrie 4.0, situations may arise in which the cell protection concept alone is not sufficient. Further measures would have to be taken here.
Focus on reliability and real-time
In the IT world, there are proven security concepts, which also guide similar concepts in automation communication technology. However, PI has found in its analyses that these cannot simply be transferred to the automation world. Just to name a few examples:
PROFINET devices are primarily geared towards reliability and real-time communication. Additionally, usability aspects in an industrial environment play an important role in technology design. It must be possible to implement security functions, e.g., a certificate check, in a practical manner. For example, inserting a smart card into an IP65 device is not exactly feasible. In addition, the protection goals are sometimes prioritized differently in business IT, where confidentiality is an important asset. Confidentiality plays a subordinate role in communication networks in automation technology.
Prioritization of protection targets
IEC 62443, the standard for industrial security, is the basis for the security concepts from PI. In many automation systems, the protection goals, which may certainly differ in individual cases and applications, are prioritized as follows:
Availability and robustness
This is about the characteristic of a system to always fulfill its required function. Depending on the production process, there are usually high to very high availability requirements. This is especially true for critical infrastructure.
Integrity
This is about the characteristic of a system for protection against unauthorized data manipulation. For example, message packets must not be falsified, otherwise actuators may be unintentionally activated or incorrect measured values may be recorded.
Authenticity (devices / users)
Authenticity ensures the unique identification of a system component and its data. The components must "identify themselves" and have a forgery-proof digital identity. The authorizations assigned to an authenticated user (human user, software process or device) allow the actions it requires in the automation system to be performed and enforced, and the use of these authorizations to be monitored.
The usage control ensures that only authorized users can intervene in the automation system.
Confidentiality
Information is only accessible to certain participants and remains hidden from third parties. The protection goal of confidentiality of IO data is considered to be low - as long as no conclusions can be drawn from it about company secrets (e.g. secret recipes).
Security classes according to PROFINET
Since the multitude of industries and applications also entails different security requirements, three security classes were introduced in PROFINET. This is because the requirement of 'confidentiality', for example, entails a very high computing time expenditure for encryption measures. However, this is not necessary in many applications.
Security Class 1 (robustness) generally provides for sealing off the system from the outside, segmentation of the production network, access protection, and other measures (Defense-in-Depth concept). This will now be extended in some points. This includes the ability to change SNMP default strings, to set DCP commands to "read only", and to protect GSD files against unnoticed changes by signing. These changes were already introduced in the PROFINET specification V2.4 MU1 in April 2020.
For Security Class 2 (integrity and authenticity), in addition to Security Class 1, the integrity and authenticity of IO data communication, as well as the confidentiality of configuration data, are specified via cryptographic functions. This is the case, for example, in systems that cannot be easily divided into zones or where access from the outside is not secured, such as outdoor installations.
In Security Class 3, the confidentiality of IO data is also specified. This is the case, for example, if company secrets can be inferred from this data.
The majority of applications will be able to work on the basis of Security Classes 1 and 2. The creation/checking of security information during protocol extension generally increases the resources a component requires. Such integrity and authenticity checks must not have any qualitative effects on the performance of PROFINET.
Protective measures in the PROFINET communication network
The PROFINET security concept is based on well-known and generally accepted cryptographic algorithms and protocols. However, flexible lifecycle management is required for security functions. This is important in case cryptographic algorithms can be assumed to be insecure or weaknesses in the concept are discovered. In addition, there are other aspects that must be considered for secure PROFINET communication:
- Ensuring the authenticity of PROFINET stations by means of a cryptographically secured digital identity in the form of certificates. The concept should include the possibility of securely storing this identity, e.g., in a specially secured hardware component in the respective station.
- Ensuring the integrity of communication by cryptographic measures, e.g. cryptographic checksums. This security should cover all communication channels of the PROFINET device, including IP communication, PROFINET real-time communication, and communication for network management.
- Ensuring system startup and the assignment of components, e.g. from IO devices to IO controllers and engineering tools, by means of cryptographic measures. This also applies to a system startup after a connection termination.
- Reporting of security-relevant events that can be detected by PROFINET devices, for example through additional PROFINET IT security alarms.
- Ensuring the confidentiality of acyclic data and configuration data. Additional assurance of confidentiality for cyclic data as an optional function in Security Class 3.
- Ensuring minimum requirements against denial of service attacks.
- Protection of the integrity and authenticity of device master files (GSD files).
- Secured end-to-end communication between controllers and associated devices and optional integration of monitoring/diagnostic systems.
- Configuration option for machines with higher security requirements (different security profiles).
- Support and protection - as transparent as possible - of existing PROFINET profiles/functions, e.g. PROFIsafe.
A whitepaper about the security measures at PI has been available since April 2019. The described measures are continuously incorporated into the corresponding PROFINET specifications. In addition, PI offers training and other services on the subject, and a Cyber Security Incident Response Team (CSIRT) is being set up at PI.
The differences in Security Classes
Each application has different security requirements; therefore, different security classes have been introduced. The majority of applications will be able to work on the basis of Security Classes 1 and 2.
- Security Class 1 includes incremental improvements over the currently available state of PN security.
- Security Class 2 is intended for systems where there is an increased volume of communication to areas outside the system or where access to the system is less easy to monitor. This class is used if the operator has higher IT security requirements for communication via PROFINET. In this operating mode, the cyclic services are protected against unauthorized modifications. At the same time, the trustworthiness as well as the integrity and authenticity of the acyclic services are secured.
- Security Class 3 ensures the integrity, authenticity, and confidentiality of all services. It is assumed that Security Class 3 is only applied in cases where company secrets can be inferred from the reading of cyclic IO data. Note: The acyclic communication services of Security Class 2 offer an alternative for the transmission of confidential data, such as recipes.
The different security classes also require different efforts by the device manufacturers for implementation in the devices and by the users for integration into their systems and machines.
Handling of certificates
Authentication is based on certificates, both for devices and operators. The handling of certificates is required in Security Class 2 and above. Authentication via username/password is not planned. Each communication partner must have a Certificate Authority certificate. The PROFINET Certificate Management handles the initial provision of certificates as well as the renewal/updating and revocation. Key generation is supported by devices as well as external sources (e.g. tools).
Handling of GSDs
The integrity and authenticity of GSD files must be ensured. For example, manufacturers must be able to digitally sign their GSD files as an optional security extension. Individual provider-specific certificates can be requested from the PNO. The engineering system will validate the GSD signature during import. This creates trust in the GSD configuration data. A user guide with details (about all Class 1 features) is available.
Here you can find several frequently asked questions:
Parallel operation of secured and unsecured connections in an IO system and also in existing network infrastructure (e.g. switches) is possible.
The beginnings of the international series of standards IEC 62443 are roughly 20 years old and specify a holistic security approach for operators, integrators, and device vendors. IEC 62443 is the accepted international series of standards on "Industrial communication networks - IT security for networks and systems". The standards can be divided into four areas:
- The first area describes basic concepts such as Defense-in-Depth, basic security requirements, and then refers to the other parts of the standard for concrete implementation.
- A further area defines guidelines and guides for the implementation of organizational measures and gives recommendations.
- The third part describes technical aspects such as security levels and security requirements.
- The fourth part is aimed specifically at the product and component view (sensors, interfaces, chips, etc.) and is therefore aimed more at device vendors.
Security Extensions for PROFINET Whitepaper
This document first describes the motivation and the procedure for the development of a security concept. Next, the security requirements are determined and the actors in the security process named and distinguished from one another.
PROFINET Security Guideline
The Security guideline points out the key aspects for the establishment of a security concept in an industrial environment and provides appropriate recommendations.
PROFINET Security Class 1 Guideline
This document is intended to give component manufacturers, system vendors and users of the PROFINET technology an overview of the planned methods, applications and processes of the PROFINET Security extension in Security Class 1.
IT security extensions for PROFINET
The impact of vertical and horizontal integration in the context of Industry 4.0 requires new concepts for the security of industrial Ethernet protocols. The defense in depth concept, based on the combination of several measures, especially separation and segmentation, needs to be complemented by integrated protection measures for industrial real-time protocols. To cover this challenge, existing protocols need to be equipped with additional functionality to ensure the integrity and availability of the network communication, even in environments where possible attackers can be present. In order to show a possible way to upgrade an existing protocol, this paper describes a security concept for the industrial Ethernet protocol PROFINET.
Security extensions for PROFINET - Concepts, Status and Prospects
Operators of production plants are increasingly emphasizing secure communication, including real-time communication, such as PROFINET, within their control systems. This trend is further advanced by standards like IEC 62443, which demand the protection of realtime communication in the field. PROFIBUS and PROFINET International (PI) is working on the specification of the security extensions for PROFINET (“PROFINET Security”), which shall fulfill the requirements of secure communication in the field.
This paper discusses the matter in three parts. First, the roles and responsibilities of the plant owner, the system integrator, and the component provider regarding security, and the basics of the IEC 62443 will be described. Second, a conceptual overview of PROFINET Security, as well as a status update about the PI specification work will be given. Third, the article will describe how PROFINET Security can contribute to the defense-in-depth approach, and what the expected operating environment is. We will evaluate how PROFINET Security contributes to fulfilling the IEC 62443-4-2 standard for automation components.
PROFINET Security: Technical background and details
A Mechanism for Seamless Cryptographic Rekeying in Real-Time Communication Systems
H. Bühler, A. Walz, A. Sikora
PROFINET Security: A Look on Selected Concepts for Secure Communication in the Automation Domain
A. Walz, K.-H. Niemann, J. Göppert, K. Fischer, S. Merklin, D. Ziegler, A. Sikora
Cryptographic Protection of Cyclic Real-Time Communication in Ethernet-Based Fieldbuses: How Much Hardware is Required?
M. Skuballa, A. Walz, H. Bühler, A. Sikora