Secure Communication with PROFINET
With the increased networking expected in the future, for example through Industrie 4.0, situations may arise in which the cell protection concept alone is no longer sufficient. Further measures then have to be taken.
Focus on Reliability and Real-Time
In the IT world there are proven security concepts, and these also serve as a guide for similar concepts in automation communication technology. However, PI's analyses have shown that they cannot simply be transferred to the automation world. To name a few examples:
PROFINET devices are primarily geared towards reliability and real-time communication. In addition, usability in an industrial environment plays an important role in technology design: it must be possible to implement security functions, e.g. a certificate check, in a practical manner, and inserting a smart card into an IP65 device is not exactly feasible. Furthermore, business IT sometimes prioritizes the protection goals differently. There, confidentiality is an important asset, whereas it plays a subordinate role in automation communication networks.
Prioritization of Protection Targets
IEC 62443, the standard for industrial security, is the basis for PI's security concepts. In many automation systems the protection goals, which may certainly differ in individual cases and applications, are prioritized as follows:
Availability and Robustness
This is about the characteristic of a system to always fulfill its required function. Depending on the production process, there are usually high to very high availability requirements. This is especially true for critical infrastructure.
Integrity
This is about the characteristic of a system to protect against unauthorized data manipulation. For example, message packets must not be falsified, otherwise actuators may be activated unintentionally or incorrect measured values may be recorded.
Authenticity (Devices / Users)
Authenticity ensures the unique identification of a system component and its data. The components must "identify themselves" and have a forgery-proof digital identity. The authorizations assigned to an authenticated user (human user, software process or device) allow the actions it requires in the automation system to be performed and enforced, and allow the use of these authorizations to be monitored.
Usage Control
Usage control ensures that only authorized users can intervene in the automation system.
Confidentiality
Information is only accessible to certain participants and remains hidden from third parties. The protection goal of confidentiality is rated low for IO data, as long as no conclusions about company secrets (e.g. secret recipes) can be drawn from it.
Security Classes According to PROFINET
Because the multitude of industries and applications entails different security requirements, three security classes were introduced in PROFINET. The requirement of 'confidentiality', for example, entails a very high computing-time expenditure for encryption measures, which is not necessary in many applications.
Security Class 1
Security Class 1 (robustness) generally provides for sealing off the system from the outside, segmentation of the production network, access protection, and other measures (Defense-in-Depth concept). This is now being extended in some points: SNMP default community strings can be changed, DCP commands can be set to "read only", and GSD files can be protected against unnoticed changes by signing. These changes were already introduced in PROFINET specification V2.4 MU1 in April 2020.
The integrity and authenticity of GSD files must be ensured. To this end, manufacturers must be able to digitally sign their GSD files as an optional security extension; individual manufacturer-specific certificates can be requested from the PNO. The engineering system validates the GSD signature during import, which creates trust in the GSD configuration data. A user guide with details about all Class 1 features is available.
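The import-time check described above, as an added illustration in Go (not PI's or any vendor's code): a manufacturer signs the GSD bytes, and the engineering tool accepts the file only if the signature verifies under the manufacturer's public key. The detached Ed25519-over-SHA-256 scheme and the sample GSD content are assumptions for this example, not the format PI specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Constructed sample GSD content for this example; not a real manufacturer file.
const sampleGSD = `<?xml version="1.0"?><ISO15745Profile>` +
	`<DeviceIdentity VendorID="0x1234" DeviceID="0x0001"/></ISO15745Profile>`

// SignGSD produces a detached Ed25519 signature over the SHA-256 digest of the
// GSD bytes. The scheme is an assumption for this example, not PI's specified format.
func SignGSD(priv ed25519.PrivateKey, gsd []byte) []byte {
	digest := sha256.Sum256(gsd)
	return ed25519.Sign(priv, digest[:])
}

// VerifyGSD is the check an engineering tool runs on import: it accepts the file
// only if the signature matches under the manufacturer's public key.
func VerifyGSD(pub ed25519.PublicKey, gsd, sig []byte) bool {
	digest := sha256.Sum256(gsd)
	return ed25519.Verify(pub, digest[:], sig)
}

// Demo signs the sample file, then checks that the untouched file is accepted
// and that a copy with a silently changed DeviceID is rejected.
func Demo() (validAccepted, tamperedRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // manufacturer key pair
	if err != nil {
		return false, false, err
	}
	gsd := []byte(sampleGSD)
	sig := SignGSD(priv, gsd)
	tampered := []byte(strings.Replace(sampleGSD, `DeviceID="0x0001"`, `DeviceID="0x0002"`, 1))
	return VerifyGSD(pub, gsd, sig), !VerifyGSD(pub, tampered, sig), nil
}

func main() {
	ok, rejected, err := Demo()
	fmt.Printf("original accepted: %v, tampered rejected: %v, err: %v\n", ok, rejected, err)
}
```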
Security Class 2
For Security Class 2 (integrity and authenticity), in addition to Security Class 1, the integrity and authenticity of IO data communication as well as the confidentiality of configuration data are specified, using cryptographic functions. This applies, for example, to systems that cannot easily be divided into zones or where access from the outside is not secured, such as outdoor installations.
Authentication is based on certificates, both for devices and operators. Handling of certificates is required in Security Class 2 and above; authentication via username/password is not planned. Each communication partner must have a certificate issued by a Certificate Authority (CA). PROFINET Certificate Management handles the initial provision of certificates as well as their renewal, updating and revocation. Keys can be generated either on the device itself or by external sources (e.g. tools).
Security Class 3
In Security Class 3, the confidentiality of IO data is specified as well. This applies, for example, when company secrets could be inferred from that data.
The majority of applications will be able to work on the basis of Security Classes 1 and 2. Creating and checking the security information added by the protocol extension generally increases the resource demand on components. Such integrity and authenticity checks must not have any qualitative effect on the performance of PROFINET.
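What the Security Class 2 integrity and authenticity check for IO data amounts to, as an added illustration in Go (not PI's or any stack vendor's code): the sender appends a cryptographic checksum over the cycle counter and process data, and the receiver recomputes it, so a frame whose actuator value was falsified in transit is rejected. The frame layout, the HMAC-SHA256 checksum and the pre-shared key are assumptions for this example; PROFINET's actual frame format and key establishment are not described on this page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// IOFrame is a constructed, simplified model of a cyclic IO frame (not the real
// PROFINET RT layout): cycle counter, raw process data and the sender's tag.
type IOFrame struct {
	CycleCounter uint16
	Data         []byte
	Tag          []byte // cryptographic checksum over counter and data
}

// authenticated returns the bytes the tag covers: counter plus data.
func authenticated(counter uint16, data []byte) []byte {
	buf := make([]byte, 2+len(data))
	binary.BigEndian.PutUint16(buf, counter)
	copy(buf[2:], data)
	return buf
}

// Protect computes an HMAC-SHA256 tag with a key shared by controller and
// device (how that key is established is outside this example).
func Protect(key []byte, counter uint16, data []byte) IOFrame {
	mac := hmac.New(sha256.New, key)
	mac.Write(authenticated(counter, data))
	return IOFrame{CycleCounter: counter, Data: append([]byte(nil), data...), Tag: mac.Sum(nil)}
}

// Check recomputes the tag on the receiver and reports whether the frame is
// unaltered; any change to data or counter in transit makes it return false.
func Check(key []byte, f IOFrame) bool {
	mac := hmac.New(sha256.New, key)
	mac.Write(authenticated(f.CycleCounter, f.Data))
	return hmac.Equal(mac.Sum(nil), f.Tag)
}

func main() {
	key := []byte("constructed-shared-key") // placeholder, not a real key
	f := Protect(key, 7, []byte{0x01, 0x00})  // constructed "actuator 1 on" data
	fmt.Println("unchanged frame valid:", Check(key, f))
	f.Data[0] = 0x00 // value falsified in transit
	fmt.Println("falsified frame valid:", Check(key, f))
}
```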
Protective Measures in a PROFINET Network
The PROFINET security concept is based on well-known and generally accepted cryptographic algorithms and protocols. Nevertheless, flexible lifecycle management of the security functions is required, in case cryptographic algorithms have to be assumed insecure or weaknesses in the concept are discovered. In addition, the following aspects must be considered for secure PROFINET communication:
- Ensuring the authenticity of PROFINET stations by means of a cryptographically secured digital identity in the form of certificates. The concept should include the possibility of storing this identity securely, e.g. in a specially secured hardware component in the respective station.
- Ensuring the integrity of communication by cryptographic measures, e.g. cryptographic checksums. This protection should cover all communication channels of the PROFINET device, including IP communication, PROFINET real-time communication, and communication for network management.
- Securing system startup and the assignment of components, e.g. of IO devices to IO controllers and engineering tools, by means of cryptographic measures. This also applies to a system startup after a connection has been terminated.
- Reporting of security-relevant events that PROFINET devices can detect, for example through additional PROFINET IT security alarms.
- Ensuring the confidentiality of acyclic data and configuration data, with confidentiality of cyclic data as an optional function in Security Class 3.
- Ensuring minimum requirements against denial-of-service attacks.
- Protecting the integrity and authenticity of device master files (GSD files).
- Secured end-to-end communication between controllers and their associated devices, with optional integration of monitoring/diagnostic systems.
- A configuration option for machines with higher security requirements (different security profiles).
- Support and protection, as transparently as possible, of existing PROFINET profiles and functions, e.g. PROFIsafe.
A whitepaper on PI's security measures has been available since April 2019. The measures described there are continuously incorporated into the corresponding PROFINET specifications. In addition, PI offers training and other services on the subject, and a Cyber Security Incident Response Team (CSIRT) is being set up at PI.