My momma raised me right. Growing up, she taught me there are certain topics you avoid expressing your opinions on to just anybody. Those were: religion, politics, and cybersecurity 😉. Nowadays though, it’s hard to avoid talking about these topics.
As the Industrial Internet of Things (IIoT) and Industry 4.0 solutions become more prevalent, network security features prominently in the discussion. Because PROFINET is an Ethernet-based protocol, cybersecurity has always been relevant to it. The recommendation from PROFIBUS & PROFINET International (PI) is to secure the network as a whole, thereby protecting not only the automation traffic but also any other protocols running on the same network.
The basis for this holistic approach to network security has always been grounded in technology: PROFINET is engineered in such a way that nearly all its traffic goes directly from Layer 2 of the ISO/OSI Model to Layer 7. This allows the protocol to achieve the speed and determinism required for industrial applications.
That’s not to say PROFINET devices don’t have IP addresses (they do) or cannot optionally use TCP/IP or UDP/IP for certain tasks such as diagnostics or configuration (they can). It simply means that the vast majority of PROFINET traffic stays within its own subnet: Ethernet switches forward its frames across the network based on the destination MAC address inside the frame. Therefore, a malicious actor attempting to manipulate this traffic could only do so from inside the network. The reasoning goes that if an attacker is able to get inside the network, then the network itself has not been properly secured through defense in depth or similar measures (firewalls, DMZs, access protection, etc.).
Despite this history, three factors are driving an expansion of PROFINET’s existing security concept. First, as a direct result of Industry 4.0 and IIoT, networks keep growing and, with them, their attack surfaces. Second, customers are requesting extended security measures to mitigate potential liability. Third, if an attacker did have the means to penetrate a network, we must ask ourselves, from a purely PROFINET perspective, what they could potentially compromise.
Device Availability / Robustness
An attacker may attempt to shut down a device to bring a system or process offline. There are many ways to accomplish this; a common one is a denial-of-service attack. PI has addressed this for a number of years: PROFINET devices are subjected to a Netload test during certification. Furthermore, PROFINET security measures [Security Class 1] here include the abilities to:
- Change SNMP (Simple Network Management Protocol) default strings;
- Set DCP (Discovery and Configuration Protocol) commands as read-only; and
- Sign GSD (General Station Description) files to protect against changes.
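As an added example (not PI's or any vendor's code) of the kind of monitoring a Security Class 1 deployment can pair with read-only DCP: a small Python parser that picks DCP frames out of Layer 2 traffic and flags Set requests (device name or IP changes) coming from anything other than an approved engineering station. The EtherType, FrameIDs and service IDs are PROFINET constants assumed from the DCP specification; every MAC address and frame below is constructed.

```python
import struct
# Added example, not PI's or any vendor's code; DCP constants assumed from the spec, frames constructed.
PROFINET_ETHERTYPE = 0x8892
VLAN_ETHERTYPE = 0x8100
DCP_FRAME_IDS = {0xFEFC: "Hello", 0xFEFD: "Get/Set", 0xFEFE: "Identify-Req", 0xFEFF: "Identify-Resp"}
DCP_SET, DCP_REQUEST = 4, 0          # ServiceID 4 = Set, ServiceType 0 = request

def parse_dcp(frame: bytes):
    """Return (src_mac, frame_id, service_id, service_type) for a DCP frame, else None."""
    src, off = frame[6:12].hex(":"), 12
    ethertype = int.from_bytes(frame[off:off + 2], "big")
    if ethertype == VLAN_ETHERTYPE:    # DCP is often sent with an 802.1Q priority tag
        off += 4
        ethertype = int.from_bytes(frame[off:off + 2], "big")
    off += 2
    if ethertype != PROFINET_ETHERTYPE or len(frame) < off + 12:   # FrameID + 10-byte DCP header
        return None
    frame_id, service_id, service_type = struct.unpack("!HBB", frame[off:off + 4])
    if frame_id not in DCP_FRAME_IDS:  # other 0x8892 frames are cyclic/acyclic RT, not DCP
        return None
    return src, frame_id, service_id, service_type

def dcp_set_alerts(frames, trusted_macs):
    """Flag DCP Set requests (name/IP changes) not sent by an approved engineering station."""
    alerts = []
    for n, frame in enumerate(frames):
        parsed = parse_dcp(frame)
        if parsed is None:
            continue
        src, _, service_id, service_type = parsed
        if service_id == DCP_SET and service_type == DCP_REQUEST and src not in trusted_macs:
            alerts.append(f"frame {n}: DCP Set request from untrusted {src}")
    return alerts

def build_dcp(src, dst, frame_id, service_id, service_type, tagged=False):
    """Constructed frame: Ethernet header, optional VLAN tag, FrameID, 10-byte DCP header, no blocks."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if tagged:
        hdr += struct.pack("!HH", VLAN_ETHERTYPE, 0xC000)   # PCP 6, VID 0
    hdr += struct.pack("!H", PROFINET_ETHERTYPE)
    return hdr + struct.pack("!HBBIHH", frame_id, service_id, service_type, 0x1234, 0, 0)
ENGINEERING = "00:0e:8c:00:00:01"   # constructed MAC of the approved engineering station
DEVICE = "00:0e:8c:00:00:42"        # constructed MAC of an IO device
DCP_MCAST = "01:0e:cf:00:00:00"     # PROFINET DCP identify multicast address
SAMPLE_FRAMES = [
    build_dcp(ENGINEERING, DCP_MCAST, 0xFEFE, 5, 0),       # Identify request: benign discovery
    build_dcp(ENGINEERING, DEVICE, 0xFEFD, DCP_SET, 0),    # Set from trusted station: allowed
    build_dcp("00:11:22:33:44:55", DEVICE, 0xFEFD, DCP_SET, 0, tagged=True),  # Set from unknown host
    build_dcp(DEVICE, ENGINEERING, 0xFEFD, DCP_SET, 1),    # Set *response* from the device: not a write
]
```

Running `dcp_set_alerts(SAMPLE_FRAMES, {ENGINEERING})` reports only the tagged Set request from the unknown host; feeding it frames captured from a mirror port on the PROFINET switch gives a simple audit of who is still writing device names and addresses once DCP has been set read-only.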
Data Integrity / Device Authenticity
An attacker may attempt to manipulate Ethernet telegrams so that devices receive falsified or malformed messages. A common approach here is a man-in-the-middle attack. To mitigate such an attack, PROFINET security measures [Security Class 2] will include the ability to digitally sign messages. Using a key/certificate to prove they originated a message, devices can authenticate themselves, and the signature lets the receiver verify the integrity of their data.
Data Confidentiality
An attacker may attempt to read the data inside PROFINET telegrams to infer company secrets. In industrial networks, data confidentiality does not have as high a priority as device availability and data integrity. However, certain users may have automation traffic that contains proprietary information (e.g., recipes). To ensure such confidentiality, PROFINET security measures [Security Class 3] will include the ability for devices to encrypt their IO data before sending it over the network.
Not all manufacturers will require the same level of network security. The PROFINET Security Classes described above can be applied as needed; most environments may only require Security Classes 1 and 2. Like all cybersecurity protections, these are only a few of the many tools that can be employed to secure a network. The goal here is to address IIoT and Industry 4.0 cybersecurity concerns wherever they enter the discussion, whether momma likes it or not.