PROFINET Specification V2.5: Making a Proven Technology Even Better

To meet the requirements of today’s and tomorrow’s automation systems, PROFINET Specification V2.5 was launched. Users, technology providers, device developers, and service providers now benefit from a technology that is even more modern, flexible, and secure.

To keep pace with the industry’s growing demands, the PROFINET specification is continuously being refined. In doing so, PI pays attention not only to current developments but also to backward compatibility. This is no simple task, as PROFINET has been on the market for more than 20 years, and has been exceptionally successful.

The new PROFINET V2.5 specification also sets another innovative milestone. This includes, among other things, enhanced security features (“security inside”), practical real-time communication alongside parallel TCP/IP traffic, and a newly defined transport channel. This ensures secure and flexible implementation of use-cases such as parameterization, tool access, or standardized firmware updates.

Together, these features enable end-to-end, scalable networking from sensors all the way to IT applications. At the same time, a wide range of data can be collected via the network and analyzed using AI-based methods to improve processes in a targeted manner.

For Different Target Audiences

PROFINET V2.5 is based on international standards and paves the way for future requirements regarding cybersecurity, scalability, and efficiency. As always with PI, backward compatibility is maintained, allowing existing devices and systems to continue operating. The various target audiences benefit differently from the new features.

For end customers, the look and feel of PROFINET remains unchanged. This means existing devices can continue to be operated as before. However, the functions and possibilities are expanding. Examples include scalable security and standardized event monitoring, which allows users to check the status of a system (including historical data) at any time. Thanks to IT/OT convergence, all types of information can be collected and analyzed in parallel.

For technology providers, the new unified SXP protocol for horizontal and vertical communication opens up entirely new markets. It flexibly supports convergence within the network as well as direct data exchange between the IT and OT levels. Scalable security and enhanced device and asset management, e.g., via certificates, enable new applications and software licensing models. Cyclic and acyclic communication can also be controlled more easily.

Device manufacturers should promptly implement the new state-of-the-art security measures. In addition to integrating updated components from technology providers, measures must be taken, for example, for secure certificate storage, a unique manufacturer signature (IDevID) in the production process, and tamper protection, such as locking or securing local device interfaces. This opens up opportunities for new applications and markets.

Service providers and tool developers are advised to integrate the PROFINET V2.5 specification promptly, as the new device functions can only be configured and used with the appropriate tools. The features of the new specification include, among others, SXP as a new protocol for data exchange, new security settings in accordance with the specification and guidelines, as well as certificate handling for various use-cases. PI assists with implementation.

A Closer Look at the Details

PI has been working on security for many years and has integrated it into its technologies in a variety of ways. However, new guidelines, regulations, and regional as well as international customer requirements demand greater flexibility. Therefore, the previous Security Class 1 is now an integral part of the new PROFINET V2.5 specification. A Secure Cell is thus mandatory and forms the basis for communication. This is supplemented by:

Secure Access: This is the method for communicating into the cell from the outside. It may be necessary to read all types of data from a controller or device or, for example, to write firmware updates. The protocol for this is called SXP (Service Exchange Protocol).

Secure Real-Time: This is an additional security measure between devices within the cell. At this point, increased security requirements come into play, ranging from authenticated secure communication to full encryption. Here, too, the SXP protocol will be used in the future. With SXP, there will be a unified approach for internal (Layer 2) and external (Layer 3) communication. Among other things, it also replaces CL-RPC and SNMP.

With the new protocol, on-demand and multiple connections to a device can be established, either in plain text or encrypted. This offers a variety of options that manufacturers and customers can utilize individually, depending on the security required on-site. Manufacturers continue to decide which of these features to incorporate into their devices.

IT-Friendliness and Transparency in the Network

End users will enjoy greater security in the future, as the signing process for GSDX files will become mandatory for manufacturers. Manufacturers must add their company’s signature to the device description files (GSDML). This increases trust among integrators, operators, and end customers.

All devices can be addressed from the IT level via TCP/IP. This allows information to be retrieved and updated. Firewalls help protect the network from cyber threats. The SXP protocol also simplifies the configuration of these firewalls. For greater transparency in the network, all types of security-related messages can be more easily collected in a single location in the future. This allows filtering based on individual requirements at any time.

Manufacturers usually have their own methods for retrieving data and information from their devices. With SYSLOG support, this will also be possible across manufacturers in the future.

In the future, manufacturers will also be able to provide their devices and components with an electronic “birth certificate” (IDevID). For every PROFINET device (controller, device, switch, etc.), it can be verified at any time whether it is an original. This fosters greater trust and security among customers in the global market.

With PROFINET V2.5, there are no longer any differences between the Conformance Classes, as these are part of the system’s basic functionality. This eliminates the need for complex configuration to determine how to address the device correctly. Managing the system, plant, or machine thus becomes even easier.

Backward Compatibility is Maintained

New devices can continue to support the existing functions of PROFINET Version 2.4x. This ensures that backward compatibility is always maintained. As a result, all stakeholders can continue to decide whether, where, and how they wish to integrate, activate, and configure security in their devices and systems.

Alex Wangler
Head of the PI Working Group “Marketing Factory Automation”