In the field of automation, security protection is indisputably becoming more and more important all the time. That is why the security experts at PI (PROFIBUS & PROFINET International) have drawn up a comprehensive security concept using recognized methods & means and described it in specifications. Depending on the requirement situation, three PROFINET security classes can now be implemented.
One component of class 1 is signing of the GSDML files, which describes all the characteristics of a device in XML notation. Signing of the GSDML file by a device manufacturer now ensures both authenticity and integrity, i. e. the GSDML file has been created securely by the responsible device manufacturer and has not been tampered with on the way to the user.
The technical basis consists of tried-and-tested methods:
The foundation is the XML signature – the W3C recommendation/IETF RFC 3275 for signature objects in the XML format. Expanded requirements are supported by the XAdES B-LT expansion of the XML signature specification, documented by ETSI EN 319 132-1 and as a W3C note. The signature object, together with the known GSDML file content as per the ISO/IEC 29500-2:2021 (“OPC” = Open Packaging Convention), is packaged in a file, hence the new name extension: GSDX.
Easy generation of this signing requires a corresponding tool environment, which the Support Center of the PROFIBUS Nutzerorganisation e.V. (PNO) is providing with support from security companies. This signature tool signs GSDML files with the help of a local private key and generates GSDX files. The associated public validation key is provided in the form of a public key certificate issued by the PNO. Signing can occur either directly at the PNO Support Center or at the facility of the manufacturer, who has received a derived certificate and smartcard. In the meantime, initial testing has proven successful. The PNO is currently constructing a PKI interface for secure communication between the support center and manufacturers.
The signing of GSDML files is one of the initial use-cases of certificates, and others will follow with secured PROFINET communication in security classes 2 and 3.
As with other functions as well, PNO and PI ensure a workable security implementation, including for industrial communication, through a consistent specification and the corresponding tools.