New MinutePROFINET Video: Cybersecurity


In PROFINET, we define three network cybersecurity classes. Security Class 1 addresses robustness, where we tighten up security for DCP (Discovery & Configuration Protocol) and SNMP (Simple Network Management Protocol) and protect GSD (General Station Description) files. Class 2 addresses integrity, where we authenticate communication between controllers and devices. And Class 3 addresses confidentiality, where we encrypt real-time I/O data. This video addresses PROFINET Security Class 1.

DCP is essential for detection and basic configuration of PROFINET devices. Unfortunately, DCP commands can change a device’s configuration during operation, through either unintended or malicious action. With DCP in read-only mode during operation, a bad actor cannot disrupt the network this way.
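A monitoring-side view of the DCP point above, as an added example that is not from the original post or from PI: it flags DCP Set requests in raw Ethernet frames, the kind of command a device in read-only mode would refuse and that is worth alerting on during operation. The EtherType, FrameID, ServiceID and option numbers follow the commonly documented DCP frame layout rather than anything stated on this page, and the helper names, MAC addresses and sample frames are constructed for illustration.

```python
import struct

ETH_P_8021Q, ETH_P_PROFINET = 0x8100, 0x8892   # VLAN tag, PROFINET EtherType
FRAME_ID_DCP_GETSET = 0xFEFD                   # DCP Get/Set frames
SERVICE_ID_GET, SERVICE_ID_SET, SERVICE_TYPE_REQUEST = 0x03, 0x04, 0x00
BLOCK_NAMES = {(1, 2): "IP parameter", (2, 2): "NameOfStation",
               (5, 3): "Signal", (5, 5): "FactoryReset", (5, 6): "ResetToFactory"}

def dcp_set_request(frame: bytes):
    """Return (src_mac, [block names]) for a DCP Set request, else None."""
    if len(frame) < 14:
        return None
    ethertype, off = struct.unpack_from("!H", frame, 12)[0], 14
    if ethertype == ETH_P_8021Q and len(frame) >= 18:   # skip one 802.1Q tag
        ethertype, off = struct.unpack_from("!H", frame, 16)[0], 18
    if ethertype != ETH_P_PROFINET or len(frame) < off + 12:
        return None
    frame_id, service_id, service_type, _xid, _rsv, data_len = \
        struct.unpack_from("!HBBIHH", frame, off)
    if (frame_id, service_id, service_type) != (
            FRAME_ID_DCP_GETSET, SERVICE_ID_SET, SERVICE_TYPE_REQUEST):
        return None
    blocks, pos = [], off + 12
    end = min(len(frame), pos + data_len)
    while pos + 4 <= end:                  # walk option/suboption/length blocks
        opt, sub, blen = struct.unpack_from("!BBH", frame, pos)
        blocks.append(BLOCK_NAMES.get((opt, sub), f"option {opt}/{sub}"))
        pos += 4 + blen + (blen & 1)       # blocks are padded to even length
    return ":".join(f"{b:02x}" for b in frame[6:12]), blocks

def build(service_id, blocks, vlan=False):
    """Constructed sample frame (not a capture); MACs are made-up local addresses."""
    tag = struct.pack("!HH", ETH_P_8021Q, 0xC000) if vlan else b""
    hdr = struct.pack("!HBBIHH", FRAME_ID_DCP_GETSET, service_id,
                      SERVICE_TYPE_REQUEST, 1, 0, len(blocks))
    return (bytes.fromhex("020000000002020000000001") + tag
            + struct.pack("!H", ETH_P_PROFINET) + hdr + blocks)

# Constructed samples: a VLAN-tagged Set of NameOfStation, and a harmless Get.
NAME_BLOCK = struct.pack("!BBHH", 2, 2, 10, 1) + b"plc-test"
SAMPLES = [build(SERVICE_ID_SET, NAME_BLOCK, vlan=True),
           build(SERVICE_ID_GET, bytes([2, 2]))]

if __name__ == "__main__":
    for f in SAMPLES:
        hit = dcp_set_request(f)
        print("ALERT DCP Set from %s: %s" % hit if hit else "ok")
```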

Since SNMP can be useful for network management, we don’t want to completely restrict its use, merely ensure it is secure by default. So, devices supporting Security Class 1 can be configured to either (A) completely disable SNMP, (B) run SNMP in read-only mode, or (C) use the SNMP Community Name for read/write access.

Finally, with signed GSD files, a user can verify that a GSD file has not been changed by a bad actor, and that the manufacturer is authorized by PI to sign GSD files for the Vendor ID used.