After wrapping up an in-depth three days of meetings and presentations in Seoul, I can come away feeling more secure in my ability to talk about cybersecurity without feeling insecure ;).
The host for this year’s annual PI Meeting was the generous and capable team in PI Korea. Meaningful discussions, thought-provoking presentations, and eye-opening demonstrations were aplenty. Now onto the clear highlight: cybersecurity.
Until now, security in industrial automation has almost always been treated as an afterthought: protect the perimeter, segment the network, hope for the best. For decades, protocols like PROFINET operated in relative isolation, and defense-in-depth at the network level (firewalls and segmentation) was the whole security model. That era is over.
Going forward, PROFINET represents something genuinely different: security baked into the protocol itself, not bolted on afterward.
From Perimeter to Identity
The old model of automation cell security, firewalls around isolated islands of devices, still has a role to play. But it was never sufficient on its own and, depending on the installation, may not be sufficient at all, particularly in light of new laws and regulations. As industrial environments connect to enterprise IT systems, cloud platforms, and remote engineering tools, the perimeter dissolves. What remains is the question: do you know who is on your network, and can you trust them?
PROFINET answers this with certificate-based device identity. Identity is the foundation of every other security control: you cannot enforce access controls or policies, detect anomalies, or conduct a meaningful audit if you don't know with certainty who is communicating with whom.
Access Control That Scales
Role-Based Access Control (RBAC) in PROFINET distinguishes between who can operate a device and who can configure it. A Controller handling cyclic real-time data has different permissions than a diagnostic tool, an HMI, or a network manager adjusting topology. Roles are encoded directly in certificates and then enforced.
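To make "roles encoded in certificates and then enforced" concrete, here is an added example in Go, written for this page rather than taken from PI or any PROFINET stack. It does not reproduce PROFINET's actual encoding, which the post does not describe: the role extension OID, the plain-string role value, the permission table and the device names are all assumptions for illustration. A plant CA issues a device certificate that carries a role, and a device verifies the chain to that CA before it reads the role and decides whether an operation is allowed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Placeholder OID for a device-role extension: PROFINET's real encoding is not on the page, so this arc is assumed.
var oidDeviceRole = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1}

// Operations each role may perform on a device (an assumed policy, not PI's).
var rolePermissions = map[string]map[string]bool{
	"controller":  {"cyclic-io": true, "read-diag": true},
	"engineering": {"read-diag": true, "configure": true},
}

type PKI struct {
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	roots  *x509.CertPool
}

// issue generates a P-256 key for tmpl and signs tmpl with parent (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewPKI creates a minimal plant CA, the only trust anchor the devices accept.
func NewPKI() (*PKI, error) {
	cert, key, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Plant CA (example)"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &PKI{caCert: cert, caKey: key, roots: pool}, nil
}

// IssueDeviceCert binds a role to a device identity at issuance (the device key is dropped here; in practice it never leaves the device).
func (p *PKI) IssueDeviceCert(name, role string, serial int64) (*x509.Certificate, error) {
	roleDER, err := asn1.Marshal(role)
	if err != nil {
		return nil, err
	}
	cert, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		ExtraExtensions: []pkix.Extension{{Id: oidDeviceRole, Value: roleDER}},
	}, p.caCert, p.caKey)
	return cert, err
}

// RoleFromCert verifies the chain to the plant CA before reading the role; reading it first would trust an attacker-chosen value.
func (p *PKI) RoleFromCert(cert *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{Roots: p.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted identity: %w", err)
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidDeviceRole) {
			var role string
			_, err := asn1.Unmarshal(ext.Value, &role)
			return role, err
		}
	}
	return "", fmt.Errorf("certificate %q carries no role", cert.Subject.CommonName)
}

// Authorize is the check a device runs before honouring a request.
func (p *PKI) Authorize(cert *x509.Certificate, op string) error {
	role, err := p.RoleFromCert(cert)
	if err == nil && !rolePermissions[role][op] {
		err = fmt.Errorf("role %q is not permitted to %q", role, op)
	}
	return err
}

func main() {
	plant, _ := NewPKI()
	ctrl, _ := plant.IssueDeviceCert("plc-01", "controller", 2)
	fmt.Println(plant.Authorize(ctrl, "cyclic-io"), plant.Authorize(ctrl, "configure"))
}
```

The order of the checks is the security point: chain verification first, then role extraction, then the permission lookup. A certificate from a CA the plant does not trust is rejected before its role is ever looked at; if a device read the role extension first, anyone able to mint a self-signed certificate could claim the engineering role.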
End-to-End Protection, Not Just Tunnels
PROFINET V2.5 provides a unified security layer that works consistently across both Layer 2 and Layer 3 transports. Cryptographic key renewal can now happen in the background without disrupting I/O traffic, which addresses one of the longstanding operational objections to certificates in OT environments: that rotating keys interrupts production.
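The post does not describe how PROFINET performs background key renewal, so what follows is an added example of the general technique, not PI's code or the protocol's actual mechanism: a receiver that keeps both the current and the previous key for a grace period, with every frame tagging which key sealed it. The frame layout (key ID, payload, HMAC-SHA256 tag), the key IDs and the sample keys are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed frame layout for this example: 1-byte key ID | payload | 32-byte HMAC-SHA256 tag.
// It stands in for whatever integrity envelope the real protocol puts around a cyclic frame.
const tagLen = sha256.Size

type epochKey struct {
	id  byte
	key []byte
}

// KeyRing holds the current key and, during a grace period after a rotation, the previous one,
// so frames that were already in flight when the key changed are still accepted.
type KeyRing struct {
	cur  epochKey
	prev *epochKey
}

func NewKeyRing(id byte, key []byte) *KeyRing {
	return &KeyRing{cur: epochKey{id: id, key: key}}
}

func tag(key, body []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return m.Sum(nil)
}

// Seal always uses the current key and records which key ID it used.
func (r *KeyRing) Seal(payload []byte) []byte {
	body := append([]byte{r.cur.id}, payload...)
	return append(body, tag(r.cur.key, body)...)
}

// Open selects the key by ID; the previous key is accepted only while it is still retained.
func (r *KeyRing) Open(frame []byte) ([]byte, error) {
	if len(frame) < 1+tagLen {
		return nil, errors.New("frame too short")
	}
	body, got := frame[:len(frame)-tagLen], frame[len(frame)-tagLen:]
	var key []byte
	switch {
	case body[0] == r.cur.id:
		key = r.cur.key
	case r.prev != nil && body[0] == r.prev.id:
		key = r.prev.key
	default:
		return nil, fmt.Errorf("key id %d not accepted", body[0])
	}
	if !hmac.Equal(tag(key, body), got) {
		return nil, errors.New("integrity check failed")
	}
	return body[1:], nil
}

// Install makes a new key current and keeps the old one for in-flight frames.
// Receivers must install before senders switch, so no frame arrives under an unknown ID.
func (r *KeyRing) Install(id byte, key []byte) {
	old := r.cur
	r.prev = &old
	r.cur = epochKey{id: id, key: key}
}

// Retire ends the grace period: frames under the old key are rejected from now on.
func (r *KeyRing) Retire() { r.prev = nil }

func main() {
	k1, k2 := []byte("epoch-1-key-constructed-for-demo"), []byte("epoch-2-key-constructed-for-demo")
	sender, receiver := NewKeyRing(1, k1), NewKeyRing(1, k1)
	inFlight := sender.Seal([]byte("cyclic io frame"))
	receiver.Install(2, k2) // receiver learns the new key first
	sender.Install(2, k2)   // then the sender switches
	_, err1 := receiver.Open(inFlight)
	_, err2 := receiver.Open(sender.Seal([]byte("cyclic io frame")))
	receiver.Retire()
	_, err3 := receiver.Open(inFlight)
	fmt.Println(err1, err2, err3) // <nil> <nil> key id 1 not accepted
}
```

The sequencing is what keeps I/O flowing: the receiver installs the new key first, the sender switches once every receiver has it, and only then is the old key retired. Reverse the first two steps and the receiver rejects every frame sealed under a key it has not yet seen, which is exactly the kind of interruption the operational objection is about.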
The Operational Reality
None of this requires a complete rip-and-replace. PI acknowledges three realistic migration paths: keeping existing devices behind firewall protection for isolated cells; selectively upgrading critical devices while running mixed environments; or committing to full end-to-end certificate infrastructure for maximum assurance. It all depends on your risk assessment. What’s changed is that industrial operators no longer need to assemble security from disparate, vendor-specific pieces. The protocol itself carries the architecture.
In the past, security as an afterthought yielded afterthought-quality outcomes. PROFINET’s new integration of identity and access control into the core specification is a recognition that industrial networks are critical infrastructure — and should be protected accordingly.


Michael Bowne