As digitalization spreads to all levels and applications in manufacturing, IT security gains more importance. Previous security concepts relied primarily on isolating production plants from external users and networks. But in the nowadays connected environment, security strategies must take another approach. PROFIBUS and PROFINET International (PI) is working towards implementing a state of the art and future proof security strategy to PROFINET.
Several enterprises and organizations have adopted the Defense in Depth (DiD) approach to security. Nevertheless, increasing Industry 4.0 requirements will entail more robust measures. With this in mind, PI has decided to expand the security concept to the protocol level for PROFINET.
Proposed Security Classes
Security Class 1 allows for DCP commands to be set to “read-only” mode. Also, GSD* files are protected against changes by signatures.
Security Class 2: Integrity + Authenticity
In addition to the requirements of Security Class 1, the integrity and authenticity of the assets and the communication relations are secured through cryptographic functions. Security Class 2 ensures the confidentiality of configuration data. The confidentiality of the IO data is not necessary since IO data is not routable.
Security Class 3: Confidentiality
Security Class 3 covers all requirements from Security Class 2. Besides, Security Class 3 ensures the integrity, authenticity, and confidentiality of all services. This class is aimed at cases where information about company secrets can be obtained by reading cyclic IO data.
*GSD (General Station Description) file: PROFINET device description provided by the device manufacturer
Next Steps
The PROFINET Security Classes above were proposed in the Security Extensions for PROFINET – White Paper last year. PI and the Security Working Group are working together in developing those security measures to protect PROFINET at the protocol level. The related products will become available when the Security Classes are integrated into the specifications for PROFINET.