Home / Blog / Features and security in PROFINET

Features and security in PROFINET

Posted on 02/16/2017, by INCIBE
Features and security in PROFINET

PROFINET is the Industrial Ethernet open standard of the association PROFIBUS International (PI), in accordance with IEC 61784-2 (Communication Profile Family 3 (PROFIBUS & PROFINET) – RTE communication profiles); and one of the most widely used standards in automation networks.

Profinet is based on Industrial Ethernet, TCP/IP and some communication standards from the IT world. Among its features, it stands out for real-time Ethernet, where the devices that communicate through the bus agree to cooperate in the processing of requests made within the bus.

Starting with a basic connectivity, such as the Ethernet cable, and some frames of established communication that are equivalent to levels 1 and 2 of the OSI model, PROFINET is incorporating new functionalities called "profiles" for specific use such as ProfiSafe and ProfiEnergy, through a specific interpretation for each case of data transmitted, modifying level 7 (applicable). In the case of ProfiSafe, safety data and in the case of ProfiEnergy, data and commands for saving and controlling energy.

With PROFINET it is possible to connect devices, systems and cells (sets of isolated devices), improving both the speed and the security of communications and reducing costs to optimise production. Thanks to its features, PROFINET allows compatibility with Ethernet communications more typical of IT environments, taking advantage of their characteristics, with the only difference being the speed of one Ethernet communication located in the corporate networks compared to the real-time performance required by an industrial network.

In addition, use of the PROFINET standard in the E/S level can provide the following advantages:

  • Improved scalability in infrastructures.
  • Access to field devices through the networks. PROFINET, being a protocol that uses Ethernet in its communication, allows access to field devices from other networks in an easier way.
  • Execution of maintenance tasks and provision of service from anywhere. It is possible to access field devices through secure connections such as, for example, VPN, to carry out remote maintenance.

PROFINET Communication

PROFINET uses 3 communication services:

  • Standard TCP/IP: This service is used for non-deterministic functions such as paramterization, transmission of video/audio and transfer of data to IT systems of a higher level.
  • Real Time: The TCP/IP layers are not used to perform for deterministic automation applications, functioning with a delay in the range of 1-10ms. This is a solution based on suitable software for typical E/S applications, including motion control and high performance requirements.

Real Time, Profinet

  • Isochronous Real Time: The prioritising of the signal and switching programmed provides high-precision synchronisation for applications such as motion control. Cycle speeds in sub-millisecond ranges are possible, with jitter (temporal variation when sending digital signals) in the sub-microsecond range.

Isochronous Real Time, Profinet

There exist various protocols defined within the PROFINET context. Below is a list of these protocols along with their specific use.

  • PROFINET/CBA: Protocol associated with automation applications distributed in industrial environments.
  • PROFINET/DCP: Discovery and basic configuration. It is a protocol based on the link layer, used to configure names of devices and IP addresses. It is restricted to a network and principally used in small and medium applications that have no DHCP server.
  • PROFINET/IO: Sometimes called PROFINET-RT (RealTime), it is used for communications with decentralized peripheries.
  • PROFINET/MRP: Media redundancy protocol. Uses the basic principles for restructuring of networks in the event of suffering a fault when the network has a ring topology. This type of protocol is used in networks that require maximum availability.
  • PROFINET/MRRT: Its objective is to provide solutions for media redundancy for PROFINET/RT.
  • PROFINET/PTCP: Precision Time Control Protocol based on the link layer, to synchronize clock/time signals in various PLCs.
  • PROFINET/RT: Transfer of data in real time.
  • PROFINET/IRT: Transfer of isochronous data in real time.

Security

The accessibility provided by PROFINET makes it a protocol that is very exposed to the Internet, which is why it is necessary to improve the cybersecurity of the networks in which it is deployed.

Some of the best practices for protecting industrial environments that use PROFINET are contained in the document “PROFINET Security Guideline” published by PROFIBUS Internacional or in the document “Protocolos y seguridad de red en infraestructuras SCI” published by INCIBE::

  • Protection against errors, incorrect functions and appropriate management of incidents that might arise with procedures established in advance.
  • Prevention against unauthorised access that arise from manipulations in the network or espionage.
  • Use of proven and certified standards and devices (Firewalls, VPN, IDS/IPS, etc.).
  • Network infrastructure measures. The network architectures of flat networks simplify and facilitate communication between systems and devices. However, these present the challenge of maintaining availability, stability and security of the network, as an attacker with access to the network could access all of the nodes. The segmentation of the network with the use of VLAN, router, etc. contributes significantly to mitigating these problems.

Posible uso de VLAN para asegurar una red con Profinet

- Possible use of VLAN to protect a network with Profinet -

  • Protection of end devices. By selectively disabling services, uninstalling unnecessary applications or modifying default passwords, we can protect the devices present in an industrial network, minimising shortcomings and breaches of security.

These points represent some of the keys that must be implemented in order to maintain the integrity of a PROFINET network without applying restrictions to employees who need access and must take advantage of the potential of the standard.

Analysis of Wireshark traffic

To further study the standard, a network frame of this type of communication has been analysed. The following data were compiled:

Datos recopilados con wireshark

PROFINET/DCP (Discovery and Configuration Protocol)

This is a protocol of the PROFINET context that has 2 principal functions:

  1. Used by Supervisor (PC) to assign a unique name to a device (station).
  2. Used by the controller (CPU) to assign a unique IP address to a device (as defined in the hardware configuration) together with the ARP requests.

Filtrado de paquetes profinet

After completing a filtering to see only the packets belonging to the PROFINET standard, it is observed that they are completing a process to establish the connection between 2 devices. The phases produced are the following:

Frame process analized

Assigning of names to devices

The first element of the frame analysed consists of assigning the names to the devices. These names can be configured manually before connecting to the network or automatically when turning these on (previously connected to the network). In this example, the assignation of both the names and the IPs uses PROFINET-DCP.

Análisis de la trama

For the connection of a periphery distributed to a PLC using PROFINET, aside from the protocol's own specifications for the exchange of data, the device will also respond to messages from other Ethernet-based protocols necessary for its configuration such as ARP (Address Resolution Protocol), LLDP (Link Layer Discovery Protocol), SNMP (Single Network Management Protocol) of the same mode that respond to a ping.

As seen throughout the article, PROFINET is a protocol that provides great advantages with respect to the availability of communications in industrial environments, but given the features that use Ethernet, the exposure of systems with PROFINET is elevated and, for that reason, good segmentation of the network is required along with the use of best practice.