In this article, (and video) the PROFIBUS Group updates MachineBuilding.net readers with the latest state of play concerning industrial network security
From the beginning, in parallel with the first PROFINET specifications, PROFIBUS & PROFINET International (PI) published an extensive security concept, which has been further refined and adapted in multiple steps. It was not sufficient simply to protect plant networks and automation components: importantly, the protective mechanisms and concepts in use should not interfere with the running of production operations either. Further, protection concepts had to be easy to implement and remain affordable. But even more important is that the concepts must be able to be adapted time and again to suit current developments. With these factors in mind, PI has now expanded its IT security concept.
Defence in depth
The IT security concept used for PROFINET employs a defense-in-depth approach. With this method, the production plant is protected against attacks – particularly from the outside – by means of a multi-layer perimeter (including, among other things, firewalls). In addition, further safeguarding within the plant is possible by dividing into zones through the use of firewalls.
Further, a security component test ensures the ability of the PROFINET components to withstand overloading in a defined scope. This concept is supported by organizational measures in the production plant within the framework of a security management system.
A never ending task
Security is, however, a topic that must be continuously adapted to the current development and, as a result, is never finished. This applies in particular with respect to the increasing networking of production plants. The use of PROFINET components with added value, e.g., web or OPC communication, thereby ensures increased, direct communication with higher-level systems outside of the security zone. At the same time, it is becoming increasingly difficult to separate PROFINET networks.
Moreover, the networks are becoming larger, meaning that more and more components are connected together to form a network and interact with one another. A successful attack on a single (PC) system within such a cell therefore bypasses upfront security measures. Widely distributed plants also hinder the physical protection of networks and access points. Unauthorized persons could possibly gain access to the PROFINET network.
Additional measures for end-to-end security
For this reason, previous concepts, which rely primarily on isolating the production plants, must be supplemented with new concepts that enable protection within the cell. PI, therefore, expanded the previous measures with further-reaching protective measures. This includes a credential management system, e.g., for authentication of the devices and an end-to-end security expansion for PROFINET communication as a configuration option. As not every application has the same security requirements, three security classes were defined for PROFINET.
Further technical details and practical examples can be found in the Industry 4.0 Highlight "Security" here. In this section on the PI website, current topics, issues and trends from Industry 4.0 applications are addressed so that the user can easily implement and realize them in practical work.