Precautionary measures when using PROFINET devices — PROFINET Security Advisory PISA-001
Background
Under certain circumstances, an attacker with direct (physical) access to the PROFINET network can attack devices using the DCP services of the PROFINET protocol, which can lead to a permanent loss of communication capability between the PROFINET controller and the PROFINET device. The reason lies in the nature of the DCP service provided by the PROFINET protocol: it can be used to change or reset device parameters via a DCP command. Examples of this are DCP-Set (NameOfStation) and DCP-Set (Reset-to-Factory). The existing PROFINET specification provides no security functions for the use of DCP.
Impact
Under certain conditions, an attacker with direct access to the OT network can prevent the PROFINET controller from establishing communication with a PROFINET device and thus disrupt the operation of the device. Manual intervention by the user is required. The device is not destroyed by an attack; it is simply no longer accessible to the CPU. A new assignment of the PROFINET name or IP address can restore device operation.
Measures
Helmholz recommends that its customers introduce or review a strict access policy for the network. Access from other zones to the PROFINET network must be restricted; in particular, DCP services must be blocked. This can be achieved using a firewall or a suitable VLAN configuration.
Newer versions of the PROFINET specification address this problem by introducing PROFINET security in security class 1. Helmholz will successively implement PROFINET security class 1 for all active PROFINET components and make new firmware versions available.
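To check that the restriction described above is effective, frames captured on the PROFINET segment can be screened for DCP-Set requests from stations that are not expected to configure devices. The following is an added example, not part of the advisory or of any Helmholz product: the allowlist, the MAC addresses and the sample frame are constructed, and the constants follow the DCP frame layout (EtherType 0x8892, FrameID 0xFEFD, ServiceID 0x04) as decoded by common protocol analyzers.

```python
import struct

ETH_P_8021Q, ETH_P_PROFINET = 0x8100, 0x8892
FRAME_ID_DCP_GET_SET, SERVICE_SET, TYPE_REQUEST = 0xFEFD, 0x04, 0x00
# (option, suboption) pairs that change or reset device parameters
WATCHED = {
    (0x01, 0x02): "Set IP parameter",
    (0x02, 0x02): "Set NameOfStation",
    (0x05, 0x05): "FactoryReset",
    (0x05, 0x06): "Reset-to-Factory",
}
# Assumption: MACs of stations permitted to issue DCP-Set (constructed value)
ALLOWED_SOURCES = {"02:00:00:00:00:01"}
# Constructed sample: DCP-Set request with a NameOfStation block, unlisted source
SAMPLE = (bytes.fromhex("020000000010" "020000000099" "8892")
          + struct.pack("!HBBIHH", 0xFEFD, 0x04, 0x00, 1, 0, 10)
          + struct.pack("!BBHH", 0x02, 0x02, 6, 0) + b"dev1")


def dcp_set_findings(frame: bytes):
    """Return (src_mac, [block names]) for a DCP-Set request, else None."""
    if len(frame) < 14:
        return None
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == ETH_P_8021Q and len(frame) >= 18:  # skip one VLAN tag
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        offset = 18
    if ethertype != ETH_P_PROFINET or len(frame) < offset + 12:
        return None
    frame_id, service, stype, _xid, _reserved, data_len = struct.unpack_from(
        "!HBBIHH", frame, offset)
    if (frame_id, service, stype) != (FRAME_ID_DCP_GET_SET, SERVICE_SET, TYPE_REQUEST):
        return None
    pos, end = offset + 12, min(len(frame), offset + 12 + data_len)
    names = []
    while pos + 4 <= end:
        option, suboption, block_len = struct.unpack_from("!BBH", frame, pos)
        names.append(WATCHED.get((option, suboption), f"block {option:#04x}/{suboption:#04x}"))
        pos += 4 + block_len + (block_len & 1)  # blocks are padded to even length
    return src, names


def unauthorized(frame: bytes) -> bool:
    """True if the frame is a DCP-Set request from a source not on the allowlist."""
    hit = dcp_set_findings(frame)
    return hit is not None and hit[0] not in ALLOWED_SOURCES
```

Fed from a mirror port or a capture file, `unauthorized()` gives a simple alert condition; any hit on a segment where DCP is supposed to be blocked indicates a gap in the firewall or VLAN configuration.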
Further Information
PROFINET Security Advisory: Improper Access Control for DCP Services (PNO Identifier: PISA-001).