Technik News

Security information on PROFINET applications

Precautionary measures when using PROFINET devices — PROFINET Security Advisory PISA-001

Under certain circumstances, if an attacker with direct (physical) access to the PROFINET network attacks the devices using the DCP services of the PROFINET protocol, this can lead to a permanent loss of communication capability between the PROFINET controller and the PROFINET device. The reason for this lies in the nature of the DCP service provided by the PROFINET protocol. This DCP service can be used to change or reset device parameters via DCP command. Examples of this are DCP-Set (NameOfStation) or DCP-Set (Reset-to-Factory). No safety functions are provided for the use of DCP in the existing PROFINET specification.

Under certain conditions, an attacker - with direct access to the OT network - can prevent the PROFINET controller from establishing communication with a PROFINET device and thus disrupt the operation of the device. Manual intervention by the user is required. The device is not destroyed by an attack, it is simply no longer accessible to the CPU. A new assignment of the PROFINET name or IP address can restore device operation.

Helmholz recommends that its customers introduce or review a strict access policy for the network. Access from other zones to the PROFINET network must be restricted, in particular DCP services must be blocked. This can be achieved using a firewall or a suitable VLAN configuration.

Newer versions of the PROFINET specification address this problem by introducing PROFINET security in security class 1. Helmholz will successively implement PROFINET security class 1 for all active PROFINET components and make new firmware versions available.

Further Information
PROFINET Security Advisory: Improper Access Control for DCP Services (PNO Identifier: PISA-001).