2009 33rd Annual IEEE International Computer Software and Applications Conference 2009
DOI: 10.1109/compsac.2009.61

Exploring Security in PROFINET IO

Abstract: In this paper we show that it is possible to attack and gain control over PROFINET IO nodes and also that this can be done without any of the communicating peers detecting the attack. Analysis of attacks in both shared and packet switched networks show that the attacker can control the process data and thus the state of the machines connected to the I/O modules. As the security risks are increasing in automation with the level of vertical and horizontal integration, the concept of security modules is proposed t…

Cited by 33 publications
(19 citation statements)
References 17 publications
“…having a lower concern for confidentiality, and with the adoption of Ethernet-based devices at level zero, technical vulnerabilities are introduced. Akerberg and Bjorkman (2009) show how it is possible to gain control of Ethernet-based devices operating over the Profinet protocol. With this, an organisation's lack of guidance from a security perspective at level zero, could lead to the technically unsecure adoption of Profinet devices, and the added potential for social engineering, further aiding attackers.…”
Section: Discussion (mentioning)
confidence: 99%
“…First, packet-based analysis of automation traffic does not require extensive resources, because the amount of data is far below [5] what a conventional deep packet inspection can process (>100 Mbit/s). Second, flow-based monitoring generally omits payload analysis which is essential for detecting protocol-specific attacks, such as Man-in-the-Middle attacks on Profinet IO [6] or false data injection in general [7] [8]. Without a deep packet inspection it is not possible to distinguish between packet types of the automation protocol used (e.g., read requests from write requests) and thus communication cannot be analyzed regarding anomalous packet sequences between automation devices.…”
Section: Problem Definition (mentioning)
confidence: 99%
“…Whereas single-packet anomaly detection can help to detect content-based attacks, such as false data injection attacks, identification of sequence-based attacks requires to monitor sequences of packets. Examples for such sequence-based attacks are the aforementioned Man-in-the-Middle attack on a Profinet IO setup [6] or Denial-of-Service attacks by packet flooding on the Modbus TCP protocol [9] and DNP3 over TCP [10]. Since these attacks can be triggered by packets that satisfy the protocol-specific packet formats and contain ordinary data, these attacks cannot be detected by a single-packet analysis.…”
Section: Problem Definition (mentioning)
confidence: 99%
“…Otherwise an attacker could corrupt the communication and could pretend proper operation of the network. [3] Therefore besides the decentralized supervision measures to secure the communication between the devices are needed. [4] III.…”
Section: Introduction (mentioning)
confidence: 99%