PROFIBUS is a standard for fieldbus communication, used in industrial networks to support real-time command and control. Like other network protocols developed in the same period, the PROFIBUS design prioritizes availability as its security objective. Confidentiality and integrity were of lesser importance, as industrial protocols were not intended for public access. However, the publicized weaknesses in industrial technologies, including the inclusion of publicly available technology and protocols in industrial networks, present major risks to industrial networks. This paper investigates the security risks of PROFIBUS and suggests security solutions for it. The objective is to review the PROFIBUS protocol, to establish the purposefulness of the design and its suitability for the applications where it forms a core part of the infrastructure. The security risks of this protocol are then assessed from successful and possible attacks, based on the vulnerabilities. Proposed security solutions are reviewed and additional recommendations are made concerning the use of OPC UA, accompanied by an analysis of the cost of these solutions to the efficiency and safety of PROFIBUS. The findings of this paper indicate that a defense-in-depth approach is a more feasible security solution, with strong security controls being implemented at networks interconnecting with the PROFIBUS networks.