
Detecting and preventing replay attacks in industrial automation networks operated with profinet IO

  • Original Paper
  • Journal of Computer Virology and Hacking Techniques

Abstract

Modern industrial facilities consist of controllers, actuators and sensors that are connected via traditional IT equipment. The ongoing integration of these systems into the communication network yields new threats and attack possibilities. Industrial networks often use dedicated communication protocols like Profinet IO (PNIO), which are frequently not supported by typical network security tools. In this work, we present two attack techniques that allow an attacker to take over control of a PNIO device and replay previously recorded traffic. We model attack detection rules and propose an intrusion detection system (IDS) for industrial networks that detects those replay attacks by correlating alerts from a traditional IT IDS with specific PNIO alarms. As an additional effort, we introduce defense-in-depth mechanisms to prevent those attacks from taking effect in the physical world. Thereafter, we evaluate our IDS in a physical demonstrator and compare it with another IDS dedicated to securing PNIO networks. In a conceptual design, we show how network segmentation with flow control allows some, but not all, of the attacks to be prevented.
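The abstract's core detection idea is to correlate alerts from a conventional IT IDS with PNIO alarms, on the assumption that a replay attack leaves traces on both layers close together in time. The following is an added illustration of that correlation step, not code from the paper or its IDS: the alert classes (`arp_spoof`, `mac_change`), the PNIO alarm classes (`ar_abort`, `cycle_timeout`), the device names, the 5 s correlation window and the timestamps are all constructed for this example. It also folds in the maintenance-window suppression that note 5 mentions, so that alarms raised during declared maintenance do not become false positives.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Sequence, Tuple

# NOTE: every event class, field name and sample value in this file is an
# assumption made for this illustration; none of it is the paper's rule set
# or a vendor's alarm format.


@dataclass(frozen=True)
class ItAlert:
    ts: datetime
    kind: str      # assumed IT IDS alert class, e.g. "arp_spoof"
    device: str    # PNIO device the alert concerns (e.g. matched by its IP)


@dataclass(frozen=True)
class PnioAlarm:
    ts: datetime
    kind: str      # assumed PNIO alarm class, e.g. "ar_abort"
    device: str


@dataclass(frozen=True)
class Correlated:
    device: str
    it_alert: ItAlert
    pnio_alarm: PnioAlarm


def correlate(it_alerts: Sequence[ItAlert],
              pnio_alarms: Sequence[PnioAlarm],
              window: timedelta,
              maintenance: Sequence[Tuple[datetime, datetime]] = ()) -> List[Correlated]:
    """Pair each PNIO alarm with the earliest IT IDS alert on the same device
    that fired within `window` before the alarm. A PNIO alarm on its own is
    treated as an ordinary fault; an IT alert on its own as ordinary IT noise.
    Alarms inside a declared maintenance interval are suppressed entirely."""
    by_device: Dict[str, List[ItAlert]] = {}
    for alert in sorted(it_alerts, key=lambda a: a.ts):
        by_device.setdefault(alert.device, []).append(alert)

    hits: List[Correlated] = []
    for alarm in sorted(pnio_alarms, key=lambda p: p.ts):
        if any(start <= alarm.ts <= end for start, end in maintenance):
            continue  # operator-declared maintenance: expected disturbance
        for alert in by_device.get(alarm.device, []):
            if alarm.ts - window <= alert.ts <= alarm.ts:
                hits.append(Correlated(alarm.device, alert, alarm))
                break
    return hits


def demo() -> List[Correlated]:
    """Run the correlation over a constructed event set."""
    t0 = datetime(2018, 1, 1, 12, 0, 0)
    s = timedelta(seconds=1)

    it_alerts = [
        ItAlert(t0 + 1 * s, "arp_spoof", "io-device-1"),          # followed by a PNIO alarm
        ItAlert(t0 + 600 * s, "mac_change", "io-device-2"),       # alarm comes far too late
        ItAlert(t0 + 3600 * s, "arp_spoof", "io-device-4"),       # inside maintenance window
    ]
    pnio_alarms = [
        PnioAlarm(t0 + 1.5 * s, "ar_abort", "io-device-1"),       # correlated
        PnioAlarm(t0 + 30 * s, "cycle_timeout", "io-device-3"),   # no IT alert: plain fault
        PnioAlarm(t0 + 1200 * s, "ar_abort", "io-device-2"),      # outside the window
        PnioAlarm(t0 + 3601 * s, "ar_abort", "io-device-4"),      # suppressed by maintenance
    ]
    maintenance = [(t0 + 3000 * s, t0 + 4200 * s)]

    return correlate(it_alerts, pnio_alarms, window=timedelta(seconds=5),
                     maintenance=maintenance)


if __name__ == "__main__":
    for hit in demo():
        print(f"possible replay attack on {hit.device}: "
              f"{hit.it_alert.kind} at {hit.it_alert.ts.time()} followed by "
              f"{hit.pnio_alarm.kind} at {hit.pnio_alarm.ts.time()}")
```

The window length is the tuning knob: it has to be wide enough to cover the gap between the IT-layer event and the PNIO reaction on the device, yet narrow enough that unrelated IT noise and ordinary fieldbus faults are not paired by coincidence.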


Notes

  1. This means that such a PNIO network should ideally be operated in a completely separated environment without any link to the outside.

  2. For obvious reasons, attacks causing irreversible damages and possibly injuring people are not allowed to be performed in our laboratory.

  3. PNIO supports up to 5 ms cycle time (1 ms in the isochronous real-time class).

  4. In tests, we measured response times of less than 1 ms.

  5. To eliminate false positives, we assume that the operator receiving alerts from the IDS is aware of any maintenance work.

  6. Caused by the “best effort” delivery approach in networking devices.


Corresponding author

Correspondence to Steffen Pfrang.


Cite this article

Pfrang, S., Meier, D. Detecting and preventing replay attacks in industrial automation networks operated with profinet IO. J Comput Virol Hack Tech 14, 253–268 (2018). https://doi.org/10.1007/s11416-018-0315-0
