SCADA Hacking: SCADA/ICS Protocols (Profinet/Profibus)

One of the challenges of hacking/pentesting SCADA/ICS has been that the protocols employed by this industry are different and distinct from "normal" IT. SCADA/ICS installations use a wide variety of protocols that often share little with the well-known Ethernet and TCP/IP protocols. For years, this difference has shielded these installations from security issues as a result of "security by obscurity". Now that these protocols are becoming better known and understood, security concerns in these facilities have been heightened.


PROFIBUS (Process Fieldbus) is an open standard for industrial communication originally developed in Germany. It began with a group of 21 companies and institutions named the Central Association for Electrical Industry (ZVEI). This group has been led by the German industrial giant Siemens. As a result, PROFIBUS is widely used in Siemens products (in fact, the Siemens controllers that were exploited by Stuxnet in the Iranian nuclear facility at Natanz were running PROFIBUS).

PROFIBUS is a smart, bi-directional protocol in which many devices are all connected to one cable or bus. The data can represent analog values or discrete ON/OFF values. ALL PROFIBUS devices are interoperable. It is a low-cost, simple and high-speed protocol. PROFIBUS uses a two-wire connection for both power and data.

PROFIBUS is a master-slave protocol (similar to many other SCADA/ICS protocols) that supports multiple master nodes by passing a token between them. Similar to IBM's legacy token-ring protocol, only the master that currently holds the token can communicate with the slaves. A PROFIBUS slave can only communicate with one master. The master PROFIBUS node is usually a PLC or RTU, and the slaves are sensors, motors, or other control devices.

PROFIBUS DP supports several different physical-layer media, including RS-485, similar to the original MODBUS. This configuration enables PROFIBUS to operate at speeds up to 12 Mbps.



The original PROFIBUS protocol was designed to communicate between PLCs and PCs. Unfortunately, this simple protocol was not very flexible and, as a result, it could not work in a more complex network. Although still in use, the vast majority of PROFIBUS networks use one of the newer versions.

PROFIBUS DP (Decentralized Periphery)

PROFIBUS DP is probably the most common of the PROFIBUS protocols. It is simpler and faster than the other types of PROFIBUS. It comes in three separate versions, DP-V0 (cyclic data exchange), DP-V1 (acyclic data exchange) and DP-V2 (isochronous slave-to-slave mode and data exchange), with each new version offering additional features.

PROFIBUS PA (Process Automation)

PROFIBUS PA, as the name implies, was developed for Process Automation. PROFIBUS PA standardizes the process of transmitting measured data. In addition, it was designed for use in hazardous environments by using Manchester Bus Powered (MBP) technology, which uses lower power and thus reduces the chance of sparks and explosions.

PROFIBUS Security Concerns

Like many of the SCADA/ICS protocols, PROFIBUS lacks authentication. This means that any node can spoof a master node. Since only the master node can control the slaves, this is a major security concern. A spoofed master node would be capable of capturing the token, disrupting node functions and even causing a denial of service (DoS). PROFIBUS DP uses a serial connection, so physical access would be required. Unfortunately, most master nodes in a PROFIBUS DP network are connected to an Ethernet network, making them susceptible to nearly any type of Ethernet-based attack.

PROFINET (Process Field Net)

PROFINET (Process Field Net) is another open standard for industrial automation, designed for scalability. Instead of exchanging data over a serial fieldbus, it uses Ethernet (IEEE 802.3) as its medium. It is included as part of IEC 61158 and IEC 61784. Initially, it employed standard TCP/IP packets.

PROFINET has a particular strength in delivering data under tight time constraints. PROFINET uses IT standards such as TCP/IP and XML to communicate with, configure and diagnose machines and devices. PROFINET operates at 100 Mbit/s over twisted-pair or fiber-optic cables.

PROFINET is NOT PROFIBUS over Ethernet, but the two are compatible through the use of a proxy to bridge them (see below).

PROFINET has two function classes:

(1) PROFINET I/O (Input/Output)

(2) PROFINET CBA (component based automation)

PROFINET I/O connects the distributed field devices and uses real-time (RT) and non real-time (TCP/IP) communications.

The real-time (RT) channel is used for time-critical data, such as cyclic process data, alarms, and communication monitoring, and is capable of cycle times of 10 ms.

The non-real-time channel is used for downloading configuration and parameters, diagnostics, device management information and other non-time-critical communication, with reaction times in the range of 100 ms.

In addition, PROFINET IRT (isochronous real-time) is used in drive systems with cycle times of less than 1 ms. As PROFINET IRT is a hardware-based, Layer 2 technology, it is not routable.

PROFINET CBA is designed for distributed industrial automation applications. PROFINET CBA is built on standard DCOM (Distributed Component Object Model) and RPC (Remote Procedure Call) and thus inherits the vulnerabilities of both DCOM and RPC.

PROFINET I/O uses the default TCP/UDP ports 34962, 34963 and 34964. Port 34964 is the connectionless RPC port.

PROFINET CBA uses the default TCP port 135.

Address Resolution

A PROFINET IO device is identified by its station name. After identifying a PROFINET IO device by its station name, the controller assigns an IP address to the device.

PROFINET and PROFIBUS can be easily integrated into a single facility with a transparent interface referred to as a "proxy". The proxy is connected to a PROFINET IO device on one side and a PROFIBUS master on the other side.

PROFINET Security Concerns

As an Ethernet protocol, PROFINET is susceptible to any of the vulnerabilities of Ethernet. Since there are different technologies in the PROFINET suite of protocols, the risk depends upon the technology employed. PROFINET IRT uses non-routable Layer 2 addressing, so it is safer than the technologies that use IP, which are susceptible to the many IP vulnerabilities.
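To make the "risk depends on the technology" point concrete for a defender, here is an added example (not from the original article) that classifies flow records by PROFINET technology using the port numbers listed above plus the PROFINET Layer 2 EtherType 0x8892 (not named in the article; it is how RT/IRT frames are carried), and then flags routable PROFINET traffic from hosts that are not known IO controllers. The control subnet, controller addresses and flow records are constructed for the example.

```python
"""Classify constructed flow records by PROFINET technology and flag unexpected talkers."""
import ipaddress

PROFINET_ETHERTYPE = 0x8892          # Layer 2 RT/IRT frames; not routable
IO_PORTS = {34962, 34963, 34964}     # PROFINET I/O; 34964 is the connectionless RPC port
CBA_PORT = 135                       # PROFINET CBA rides on DCOM/RPC

CONTROL_NET = ipaddress.ip_network("192.168.10.0/24")   # constructed control network
KNOWN_CONTROLLERS = {"192.168.10.1", "192.168.10.2"}    # constructed IO controllers

# Constructed flow records: eth_type 0x0800 is IPv4, 0x8892 is a raw PROFINET RT frame.
SAMPLE_RECORDS = [
    {"eth_type": 0x8892},                                                                  # RT frame, Layer 2 only
    {"eth_type": 0x0800, "proto": "udp", "src": "192.168.10.1", "dst": "192.168.10.50", "dport": 34964},   # known controller
    {"eth_type": 0x0800, "proto": "tcp", "src": "192.168.10.77", "dst": "192.168.10.51", "dport": 135},    # unknown host, CBA
    {"eth_type": 0x0800, "proto": "udp", "src": "10.0.5.9", "dst": "192.168.10.50", "dport": 34962},       # outside control net
    {"eth_type": 0x0800, "proto": "tcp", "src": "10.0.5.9", "dst": "192.168.10.50", "dport": 443},         # not PROFINET
]

def classify(rec):
    """Return (technology, routable) for a record, or None if it is not PROFINET."""
    if rec.get("eth_type") == PROFINET_ETHERTYPE:
        return ("PROFINET RT/IRT (Layer 2)", False)
    if rec.get("proto") in ("udp", "tcp") and rec.get("dport") in IO_PORTS:
        name = "PROFINET IO RPC" if rec["dport"] == 34964 else "PROFINET IO"
        return (name, True)
    if rec.get("proto") == "tcp" and rec.get("dport") == CBA_PORT:
        return ("PROFINET CBA (DCOM/RPC)", True)
    return None

def audit(records):
    """Flag routable PROFINET traffic whose source is not a known controller.

    Layer 2 RT/IRT frames are skipped: their exposure is limited to the local segment,
    which is the distinction the security discussion above draws.
    """
    findings = []
    for rec in records:
        hit = classify(rec)
        if hit is None or not hit[1]:
            continue
        tech = hit[0]
        if ipaddress.ip_address(rec["src"]) not in CONTROL_NET:
            findings.append((tech, rec["src"], "source outside control network"))
        elif rec["src"] not in KNOWN_CONTROLLERS:
            findings.append((tech, rec["src"], "source is not a known controller"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS):
        print("ALERT %s from %s: %s" % finding)
```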