Detecting and preventing replay attacks in industrial automation networks operated with profinet IO

Original Paper


Modern industrial facilities consist of controllers, actuators and sensors that are connected via traditional IT equipment. The ongoing integration of these systems into the communication network creates new threats and attack possibilities. Industrial networks often use dedicated communication protocols such as Profinet IO (PNIO), which are frequently not supported by typical network security tools. In this work, we present two attack techniques that allow an attacker to take over control of a PNIO device and replay previously recorded traffic. We model attack detection rules and propose an intrusion detection system (IDS) for industrial networks that detects these replay attacks by correlating alerts from a traditional IT IDS with specific PNIO alarms. As an additional effort, we introduce defense-in-depth mechanisms that prevent these attacks from taking effect in the physical world. We then evaluate our IDS in a physical demonstrator and compare it with another IDS dedicated to securing PNIO networks. In a conceptual design, we show how network segmentation with flow control can prevent some, but not all, of the attacks.
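The abstract's core detection idea, correlating IT IDS alerts with PNIO alarms on the same device within a short time window, as an added illustration that is not the paper's own code or rule set. The event format, the alert and alarm type names ("arp_spoof", "ar_abort", "ar_established"), the ten-second window and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    source: str   # "it_ids" (alert from a conventional network IDS) or "pnio"
    kind: str     # alert/alarm type; names below are assumptions, not spec values
    device: str   # MAC address of the PNIO device concerned (PNIO RT is Ethernet-based)


# Constructed sample events for illustration only.
SAMPLE_EVENTS = [
    Event(datetime(2017, 1, 1, 10, 0, 0), "it_ids", "arp_spoof", "00:0e:8c:00:00:01"),
    Event(datetime(2017, 1, 1, 10, 0, 2), "pnio", "ar_abort", "00:0e:8c:00:00:01"),
    Event(datetime(2017, 1, 1, 10, 0, 5), "pnio", "ar_established", "00:0e:8c:00:00:01"),
    # A lone PNIO abort with no preceding IT alert: treated as benign by this rule.
    Event(datetime(2017, 1, 1, 11, 0, 0), "pnio", "ar_abort", "00:0e:8c:00:00:02"),
]

WINDOW = timedelta(seconds=10)  # assumed correlation window


def correlate_replay(events, window=WINDOW):
    """Return suspected replay incidents.

    Assumed rule: an IT IDS alert for a device, followed within `window` by a
    PNIO connection abort and then a re-establishment on the same device, is
    reported as a suspected device takeover with replayed traffic.
    """
    events = sorted(events, key=lambda e: e.ts)
    incidents = []
    for i, alert in enumerate(events):
        if alert.source != "it_ids":
            continue
        seen_abort = False
        for ev in events[i + 1:]:
            if ev.ts - alert.ts > window:
                break  # outside the correlation window
            if ev.source != "pnio" or ev.device != alert.device:
                continue
            if ev.kind == "ar_abort":
                seen_abort = True
            elif ev.kind == "ar_established" and seen_abort:
                incidents.append({"device": alert.device, "it_alert": alert.kind,
                                  "start": alert.ts, "end": ev.ts})
                break
    return incidents
```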


Keywords: Industrial networks, Replay attacks, Intrusion detection and prevention, Attack detection modeling, Defense in depth



Copyright information

© Springer-Verlag France SAS, part of Springer Nature 2018

Authors and Affiliations

Fraunhofer IOSB, Karlsruhe, Germany
