
Foundation Fieldbus - H1/HSE protocol and process network security

Foundation Fieldbus H1 (IEC 61158-2) and HSE (Ethernet) - architecture, lack of security mechanisms in H1, HSE segmentation options. OT Protocol Encyclopedia.

Jozef Sulwinski

Foundation Fieldbus (FF) is a communication protocol for process automation developed by the Fieldbus Foundation (now FieldComm Group) as a successor to the analog 4-20 mA current loop. Three features set it apart: it is fully digital, supports distributed control at the field device level (control in the field), and defines unified function blocks for different device types. Foundation Fieldbus is an IEC 61158 standard (types 1 and 5) and is used primarily in large process installations - refineries, petrochemical plants, power stations, and LNG facilities.

The protocol exists in two layers: H1 (field level) and HSE (plant level), which together create a hierarchical communication architecture within a process plant.

Architecture - H1 and HSE

| Parameter | Foundation Fieldbus H1 | Foundation Fieldbus HSE |
|---|---|---|
| Physical layer | IEC 61158-2 (MBP, Manchester) | Ethernet 100 Mbps |
| Speed | 31.25 kbps | 100 Mbps |
| Topology | Bus, point-to-point, tree | Star, ring (Ethernet) |
| Power | From the bus (2-wire, like HART) | Separate |
| Authentication | None | No native |
| Encryption | None | No native |
| Ex zone | Yes - intrinsically safe (FISCO) | No (plant level) |
| Range | Up to 1900 m (with repeaters) | Standard Ethernet |
| Control | In devices (control in the field) | In controller or devices |

H1 is the field layer - it connects pressure, temperature, flow, and level transmitters and control valves on a single pair of wires that simultaneously delivers power and data. The key feature of H1 is the ability to execute control algorithms (PID, cascade) directly in field devices, without the DCS controller as an intermediary. The LAS (Link Active Scheduler) - usually a controller or dedicated device - manages bus access by assigning time slots to devices.

HSE (High Speed Ethernet) is the plant layer - it connects DCS controllers, linking devices (H1/HSE bridges), operator workstations, and historian servers over a 100 Mbps Ethernet network. HSE carries the same function blocks and data model as H1, but on a faster medium.

Function blocks and control in the field

The distinguishing feature of Foundation Fieldbus is the function block model:

  • Transducer Block - interface with the physical sensor (e.g. reading pressure from the membrane)
  • Function Block - control algorithm (AI, AO, PID, characterizer) executed in the field device
  • Resource Block - device diagnostics and configuration

Function blocks in different devices can be linked together - e.g. an AI (Analog Input) block in a pressure transmitter linked to a PID block in a control valve creates a control loop without the DCS controller. This “control in the field” increases reliability - the loop operates even when communication with the controller fails.

TIP

Control in the field in Foundation Fieldbus H1 means that a compromised field device is a compromised control loop. In a classic DCS with HART, the device is just a sensor - control runs in the controller. This architectural model affects risk analysis per IEC 62443.

Security assessment

Foundation Fieldbus H1 has no security mechanisms:

  • No authentication - any device connected to the H1 segment can participate in communication, including modifying function blocks of other devices
  • No encryption - process values, configuration parameters, and control algorithms are transmitted in plaintext
  • LAS spoofing - an attacker can take over the Link Active Scheduler role, controlling the communication schedule on the bus and potentially blocking communication of selected devices
  • Function blocks as attack vector - the ability to remotely reconfigure PID blocks (changing setpoints, limits) has direct impact on the physical process

Foundation Fieldbus HSE runs on Ethernet, which means it inherits both the capabilities and the threats of IP networks:

  • Susceptible to standard network attacks (ARP spoofing, MAC flooding, VLAN hopping)
  • No native authentication and encryption in the FF application layer
  • But: standard network security mechanisms can be applied (firewalls, IDS, VLAN segmentation)

Specific risk of control in the field:

In a classic DCS architecture (with HART or Modbus RTU), the field device is a sensor/actuator, and the control algorithm runs in the DCS controller. Compromising the device means a false measurement or improper valve behavior, but the control loop in the controller can detect the anomaly.

In Foundation Fieldbus H1 with control in the field, compromising the field device means compromising the control algorithm - an attacker can change PID setpoints, limits, and regulation mode. This is a higher risk level requiring stronger physical protection of H1 segments.

Segmentation and protection

Protecting H1 segments (analogous to HART and PROFIBUS PA):

  1. Physical bus protection - junction boxes, intrinsic safety barriers, and junction box enclosures secured against unauthorized access
  2. Linking device as zone boundary - the device connecting H1 to HSE is a natural segmentation point. One linking device typically serves 2-4 H1 segments
  3. LAS monitoring - alert on changes to the device serving as Link Active Scheduler (potential attempt to take over bus schedule control)
  4. Reconfiguration lockout - after plant commissioning, function blocks should be protected against changes (write protection in DCS configuration)
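
One way to implement the LAS monitoring from item 3, added here as an example and not taken from the original article. It assumes a hypothetical passive bus monitor that exports one record per poll (time, segment, node address of the current LAS) and a commissioning baseline of the primary LAS and approved backup Link Masters; all segment names, addresses and the record format are constructed.

```python
from collections import namedtuple

# Constructed baseline: primary LAS and approved backup Link Masters per segment.
BASELINE = {
    "H1-01": {"primary": 0x10, "backups": {0x14}},
    "H1-02": {"primary": 0x10, "backups": set()},
}

# Constructed monitor records, one per poll: time, segment, current LAS address.
SAMPLE = """\
2024-05-01T08:00:00,H1-01,0x10
2024-05-01T08:00:00,H1-02,0x10
2024-05-01T08:05:00,H1-01,0x14
2024-05-01T08:10:00,H1-01,0x10
2024-05-01T08:15:00,H1-02,0xF8
2024-05-01T08:20:00,H1-02,0xF8
2024-05-01T08:25:00,H1-03,0x10
garbage line
"""

Alert = namedtuple("Alert", "time segment severity detail")

def las_alerts(text, baseline):
    """Alert on LAS role changes; an unchanged reading is not re-alerted."""
    current, alerts = {}, []          # current: segment -> last seen LAS address
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        try:
            ts, seg, addr = parts[0], parts[1], int(parts[2], 16)
        except (IndexError, ValueError):
            continue                  # malformed record
        prev, current[seg] = current.get(seg), addr
        if addr == prev:
            continue
        base = baseline.get(seg)
        if base is None:
            alerts.append(Alert(ts, seg, "warning", "segment has no baseline"))
        elif addr == base["primary"]:
            if prev is not None:      # first sighting of the primary is normal
                alerts.append(Alert(ts, seg, "info", "LAS role back on primary"))
        elif addr in base["backups"]:
            alerts.append(Alert(ts, seg, "warning", f"failover to backup LAS 0x{addr:02X}"))
        else:
            alerts.append(Alert(ts, seg, "critical", f"unapproved LAS 0x{addr:02X}"))
    return alerts

if __name__ == "__main__":
    for a in las_alerts(SAMPLE, BASELINE):
        print(*a)
```

A failover to an approved backup is still worth a warning, because it means the primary LAS stopped scheduling the segment.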

HSE (Ethernet) segmentation:

  1. Dedicated HSE network - Foundation Fieldbus HSE should run on a physically separate Ethernet network or at least in a dedicated VLAN with ACLs
  2. Firewall at HSE/IT boundary - traffic control between the HSE network and the plant IT network, with FF protocol inspection
  3. Linking device separation - separate HSE segments for different process areas (e.g. distillation, reactors, storage)
  4. Redundancy - HSE supports network redundancy (ring topology) - use it to increase resilience against DoS attacks
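
A check for items 1 to 3 above, added here as an example and not taken from the original article: it reads exported flow records and flags anything that crosses an HSE zone boundary outside an approved conduit. The subnets, zone names, conduit list and flow records are constructed; the port numbers are the IANA registrations for FF HSE (ff-annunc, ff-fms, ff-sm).

```python
import ipaddress

# Constructed zone plan: one HSE zone per process area plus the plant IT network.
ZONES = {
    "hse-distillation": ipaddress.ip_network("10.20.1.0/24"),
    "hse-reactors": ipaddress.ip_network("10.20.2.0/24"),
    "plant-it": ipaddress.ip_network("10.50.0.0/16"),
}
FF_HSE_PORTS = {1089, 1090, 1091}   # IANA: ff-annunc, ff-fms, ff-sm

# Approved conduits (constructed): (source zone, destination zone, destination port).
CONDUITS = {("hse-reactors", "plant-it", 443)}

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.20.1.10", "10.20.1.20", 1090),   # FF inside one HSE zone
    ("10.20.1.10", "10.20.2.20", 1090),   # FF between process areas
    ("10.50.3.7", "10.20.1.20", 1090),    # IT host speaking FF into HSE
    ("10.20.2.5", "10.50.0.9", 443),      # approved conduit
    ("10.50.3.7", "10.20.2.5", 3389),     # IT to HSE, no conduit
    ("192.0.2.9", "10.20.2.5", 1091),     # source outside the zone plan
]

def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def violations(flows):
    """Return (src_zone, dst_zone, port, reason) for flows that break the plan."""
    out = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz and sz != "unknown":
            continue                       # traffic that stays inside one zone
        if (sz, dz, port) in CONDUITS:
            continue                       # explicitly approved conduit
        reason = ("FF HSE traffic crossing a zone boundary"
                  if port in FF_HSE_PORTS else "flow outside approved conduits")
        out.append((sz, dz, port, reason))
    return out

if __name__ == "__main__":
    for v in violations(FLOWS):
        print(*v)
```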

Detailed guidelines for zones and conduits in process networks are described in our article on OT network segmentation.

TIP

Foundation Fieldbus is losing market share to Ethernet-APL (Advanced Physical Layer) - a new standard delivering 10 Mbps Ethernet on 2-wire with power, compatible with Ex zones. Ethernet-APL supports higher-layer protocols (PROFINET, OPC UA, HART-IP) with native TLS capability. If you are planning a new process installation, Ethernet-APL is the future direction.
