OT Cybersecurity | 5 min read

PROFIBUS - Siemens fieldbus protocol and industrial network security

PROFIBUS DP/PA - protocol architecture, RS-485/MBP physical layer, lack of security mechanisms and controller-level segmentation. OT protocol encyclopedia.

Józef Sulwiński
Tags: PROFIBUS, RS-485, fieldbus, Siemens

PROFIBUS (Process Field Bus) is a communication protocol developed in 1989 as part of a German research project that became an international standard under IEC 61158/IEC 61784. Maintained by PROFIBUS & PROFINET International (PI), it is one of the most widely deployed fieldbus protocols in the world - with over 50 million installed devices. PROFIBUS dominates in Siemens environments (SIMATIC S7-300/400/1500) but is supported by thousands of field device manufacturers.

Although newer installations increasingly use PROFINET (Ethernet), PROFIBUS DP remains the standard in existing manufacturing plants, refineries, power plants, and water utilities worldwide.

Protocol variants

PROFIBUS comes in two main variants, optimized for different applications:

Parameter       | PROFIBUS DP                                  | PROFIBUS PA
Physical layer  | RS-485 (EIA-485)                             | MBP (Manchester Bus Powered, IEC 61158-2)
Speed           | 9.6 kbps - 12 Mbps                           | 31.25 kbps (fixed)
Topology        | Bus, up to 126 devices                       | Bus, power + data on a single pair
Range           | 100 m (12 Mbps) - 1200 m (9.6 kbps)          | Up to 1900 m (with repeaters)
Authentication  | None                                         | None
Encryption      | None                                         | None
Application     | Factory - PLC communication with drives, I/O | Process - sensors and actuators in Ex zones
Hazardous area  | No (requires additional safeguards)          | Yes - intrinsically safe (Ex ia/ib)

PROFIBUS DP (Decentralized Peripherals) is the “factory” variant - fast communication between PLCs and distributed I/O modules, variable frequency drives, and robots. It runs on RS-485, offering speeds up to 12 Mbps.

PROFIBUS PA (Process Automation) is the “process” variant - communication with field instruments (pressure, temperature transmitters, flow meters) in process environments, including hazardous areas. MBP delivers power and data on a single wire pair, which is critical for intrinsically safe installations.

Communication architecture

PROFIBUS DP uses a multi-master model with token passing between masters (class 1 - PLC, class 2 - engineering stations) and slave polling:

  • Class 1 master (PLC) - cyclic data exchange with slaves at deterministic intervals
  • Class 2 master (engineering station, HMI) - acyclic diagnostic and configuration access
  • Slave (I/O module, drive) - responds only to master queries

The PROFIBUS frame contains source and destination addresses, a function code, and data - with no authentication or encryption fields whatsoever.

TIP

In Siemens environments, PROFIBUS DP is often the bridge between the PLC (S7-300/400) and field devices. Compromising the engineering station (e.g. via malware such as TRITON) gives an attacker the ability to configure slaves on the DP bus - including changing drive parameters and I/O module settings.

Security assessment

PROFIBUS has no native security mechanisms:

  • No authentication - any device with an address on the bus can participate in communication. Connecting an unauthorized class 2 master to the RS-485 segment provides full diagnostic access to all slaves
  • No encryption - process data (measurement values, output states, configuration parameters) is transmitted in the clear
  • No cryptographic integrity - the FCS (Frame Check Sequence) protects against transmission errors, not against manipulation
  • Token passing without verification - the token-passing mechanism between masters relies on addresses without authentication. An attacker can inject themselves into the token ring
  • GSD files as an attack vector - GSD (General Station Description) files describing device parameters are loaded into the engineering station. A manipulated GSD file can alter device configuration

PROFIBUS-specific threats:

Since RS-485 is a shared medium, every device on the bus sees all traffic. An attacker with physical access to any point on the bus can:

  1. Passively monitor process values and identify system configuration
  2. Inject frames impersonating a master or slave
  3. Conduct a denial-of-service attack by disrupting the token passing mechanism

Segmentation and protection

Protecting PROFIBUS networks requires combining physical safeguards with segmentation at the controller and supervisory network levels.

Physical protection:

  1. Access control for cabinets and cable routes - the RS-485/MBP bus must be physically protected. Every access point to the cable is a potential attack vector
  2. Unauthorized device detection - monitoring the number of devices on the bus (comparison with reference configuration in the PLC)
  3. Connector security - use lockable DB9/M12 connectors where possible

Controller-level segmentation:

  1. PLC as zone boundary - the PLC is a natural segmentation point. PROFIBUS DP/PA on one side, PROFINET/Ethernet on the other. The PLC should filter data passed between layers
  2. Separation of PROFIBUS DP and PA networks - the DP/PA link/coupler should be treated as a security zone boundary
  3. Restricting class 2 masters - engineering stations with diagnostic access to PROFIBUS should be in a dedicated zone with controlled access

Supervisory network segmentation:

  1. Firewall between PROFINET and PROFIBUS - when the PLC communicates upstream via PROFINET/Ethernet, the network interface requires firewall protection with DPI
  2. Traffic monitoring - OT IDS/NMS systems can analyze PROFIBUS traffic (via port mirror on a converter or gateway) and detect anomalies

Detailed guidelines for zones and conduits in industrial networks are described in the article on OT network segmentation.

TIP

When planning modernization, consider migration to PROFINET with security features (PROFINET Security, security class per IEC 62443). However, remember that PROFIBUS DP/PA will remain in existing installations for decades - investment in physical protection and controller-level segmentation pays off immediately.
