Protocol Encyclopedia | 7 min read

PROFINET - industrial real-time Ethernet. RT and IRT classes, security and segmentation

PROFINET per IEC 61158 - classes NRT, RT (EtherType 0x8892) and IRT. Cycles from 31.25 µs, PROFIsafe, DCP and attack vectors. Segmentation recommendations.

Józef Sulwiński
Tags: PROFINET, IEC 61158, layer 2, OT

PROFINET (Process Field Network) is an industrial communication standard based on Ethernet, governed by the PROFIBUS & PROFINET International (PI) organisation. The protocol is standardised under IEC 61158 (Type 10) and IEC 61784 and is one of the two dominant industrial Ethernet protocols in Europe (alongside EtherCAT), as well as the primary communication technology in the Siemens ecosystem.

PROFINET’s key design decision - using Ethernet frames directly with a dedicated EtherType 0x8892 for real-time traffic - means the protocol bypasses the TCP/IP stack and achieves deterministic cycle times, but at the same time few layer 3/4 security mechanisms are applicable to it.

Communication classes

PROFINET IO defines three communication classes with increasing levels of determinism:

| Class | Transport channel | Typical cycle | Use |
|---|---|---|---|
| NRT (Non-Real-Time) | TCP/IP (UDP) | ≥100 ms | Configuration, diagnostics, parameter files |
| RT (Real-Time) | Ethernet L2, EtherType 0x8892 | 250 µs - 512 ms | Cyclic I/O data exchange |
| IRT (Isochronous Real-Time) | Ethernet L2 with reserved time slots | 31.25 µs - 1 ms | Multi-axis synchronisation, Motion Control |

RT skips the TCP/IP stack, reducing overhead and transmission time. IRT additionally requires switches supporting bandwidth reservation and a common clock - the maximum cycle jitter is 1 µs.

RT packet structure

A PROFINET RT packet is encapsulated directly in an Ethernet frame without IP/UDP headers. After the Ethernet header (with EtherType 0x8892) comes:

| Field | Length | Purpose |
|---|---|---|
| FrameID | 2 bytes | Frame type identifier (RT, alarm, DCP, PTCP) |
| IO Data | variable | I/O exchange data |
| IOPS (Provider Status) | 1 byte per submodule | Sender status |
| IOCS (Consumer Status) | 1 byte per submodule | Receiver status |
| Cycle Counter | 2 bytes | Cycle counter |
| Data Status | 1 byte | Data validity |
| Transfer Status | 1 byte | Transmission status |
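As an added illustration (not code from the article or from PI), a small Python parser for the layout above: it strips an optional 802.1Q tag, checks EtherType 0x8892, classifies the FrameID and, for cyclic frames, reads the trailing Cycle Counter / Data Status / Transfer Status. The FrameID ranges, the DataStatus bit positions and the constructed sample frame are assumptions taken from the public pn_rt dissector conventions, not from this article; the cycle_gaps check goes one step further than the table and turns the Cycle Counter into a frame loss/insertion detector.

```python
import struct

PROFINET_ETHERTYPE, VLAN_ETHERTYPE = 0x8892, 0x8100
# DataStatus bits of the APDU status (bit layout assumed as in the pn_rt dissector)
DS_PRIMARY, DS_DATA_VALID, DS_PROVIDER_RUN, DS_STATION_OK = 0x01, 0x04, 0x10, 0x20
FRAME_CLASSES = [  # (low, high, name) - FrameID ranges assumed, see lead-in
    (0x0100, 0x0FFF, "IRT cyclic"), (0x8000, 0xBFFF, "RT cyclic"),
    (0xFC01, 0xFC01, "alarm high"), (0xFE01, 0xFE01, "alarm low"),
    (0xFEFC, 0xFEFF, "DCP"), (0xFF00, 0xFF43, "PTCP")]

def frame_class(frame_id):
    return next((n for lo, hi, n in FRAME_CLASSES if lo <= frame_id <= hi), "other")

def parse_profinet_frame(raw):
    """Describe one Ethernet frame; None if it does not carry EtherType 0x8892."""
    etype, off = struct.unpack("!H", raw[12:14])[0], 14
    if etype == VLAN_ETHERTYPE:  # RT frames are usually 802.1Q-tagged (priority 6)
        etype, off = struct.unpack("!H", raw[16:18])[0], 18
    if etype != PROFINET_ETHERTYPE:
        return None
    frame_id = struct.unpack("!H", raw[off:off + 2])[0]
    info = {"src": raw[6:12].hex(":"), "dst": raw[0:6].hex(":"),
            "frame_id": frame_id, "class": frame_class(frame_id)}
    if info["class"] not in ("RT cyclic", "IRT cyclic"):
        return info  # DCP, alarm and PTCP payloads have their own layouts
    # Cyclic layout: FrameID | C_SDU (IO data + IOPS/IOCS, padded to >= 40 bytes)
    #                | CycleCounter(2) | DataStatus(1) | TransferStatus(1)
    cycle, ds, ts = struct.unpack("!HBB", raw[-4:])
    info.update(io_data=raw[off + 2:-4], cycle_counter=cycle, transfer_status=ts,
                primary=bool(ds & DS_PRIMARY), data_valid=bool(ds & DS_DATA_VALID),
                provider_run=bool(ds & DS_PROVIDER_RUN), station_ok=bool(ds & DS_STATION_OK))
    return info

def cycle_gaps(frames, step):
    """Cyclic frames whose CycleCounter does not advance by `step` (units of 31.25 us,
    so 32 for a 1 ms cycle) from the previous frame of the same sender and FrameID."""
    last, gaps = {}, []
    for f in (f for f in frames if f and "cycle_counter" in f):
        key = (f["src"], f["frame_id"])
        if key in last and (last[key] + step) & 0xFFFF != f["cycle_counter"]:
            gaps.append((key, (last[key] + step) & 0xFFFF, f["cycle_counter"]))
        last[key] = f["cycle_counter"]
    return gaps

def sample_frame(cycle=0x1000, data_status=0x35):
    """Constructed VLAN-tagged RT class 1 frame: FrameID 0x8001, 40-byte C_SDU,
    DataStatus 0x35 = Primary + DataValid + Run + no station problem, TransferStatus 0."""
    hdr = bytes.fromhex("001b1baabbcc" "001b1b112233" "8100c000" "8892")  # dst, src, VLAN tag, EtherType
    return hdr + b"\x80\x01" + b"\x01\x80" + bytes(38) + struct.pack("!HBB", cycle, data_status, 0)
```

Feeding a pcap's frames through parse_profinet_frame and cycle_gaps with the cycle step of the installation (e.g. 32 for 1 ms) surfaces dropped or injected cyclic frames per sender without decoding the I/O payload.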

Device roles

PROFINET IO distinguishes three roles:

  • IO Controller - typically a PLC, initiates communication, reads inputs and writes outputs
  • IO Device - peripheral device (I/O module, drive, sensor) with cyclically exchanged data
  • IO Supervisor - engineering workstation (e.g. TIA Portal) for configuration and diagnostics

Device configuration is based on a GSDML file (XML describing modules, parameters and diagnostic messages).

PROFIsafe

PROFIsafe (PROFIsafe Specification / IEC 61784-3-3) is an extension of PROFINET for functionally safe communication (Safety Integrity Level up to SIL 3 per IEC 61508). The protocol uses a black channel - the safety layer is independent of transport medium reliability, allowing the same network to carry both standard and safety traffic.

PROFIsafe mechanisms:

  • Sequence number (protection against loss and replay)
  • Timeout (protection against delay)
  • Unique sender and receiver ID (protection against incorrect addressing)
  • Safety layer CRC (in addition to the Ethernet CRC)

DCP - Discovery and Configuration Protocol

PROFINET DCP uses FrameIDs in the range 0xFEFC-0xFEFF (0xFEFC = Hello, 0xFEFD = Get/Set, 0xFEFE = Identify Request, 0xFEFF = Identify Response). The protocol discovers devices on the segment and assigns network parameters (name, IP address), but provides no authentication - any device on the segment can send a DCP Set demanding a change of another device’s name or IP.

WARNING

A DCP attack consists of sending a DCP SET to an IO Device with a new name or address. The IO Device accepts the command without any authorisation. The result: the device becomes unavailable to the PLC (production outage) or ends up duplicated (address conflict). Tools such as PROFIshark or Scapy scripts can carry out such an attack in seconds.

PROFINET Security

PI released the PROFINET Security specification in 2020 (updated in 2024), introducing three security classes:

| Class | Scope |
|---|---|
| Security Class 1 | Integrity of DCP and RPC communication via HMAC-SHA2 |
| Security Class 2 | Class 1 + configuration encryption (AES-GCM) |
| Security Class 3 | Class 2 + encryption of RT traffic |

Deployment requires devices compliant with the specification. At the end of 2025, support is mainly limited to the latest controller generations (typically SIMATIC S7-1500 with the newest firmware) - the precise list of supported hardware should be verified with the vendor. Most of the installed PROFINET base does not support any security class and will not do so without hardware replacement.

Attack vectors

| Attack | Effect |
|---|---|
| DCP SET spoofing | Change of device name/IP, loss of communication with the PLC |
| Alarm injection | Injection of forged alarms into the PLC, forcing an HMI reaction |
| IO Data manipulation | Modification of cyclic values between PLC and I/O (without PROFIsafe) |
| Profinet-IO scanning | Enumeration of PROFINET topology (e.g. Metasploit scripts, PROFIshark) |
| PTCP abuse | Manipulation of time synchronisation (IRT) - degradation of determinism |

An attack on RT cyclic data between a PLC and a drive (without PROFIsafe) can, for example, craft the control frame so the drive receives a full-speed rotation command while reporting normal values to the PLC. The operator sees no anomaly while the machine operates outside specification.

Segmentation recommendations

  1. Dedicated OT zone for PROFINET - physical or logical separation from the IT network. PROFINET running directly at layer 2 is not filterable by a standard layer 3/4 firewall.
  2. No routing of PROFINET RT outside the segment - frames with EtherType 0x8892 should not leave the production zone. This is a simple rule on the edge switch.
  3. PROFIsafe for safety traffic - mandatory for SIL-rated elements. The black channel allows coexistence with standard traffic.
  4. Industrial IDS monitoring - Claroty, Nozomi and Dragos can decode PROFINET and detect anomalies (DCP SET, PLC mode change, unknown devices).
  5. PROFINET Security where possible - in new installations with controllers supporting the specification, enabling Security Class 1 is worth doing as a minimum.
  6. Engineering workstations on a separate VLAN - PLC access through TIA Portal should be restricted to specific IPs and authorised stations.

TIP

In Wireshark the filter pn_rt || pn_dcp shows all PROFINET traffic. The presence of DCP SET frames from an unexpected MAC address is an immediate flag - no standard engineering tool sends DCP SET outside planned configuration activity.

Analysis and monitoring tools

Wireshark decodes PROFINET natively:

| Wireshark filter | Use |
|---|---|
| pn_rt | All PROFINET Real-Time traffic |
| pn_dcp | Discovery and Configuration Protocol |
| pn_io | PROFINET IO (cyclic data + alarms) |
| pn_ptcp | Precision Transparent Clock Protocol (IRT synchronisation) |

PROFINET traffic samples for learning and dissector testing:

Zeek parsers (CISA ICSNPP):

Production anomaly monitoring supporting PROFINET (passive OT IDS):

  • Nozomi Networks Guardian - 200+ protocols, including PROFINET IO/DCP
  • Dragos Platform - 600+ protocols with deep layer 7 analysis
  • Claroty CTD / xDome - 450+ CPS protocols, operational anomaly detection

Open source passive mapping tools:

  • nsacyber/GRASSMARLIN - NSA Cybersecurity tool for passive mapping of ICS/SCADA topology (note: repository archived in April 2023, last release v3.2.1 from June 2017 - compatibility with newer protocols should be verified)

Summary

PROFINET is a mature protocol, dominant in European industrial installations and, in its typical configuration, almost entirely without security mechanisms. PROFINET Security from 2020 changes this, but adoption is slow. Until Security Classes 1-3 are widely deployed, the main line of defence remains physical segmentation and anomaly monitoring.

Related articles: EtherCAT (IEC 61158), PRP/HSR (IEC 62439-3).
