Protocol Encyclopedia

Ethernet POWERLINK - open source industrial Ethernet. Architecture and security

Ethernet POWERLINK (EPL) - deterministic industrial Ethernet with an open specification. EPSG, cycle model, motion control applications.

Józef Sulwiński

Tags: POWERLINK, EPL, EPSG, industrial Ethernet, OT

Ethernet POWERLINK (EPL) is a deterministic industrial communication protocol based on Ethernet, governed by the Ethernet POWERLINK Standardization Group (EPSG). Unlike PROFINET (PI) and EtherCAT (ETG), POWERLINK has an open specification available without licensing fees, and the reference implementation openPOWERLINK is published under the BSD license.

POWERLINK has gained a significant position in industrial automation: it is developed by B&R Industrial Automation (now part of ABB's portfolio) and is found in packaging, printing, textile and CNC machines. In Poland it appears less often than PROFINET, but it is present wherever the technology provider is B&R, Hirschmann (an infrastructure manufacturer) or another EPSG partner.

Cyclic architecture

POWERLINK divides time into communication cycles, in which data exchange takes place in strictly scheduled phases. This model provides determinism without requiring modifications to standard Ethernet hardware - ordinary switches or hubs with regular ports are sufficient.

A POWERLINK cycle consists of three phases:

  • Isochronous Phase - cyclic I/O data exchange between the Managing Node (MN) and the Controlled Nodes (CNs)
  • Asynchronous Phase - asynchronous communication (configuration, diagnostics)
  • Idle Phase - time reserve, buffer until the next cycle

The Managing Node (MN) - exactly one on the network - controls the cycle, sends a Start of Cycle (SoC) to all CNs, then sequentially sends PReq (Poll Request) queries to individual CNs. Each CN responds with a broadcast PRes (Poll Response), which allows other CNs to receive the frames (producer-consumer model).

Typical cycles: 200 µs to 10 ms, depending on the number of CNs and the data size. Jitter: <1 µs.

Physical layer

POWERLINK requires a star or bus topology built from hubs or switches. A key rule: during the Isochronous phase a POWERLINK segment cannot carry any traffic other than POWERLINK. If a switch is used, it must support prioritized forwarding (PriorityFlex); otherwise a hub (repeater) is recommended.

Typical network components:

  • Hubs - typically B&R, Hirschmann - guarantee deterministic propagation delay
  • Cut-through switches - modern solutions with low latency

Frame structure

POWERLINK encapsulates data directly in an Ethernet frame with EtherType 0x88AB:

  • Message Type - 1 byte - SoC, PReq, PRes, SoA, ASnd
  • Destination - 1 byte - target node ID
  • Source - 1 byte - source node ID
  • Data - 0-1490 bytes - payload (depends on frame type)

Frame types:

  • SoC (Start of Cycle) - MN → all CNs, start of cycle
  • PReq (Poll Request) - MN → a specific CN, data query
  • PRes (Poll Response) - CN → all, broadcast response
  • SoA (Start of Asynchronous) - MN → all, start of the asynchronous phase
  • ASnd (Asynchronous Send) - one asynchronous message per cycle

POWERLINK uses CANopen as the application layer - the same object model and device profiles (DS-401 I/O, DS-402 Drives, DS-403 HMI) familiar from the CAN bus. This allows manufacturers to migrate devices from CAN to Ethernet POWERLINK without changing the application layer.

WARNING

Ethernet POWERLINK does not include cybersecurity mechanisms - no authentication, integrity or encryption. The design assumption is that the POWERLINK network is a physically isolated segment of machine automation, sharing no medium with the IT network.

Attack vectors (analogous to EtherCAT):

  • MITM between MN and CN - modification of PReq/PRes, i.e. changes to drive setpoints
  • Frame injection - injection of forged SoC/SoA frames, disrupting cycle determinism
  • CN impersonation - spoofing a CN so that the MN accepts forged I/O data
  • Cycle desynchronization - disruption of the cycle sequence can halt the entire network

openSAFETY - the safety layer

Unlike other industrial protocols, POWERLINK has a defined safety layer, openSAFETY, standardized in IEC 61784-3-13 (FSCP 13, formerly EPSG DS 304). openSAFETY is agnostic to the transport medium: it can run over POWERLINK, EtherCAT, PROFINET, Modbus/TCP and even serial buses.

openSAFETY mechanisms:

  • Sequence number + timeout (protection against loss, replay, delay)
  • Safety CRC (independent of the medium CRC)
  • IDs unique to a sender-receiver pair
  • Safety Level up to SIL 3

Architectural recommendations

  1. Physical isolation of the POWERLINK network - like EtherCAT, POWERLINK should operate in a closed machine segment with no connectivity to the IT network
  2. openSAFETY for safety functions - mandatory for SIL elements, independent of the transport layer
  3. Firewall at the MN boundary - communication with the upper layer (SCADA, MES) through the MN with TCP/IP control, rather than open access to the POWERLINK network
  4. Cycle integrity monitoring - anomalies in cycle times or missing PRes may indicate manipulation
  5. Firmware updates via a controlled channel - openPOWERLINK supports CN update, which must be performed while maintaining a chain of trust
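The frame header described under "Frame structure" and the cycle integrity monitoring of recommendation 4, as an added example that is not part of the original article or of openPOWERLINK: it parses the 3-byte POWERLINK header behind EtherType 0x88AB and audits a constructed capture for a late SoC, MN-only frame types sent by another node, a PRes from an unlisted node, a CN that never answers its PReq, and foreign traffic in the segment. The message type codes, the default MN node ID 240 and the broadcast ID 255 follow the openPOWERLINK/Wireshark conventions and are not given on the page; the capture and the MAC addresses are constructed.

```python
import struct

EPL_ETHERTYPE = 0x88AB
# Message type codes (bits 0-6 of the first POWERLINK byte) as used by the openPOWERLINK
# stack and the Wireshark "epl" dissector; the page names the types but not the codes.
MSG_TYPES = {0x01: "SoC", 0x03: "PReq", 0x04: "PRes", 0x05: "SoA", 0x06: "ASnd"}
MN, BCAST = 0xF0, 0xFF  # default Managing Node ID (240) and broadcast node ID; CNs use 1-239

def parse_epl(frame: bytes):
    """Return (msg_type, dst_node, src_node) for a POWERLINK frame, else None."""
    if len(frame) < 17 or struct.unpack_from("!H", frame, 12)[0] != EPL_ETHERTYPE:
        return None
    return MSG_TYPES.get(frame[14] & 0x7F, "unknown"), frame[15], frame[16]

def audit_cycles(capture, expected_cns, cycle_us, tol_us):
    """capture: list of (timestamp_us, raw_frame). Split at each SoC, check the MN/CN roles."""
    anomalies, cycles, last_soc = [], [], None
    for ts, raw in capture:
        hdr = parse_epl(raw)
        if hdr is None:  # the segment must not carry foreign traffic
            anomalies.append(f"non-POWERLINK frame at {ts} us")
            continue
        mtype, _dst, src = hdr
        if mtype == "SoC":  # cycle boundary: compare the period with the configured cycle
            if last_soc is not None and abs(ts - last_soc - cycle_us) > tol_us:
                anomalies.append(f"cycle time {ts - last_soc} us outside {cycle_us}+/-{tol_us} us")
            last_soc = ts
            cycles.append(set())
        if mtype in ("SoC", "PReq", "SoA") and src != MN:  # only the MN may send these
            anomalies.append(f"{mtype} from node {src}, expected MN {MN}")
        if mtype == "PRes" and cycles:
            if src not in expected_cns:
                anomalies.append(f"PRes from unexpected node {src}")
            cycles[-1].add(src)
    for i, seen in enumerate(cycles):  # a CN that never answered its PReq
        for cn in sorted(set(expected_cns) - seen):
            anomalies.append(f"cycle {i}: missing PRes from CN {cn}")
    return anomalies

def epl_frame(mtype, dst, src):
    """Constructed test frame: dummy MACs, EtherType 0x88AB, 3-byte POWERLINK header."""
    code = {v: k for k, v in MSG_TYPES.items()}[mtype]
    return bytes(12) + struct.pack("!H", EPL_ETHERTYPE) + bytes([code, dst, src])

ARP = bytes(12) + b"\x08\x06" + bytes(28)  # constructed non-POWERLINK frame
# Constructed capture: three nominal 1000 us cycles with CNs 1 and 2 plus planted faults
# (CN 2 silent in cycle 1, foreign ARP, late SoC, PReq from node 7, PRes from node 9).
SAMPLE_CAPTURE = sorted([(ts, epl_frame(m, d, s)) for ts, m, d, s in [
    (0, "SoC", BCAST, MN), (100, "PReq", 1, MN), (150, "PRes", BCAST, 1), (200, "PReq", 2, MN),
    (250, "PRes", BCAST, 2), (600, "SoA", BCAST, MN), (1000, "SoC", BCAST, MN), (1100, "PReq", 1, MN),
    (1150, "PRes", BCAST, 1), (1200, "PReq", 2, MN), (1600, "SoA", BCAST, MN), (2040, "SoC", BCAST, MN),
    (2140, "PReq", 1, 7), (2150, "PRes", BCAST, 1), (2200, "PReq", 2, MN), (2250, "PRes", BCAST, 2),
    (2300, "PRes", BCAST, 9), (2600, "SoA", BCAST, MN)]] + [(1500, ARP)])
```

Running `audit_cycles(SAMPLE_CAPTURE, [1, 2], 1000, 5)` returns five findings; on a real segment the same checks would run over a Wireshark capture (filter `epl`) with the site's actual CN list and configured cycle time.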

Analysis tools

Wireshark supports POWERLINK (filter: epl).

Open source:

Production monitoring:

  • Nozomi Guardian, Dragos Platform, Claroty CTD/xDome - POWERLINK support within their dissectors, with varying levels of semantic coverage

Summary

Ethernet POWERLINK is an example of a well-designed, open industrial Ethernet protocol with deterministic properties. The EPSG open specification and the openPOWERLINK open source implementation make it a protocol accessible for analysis and integration, but, like other L2 protocols, it lacks native cybersecurity mechanisms. The defensive architecture rests on physical isolation and on openSAFETY mechanisms for critical functions.

Related articles: EtherCAT (IEC 61158), PROFINET.

Sources
