HART-IP - industrial HART on IP networks. A bridge between process devices and the cloud
HART-IP - HART encapsulation in TCP/UDP on port 5094. FieldComm Group specification, applications and connection security in process automation networks.
HART (Highway Addressable Remote Transducer) is one of the oldest field-communication protocols in process automation - used in millions of devices (pressure and level transmitters, valves, analysers) across petrochemical, power, water and wastewater, and pharmaceutical industries. Traditional HART is modulated onto a 4-20 mA current loop (with Bell 202 FSK frequencies) and transmitted alongside the analogue measurement signal.
HART-IP is the encapsulation of the HART protocol in TCP/UDP transport, introduced by the FieldComm Group for IP networks. It allows HART messages to be sent to and from process devices over standard network infrastructure, eliminating the need for a physical 4-20 mA loop between the configuration tool and the device.
Architecture
HART-IP is designed as a bridge between traditional HART and IP networks - it does not replace HART at the end-device layer; instead, it wraps HART messages in a TCP/UDP header. Typical architecture:
[HART Field Device] <-- 4-20 mA HART --> [HART Multiplexer/Gateway] <-- HART-IP (TCP/UDP) --> [Asset Management System]
The gateway role can be played by:
- HART Multiplexer - a device connected in parallel to the current loop, translating HART to HART-IP
- I/O Module with HART (e.g. Rosemount, Emerson, ABB) - native HART-IP interface in DCS I/O cards
- WirelessHART Gateway - a bridge between WirelessHART (IEEE 802.15.4 in the 2.4 GHz band) and HART-IP
The application layer is identical to traditional HART - the same universal commands (Common Practice Commands) and device-specific commands (Device-Specific Commands), the same parameter profiles. From the perspective of an Asset Management System (AMS, Emerson Plantweb, Yokogawa PRM, Siemens SIMATIC PDM), communication with the device via HART-IP looks identical to communication over a direct loop.
Ports and transport
HART-IP uses port 5094 for both transport protocols:
| Port | Protocol | Use |
|---|---|---|
| 5094/TCP | TCP | Configuration, diagnostics, non-synchronous operations |
| 5094/UDP | UDP | Real-time measurements and setpoints |
Transport split: UDP for real-time traffic (measurements, valve setpoints), TCP for non-real-time traffic (parameter configuration, diagnostics). This deliberate separation ensures that configuration operations do not disturb the measurement stream.
UDP detail: the first message (Initiate) is sent to port 5094, the response is sent from a dynamically chosen server port - the session continues on that port pair.
HART-IP messages
HART-IP defines a header that encapsulates standard HART frames:
| Header field | Length | Purpose |
|---|---|---|
| Version | 1 byte | HART-IP version (typically 1) |
| Message Type | 1 byte | Request, Response, Notification |
| Message ID | 1 byte | Message ID |
| Status | 1 byte | Status (for response) |
| Sequence Number | 2 bytes | Sequence number for request/response matching |
| Length | 2 bytes | Payload length |
| Payload | variable | Standard HART frame (PDU) |
The HART payload contains commands, device numbers and measurement parameters - identically to traditional HART on the current loop.
HART-IP security
WARNING
The baseline HART-IP specification does not require authentication or encryption. The FieldComm Group has published security guidance recommending a TLS layer, but adoption remains limited. In practice, most deployments rely on network segmentation as their sole protection mechanism.
Attack vectors:
| Attack | Effect |
|---|---|
| Command injection | Changing a valve setpoint, altering transmitter configuration |
| Measurement spoofing | False measurements reach the control system, causing incorrect decisions |
| MITM between gateway and AMS | Replacing firmware updates for field devices |
| Reconnaissance | Scanning port 5094 reveals the topology of the process installation |
In chemical or petrochemical plants, manipulation of a safety valve setpoint (SIS - Safety Instrumented System) can result in the release of a hazardous substance or in process parameters being exceeded. That is why separating the safety layer (SIS) from the DCS layer and from HART-IP is a fundamental principle aligned with IEC 61511 and IEC 62443.
HART-IP vs OPC UA
New deployments increasingly raise the question: HART-IP or OPC UA for process communication?
| Feature | HART-IP | OPC UA |
|---|---|---|
| Compatibility with HART field devices | Native (no translation) | Requires mapping in the gateway |
| Security | Weak (optional TLS) | Strong (native authentication, encryption) |
| Standardisation | FieldComm Group | IEC 62541 |
| Ecosystem maturity | Very high (legacy) | Growing |
In practice, HART-IP remains the natural choice for modernising existing installations (one-to-one integration with field devices), while OPC UA suits new integration layers between DCS, MES and cloud.
Implementation recommendations
- Dedicated network segment for HART-IP - traffic on port 5094 should not leave the process-automation zone
- Firewall controlling TCP/UDP 5094 - restrict HART-IP communication to known gateway-AMS pairs
- TLS wherever supported - newer gateways (Emerson, Endress+Hauser, Yokogawa) support HART-IP over TLS; enable it in the configuration
- SIS physically separated - safety systems do not use HART-IP; SIS instrumentation remains in a separate architecture
- Command-level anomaly monitoring - unusual SET commands on process devices should trigger alarms
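An added example, not from the original article, the FieldComm Group or any vendor: a small Python parser for the 8-byte header in the table above that extracts the HART command number from the payload and flags state-changing requests from hosts outside an allowlist, as the command-level monitoring recommendation describes. The numeric codes for Request and the token-passing PDU, the command list, the sample bytes and the addresses are assumptions made for this example.

```python
import struct

# Version, Message Type, Message ID, Status, Sequence Number, Length (8 bytes, big-endian)
HEADER = struct.Struct(">BBBBHH")
REQUEST, TOKEN_PASSING_PDU = 0, 3   # assumed numeric values; the page gives only names
# Partial list of state-changing HART commands, chosen for this example.
STATE_CHANGING = {6: "Write Polling Address", 17: "Write Message", 22: "Write Long Tag",
                  18: "Write Tag, Descriptor, Date", 35: "Write Primary Variable Range Values",
                  40: "Enter/Exit Fixed Current Mode", 42: "Perform Device Reset"}

def parse_message(data):
    """Split one HART-IP message into header fields plus the HART command number."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than the 8-byte HART-IP header")
    version, mtype, mid, status, seq, length = HEADER.unpack_from(data)
    payload = data[HEADER.size:]
    # The table gives Length as the payload size; a count that also covers the
    # header is accepted too (assumption). Anything else is truncated or malformed.
    if length not in (len(payload), len(data)):
        raise ValueError(f"Length {length} does not match {len(data)} bytes received")
    msg = {"version": version, "type": mtype, "id": mid, "seq": seq, "command": None}
    if mid == TOKEN_PASSING_PDU and payload:
        delimiter = payload[0]
        addr_len = 5 if delimiter & 0x80 else 1            # unique or polling address
        cmd_at = 1 + addr_len + ((delimiter >> 5) & 0x03)  # skip expansion bytes
        if cmd_at + 1 >= len(payload):
            raise ValueError("HART PDU ends before command and byte count")
        msg["command"] = payload[cmd_at]
    return msg

def check(src_ip, data, allowed_writers):
    """Return an alert string when a message warrants review, otherwise None."""
    try:
        msg = parse_message(data)
    except ValueError as exc:
        return f"malformed HART-IP message from {src_ip}: {exc}"
    name = STATE_CHANGING.get(msg["command"])
    if msg["type"] == REQUEST and name and src_ip not in allowed_writers:
        return f"{src_ip} sent command {msg['command']} ({name}), seq {msg['seq']}"
    return None

# Constructed samples (made-up device address): a read (command 3) and a write (command 35).
SAMPLE_READ = bytes.fromhex("0100030000070009" "822606aabbcc03007c")
SAMPLE_WRITE = bytes.fromhex("0100030000080012" "822606aabbcc2309" + "00" * 9 + "55")
AMS_HOSTS = {"192.0.2.10"}   # constructed allowlist of hosts expected to configure devices

if __name__ == "__main__":
    for s in (SAMPLE_READ, SAMPLE_WRITE, SAMPLE_WRITE[:-3]):
        print(check("192.0.2.99", s, AMS_HOSTS))
```

Device-specific commands are not classified here; in a real deployment the command list would come from the device descriptions in use, and TCP traffic would need stream reassembly before messages are passed to the parser.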
Analysis tools
Wireshark decodes HART-IP (filter: hart_ip).
Zeek parsers (CISA ICSNPP):
- cisagov/icsnpp-hart-ip - HART-IP parser for Zeek
PCAP samples:
- automayt/ICS-pcap - ICS PCAP collection
- Orange-Cyberdefense/awesome-industrial-protocols - HART references
Production monitoring:
- Nozomi Guardian, Dragos Platform, Claroty CTD/xDome - HART-IP support as part of process-installation monitoring
Summary
HART-IP extends the life of the HART ecosystem in the IP era, enabling field-asset management to be deployed without having to replace devices with newer technology. The protocol is mature, widely deployed in batch and continuous processes, but carries the security limitations characteristic of older OT designs - the network layer remains the primary protective mechanism.
Sources
- FieldComm Group - HART-IP Technical Description - official specification
- FieldComm Group - HART Protocol Specifications - full HART specification library
- Wireshark HART-IP dissector - analysis documentation
- CISA ICSNPP - HART-IP parser - Zeek parser