Upon analyzing the network’s data traffic for Profinet communication, I discovered various types of packets. In order to better understand the traffic, I documented the details of each packet and attempted to develop corresponding actions.
Following are types of Profinet communication:
Profinet CBA
The PROFINET CBA is a component-based communication over TCP/IP used to establish communication between PLCs (Programmable Logic Controllers) in a modular way. PROFINET IO, in turn, describes communication from the standpoint of distributed or decentralise periphery I/Os.
It allows real time communication and isochronous real time communication (IRT), which takes into account data processing cycles and is based on a real time system cascade. The PROFINET IO is designed for a rapid exchange of data between Ethernet-based field devices, possessing, on master/slave fashion way.
NetBIOS Name Service
NBNS (NetBIOS Name Service) frames. These events stem from the fact that computer is running Windows operating system, which has a native WINS service (Windows Name Service). WINS Generates NBNS requests, similar to the DNS (Domain Name Service), though more restricted, since only operate in the Windows environment, for name resolution.
Some of the network packets can be shown here:
Case1: When the configuration download is ongoing
The configuration download like firmware transfer from some device to the controller is happening here and it can be seen that the PNIO-CM protocol is being used for this communication.
Case 2: When IO data exchange is happening
The IO data exchange is happening using the PNIO protocol and it can be seen from the network traffic. IO data exchange communication is a type of data transfer that occurs between S7 PLCs using a specific protocol. This protocol facilitates the exchange of input and output (IO) data between the PLCs, allowing them to communicate and coordinate their actions. The IO exchange communication typically involves the exchange of data packets between the PLCs, with each packet containing information about the state of the IO devices connected to the respective PLC
Case 3: Time synchronisation
Case 4: ICMP for network connection check
Case 5:LLDP From the traffic analysis
LLDP, which stands for Link Layer Discovery Protocol, is a networking protocol that enables devices connected to a local network to discover and communicate with each other. In the context of S7 PLCs, LLDP communication allows PLCs to automatically discover and establish connections with other devices on the same network. This is achieved through the exchange of LLDP packets, which contain information about the device, such as its identity, capabilities, and network location.
Cybersecurity Strategy
From the traffic analysis posted above it can be concluded that in the PROFINET communication for the different task there is a sub protocol is defined. As for the data exchange with the IO only the PNIO is used as this is real time (RT) protocol with dedicated time slot for data exchange.
For both IO exchange communication and LLDP communication in S7 PLCs, it is important to consider cybersecurity measures to protect against potential vulnerabilities and attacks. These protocols rely on the exchange of data packets, which can potentially be intercepted, manipulated or exploited by malicious actors.
To ensure the security of IO exchange and LLDP communication in S7 PLCs, it is recommended to implement measures such as network segmentation, access control, encryption, intrusion detection and prevention systems, and regular vulnerability assessments and security updates.
It is also important to follow best practices for password management, system configuration, and user training to minimize the risk of human error and social engineering attacks.
By implementing these measures, S7 PLCs can maintain the integrity, confidentiality, and availability of their IO and LLDP communication and minimize the risk of cyberattacks.
