9.2 PROFINET installation guidelines

General notes on data security

The topic of data security and access protection has become increasingly important in the industrial environment. The increased networking of entire industrial systems to the network levels within the company, together with remote maintenance functions, has served to increase vulnerability.

Threats can arise from internal manipulation such as technical errors, operator and program errors, or from external manipulation such as software viruses and worms, trojans and password phishing.

Precautions

The most important precautions to prevent manipulation and loss of data security in the industrial environment are:

- Encrypting the data traffic by means of certificates.
- Filtering and inspection of the traffic by means of VPN ("Virtual Private Networks").
- Identification of the nodes by authentication via secure channels.
- Segmenting into protected automation cells, so that only devices in the same group can exchange data.

Guidelines for information security

With "VDI/VDE 2182 sheet 1", Information Security in the Industrial Automation - General procedural model, VDI guidelines, the VDI/VDE Society for Measuring and Automation Engineering has published a guide for implementing a security architecture in the industrial environment. The guideline can be found at www.vdi.de

PROFIBUS & PROFINET International (PI) can support you in setting up security standards by means of the "PROFINET Security Guideline". More on this can be found at the corresponding web site, e.g. www.profibus.com

Industrial Ethernet

Because PROFINET is an open standard, standard Ethernet components may be used. For industrial environments, and because of the high transfer rate of 100 Mbit/s, your PROFINET system should consist of Industrial Ethernet components.

Topology

All the devices interconnected by switches are located in one and the same network. All the devices in a network can communicate directly with each other.

A network is physically limited by a router. If devices need to communicate beyond the limits of a network, you have to configure the router so that it allows this communication to take place.

Linear

With the linear structure all the communication devices are connected via a linear bus topology. Here the linear bus topology is realized with switches that are already integrated into the PROFINET device.

If a communication member fails, communication across the failed member is no longer possible.

Star

If you connect communication devices to a switch with more than 2 PROFINET ports, you automatically create a star network topology.

If an individual PROFINET device fails, this does not automatically lead to failure of the entire network, in contrast to other structures. It is only if a switch fails that part of the communication network will fail as well.

Ring

In order to increase the availability of a network, both open ends of a linear bus topology may be connected by a switch. By configuring the switch as redundancy manager, it ensures that on a break in the network the data is redirected over an intact network connection.
System 300S | Deployment Ethernet communication - PROFINET | PROFINET installation guidelines
HB140 | CPU | 315-4PN23 | en | 18-02