No Need to Marry to Change Your Name! Attacking Profinet IO Automation Networks Using DCP

2019 
Current developments in digitization and Industry 4.0 pose new challenges for automation systems. To enable interoperability and vertical integration of corporate management systems, these networks have evolved from formerly proprietary solutions to Ethernet-based communication and internet standards. This development is accompanied by an increase in the number of threats. Although the most critical IT protection objective for automation systems is availability, usually no security mechanisms have been integrated into automation protocols. Ethernet also offers no protection by design for these protocols. One of the most popular real-time protocols for industrial applications is Profinet IO. In this paper, we describe a Denial-of-Service attack on Profinet IO that exploits a vulnerability in the Discovery and Basic Configuration Protocol (DCP). The attack interrupts the Application Relationship between an IO Controller and an IO Device, and thus prevents the system from being repaired by the operator. The attack combines port stealing with the sending of forged DCP packets and causes a system downtime, which in affected production networks will probably lead to serious financial damage and, in the case of critical infrastructures, even represents a high risk to the supply of society. We demonstrate the practical feasibility of the attack using realistic hardware and scenarios and discuss its significance for other setups as well.