Security Extensions Profinet


Nuremberg, Germany

14.– 16.3.2023

CONFERENCE PROCEEDINGS
www.embedded-world.eu

embedded world Conference 2023
ISBN 978-3-645-50197-2

Conference Chair:
Prof. Dr.-Ing. Axel Sikora, Hochschule Offenburg / Hahn-Schickard-Gesellschaft

Steering Board:
Prof. Dr.-Ing. Peter Fromm, Hochschule Darmstadt
Dr.-Ing. Bernd Hense
Joachim Kroll, Editor-in-Chief DESIGN&ELEKTRONIK
Prof. Dr. Dirk Pesch, University College Cork

Copyright
©2023 WEKA FACHMEDIEN GmbH, Richard-Reitzner-Allee 2, 85540 Haar, Germany,
phone: + 49. (0) 89.255 56 – 1000, e-mail: info@weka-fachmedien.de
This special publication is licensed under CC BY 4.0.
You are free to:
Share – copy and redistribute the material in any medium or format.
Adapt – remix, transform, and build upon the material for any purpose, even commercially.
The publisher, his employees and agents exercise the customary degree of care in accepting and checking conference papers, but
are not liable for misleading or deceiving conduct by the client.
embedded world Conference 2023
embedded.responsible.sustainable
Prof. Dr.-Ing. Axel Sikora
Chairman of embedded world Conference

Welcome to the 21st edition of embedded world Exhibition & Conference held in Nuremberg in March 2023! The unique combination of an exhibition for engineers and technical management and a world-leading conference at the intersection of applied research and industrial applications has proven extremely successful. embedded world is driven by technology as well as by applications with a strong focus on system and cross domain aspects.

In the embedded world, we see three mega-trends that are defining the slogan of this year’s edition:

embedded: We are seeing an ongoing use of embedded systems in all smart and connected applications. The complexity of dependable electronic and software systems is ever increasing considering aspects such as reliability and resilience, safety and security, embedded software architectures and hardware-software-co-design, RTOS integration and virtualization, value, production and supply chains, and many many more.

responsible: With the continuous increase of complexity we are reaching new levels of dependability of embedded systems. Already today many systems are so complex and have so many subsystems that individual stakeholders are not any longer able to grasp the complexity of the overall system.

Also, embedded systems can be used for beneficial purpose – like sustainability, but also for malicious applications around societal and political supervision, criminal applications, and alike. We feel that the embedded community should be held responsible for these applications ….

sustainable: Sustainability is another mega-trend with two facets for the embedded world:

Embedded systems are a cornerstone for making their host systems efficient and sustainable. Think of efficient combustion engines, of electric cars, of smart grids, of home automation, of all these thousands of smart systems ….

On the other side, we need to think about how to make embedded systems sustainable. This does not only include clean and efficient production with minimum shipment, but also updatability, repairability, and energy autonomy.

The 21st edition of the embedded world delivers a thrilling programme structured along 9 tracks. The programme features a total duration of 200 nonstop hours of knowledge delivery and exchange.

• All 65 sessions will not only include 195 presentations, but also offer Q&A rounds in each session amongst speakers and participants.
• We will have three first-class keynotes from top notch industry and academic leaders, including
   On Tuesday, Daniel Cooley, CTO of Silicon Labs, will talk on “Charting the Connected Future”.
   Wednesday will see a keynote by Prof. Hessami, Chair IEEE P7000 Technology Ethics Standard committee, on ethical and responsibility engineering
   Prof. Dr. Albert Heuberger, director of the renowned Fraunhofer IIS institute, will deliver a keynote on “Chip Design and Production: Perspectives and role in Europe’s Competitiveness” on Thursday.
• 18 half- or full day classes will enable an in-depth knowledge transfer of relevant and actual embedded systems topics.
• We will also feature six plenary panel discussions not only on hot technological topics, like embedded vision, but also about societal aspects such as “Sustainability and IoT”, “Responsible AI”, “EU Cyber Resilience Act”, and “Supply Chain Challenges”.

Let me also highlight the positive and fruitful collaboration with a range of communities, alliances, and interest groups. We organized and are running special sessions with alliances such as the Bluetooth SIG, HiPEAC, MIPI Alliance, MISRA, OSADL, or the RISC-V Foundation. This makes the embedded world truly a community of communities. We are grateful for this collaboration.

embedded world 2023 will cover all aspects of the development and application of embedded systems, from fundamental technologies to development processes and special fields of applications. It is one of the central strengths of the event to be cross-sectoral and interdisciplinary. The conference provides a platform to bring together experts from different domains and application areas of embedded systems in order to promote a holistic system design perspective, to identify synergies and commonalities, and to strengthen the exchange of knowledge and experience.

The steering board of embedded world 2023 wishes all participants stimulating discussions about new ideas and solutions enabling the community to more easily and efficiently cope with the immense challenges that lie ahead for our industry and society. We welcome you to gain great insights in a pulsating atmosphere.

Best regards & stay safe!

Prof. Dr.-Ing. Axel Sikora
Chairman of embedded world Conference

Security Extensions for PROFINET
Concepts, Status, and Prospects

Prof. Dr.-Ing. Karl-Heinz Niemann
Institute for Sensor Technology and Automation
Hannover University of Applied Sciences and Arts
Hannover, Germany
karl-heinz.niemann@hs-hannover.de

Andreas Walz, Prof. Dr.-Ing. Axel Sikora
Institute of Reliable Embedded Systems and Communication Electronics (ivESK)
Offenburg University of Applied Sciences and Arts
Offenburg, Germany
{andreas.walz, axel.sikora}@hs-offenburg.de

Abstract— Operators of production plants are increasingly emphasizing secure communication, including real-time communication, such as PROFINET, within their control systems. This trend is further advanced by standards like IEC 62443, which demand the protection of realtime communication in the field. PROFIBUS and PROFINET International (PI) is working on the specification of the security extensions for PROFINET (“PROFINET Security”), which shall fulfill the requirements of secure communication in the field.

This paper discusses the matter in three parts. First, the roles and responsibilities of the plant owner, the system integrator, and the component provider regarding security, and the basics of the IEC 62443 will be described. Second, a conceptual overview of PROFINET Security, as well as a status update about the PI specification work will be given. Third, the article will describe how PROFINET Security can contribute to the defense-in-depth approach, and what the expected operating environment is. We will evaluate how PROFINET Security contributes to fulfilling the IEC 62443-4-2 standard for automation components.

Two of the authors are members of the PI Working Group CB/PG10 Security.

Keywords—industrial security; PROFINET

I. INTRODUCTION

Ethernet-based realtime communication, like PROFINET, is gradually becoming prevalent in the automation domain and is replacing fieldbus technology. In factory automation, realtime Ethernet has been standard for many years. The process industry is catching up and increasingly uses realtime Ethernet like PROFINET in chemical plants, the pharmaceutical industry, water and waste water and other applications [1]. With the use of two-wire Ethernet, even the communication with single sensors via Ethernet (Ethernet APL) [2] is possible. The use of a single, converged network enables many other use cases, like direct access to sensors for computerized maintenance systems (CMMS). These new integration features demand improved security features of the underlying communication protocol.

PROFINET was developed in the 1990s. At that point in time, IT security for production systems (here called OT security) was not an issue. The main protective measure was the separation of the OT network from the IT network, also known as “cell protection”. With the increasing integration of applications in the context of Industry 4.0 and the increasing number of cyber-attacks in the automation domain [3–5], the protection of realtime communication protocols in the OT domain is key.

PROFIBUS and PROFINET International (PI) works on security extensions for PROFINET to provide cryptographic protection of PROFINET protocol exchanges, including realtime communication. This paper will provide an overview of the security extensions for PROFINET, which shall be referred to as “PROFINET Security” in the following. It reflects the activities of the working group CB/PG10 (“Security”) within PI.

The work presented herein is the result of concerted effort of many experts and not just the authors of this article. The authors would like to thank all involved persons for the fruitful and inspiring cooperation and the valuable contributions.

One of the main objectives of PROFINET Security is to provide technical measures to address the security requirements laid out by IEC 62443, a series of standards focused on OT security. Therefore, the main part of our article starts with an overview of IEC 62443 (Chapter II). It is followed by a conceptual overview of PROFINET Security (Chapter III). Chapter IV discusses how PROFINET Security can act as a building block to implement secure industrial automation in accordance with IEC 62443. Finally, Chapter V provides a summary and concludes with an outlook.

II. IEC 62443 OVERVIEW

The IEC 62443 series of standards focuses on OT security. In the final expansion it will consist of 15 parts, of which two are the most relevant for manufacturers.

• Part IEC 62443-4-1 [6] defines a secure development workflow. It describes the organizational and procedural

measures that a manufacturer of automation components and systems has to observe, which encompass, among other things: training of the staff, risk analysis, security specification, security implementation, security test, user documentation.
• Part IEC 62443-4-2 [7] defines the security specific requirements for components, such as: user authentication, secure communication, software integrity, integrity of software updates, event logging and much more.

The IEC 62443 series of standards defines different roles in the security process. Figure 1 maps these roles to the different building blocks of an automation system and the respective stakeholder.

Figure 1: Roles in the security process [8]

The PROFINET protocol specification constitutes the foundation of the security process. On this basis the other stakeholders build the protocol stacks, the components and the systems. Each of these stakeholders has its own responsibility in this process, which goes beyond the pure view on the communication. The following chapters will focus on PROFINET Security, which is the basis for secure realtime communication in the field with PROFINET. Further information can be found in [8].

III. PROFINET SECURITY: CONCEPTUAL OVERVIEW

In the following, we provide a conceptual overview of PROFINET Security as defined and specified by PI [9–11].

A. PROFINET Security Classes and Secure Application Relations

With PROFINET Security, three so-called Security Classes are defined, called Security Classes 1, 2 and 3. Security classes classify PROFINET component and tool capabilities. Higher security classes comprise the capabilities of lower security classes.

Compared to classical PROFINET, Security Class 1 introduces improved configuration capabilities for network management (SNMP) and device discovery and configuration (DCP) protocols. Additionally, it introduces a mechanism for PROFINET component manufacturers to cryptographically sign device description (GSD) files. Its use is mandatory for Security Class 1 components. However, Security Class 1 does not introduce any cryptographic mechanisms for protecting PROFINET protocol exchanges. A summary of Security Class 1 features can be found in a dedicated PI Guideline [12]. We will focus on Security Classes 2 and 3 in the following.

The major novelty introduced with Security Classes 2 and 3 is the option for built-in cryptographic protection of PROFINET protocol exchanges. Between PROFINET components supporting at least Security Class 2, so-called Secure Application Relations (secure ARs) can be established.

Figure 2 illustrates the PROFINET Application Relations (AR) that Security Classes 2 and 3 allow to be turned into secure ARs: these are the so-called Controller ARs between a Controller and a Device (e.g. remote IOs) as well as so-called Supervisor ARs between a Supervisor and a Device. The following chapters will focus on the application relations in Figure 2 marked in green.

Figure 2: PROFINET application relations [11]

Secure ARs differ from classical (plain) PROFINET ARs mainly in the following ways:

• The two involved PROFINET endpoints must mutually authenticate using public-key certificates before relevant PROFINET communication may occur within the secure AR.
• Traffic of all Communication Relations (CRs) occurring under the umbrella of the secure AR is protected using state-of-the-art symmetric cryptography.
• The invocation of operations and services through the secure AR can be protected by role-based access control mechanisms.

An illustration of a secure AR is provided in Figure 3.

Note that PROFINET Security does not cover non-PROFINET interfaces. In particular, communication between an engineering station and a Controller, as well as authentication of human users, is out of scope for PROFINET Security. The respective manufacturer is responsible for addressing related security requirements.

The cryptographic mechanisms offered by Security Classes 2 and 3 cover integrity protection and confidentiality for acyclic

communication (i.e., Record data and Alarm CRs), and integrity protection for cyclic realtime communication (i.e., IO data CRs). The key difference between Security Classes 2 and 3 is that Security Class 3 additionally offers confidentiality for cyclic realtime communication. Table 1 summarizes the cryptographic features of Security Classes 1 to 3.

Figure 3: PROFINET secure application relation. Just like for plain ARs, a secure AR comprises multiple CRs. Each CR inside a secure AR is cryptographically protected using symmetric cryptography. Certificate-based endpoint authentication and cryptographic key establishment is integrated into the Record data CR.

TABLE I. SECURITY FUNCTIONS SUPPORTED BY PROFINET SECURITY (M: mandatory, –: not supported, √: enabled by default)

Highest mutually supported Security Class | GSD: integrity protection | Record data CRs: integrity protection | Record data CRs: confidentiality | IO data CRs: integrity protection | IO data CRs: confidentiality | Alarm CRs: integrity protection | Alarm CRs: confidentiality
1 | M | – | – | – | – | – | –
2 | M | √ | √ | √ | – | √ | √
3 | M | √ | √ | √ | √ | √ | √

While integrity protection is always enabled for all CRs within a secure AR, confidentiality may be enabled or disabled for CRs individually. The owner/operator actively needs to disable confidentiality during engineering, if it is supported but not desired. Reasons to do so may be the need to enable on-the-wire diagnosis or simply performance limitations possibly implied by confidentiality.

More generally speaking, enabling certain cryptographic security features may come with a degradation of the supported cycle time on IO data CRs or the number of secure ARs simultaneously manageable by a Controller. In case of conflicting requirements, careful weighing must be done. In practice, it can be assumed that confidentiality of cyclic IO data is rarely required.

B. Cryptographic Algorithms and Protocols

PROFINET Security resorts to existing security standards and technology as much as technically possible. It uses strong, well-known, and widely accepted cryptographic algorithms and protocols.

PROFINET Security is designed for extensibility and crypto agility: support for new cryptographic algorithms and protocols may be added easily if, for instance, required by national regulations or because today’s choices get broken.

PI has carefully selected an initial set of cryptographic algorithms and protocols.

For endpoint authentication and cryptographic key establishment, PROFINET Security uses the Transport Layer Security (TLS) protocol [13] wrapped into the Extensible Authentication Protocol (EAP) [14]. EAP-TLS is part of the IEEE 802.1X standard for Port-Based Network Access Control [15]. The public-key certificates for PROFINET Security are based on the IEEE 802.1AR standard on Secure Device Identity [16], using elliptic curve cryptography (ECC) with curves Curve25519, Curve448, NIST P-256, or NIST P-521.

For integrity protection and confidentiality of communication relations within secure ARs, the Advanced Encryption Standard (AES) with 256-bit keys in Galois Counter Mode (GCM) is used. AES-GCM is a member of the Authenticated Encryption with Associated Data (AEAD) class of algorithms [17]. It can be operated in both integrity-and-confidentiality as well as integrity-only mode.

Note that, while PROFINET Security relies on the TLS protocol as described above, it does so only for endpoint authentication and cryptographic key establishment. This is a property intentionally inherited from the EAP-TLS protocol, which is mainly driven by the handshake layer of TLS. For bulk data exchanges occurring within the CRs of secure ARs, PROFINET Security uses an approach that is similar, yet not identical, to the record layer of TLS.
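
Added example, not taken from the paper or from the PI specification: AES-256-GCM applied to one CR frame in the integrity-only and the integrity-and-confidentiality mode, with confidentiality chosen per CR as in Table I. The 10-byte header, the counter-derived nonce, the key and the payload are assumptions constructed for illustration; the paper does not describe the PROFINET Security frame format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// CRType names the CR kinds from the paper; the numeric encoding is an assumption.
type CRType byte

const (
	RecordData CRType = iota
	IOData
	Alarm
)

// hdrLen is the size of the hypothetical header: CR type | encrypted flag | 64-bit counter.
const hdrLen = 10

// confidentialityOffered follows Table I: Class 2 omits confidentiality for IO data CRs only.
func confidentialityOffered(class int, cr CRType) bool {
	return class == 3 || (class == 2 && cr != IOData)
}

// newAEAD builds AES-GCM; a 32-byte key selects AES-256.
func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// nonceFor derives the 96-bit nonce from the counter, unique as long as the counter is.
func nonceFor(seq []byte) []byte {
	nonce := make([]byte, 12)
	copy(nonce[4:], seq)
	return nonce
}

// protectFrame always authenticates header and payload. The payload is also encrypted
// when the class offers confidentiality for this CR and the operator has not disabled it.
func protectFrame(aead cipher.AEAD, class int, cr CRType, disableConf bool, seq uint64, payload []byte) []byte {
	encrypt := confidentialityOffered(class, cr) && !disableConf
	hdr := make([]byte, hdrLen)
	hdr[0] = byte(cr)
	if encrypt {
		hdr[1] = 1
	}
	binary.BigEndian.PutUint64(hdr[2:], seq)
	nonce := nonceFor(hdr[2:])
	if encrypt { // header is associated data, payload becomes ciphertext
		return aead.Seal(append([]byte{}, hdr...), nonce, payload, hdr)
	}
	// Integrity-only: empty plaintext, so the output is header | clear payload | 16-byte tag.
	aad := append(append([]byte{}, hdr...), payload...)
	return append(aad, aead.Seal(nil, nonce, nil, aad)...)
}

// verifyFrame checks the tag and returns the payload. Any change to header, payload or
// tag is rejected, including a flipped encrypted flag.
func verifyFrame(aead cipher.AEAD, frame []byte) ([]byte, error) {
	if len(frame) < hdrLen+aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	hdr := frame[:hdrLen]
	nonce := nonceFor(hdr[2:])
	if hdr[1] == 1 {
		return aead.Open(nil, nonce, frame[hdrLen:], hdr)
	}
	split := len(frame) - aead.Overhead()
	if _, err := aead.Open(nil, nonce, frame[split:], frame[:split]); err != nil {
		return nil, err
	}
	return frame[hdrLen:split], nil
}

func main() {
	aead := newAEAD(bytes.Repeat([]byte{0x42}, 32)) // constructed demo key
	data := []byte("valve=open;rpm=1450")           // constructed IO payload
	c2 := protectFrame(aead, 2, IOData, false, 1, data)
	c3 := protectFrame(aead, 3, IOData, false, 2, data)
	fmt.Println("class 2 IO payload readable on the wire:", bytes.Contains(c2, data))
	fmt.Println("class 3 IO payload readable on the wire:", bytes.Contains(c3, data))
	c2[hdrLen] ^= 0x01 // one payload bit changed in transit
	_, err := verifyFrame(aead, c2)
	fmt.Println("tampered class 2 frame rejected:", err != nil)
}
```

A receiver would additionally track the last accepted counter per CR to reject replayed frames, which this sketch leaves out.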


C. Coexistence of Secure and Plain ARs

Secure ARs and plain ARs (ARs without security functionality) can coexist without interference. This holds true within a single network, within a single PROFINET IO system, and at a single PROFINET endpoint.

To prevent a PROFINET component from unintentionally accepting plain AR establishment requests, a security configuration parameter, called Security Mode, is introduced. The Security Mode is a binary and persistent parameter (= ANY or PROTECTED), which exists once for each PROFINET component that supports Security Class 2 or 3. If set to PROTECTED, the component will accept incoming ARs only if they are secure ARs. It is the owner’s/operator’s responsibility to set the Security Mode of components appropriately. Setting its value is subject to authorization as provided within secure ARs.

Figure 4 provides an example of the coexistence of secure and plain ARs.

Figure 4: Coexistence example of secure and plain ARs. The figure shows a simple PROFINET IO system with one Controller and three Devices. An optional Supervisor entity is also present. The Controller maintains secure and plain ARs to different Devices in parallel. The Supervisor establishes secure and plain ARs to some Devices one after the other. A Device with its Security Mode set to “ANY” accepts secure and plain ARs, otherwise only secure ARs.

D. Security Configuration and Certificate Management

In order to allow for secure PROFINET communication among the components of a PROFINET IO system, a coordinated management of security configurations, public-key certificates, keys, and trust anchors is necessary.

Note that, in the following, we use the term “certificate” as a synonym for “public-key certificate”. It is not to be confused with a certification of product compliance.

PROFINET Security Configuration Management (SCM), introduced with PROFINET Security Classes 2 and 3, denotes protocol extensions to PROFINET that facilitate such management. A new functional role, called Security Infrastructure Handler (SIH), is responsible for initiating and orchestrating corresponding PROFINET SCM protocol exchanges with PROFINET components. In the course of these exchanges, their security configurations, certificates, keys, and trust anchors can be supplied, refreshed, removed, or invalidated. The SIH role is going to physically coincide with a PROFINET Controller in most cases, but engineering and diagnosis tools are possible hosts, too.

The certificates (“LDevIDs” in terms of IEEE 802.1AR) that PROFINET components use to authenticate each other are specific to the particular owner/operator. That is, no such certificates are available on PROFINET components in factory default state. Therefore, it is the owner/operator’s responsibility to issue, distribute, and manage these certificates, using the technical provisions provided by the SIH role/tool.

Figure 5: Possible integration of an SIH and a CA in a PROFINET Controller chassis. The combination of CA and SIH located inside a physical Controller allows for seamless certificate, key, and trust anchor management on related Devices.

PROFINET Security supports using certificates issued to components by their manufacturers (“IDevIDs” in terms of IEEE 802.1AR) for an initial security setup. Manufacturers can ship their components with such IDevID certificates, independent of PROFINET and PROFINET Security. IDevIDs

enable a cryptographic verification of the identity and origin claims of a component over the network. Using such certificates for protecting operational PROFINET communication is not supported by PROFINET Security, though.

As illustrated in Figure 5, an SIH can be joined with an integrated Certificate Authority (CA) functionality. Alternatively, it may also resort to external (e.g., on-premise or third-party) CA services. A Controller with SIH role and integrated CA functionality can enable a fully automated certificate management for PROFINET components within its PROFINET IO system. This includes, for example, one of the most challenging use cases: a fully automated and instantaneous certificate handling when a faulty PROFINET component unexpectedly needs to be replaced by a new one.

IV. PROFINET SECURITY AS BUILDING BLOCK FOR SECURE INDUSTRIAL AUTOMATION

The PROFINET Security concept is one of the cornerstones to fulfill one of the key requirements of the IEC 62443-4-2 [7]. Chapter 7.3.1 of this standard defines that “[t]he automation system must have the capability to protect the integrity of the transmitted information”. This integrity protection will be possible by using the PROFINET protocol with the described extension. However, integrity protection is only one of the building blocks for a secured automation system.

Figure 6 shows the building blocks for a secure production system, from the IEC 62443 perspective. The PROFINET Specification [9, 10] constitutes the foundation of a PROFINET component and includes the security extensions described in Chapter 3. On this basis, component and automation system manufacturers can develop PROFINET components. These components, in turn, are subject to the security requirements of the IEC 62443-4-2 [7]. IEC 62443 imposes a number of requirements, some of which can directly be addressed by PROFINET Security. This includes the integrity protection and optional confidentiality of PROFINET communication. Further requirements need to be fulfilled by the component and/or system manufacturer. For instance, the R&D organization of the manufacturers needs to work according to the secure development lifecycle according to IEC 62443-4-1 [6].

Figure 6: Building blocks for a secure production system

A system integrator can design an automation system based on the components. The security requirements to be observed during this planning process are described in IEC 62443-3-3 [19]. This work includes, for example, the implementation of a defense in depth approach, the implementation of access control, the separation of the OT network and much more.

After the commissioning phase, the plant owner/operator assumes control of the system. During the operation phase, security relevant tasks need to be processed. The plant operator needs to implement an Information Security Management System (ISMS). Such an ISMS can be either implemented according to the ISO 27001 standard [20] or according to the IEC 62443-2-1 [21]. Guidance on which of the two standards to use can be found in [22].

In addition, the plant operator needs to take care of the patch management of the system (see IEC TR 62443-2-3 [23]) and the secure handling of service providers according to IEC 62443-2-4 [24].

V. SUMMARY, CONCLUSION AND OUTLOOK

With PROFINET Security, an integration of cryptographic protection into the PROFINET protocol has been achieved. It constitutes an important step towards secure communication within PROFINET-powered automation systems. In this article, we presented a high-level overview of the technical concept behind PROFINET Security. Additionally, we sketched how PROFINET Security can help to address requirements imposed by IEC 62443.

The concepts behind PROFINET Security are shaped by the demand to minimize disruption of PROFINET features as known and appreciated by its wide user base today. Many technical and integration challenges had to be solved on the way. As a result, PROFINET Security promises to harmonize ecosystem, automation, and security requirements in an effective way.

Currently, the process of integrating PROFINET Security into the specification is in progress. In parallel, the transfer into the IEC standard IEC 61158-5-10 [25] and IEC 61158-6-10 [26] is ongoing. In a next step, PROFINET Protocol stacks need to be updated to incorporate PROFINET Security features. This will then serve as input to PROFINET components and systems.

PI strives to achieve a pre-certification of PROFINET Security in accordance with IEC 62443-4-2 [7]. This shall support component manufacturers in their own IEC 62443 certification process.

ACKNOWLEDGMENT

The work presented herein is the result of concerted effort of many experts and not just the authors of this article. The authors would like to thank all involved persons for the fruitful and inspiring cooperation and the valuable contributions.

REFERENCES

[1] PROFIBUS Nutzerorganisation e.V. “PROFINET - The Solution Platform for Process Automation.” https://www.profibus.com/index.php?eID=dumpFile&t=f&f=133940&token=60acf6a7451d29bcf233633412d644d58f109bbb
[2] PROFIBUS and PROFINET International, Fieldcom Group, OPC-Foundation, and ODVA Inc. “Ethernet to the field: White Paper.” https://www.profibus.com/download/apl-white-paper
[3] Claroty Ltd. “The Global State of Industrial Cybersecurity 2021: Resilience amid Disruptions.” https://claroty.com/wp-content/uploads/2022/02/Claroty_Report_State_of_Industrial_Cybersecurity_2021.pdf
[4] Dragos Inc. “ICS/OT Cybersecurity: Year in review 2021.” https://hub.dragos.com/hubfs/333%20Year%20in%20Review/2021/2021%20ICS%20OT%20Cybersecurity%20Year%20In%20Review%20-%20Dragos%202021.pdf?hsLang=en
[5] Fortinet inc. “2022 State of Operational Technology and Cybersecurity Report.” https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/report-2022-ot-cybersecurity.pdf
[6] Security for industrial automation and control systems – Part 4-1: Secure product development lifecycle requirements, IEC 62443-4-1, IEC - International Electrotechnical Commission, Jan. 2018.
[7] Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, IEC 62443-4-2, IEC - International Electrotechnical Commission, Feb. 2019.
[8] PROFIBUS Nutzerorganisation e.V. “OT security for production plants with PROFINET: A classification of IEC 62443 for operators, integrators and manufacturers.” https://www.profibus.com/download/white-paper-ot-security-classification-of-iec62443
[9] PROFIBUS Nutzerorganisation e.V. “Application Layer protocol for decentralized periphery Technical Specification for PROFINET IO: Version 2.4 MU3.” https://www.profibus.com/download/profinet-specification
[10] PROFIBUS Nutzerorganisation e.V. “Application Layer services for decentralized periphery: Technical Specification for PROFINET IO, Version 2.4 MU3 – Oct. 2021.” https://de.profibus.com/downloads/profinet-specification/
[11] PROFIBUS Nutzerorganisation e.V. “Security Extensions for PROFINET - PI White Paper for PROFINET.” https://www.profibus.com/download/pi-white-paper-security-extensions-for-profinet/ (accessed Sep. 7, 2019).
[12] PROFIBUS Nutzerorganisation e.V. “Security Class 1 for PROFINET-Security.” https://www.profibus.com/download/profinet-security-guideline
[13] Network Working Group. “The Transport Layer Security (TLS) Protocol: RFC 5246.” https://www.ietf.org/rfc/rfc5246.txt
[14] Network Working Group. “The EAP-TLS Authentication Protocol: RFC 5216.” https://www.rfc-editor.org/rfc/pdfrfc/rfc5216.txt.pdf
[15] Network Working Group. “IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) - Usage Guidelines.” https://www.rfc-editor.org/rfc/pdfrfc/rfc3580.txt.pdf
[16] IEEE Standard for Local and Metropolitan Area Networks - Secure Device Identity, IEEE 802.1AR-2018, IEEE Computer Society. [Online]. Available: https://1.ieee802.org/security/802-1ar/
[17] Network Working Group. “An Interface and Algorithms for Authenticated Encryption: RFC 5116.” https://www.rfc-editor.org/rfc/pdfrfc/rfc5116.txt.pdf
[18] Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, RFC 5280, Network Working Group IETF, May 2008. [Online]. Available: https://datatracker.ietf.org/doc/html/rfc5280
[19] Security for industrial automation and control systems Part 3-3: System security requirements and security levels, IEC 62443-3-3:2013, IEC - International Electrotechnical Commission, Jun. 2013.
[20] Information security, cybersecurity and privacy protection — Information security management systems — Requirements, ISO/IEC 27001:2022, International Organization for Standardization (ISO), Oct. 2022. [Online]. Available: https://www.iso.org/standard/82875.html
[21] Industrial communication networks - Network and system security - Part 2-1: Establishing an industrial automation and control system security program, IEC 62443-2-1-2010, IEC - International Electrotechnical Commission, Nov. 2010. [Online]. Available: http://isa99.isa.org/ISA99%20Wiki/WP_List.aspx
[22] K.-H. Niemann. “Differentiation of the IT security standard series ISO 27000 and IEC 62443: Whitepaper.” https://library.e.abb.com/public/fc76636ebed845b88c640a613f0c95a0/3ADR010839_Differentiation_ISO_27001_IEC_62443_REV_C_en_US.pdf
[23] Security for industrial automation and control systems – Part 2-3: Patch management in the IACS environment: Technical Report, IEC TR 62443-2-3, IEC - International Electrotechnical Commission, Jun. 2015. [Online]. Available: https://www.vde-verlag.de/iec-normen/221941/iec-tr-62443-2-3-2015.html
[24] Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers, IEC 62443-2-4:2015+AMD1:2017 CSV consolidated version, IEC - International Electrotechnical Commission, Aug. 2017.
[25] Industrial communication networks - Fieldbus specifications - Part 5-10: Application layer service definition - Type 10 elements, IEC 61158-5-10:2019, IEC - International Electrotechnical Commission, 2019. [Online]. Available: https://webstore.iec.ch/publication/64836
[26] Industrial communication networks - Fieldbus specifications - Part 6-10: Application layer protocol specification - Type 10 elements, IEC 61158-6-10:2019, IEC - International Electrotechnical Commission, 2019. [Online]. Available: https://webstore.iec.ch/publication/59893

Contact

Project Manager:
Renate Ester
P + 49 (0)89 255 56-1349
E-Mail: REster@weka-fachmedien.de

Coordinator Conference Attendees:
Alexandra Feuerstein
P + 49 (0)89 255 56-1372
E-Mail: AFeuerstein@weka-fachmedien.de

WEKA FACHMEDIEN GmbH
Richard-Reitzner-Allee 2
85540 Haar, Germany
www.weka-fachmedien.de
