Security
Motivation
Driven by legal requirements like EU Cyber Resilience Act (CRA), security for industrial
communication systems is more and more playing a crucial role. The RTC Testbench
can also be
used to measure and optimize the performance of a particular security implementation for
authentication and/or encryption of each processed frame.
The RTC Testbench
demonstrates one exemplary Profinet security implementation. The Profinet
security specification is still under development. This implementation is to be used only for
performance measurements. For instance, what impact does real time frame encryption and decryption
have on quantity structures? Key management, updates, rotation etc. and other mechanisms are not
covered.
Configuration parameters
The parameters which allow to configure frame authentication or encryption are shown below:
Option |
Description |
---|---|
SecurityMode (String) |
One of |
SecurityAlgorithm (String) |
One of |
SecurityKey (String|Hex) |
Key to be used for crypto functions either 16 or 32 bytes depending on selected algorithm |
SecurityIvPrefix (String|Hex) |
Prefix of the IV which is 6 bytes in size |
These options are valid for classes TSNHigh, TSNLow, RTC and RTA.
Implementation
The current implementation uses OpenSSL v3 or later. This means the authentication and encryption work is performed in software. Therefore, enabling security can have a significant performance impact.
Future hardware like ASIC(s) or newer generation NIC(s) may provide Profinet security hardware offloading with the goal of zero performance impact. This is not covered yet.
Example
There are examples for Profinet Authentication only and Authentication and Encryption:
tests/profinet_auth
tests/profinet_crypt
For measuring the security performance impact the CPU run times of the involved real time tasks can
be traced. See scripts/trace_rtc.bt
for an example.