Webinar_Question wrote: ↑22 Aug 2025, 09:58 Is a specialized CA necessary to generate PROFINET-specific extensions in a certificate?

No, a special CA is not required (off-the-shelf OpenSSL does the job), despite the PN-specific extensions. Caveat: one has to accept that the CA signs extensions it cannot check semantically.

Is there a difference in execution performance or duration of the AES-GCM algorithm when using 'authentication only' compared to 'authentication AND encryption'? Yes, authenticated encryption is typically more costly than authentication only. Therefore, both options ae provided to be able to provid...

Webinar_Question wrote: ↑22 Aug 2025, 09:54 Does the now secure PROFINET connection also extend to device-embedded webservers or would this need to be secured separately?

PROFINET Security does not cover non-PROFINET connections/services (e.g., webservers).

It seems simpler to totally isolate your PROFINET network from external surroundings rather than implementing these complex security measures. In an ideal world, security mechanisms would be unnecessary. However, due to developments such as IIoT and IT/OT convergence, the number of devices in facto...

Is there a decision rule for determining which PROFINET Security Class (1, 2, or 3) a product must comply with? PROFINET Security is optional, and its implementation is highly dependent on threat and risk analysis, as well as the intended use and environment. This approach aligns with the standards...

When using an existing customer PKI to issue certificates, who is responsible for controlling the assignment of PROFINET roles to a certificate requestor? It seems this responsibility falls on the issuing CA, doesn't it? As those credentials will be managed by the operator/customer, they are respon...

Webinar_Question wrote: ↑22 Aug 2025, 09:58 Is an internet connection required for managing certificates?

No, an internet connection is not necessary.

Can we retrospectively add files to a signed GSDX container? No, it’s not possible to add files to a signed GSDX container after the signature has been created. GSDX containers are designed to secure the entire content at the time of signing. Any modifications, such as adding new files, would leave...

Webinar_Question wrote: ↑19 Dec 2024, 15:59 Will Security Class 1 be mandatory for all devices in the future?

Security Class 1 and higher are optional and depend on the manufacturer’s choice.

Is the PROFINET Security Class linked to the security levels defined in IEC 62443-4-2? PROFINET Security Class and the security levels defined in IEC 62443-4-2 are not directly linked. However, there is a whitepaper available that discusses the relationship between PROFINET Security and IEC 62443, ...

Webinar_Question wrote: ↑19 Dec 2024, 16:00 Will all engineering systems need to be modified to be able to import GSDX files, in addition to traditional GSDML files?

Yes, since GSDX is a new technology that requires signature validation, engineering systems will need to be updated.

Webinar_Question wrote: ↑19 Dec 2024, 16:01 Do the device manufacturers have to provide the GSDX files with a new signature after 3 years, as is the case with the signature card?

No, the GSDX files stay valid for a long period. Even when the certificate has expired, the GSDX file will remain valid.

Webinar_Question wrote: ↑19 Dec 2024, 16:01 What does the Engineering tool need to check the signature?

The exact behavior required for the Engineering tool to check the signature is described in the GSDX Specification. You can find more details in the document here: https://www.profibus.com/download/gsdml ... r-profinet