The “Reset to Factory” function on PROFINET devices is a legitimate tool for commissioning and service. Technically, it is usually based on DCP (Discovery and Configuration Protocol) and resets device parameters such as the device name, IP address, and in some cases application data back to factory defaults, either via engineering tools like Siemens TIA Portal or directly through a DCP command on the network.
Why is this security-critical?
DCP operates at Layer 2 without authentication. An attacker with access to the PROFINET segment can trigger unauthorized resets, render devices “nameless,” and interrupt communication with the controller, effectively a classic denial-of-service attack in the OT network. Depending on the process, such interruptions can lead to production downtime, unsafe states, or costly manual re-commissioning.
Particularly critical: local network access is sufficient, no credentials are required.
What helps?
- Enable PROFINET Security Class 1 (e.g., DCP write protection during operation)
- Network segmentation (VLANs, access restricted to engineering stations)
- Monitoring of DCP traffic to detect unauthorized actions
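One way to implement the DCP monitoring item above is sketched below. This is an added example, not code from the original article or from any vendor tool. It inspects raw Ethernet frames (for example from a mirror port) and flags DCP Set requests that carry a Control block with a reset suboption. The function names, the engineering-station allowlist, and the MAC addresses are assumptions; the sample frames are constructed, with qualifier bytes zeroed.

```python
import struct

PN_ETHERTYPE, VLAN_ETHERTYPE = 0x8892, 0x8100
DCP_GETSET_FRAME_ID = 0xFEFD            # FrameID used for DCP Get/Set
SERVICE_SET, TYPE_REQUEST = 0x04, 0x00
OPTION_CONTROL = 0x05
RESET_SUBOPTIONS = {0x05: "FactoryReset", 0x06: "ResetToFactory"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def detect_dcp_reset(frame, allowed_sources):
    """Return an alert dict for a DCP Set request carrying a reset block, else None."""
    if len(frame) < 14:
        return None
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == VLAN_ETHERTYPE:      # skip a single 802.1Q tag
        if len(frame) < 18:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        offset = 18
    if ethertype != PN_ETHERTYPE or len(frame) < offset + 12:
        return None
    # DCP header: FrameID, ServiceID, ServiceType, Xid, reserved, DCPDataLength
    frame_id, service_id, service_type, xid, _resv, data_len = struct.unpack_from(
        "!HBBIHH", frame, offset)
    if (frame_id, service_id, service_type) != (DCP_GETSET_FRAME_ID, SERVICE_SET, TYPE_REQUEST):
        return None
    pos = offset + 12
    end = min(pos + data_len, len(frame))  # do not trust the length field past the capture
    while pos + 4 <= end:
        option, suboption, block_len = struct.unpack_from("!BBH", frame, pos)
        if option == OPTION_CONTROL and suboption in RESET_SUBOPTIONS:
            return {"src": mac(src), "dst": mac(dst), "xid": xid,
                    "action": RESET_SUBOPTIONS[suboption],
                    "authorized_source": mac(src) in allowed_sources}
        pos += 4 + block_len + (block_len & 1)  # blocks are padded to even length
    return None

# Constructed sample frames (not captured traffic); all MAC addresses are made up.
ENGINEERING_STATIONS = {"02:00:00:00:00:10"}
ETH_HEADER = bytes.fromhex("020000000001" "0200000000aa" "8892")
RESET_FRAME = ETH_HEADER + bytes.fromhex("fefd0400" "00000001" "0000" "0006" "05060002" "0000")
IP_SET_FRAME = ETH_HEADER + bytes.fromhex(
    "fefd0400" "00000002" "0000" "0012" "0102000e" "0001" "c0a8000a" "ffffff00" "c0a80001")
```

Because DCP is unauthenticated Layer 2 traffic, the source MAC can be spoofed, so `authorized_source` is a triage hint. A reset during normal operation deserves review even when it appears to come from an engineering station.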
Conclusion
“Reset to Factory” is not a security feature. In unprotected OT networks, it represents a real availability risk. Only technical protective mechanisms, segmentation, and monitoring keep a service function from becoming an attack vector. Operators should therefore review their PROFINET setups, verify DCP protections, and reassess who can physically or logically access the OT network.