PROFINET Reset to Factory – an underestimated OT security risk

The “Reset to Factory” function on PROFINET devices is a legitimate tool for servicing. It is based on DCP (Discovery and Configuration Protocol) and resets device parameters such as the device name, IP address, and application data to factory defaults. Engineers typically trigger this reset using engineering tools such as Siemens TIA Portal or Siemens PRONETA.

Overview of the network setup

Why is this security-critical?

DCP operates at Layer 2 and does not require authentication. Anyone with access to the PROFINET network can send a reset command. An attacker can reset devices to factory defaults, remove configured device names (“nameless” devices), and interrupt PROFINET communication. The malicious use of “Reset to Factory” results in a denial-of-service attack in the OT network that may cause production downtime, unsafe process states, or manual re-commissioning.

Particularly critical: local network access is sufficient, no credentials are required.

The Attack

An attacker can trigger the “Reset to Factory” function using readily available engineering tools such as Siemens PRONETA.

PROFINET reset to factory via PRONETA

In PRONETA, the attacker simply selects the device and executes “Reset to Factory.”

How to Detect if a Device Was Reset?

To verify whether a PROFINET device reset was successful, inspect the traffic in Wireshark. In a Layer-2 capture, the device will respond to the reset command. If the response contains: Set OK the device has accepted the command and was reset to factory defaults.

PROFINET reset to factory in wireshark

This response confirms that the device executed the reset and cleared its configuration (e.g., device name, IP settings, and parameters). Because the reset is performed via Layer-2 PROFINET DCP, it can typically be executed by any host within the network segment.

What helps?

  • Enable PROFINET Security Class 1 (e.g., DCP write protection during operation)
  • Network segmentation (VLANs, restrict access)
  • Monitoring of DCP traffic to detect malicious actions

Conclusion

“Reset to Factory” can be a two-edged sword. In unprotected OT networks, it represents an availability risk. Only through protective mechanisms, segmentation, and monitoring does a service function avoid becoming an attack vector. Operators should therefore review their PROFINET networks, verify DCP protections, and reassess who can access the OT network.

📚 Read more interesting articles on our blog.