Bridge me if you can! Evaluating the latency of securing Profinet
Fieldbusses have been the backbone of inter-device communication in both industrial and home automation settings for a few decades. The underlying assumption is the availability of reliable and low-latency communication for all busses. This often implies that the busses are confined to a single physical location. With the advent of the 'Internet of Things' (IoT), and subsequently the 'Industrial Internet of Things' (IIoT), and the increased demand for control logic to be pushed into the 'Cloud', that assumption can no longer be upheld. Since no (I)IoT protocol exists to provide remote control, let alone in a secure fashion, while providing low latency at the same time, we are left with the problem of routing fieldbusses from, say, data-centres to shop-floors. This presents a challenge, because those busses have been designed for safety rather than security. In this paper, we elaborate on the viability of routing layer two fieldbus traffic while providing both low latency to fulfil real-time requirements and security through cryptographic tunnels. We design and implement a network topology where Profinet traffic is routed through a VXLAN over WireGuard overlay to control a SoftPLC instance. We evaluate our implementation in a realistic test-bed and our measurements indicate that bridging Profinet over VXLAN and WireGuard induces a latency low enough for running time-critical applications.
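One way to build the layering described above on a Linux gateway, as an added example that is not the paper's own configuration: the field-side NIC is bridged to a VXLAN device whose outer packets travel only inside a WireGuard tunnel. Interface names, tunnel addresses, the VNI, the config path and the MTU values are assumptions; the script prints the commands unless APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Added example: Profinet L2 bridge -> VXLAN -> WireGuard on one gateway.
# Every name, address, path and number below is an assumption for illustration.
FIELD_IF=${FIELD_IF:-eth1}          # NIC facing the Profinet devices
WG_IF=${WG_IF:-wg0}
WG_CONF=${WG_CONF:-/etc/wireguard/overlay.conf}  # plain `wg` format, not wg-quick
WG_LOCAL=${WG_LOCAL:-10.99.0.1}     # this side's tunnel address
WG_REMOTE=${WG_REMOTE:-10.99.0.2}   # far side's tunnel address
WG_MTU=${WG_MTU:-1420}              # common WireGuard default
VNI=${VNI:-100}
BRIDGE=${BRIDGE:-br-pn}

# VXLAN over IPv4 costs 50 bytes per frame:
# inner Ethernet 14 + VXLAN 8 + UDP 8 + outer IPv4 20.
vxlan_mtu() { echo $(( $1 - 50 )); }

# Emit the setup commands in order; nothing is executed by this function.
# The peer in WG_CONF should carry AllowedIPs = WG_REMOTE/32 so that only the
# authenticated far gateway can source VXLAN packets into the bridge.
overlay_cmds() {
  local vx="vxlan${VNI}" mtu
  mtu=$(vxlan_mtu "$WG_MTU")
  cat <<EOF
ip link add ${WG_IF} type wireguard
wg setconf ${WG_IF} ${WG_CONF}
ip addr add ${WG_LOCAL}/24 dev ${WG_IF}
ip link set ${WG_IF} mtu ${WG_MTU} up
ip link add ${vx} type vxlan id ${VNI} local ${WG_LOCAL} remote ${WG_REMOTE} dstport 4789 dev ${WG_IF}
ip link set ${vx} mtu ${mtu}
ip link add ${BRIDGE} type bridge stp_state 0
ip link set ${FIELD_IF} master ${BRIDGE}
ip link set ${vx} master ${BRIDGE}
ip link set ${FIELD_IF} up
ip link set ${vx} up
ip link set ${BRIDGE} up
EOF
}

# Dry run by default; APPLY=1 (as root) executes the plan and stops on error.
if [ "${APPLY:-0}" = "1" ]; then
  overlay_cmds | sh -ex
else
  overlay_cmds
fi
```

Binding the VXLAN device to the tunnel interface and tunnel addresses keeps the unauthenticated VXLAN traffic off the underlay; frames larger than the reduced VXLAN MTU will not cross the bridge, so the field-side frame sizes should be checked against it.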