PROFIBUS DP has no native security (no encryption, no authentication); defence relies entirely on the physical isolation of the bus (dedicated RS-485 segment, not connected to a general-purpose network).

PROFIBUS security relies on physical defence in depth: the RS-485 bus is dedicated and never exposed on general-purpose Ethernet, physical access requires access control to the electrical cabinets, intrusive diagnostics demands dedicated tooling and trained operators (it is not accessible to a random attacker), and there is no remote network exposure at all (in contrast with Modbus TCP which is routinely found on the open Internet). The remaining weakness is that an insider with physical access can manipulate everything. The modern remediation is migration to PROFINET, where Security Classes (including encryption) are available.

On a PROFIBUS audit, focus the security review on physical access (cabinets, network rooms, contractor badges): there is no other meaningful security layer to assess.