The "PROFINET Security Classes" introduced in 2022 codify three levels of native security: SC1 (authentication), SC2 (authentication + integrity), SC3 (authentication + integrity + payload encryption).

PROFINET Security Classes (Specification V2.4+) are defined as follows: SC1 provides mutual authentication between device and controller using cryptographic signatures, with no encryption and a light overhead; SC2 adds integrity protection (HMAC on every telegram) on top of SC1; SC3 adds payload encryption (AES-128) on top of SC2, with a significant cryptographic overhead that should be reserved for critical traffic. Adoption is progressive over 2024-2027 on new sensitive projects (OT cybersecurity, IEC 62443 SL2+).

Do not enable SC3 globally on a high-cycle motion network without measuring the impact first: the AES overhead can erode the very real-time margins you bought IRT hardware to obtain.