You're asking about security on the control plane for industrial protocols, and not the data plane? Where the control plane for an Ethernet switch is traffic that terminates at or originates from the CPU on the switch.
Profinet & CIP are just data to an IE switch.
If you want to use security ACLs on an Ethernet interface to affect the forwarding of industrial protocols between interfaces on an IE switch, you can do that today.
The recent vulnerabilities / CVEs appear to affect the control plane implementation of CIP (where CIP/EtherNet/IP tags in a Rockwell environment are enumerated from Cisco IOS[-XE] internal data structures).
Back to your original question. The CIP and/or Profinet protocols on the IE switches are used to manage the switch as part of a larger solution. If the IE switch is deployed in a network using CIP, then it may be desirable for a CIP management application (e.g. Studio 5000) to manage the IE switch. Same with Profinet.
Meaning, there's no point in an ACL to block CIP or Profinet on the control plane when you want them to manage the switch.
When the IE switch is deployed in a scenario not using CIP or Profinet, or you do not want the CIP or Profinet protocol to have access to the switch's control plane, then disable those features on the switch. With those features disabled, the management plane vulnerabilities are not exposed. When CIP is disabled, the security password is not exposed; there is no security password to view.
If you do need to use CIP or Profinet and want to prevent the documented exposure, then you'll need to update the SW version.
1. "CSCvu58224 Privilege escalation from 1 to 15 using CIP": this has been fixed in the most recent releases. 17.3.3, 17.4.1 and 17.5.1 have a fix. If you cannot update IOS-XE SW versions, then remove users with read-only privileges, which is what priv level 1 means.
2. A CIP denial of service was found to occur in IE2000/IE3000. It's been fixed in 15.2.7 and later releases.
I may not have covered all the issues. I hope you get the point. If you're still confused, just reply and I'll look for it.
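As an added example (not part of the reply above or of any Cisco tooling), here is a small Python audit that applies the advice in the post to a saved running-config: it lists the SVIs with `cip enable`, checks whether the global `profinet` line is present, notes whether a `cip security password` is configured, and lists users at privilege level 1 (the IOS default when no `privilege` keyword is given). The sample config is constructed for the example; the exact way the global PROFINET setting and the CIP interface command appear in a config is an assumption about the platform, so adjust the matching if your switch renders them differently.

```python
"""Audit a Cisco IE switch running-config for CIP / PROFINET control-plane exposure.

Added example, not Cisco code. Assumes CIP shows up as 'cip enable' under an
interface stanza and PROFINET as a bare global 'profinet' line.
"""
import re
from dataclasses import dataclass

# Constructed sample config; not captured from a real switch.
SAMPLE_CONFIG = """\
hostname IE-CELL1
username ops privilege 1 password 0 readonly
username admin privilege 15 secret 5 $1$abcd$placeholder
username viewer password 0 legacy
cip security password cell1
profinet
!
interface GigabitEthernet1/1
 description uplink
!
interface Vlan1
 ip address 10.1.1.2 255.255.255.0
 cip enable
!
interface Vlan20
 ip address 10.1.20.2 255.255.255.0
!
"""

USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")


@dataclass
class Finding:
    severity: str
    message: str


@dataclass
class AuditReport:
    cip_interfaces: list
    profinet_enabled: bool
    cip_password_set: bool
    low_priv_users: list   # (username, privilege level)
    findings: list


def iter_interface_stanzas(config_text):
    """Yield (interface name, [indented body lines]) for each 'interface ...' block."""
    name, body = None, []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            if name is not None:
                yield name, body
            name, body = line.split(None, 1)[1], []
        elif name is not None and line.startswith(" "):
            body.append(line.strip())
        else:
            # '!' or any other top-level line closes the current stanza
            if name is not None:
                yield name, body
            name, body = None, []
    if name is not None:
        yield name, body


def audit_config(config_text, cip_needed=False, profinet_needed=False):
    """Return an AuditReport; cip_needed/profinet_needed say whether the protocol manages this switch."""
    lines = [l.rstrip() for l in config_text.splitlines()]
    cip_interfaces = [n for n, body in iter_interface_stanzas(config_text) if "cip enable" in body]
    profinet_enabled = any(l == "profinet" for l in lines)
    cip_password_set = any(l.startswith("cip security password") for l in lines)

    low_priv_users = []
    for l in lines:
        m = USERNAME_RE.match(l)
        if m:
            priv = int(m.group(2)) if m.group(2) else 1   # IOS default privilege is 1
            if priv < 15:
                low_priv_users.append((m.group(1), priv))

    findings = []
    if cip_interfaces and not cip_needed:
        findings.append(Finding("high", "CIP enabled on %s but not used to manage the switch: "
                                "disable it ('no cip enable') so the CIP control plane is not reachable"
                                % ", ".join(cip_interfaces)))
    if profinet_enabled and not profinet_needed:
        findings.append(Finding("high", "PROFINET enabled but not used to manage the switch: disable it"))
    if cip_interfaces and cip_needed and low_priv_users:
        findings.append(Finding("high", "CIP in use with level-1 users %s: upgrade to a fixed release "
                                "or remove these read-only accounts"
                                % ", ".join(u for u, _ in low_priv_users)))
    if cip_interfaces and cip_password_set:
        findings.append(Finding("info", "CIP security password is configured; it is only readable "
                                "through CIP while CIP stays enabled on an unfixed release"))
    return AuditReport(cip_interfaces, profinet_enabled, cip_password_set, low_priv_users, findings)


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG).findings:
        print(f"[{f.severity}] {f.message}")
```

Run it against `show running-config` output saved to a file; pass `cip_needed=True` when Studio 5000 (or another CIP tool) manages the switch, so the report stops asking you to disable CIP and instead focuses on the level-1 accounts and the software version.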