CIP Security for EtherNet/IP Illustrates Increased IT/OT Integration

  • September 11, 2019
  • Feature

By Bill Lydon, Contributing Editor, 

Effective cybersecurity continues to get more complex for today’s manufacturing and process facilities, and many organizations are stepping up with solutions intended to help these facilities close the gaps. I attended one particular briefing at the 2019 Hannover Fair in April, where ODVA released its first round of 2019 specification enhancements to its technologies, which included specific enhancements to the EtherNet/IP™ CIP Security™ technology. The enhancements leveraged information industry standards, including the IETF-standard TLS (Transport Layer Security, RFC 5246) and DTLS (Datagram Transport Layer Security, RFC 6347) protocols, in order to provide a secure transport for EtherNet/IP traffic. TLS is used for TCP-based communications, including the encapsulation layer, UCMM (Unconnected Message Manager), and transport class 3, and DTLS is used for the UDP (User Datagram Protocol)-based transport class 0/1 communications. This approach is analogous to the way that HTTP uses TLS for HTTPS.


Facilitating An Effective Cybersecurity Strategy for Manufacturers

Leveraging the standards of the information industry is consistent with ODVA’s focus on using standard Ethernet to achieve the goal of IT & OT information and computing integration, to facilitate an overall manufacturing organization cybersecurity strategy. In a discussion with Dawn Cappelli, CISSP – the VP, Global Security and Chief Information Security Officer at Rockwell Automation – she noted that the first step a manufacturer should take in building a cybersecurity plan is to determine a leader of the cybersecurity effort. Specifically, Cappelli mentioned that while many manufacturing companies already have a chief information security officer (CISO) responsible for information technology (IT) security, operational technology (OT) security has traditionally been the responsibility of the OT engineers. "People are realizing now, due to the convergence of IT and OT, that it's important to have one security leader responsible for all cybersecurity for the company," emphasized Cappelli. She went on to share that this should be someone who can work with both IT and OT to build and execute a holistic cybersecurity strategy that not only encompasses the entire ecosystem of IT and OT, but also all external connections, including third parties and the supply chain.

A secure EtherNet/IP transport provides the following security attributes:

  • Authentication of the endpoints — ensuring that the target and originator are both trusted entities. End point authentication is accomplished using X.509 certificates or pre-shared keys.
  • Message integrity and authentication — ensuring that the message was sent by the trusted endpoint and was not modified in transit. Message integrity and authentication is accomplished via TLS message authentication code (HMAC). 
  • Message encryption — optional capability to encrypt the communications, provided by the encryption algorithm that is negotiated via the TLS handshake.   

Inside ODVA’s EtherNet/IP Enhancements

The goal of ODVA’s cybersecurity enhancements to EtherNet/IP is to extend a defense-in-depth architecture to network communications with and between ICS systems and edge devices. ODVA is working to realize this goal through the enhancement of the potential defensive capability of ICS systems and devices using EtherNet/IP. They are doing this by providing cybersecurity mechanisms that are native to EtherNet/IP and the Common Industrial Protocol (CIP™). The initial CIP Security specification, which was published in 2015, provided vendors the ability to improve the security of EtherNet/IP-connected devices by adding support for device authentication, data integrity, and data confidentiality. 

Since then, ODVA has made several key updates to CIP Security. Most notably, they continue working to fulfill the desire from end users for easier initial commissioning of devices, and because of this, CIP Security was enhanced to allow devices to perform certificate enrollment directly. In contrast to the practice of pushing certificates out from a configuration tool, this “pulling” functionality allows devices to actively request certificates. The pulling of a certificate is accomplished using standard and proven IT technologies, furthering the ability to integrate IT and OT systems. The April 2019 edition of the CIP Security Specification continues the progression of the technology, working to increase efficiency with timeout responses, increase protection by allowing for a mandatory CIP Security connection for changes, and expand behaviors for certificate verification.

Already, work is ongoing for the next phase of development of CIP Security, which will add support for user authentication, non-repudiation, and device authorization, with the goal of strengthening secure end-to-end communications between CIP endpoints. The ultimate roadmap of CIP Security development is to enable EtherNet/IP devices, and potentially other types of devices using CIP, to become autonomous, take responsibility for their own security and effectively secure themselves from attack.

ODVA publishes its specifications within a group of publications, entitled The CIP Networks Library. Each specification is made up of one or more volumes of The CIP Networks Library.


The Evolution of Effective Cybersecurity

At the Hannover Fair briefing, ODVA explained how control system security has typically been addressed by adopting a defense-in-depth security architecture, a strategy which has been recommended for many years. This architecture is based on the idea that multiple layers of security would be more resilient to attack. With this strategy, the expectation is that any one layer could be compromised at some point in time, yet the automation devices at the innermost layer would remain secure.  

However, as attackers become more sophisticated, it becomes more important for the CIP-connected device — the final layer of defense — to defend itself. Consider the situation where a piece of malware is, unknown to control system personnel, delivered to a compromised PC via USB drive. The malware could contain code to issue malicious CIP services to devices. However, if the device were able to reject such services from untrusted sources, the threat would be mitigated.

The goal of CIP Security is to enable the CIP-connected device to protect itself from malicious CIP communications. A fully self-defending CIP device would be able to:

  • Reject data that has been altered (integrity)
  • Reject messages sent by untrusted people or untrusted devices (authenticity)
  • Reject messages that request actions that are not allowed (authorization)
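
The three rejections listed above can be modelled with the TLS 1.2 record MAC from RFC 5246 used without encryption, which matches the article's point that integrity comes from the TLS HMAC while encryption is optional. This is an added example, not code from ODVA or the CIP Security specification. The `Device` class, the keys and the payloads are constructed for illustration. 0x0E and 0x10 are the CIP Get_Attribute_Single and Set_Attribute_Single service codes, and treating the first fragment byte as the service code is a simplification, not the real CIP encoding.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size

def record_mac(mac_key, seq, fragment, ctype=23, version=(3, 3)):
    """TLS 1.2 record MAC (RFC 5246, 6.2.3.1):
    HMAC(key, seq_num + type + version + length + fragment).
    ctype 23 is application_data; (3, 3) is TLS 1.2."""
    header = struct.pack("!QBBBH", seq, ctype, *version, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()

def protect(mac_key, seq, fragment):
    """Sender side, integrity only: plaintext fragment followed by its MAC."""
    return fragment + record_mac(mac_key, seq, fragment)

class Device:
    """Hypothetical receiver: checks the MAC, then a per-connection allow-list."""
    def __init__(self, mac_key, allowed_services):
        self.mac_key, self.allowed, self.seq = mac_key, allowed_services, 0

    def receive(self, record):
        fragment, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        expected = record_mac(self.mac_key, self.seq, fragment)
        # Constant-time compare. Real TLS treats a bad MAC as fatal and closes
        # the connection; this model just drops the record.
        if not hmac.compare_digest(tag, expected):
            return "reject: bad MAC"
        self.seq += 1  # sequence number advances only on verified records
        # Simplification: first byte of the fragment stands in for the service code.
        if not fragment or fragment[0] not in self.allowed:
            return "reject: service not allowed"
        return "accept"

def demo():
    key, rogue_key = bytes(range(32)), bytes(32)   # constructed keys
    dev = Device(key, allowed_services={0x0E})     # read-only peer
    read = b"\x0e" + b"constructed-read"           # constructed payloads
    write = b"\x10" + b"constructed-write"
    first = protect(key, 0, read)
    altered = bytearray(protect(key, 1, read))
    altered[5] ^= 0x01                             # one bit flipped in transit
    return [
        dev.receive(first),                        # genuine record
        dev.receive(first),                        # replay of the same record
        dev.receive(bytes(altered)),               # altered data
        dev.receive(protect(rogue_key, 1, read)),  # sender without the key
        dev.receive(protect(key, 1, write)),       # authentic but not permitted
    ]
```

Because the sequence number is part of the MAC input, the replayed record fails the same check as the altered one. The last case passes the MAC and is refused only by the allow-list, which is the authorization step the list separates from integrity and authenticity.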

Recognizing that every CIP device does not need to provide the same level of support for all defined security features, CIP Security defines the notion of a Security Profile. A Security Profile is a set of well-defined capabilities to facilitate device interoperability and end-user selection of devices with the appropriate security capability.

Cybersecurity for manufacturing and process facilities is increasingly necessary, yet also increasingly complex, and it is good to see the ODVA recognizing the need to provide solutions consistent with the overall enterprise computing architecture.
