- By Bill Lydon
- December 10, 2020
ODVA’s briefing included naming HARTING a new principal member, details on CIP Security enhancements for EtherNet/IP that enable user-level authentication, and the standards organization’s strategic priorities for 2021.
ODVA, the industrial automation standards development organization encompassing Common Industrial Protocol (CIP), EtherNet/IP, DeviceNet and others, kept with tradition this year by holding its annual fall media briefing to coincide with the Smart Production Solutions - SPS Conference in Nuremberg, Germany. The coronavirus pandemic has disrupted a lot of traditions including this one: the SPS Conference was a virtual event this year, as was ODVA’s press conference. In fact, the last physical industrial automation event I attended in person was the March 2020 ODVA General Meeting in Palm Harbor, Florida, USA.
The ODVA briefing included an announcement of new principal member HARTING Technology Group, details on CIP Security enhancements including a cybersecurity network extension for EtherNet/IP that enables user-level authentication, and the organization’s strategic priorities for 2021.
Newest principal member
HARTING was introduced as ODVA’s newest principal member. The company joins the current principal members Cisco Systems, Endress+Hauser, Honeywell, Omron, Rockwell Automation and Schneider Electric. Dr. Al Beydoun, president and executive director of ODVA said, “ODVA welcomes the increased contribution of HARTING as a principal member, as well as their expertise in smart connectivity. Their participation … will grow ODVA’s ability to move the connectivity of the industrial enterprise forward to meet the increased demands of IIoT and Industry 4.0.”
The primary focus of HARTING’s activities in ODVA will be through HARTING Inc. of North America, which is a part of the global HARTING Technology Group. HARTING has helped drive the adoption of industrial Ethernet over the past years, especially with the launch of its T1 Industrial connector for Industrial Single Pair Ethernet (SPE). “EtherNet/IP is a critical communication network for the future of discrete and process industries, especially with the advent of Industrial Single Pair Ethernet and Ethernet-APL,” stated Jon DeSouza, president and CEO of HARTING Americas. “HARTING is looking forward to continuing to provide enhanced smart connectivity solutions for EtherNet/IP networks to drive faster decision making and error correction as well as error prevention. By joining ODVA as a principal member, HARTING is increasing its contribution to the advancement of EtherNet/IP and related ODVA technology and standards to prepare for OT and IT convergence.”
DeSouza described five major reasons for becoming a principal member:
- Furthering HARTING’s commitment to the advancement of industrial Ethernet as part of the Industrial Internet of Things (IIoT) and Industry 4.0.
- Contributing HARTING expertise and leadership in industrial Ethernet and productivity to the ODVA organization.
- Collaborating with ODVA and its members to identify and standardize the different technologies and devices that are required for the automation industry’s successful implementation of IIoT.
- Collaborating with ODVA and its members to promote the adoption of industrial automation communications network standards.
- Sponsoring ODVA technical development and enhancement activities as well as the promotion of conforming products.
EtherNet/IP CIP security enhancements
Jack Visoky, EtherNet/IP System Architecture Special Interest Group vice-chair, presented CIP Security enhancements including the cybersecurity network extension for EtherNet/IP that provides user-level authentication. Previous publications of CIP Security specifications included key security properties such as a broad trust domain across a group of devices, data confidentiality, device authentication, device identity, and device integrity. CIP Security now adds a narrow trust domain by user and role, an improved device identity including the user, and user authentication.
CIP Security is a key network extension of the complete EtherNet/IP industrial communication ecosystem and user authentication is another critical step in its development. “As a part of a defense-in-depth approach, CIP Security is designed as an effective deterrence to malicious cyber attackers who are looking for targets to disrupt plant operations,” Visoky said.
Beydoun said, “ODVA will continue to invest in the future development of CIP Security and EtherNet/IP. With connected infrastructure and automation systems, CIP Security is more critical than ever for protecting valuable investments and production of essential products around the world from malicious cybersecurity attacks.”
The goal of user-level authentication is to enable controls engineers, IT administrators, and maintenance operators to securely access and modify device parameters. Satisfying this requirement, the CIP Security User Authentication Profile will provide a fixed user-access policy based on well-defined roles and basic authorization via both local and central user authentication. CIP Security’s ability to authenticate via the device or through a central server allows for simplicity in smaller, simple systems and efficiency in large, complicated installations.
The new User Authentication Profile makes use of several open, common, ubiquitous technologies. These include OAuth 2.0 and OpenID Connect for cryptographically protected token-based user authentication, JSON Web Tokens (JWT) as proof of authentication, usernames and passwords, and already existing X.509 certificates to provide cryptographically secure identities to users and devices. The profile uses a cryptographically secure user authentication session ID, generated by the target on presentation of a valid JWT by the user, to map between an authentication event and the messages sent by a user for CIP communications. The user authentication session ID is transmitted over EtherNet/IP using DTLS (Datagram Transport Layer Security) and a confidentiality-enabled cipher suite per CIP Security’s EtherNet/IP confidentiality profile.
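The flow described above (a valid JWT is presented, the target mints a session ID, later requests are mapped back to the user and checked against a fixed role policy), sketched as an added example that is not taken from the CIP Security specification or any ODVA code. HS256 with a shared key stands in for certificate-based signatures, the role names, claim names and service names are hypothetical, and the DTLS transport is out of scope.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumptions, not taken from the CIP Security specification: HS256 with a
# shared key stands in for certificate-based token signatures; the role names,
# the "role" claim and the service names are hypothetical.
KEY = b"constructed-demo-key"
ROLE_POLICY = {"engineer": {"read_param", "write_param"},   # fixed policy:
               "operator": {"read_param"}}                  # role -> services
SESSIONS = {}                          # session ID -> (user, role, expiry)

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_jwt(claims, key=KEY):
    """Constructed token issuer standing in for the authentication server."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}." + _b64(_sign(f"{head}.{body}", key))

def open_session(token, now=None):
    """Target side: verify the JWT, then mint an unguessable session ID."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64(head))["alg"] != "HS256":    # pin the algorithm
            return None
        if not hmac.compare_digest(_sign(f"{head}.{body}", KEY), _unb64(sig)):
            return None                                   # forged or altered
        claims = json.loads(_unb64(body))
        user, role, exp = claims["sub"], claims["role"], claims["exp"]
        if exp <= now or role not in ROLE_POLICY:
            return None                                   # expired or unknown role
    except (ValueError, KeyError, TypeError, AttributeError):
        return None                                       # malformed token
    sid = secrets.token_urlsafe(32)                       # 256 bits from the CSPRNG
    SESSIONS[sid] = (user, role, exp)
    return sid

def authorize(sid, service, now=None):
    """Map a request's session ID back to its user and apply the role policy."""
    now = time.time() if now is None else now
    user, role, exp = SESSIONS.get(sid, (None, None, 0))
    return role is not None and exp > now and service in ROLE_POLICY[role]
```

The session ID carries no claims of its own; it is only a random handle to the authentication event, which is why it has to stay confidential in transit.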
CIP Security already includes robust, proven, and open security technologies including TLS (Transport Layer Security) and DTLS (Datagram Transport Layer Security), cryptographic protocols used to provide secure transport of EtherNet/IP traffic; hashes or HMAC (keyed-Hash Message Authentication Code) as a cryptographic method of providing data integrity and message authentication to EtherNet/IP traffic; and encryption as a means of encoding messages or information in such a way as to prevent reading or viewing of EtherNet/IP data by unauthorized parties.
The new CIP User Authentication Profile provides user-level authentication for CIP communication at the application layer. In the future, CIP Security may make use of a CIP “authorization profile” that will enhance CIP to provide additional security properties such as general, flexible authorization where access policy can be based on any attribute of the user and/or system and a potential extension of CIP Security to support other non-EtherNet/IP networks.
ODVA 2021 strategic priorities
Beydoun discussed ODVA’s strategic priorities for 2021. He said they include:
- Execute strategy to expand the EtherNet/IP ecosystem and to support IIoT and Industry 4.0 initiatives.
- Continue to monitor emerging technologies in industrial automation and integrate into ODVA technologies where it makes sense.
- Collaborate with other organizations to expand and better address the challenges of tomorrow.
- Expand support for vendor development.
- Continue adaptation of EtherNet/IP to the Process Industries.
- Integration of Ethernet-APL into ODVA standards.
ODVA is actively engaged in industry-wide efforts to promote adoption of an Advanced Physical Layer (APL), known as Ethernet-APL for long-reach, single-pair Ethernet (SPE). Ethernet-APL will enable two-wire cable lengths up to 1,000 meters, reuse of existing infrastructure, and use in hazardous areas. These functions will fully open the process industry to the use of Ethernet.
ODVA is participating in a multivendor and multiprotocol APL demonstration along with FieldCommGroup, OPC Foundation, PI International, and 12 device manufacturers. The APL demonstration will be part of the 2021 ACHEMA event in Frankfurt, Germany, April 4-8, 2021.
For more information on Ethernet-APL, see ODVA’s whitepaper on the subject.