CIP Security

CIP Security™ includes the definition of security-related requirements and capabilities for CIP devices, specifically EtherNet/IP devices. It is currently under development.

Control system security has typically been addressed by adopting a defense-in-depth security architecture, which has been recommended for many years. This architecture is based on the idea that multiple layers of security would be more resilient to attack. The expectation is that any one layer could be compromised at some point in time while the automation devices at the innermost layer would remain secure.

However, as attackers become more sophisticated, it becomes more important for the CIP-connected device — the final layer of defense — to defend itself. Consider the situation where a piece of malware is, unknown to control system personnel, delivered to a compromised PC via USB drive. The malware could contain code to issue malicious CIP services to devices. However, if the device were able to reject such services from untrusted sources, the threat would be mitigated.

The goal of CIP Security is to enable the CIP-connected device to protect itself from malicious CIP communications. A fully self-defending CIP device would be able to:

  • Reject data that has been altered (integrity)
  • Reject messages sent by untrusted people or untrusted devices (authenticity)
  • Reject messages that request actions that are not allowed (authorization)

Recognizing that every CIP device does not need to provide the same level of support for all defined security features, CIP Security defines the notion of a Security Profile. A Security Profile is a set of well-defined capabilities to facilitate device interoperability and end-user selection of devices with the appropriate security capability.

CIP Security for EtherNet/IP devices makes use of the IETF-standard TLS (RFC 5246) and DTLS (RFC 6347) protocols in order to provide a secure transport for EtherNet/IP traffic. TLS is used for the TCP-based communications (including encapsulation layer, UCMM, transport class 3), and DTLS for the UDP-based transport class 0/1 communications. This approach is analogous to the way that HTTP uses TLS for HTTPS.

The secure EtherNet/IP transport provides the following security attributes:

  • Authentication of the endpoints — ensuring that the target and originator are both trusted entities. Endpoint authentication is accomplished using X.509 certificates or pre-shared keys.
  • Message integrity and authentication — ensuring that the message was sent by the trusted endpoint and was not modified in transit. Message integrity and authentication is accomplished via the TLS message authentication code (HMAC).
  • Message encryption — optional capability to encrypt the communications, provided by the encryption algorithm that is negotiated via the TLS handshake. 
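
The following is an added example, not taken from the CIP Security specification or any ODVA code: it computes the record MAC that RFC 5246 (section 6.2.3.1) defines for HMAC-based cipher suites over a constructed EtherNet/IP RegisterSession frame and shows the receiver rejecting an altered or replayed record. Assumptions: HMAC-SHA256 as the MAC algorithm, a constructed key in place of one derived from the handshake, no encryption step, and illustrative function names.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23   # TLS ContentType application_data
TLS_1_2 = (3, 3)        # ProtocolVersion major, minor for TLS 1.2
TAG_LEN = 32            # HMAC-SHA256 output size (assumed MAC algorithm)

def record_mac(mac_key, seq_num, fragment, content_type=APPLICATION_DATA):
    """MAC over seq_num || type || version || length || fragment (RFC 5246 6.2.3.1)."""
    pseudo_header = struct.pack("!QBBBH", seq_num, content_type, *TLS_1_2, len(fragment))
    return hmac.new(mac_key, pseudo_header + fragment, hashlib.sha256).digest()

def protect(mac_key, seq_num, fragment):
    """Sender: append the MAC to the fragment (encryption step left out)."""
    return fragment + record_mac(mac_key, seq_num, fragment)

def accept(mac_key, expected_seq, protected):
    """Receiver: return the fragment if the MAC verifies, otherwise None."""
    if len(protected) < TAG_LEN:
        return None
    fragment, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    expected = record_mac(mac_key, expected_seq, fragment)
    return fragment if hmac.compare_digest(tag, expected) else None

def register_session_frame():
    """Constructed sample: EtherNet/IP encapsulation RegisterSession request."""
    # command, length, session handle, status, sender context, options
    header = struct.pack("<HHII8sI", 0x0065, 4, 0, 0, b"\x00" * 8, 0)
    return header + struct.pack("<HH", 1, 0)  # protocol version 1, option flags 0

if __name__ == "__main__":
    key = bytes(range(32))  # constructed key; TLS derives the real one in the handshake
    frame = register_session_frame()
    record = protect(key, 0, frame)
    altered = bytes([record[0] ^ 0x01]) + record[1:]
    print("intact  :", accept(key, 0, record) == frame)
    print("altered :", accept(key, 0, altered))
    print("replayed:", accept(key, 1, record))
```

Because the sequence number is part of the MAC input, a record captured at one position in the stream does not verify at another, so the same check covers both modification and replay within a session.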

In November 2015, the first edition of CIP Security was published as volume eight of The EtherNet/IP Specification.