Automatic CIP Security via Pull Policy

Technical Paper Abstract

The CIP Security Pull Model Profile offers a major benefit: a device can automatically discover a certificate enrollment server and request a certificate for secure communication. However, secure communication with CIP Security requires configuration beyond the certificate alone. Additional value could be realized by defining a mechanism through which a device requests not just a certificate but also the associated configuration needed to enable CIP Security, including allowed cipher suites, trust anchors, certificate revocation lists, and similar settings. One benefit would be seamless device replacement: a replacement device could automatically discover a security configuration server and request everything it needs for CIP Security. This would also allow devices to operate in network architectures where a configuration tool cannot reach the device, such as a NAT deployment with the device on the private network and the configuration tool on the public network. This session will explore use cases and requirements for such a feature, as well as potential technology choices.

Paper and presentation from the 2023 ODVA Industry Conference & 22nd Annual Meeting

Joakim Wiberg, HMS Networks
David Smith, Schneider Electric
Jack Visoky, Rockwell Automation