Expanding CIP Security with the CIP Authorization Profile

Technical Paper Abstract

Cyber security within Industrial Ethernet has exhibited rapid growth, with CIP Security and EtherNet/IP™ emerging as a leader. End users seek to take advantage of the features provided by the CIP Security Profiles today and the related open ecosystem. Benefits include data integrity and data confidentiality, device identity and authentication, and user authentication. These features are provided by Security Profiles as defined today and serve as a base for CIP Security devices. Over time, CIP Security has been extended with new optional Security Profiles targeting different applications and functionality.

Within this paper the idea of a new optional profile named “CIP Authorization Profile” is explored and evaluated. The CIP Security Authorization Profile will enhance CIP to provide additional security properties such as general, flexible authorization where access policy can be based on any attribute of the user and/or system. Concepts and open systems that might serve as a base for the CIP Authorization Profile are explored.

This paper will provide advanced insights regarding technology and requirements for the CIP Authorization Profile that will eventually be added to CIP Security. As the CIP Authorization Profile is officially developed within ODVA, it may deviate from the scenarios described in this paper. However, the general application of the CIP Authorization Profile can be understood from this paper.

Paper and presentation from the 2022 ODVA Industry Conference & 21st Annual Meeting

David Smith, Schneider Electric
Jack Visoky, Rockwell Automation
Joakim Wiberg, HMS Networks