CIP Security™

CIP Security™ for EtherNet/IP™ Devices: Industrial Cybersecurity Solutions

CIP Security is a cybersecurity solution designed to protect CIP and EtherNet/IP devices from attack. It enables secure communication, authentication, and protection, which helps industrial organizations implement cybersecurity measures to safeguard critical systems and operations.

Industrial cybersecurity drivers

The ODVA cybersecurity approach follows a defense-in-depth architecture by providing guidance and technologies to strengthen industrial systems from top to bottom. CIP Security focuses primarily on EtherNet/IP devices and is designed for use in devices where the risk to life, property, and operations is the most critical. This means that CIP Security can be deployed in only those zones where workers could potentially be hurt by motion equipment, in devices that could reveal product recipes or manufacturing process secrets, or in lines that could cause great environmental damage.

As IT and OT convergence accelerates and more infrastructure and automation systems get connected to the internet as part of the Industrial Internet of Things (IIoT) and Industry 4.0, CIP Security is more critical than ever. A strong defense-in-depth cybersecurity architecture relies on multiple layers of protection. Every connected device must be capable of protecting itself, which is why CIP Security secures the device level. Even if one layer is compromised, the others continue to protect the system, which slows down attackers and reduces the impact of a breach.

  • Reduce cybersecurity risks
  • Protect critical infrastructure and connected devices at scale
  • Maintain operational continuity
  • Adhere to cybersecurity regulations including IEC 62443 and the EU Cyber Resilience Act (CRA)

As industrial systems become more connected, cyber risks increase. CIP Security helps organizations to protect valuable investments and production of essential products around the world from bad actors.

How CIP Security works

The goal of CIP Security is to enable the CIP-connected device to protect itself from malicious communications. Devices enabled with CIP Security ensure:

  • Integrity – data cannot be altered without detection
  • Authenticity – only trusted users and devices can send messages
  • Authorization – only approved actions are allowed

CIP Security uses Security Profiles to ensure specific devices are equipped with the appropriate security features. These well-defined capabilities are used to facilitate device interoperability and end-user selection of devices. Security Profiles include:

  • EtherNet/IP Confidentiality Profile – secures communication between EtherNet/IP endpoints to assure data integrity and confidentiality.
  • CIP User Authentication Profile – adds user-level authentication for CIP communication.
  • Resource-Constrained CIP Security Profile – provides a lightweight version of the protections afforded by other CIP Security Profiles, built specifically for resource-constrained devices.
  • Pull Model Profile – enables secure, automated

Key cybersecurity capabilities

CIP Security leverages trusted industry-standard protocols, including the IETF-standard TLS (RFC 5246) and DTLS (RFC 6347) protocols, to provide a secure transport for EtherNet/IP traffic. This is analogous to the way that HTTP uses TLS for HTTPS.

  • TLS is used for the TCP-based communications (including encapsulation layer, UCMM, transport class 3).
  • DTLS is used for the UDP-based transport class 0/1 communications.

The secure EtherNet/IP transport provides the following security attributes:

  • Device authentication – ensures both the sender and receiver are trusted using X.509 certificates or pre-shared keys. Certificate enrollment can be done directly by the device for easier commissioning.
  • Message integrity and authentication – confirms messages haven’t been altered in transit using the TLS message authentication code (HMAC).
  • Confidentiality via message encryption (optional) – encrypts communications using the encryption algorithm that is negotiated via the TLS handshake.
  • Trust domain options – supports a broad trust domain across a group of devices or a narrow trust domain by user and role.
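
Because authentication method, integrity mechanism, and the optional encryption are all fixed by the cipher suite negotiated in the TLS or DTLS handshake, they can be audited from the suite name alone. The following Python is an added example, not ODVA code or part of the CIP Security specification: it classifies IANA TLS 1.2 suite names by those three attributes and flags sessions against a site policy. The device names, session list, and policy are constructed assumptions.

```python
# Added example, not ODVA code. Suite names are real IANA TLS 1.2 names; the
# session list and device names are constructed sample data.
import re

SUITE_RE = re.compile(r"^TLS_(?P<kx>.+)_WITH_(?P<rest>.+)$")
AEAD_RE = re.compile(r"GCM|CCM|POLY1305")

def classify_suite(name):
    """Map a cipher-suite name to the transport attributes listed above."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"not a TLS 1.2 style suite name: {name!r}")
    kx_tokens = m.group("kx").split("_")
    rest = m.group("rest")
    if "PSK" in kx_tokens:
        auth = "pre-shared key"
    elif "anon" in kx_tokens:
        auth = "none"
    else:
        auth = "X.509 certificate"
    if AEAD_RE.search(rest):
        # AEAD suites encrypt and authenticate in one step; no separate HMAC.
        return {"auth": auth, "integrity": "AEAD tag", "encrypted": True}
    cipher, _, mac = rest.rpartition("_")
    mac = "SHA1" if mac == "SHA" else mac
    return {"auth": auth, "integrity": f"HMAC-{mac}", "encrypted": cipher != "NULL"}

def audit(sessions, confidential_devices):
    """Return (device, problem) pairs for sessions that miss the policy."""
    findings = []
    for device, suite in sessions:
        attrs = classify_suite(suite)
        if attrs["auth"] == "none":
            findings.append((device, "peer not authenticated"))
        if device in confidential_devices and not attrs["encrypted"]:
            findings.append((device, "integrity-only suite on confidential device"))
    return findings

# Constructed sample: negotiated suite per device, as a TLS-aware monitor might log it.
SESSIONS = [
    ("drive-01", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"),
    ("recipe-plc", "TLS_ECDHE_ECDSA_WITH_NULL_SHA"),
    ("sensor-07", "TLS_ECDHE_PSK_WITH_NULL_SHA256"),
    ("legacy-hmi", "TLS_ECDH_anon_WITH_AES_128_CBC_SHA"),
]

if __name__ == "__main__":
    for finding in audit(SESSIONS, confidential_devices={"recipe-plc"}):
        print(finding)
```

An integrity-only (NULL cipher) suite still authenticates the peer and detects tampering; the audit flags it only for devices the policy marks as carrying confidential data.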

User authentication within CIP Security uses OpenID Connect, a widely adopted authentication technology used across IT and Internet environments. Besides integrating with an OpenID Connect Identity Provider, user authentication can also be managed completely within a device for smaller scale systems. The User Authentication Profile provides user level authentication. This creates a fixed user access policy based on well-defined roles and basic authorization via both local and central user authentication. With authentication flexibility via a device or through a central server, CIP Security allows for simplicity in smaller, simple systems and efficiency in large, complicated installations.

The industrial cybersecurity landscape is changing fast. The goal is to allow vendors to build interoperable EtherNet/IP devices that can defend themselves, the communications between them, and communications with third parties. For more detailed information on CIP Security, access our whitepaper.

Go Deeper with CIP Security Training

Virtual live or on-demand, self-paced options

ODVA offers a free virtual online Introduction to CIP Security training course for product developers and end users interested in learning more about CIP Security. This course is available in both live (2x/year) and on-demand formats.