CIP Security™ encompasses security-related requirements and capabilities for CIP™ devices, specifically EtherNet/IP™ devices.
A defense-in-depth security architecture is an important part of control system security. This architecture is based on the idea that multiple layers of security are more resilient to attack. The expectation is that one or more layers could be compromised while the remaining layers can still provide protection. The multiple defensive layers can slow down an attacker enough to allow them to be stopped or can lead the bad actor to abandon the intrusion in favor of an easier target.
As IT/OT convergence accelerates and attackers become more sophisticated, it is more important than ever for the CIP-connected device — the final layer of defense — to defend itself. Consider the situation where a piece of malware is, unknown to control system personnel, delivered to a compromised PC via USB drive. The malware could contain code to issue malicious CIP services to devices. However, if the device were able to reject such services from untrusted sources, the threat would be mitigated. Device level security is a building block requirement of IIoT to protect critical assets and people from potential physical and increasingly likely financial harm.
The goal of CIP Security is to enable the CIP-connected device to protect itself from malicious CIP communications. Devices enabled with CIP Security can:
- Reject data that has been altered (integrity)
- Reject messages sent by untrusted people or untrusted devices (authenticity)
- Reject messages that request actions that are not allowed (authorization)
Recognizing that every CIP device does not need to provide the same level of support for all defined security features, CIP Security defines the notion of a Security Profile. A Security Profile is a set of well-defined capabilities to facilitate device interoperability and end-user selection of devices with the appropriate security capability.
- The EtherNet/IP Confidentiality Profile provides secure communication between EtherNet/IP endpoints to assure data integrity and confidentiality.
- The CIP User Authentication Profile provides user-level authentication for CIP communication.
- The Resource-Constrained CIP Security Profile provides a lightweight version of the protections afforded by other CIP Security Profiles, but is built specifically for resource-constrained devices.
- The Pull Model Profile allows for automatic and secure provisioning of certificate-based credentials to devices.
CIP Security for EtherNet/IP devices makes use of the IETF-standard TLS (RFC 5246) and DTLS (RFC 6347) protocols in order to provide a secure transport for EtherNet/IP traffic. TLS is used for the TCP-based communications (including encapsulation layer, UCMM, transport class 3), and DTLS for the UDP-based transport class 0/1 communications. This approach is analogous to the way that HTTP uses TLS for HTTPS. The secure EtherNet/IP transport provides the following security attributes:
- Authentication of the endpoints (devices) — ensuring that the target and originator are both trusted entities. End point authentication is accomplished using X.509 certificates or pre-shared keys. Certificate enrollment can be done directly by the device for easier commissioning.
- Message integrity and authentication — ensuring that the message was sent by the trusted endpoint and was not modified in transit. Message integrity and authentication is accomplished via TLS message authentication code (HMAC).
- Confidentiality via message encryption — optional capability to encrypt the communications, provided by the encryption algorithm that is negotiated via the TLS handshake.
- Trust domain options — A broad trust domain across a group of devices or a narrow trust domain by user and role.
User authentication within CIP Security uses OpenID Connect, a common and robust technology for user authentication deployed in many IT and Internet environments. Besides integrating with an OpenID Connect Identity Provider, user authentication can also be managed completely within a device for smaller scale systems which don’t need to integrate with a centralized identity provider. The User Authentication Profile provides:
- User level authentication — A fixed user access policy based on well-defined roles and basic authorization via both local and central user authentication. CIP Security’s ability to authenticate via the device or through a central server allows for simplicity in smaller, simple systems and efficiency in large, complicated installations.
CIP Security is designed as an effective deterrence to malicious cyber attackers who are looking for targets to disrupt plant operations. With more infrastructure and automation systems becoming connected to the internet as a part of IIoT and Industry 4.0, CIP Security is more critical than ever before to protect valuable investments and production of essential products around the world from bad actors.
The ultimate roadmap for CIP Security development is to enable EtherNet/IP devices to become autonomous, taking responsibility for their own security and effectively securing themselves from attack.