CIP Security™ encompasses security-related requirements and capabilities for CIP devices, specifically EtherNet/IP™ devices.
Control system security has historically been addressed by adoption of a defense-in-depth security architecture, which has been recommended for many years. This architecture is based on the idea that multiple layers of security are more resilient to attack. The expectation is that any one outer layer could be compromised at some point in time while the automation devices at the innermost layer would remain secure.
However, as IT/OT convergence accelerates and attackers become more sophisticated, it is more important for the CIP-connected device — the final layer of defense — to defend itself. Consider the situation where a piece of malware is, unknown to control system personnel, delivered to a compromised PC via USB drive. The malware could contain code to issue malicious CIP services to devices. However, if the device were able to reject such services from untrusted sources, the threat would be mitigated.
The goal of CIP Security is to enable the CIP-connected device to protect itself from malicious CIP communications. A fully self-defending CIP device would be able to:
- Reject data that has been altered (integrity)
- Reject messages sent by untrusted people or untrusted devices (authenticity)
- Reject messages that request actions that are not allowed (authorization)
Recognizing that every CIP device does not need to provide the same level of support for all defined security features, CIP Security defines the notion of a Security Profile. A Security Profile is a set of well-defined capabilities to facilitate device interoperability and end-user selection of devices with the appropriate security capability.
CIP Security for EtherNet/IP devices makes use of the IETF-standard TLS (RFC 5246) and DTLS (RFC 6347) protocols in order to provide a secure transport for EtherNet/IP traffic. TLS is used for the TCP-based communications (including encapsulation layer, UCMM, transport class 3), and DTLS for the UDP-based transport class 0/1 communications. This approach is analogous to the way that HTTP uses TLS for HTTPS.
The secure EtherNet/IP transport provides the following security attributes:
- Authentication of the endpoints — ensuring that the target and originator are both trusted entities. Endpoint authentication is accomplished using X.509 certificates or pre-shared keys.
- Message integrity and authentication — ensuring that the message was sent by the trusted endpoint and was not modified in transit. Message integrity and authentication are accomplished via the TLS message authentication code (HMAC).
- Message encryption — optional capability to encrypt the communications, provided by the encryption algorithm that is negotiated via the TLS handshake.
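The following is an added illustration, not code from the CIP Security specification or from ODVA: it models the three checks listed earlier (integrity, authenticity, authorization) on the device side, using a pre-shared key and an HMAC as the authentication mechanism mentioned above. It deliberately simplifies the real design, where TLS/DTLS supplies integrity and authenticity at the transport layer rather than a per-message tag; the peer names, keys and authorization policy are constructed, while the service codes are real CIP common service codes.

```python
import hmac
import hashlib
import struct

# Constructed pre-shared keys, one per trusted peer (identity -> key).
TRUSTED_PEERS = {
    "hmi-01": b"constructed-psk-for-hmi-01",
    "eng-ws": b"constructed-psk-for-eng-ws",
}

# Authorization policy: which CIP common service codes each peer may invoke.
# The service codes are real CIP common services; the policy is constructed.
GET_ATTRIBUTE_SINGLE, SET_ATTRIBUTE_SINGLE, RESET = 0x0E, 0x10, 0x05
ALLOWED_SERVICES = {
    "hmi-01": {GET_ATTRIBUTE_SINGLE},
    "eng-ws": {GET_ATTRIBUTE_SINGLE, SET_ATTRIBUTE_SINGLE, RESET},
}


def build_message(peer, key, service, payload):
    """Peer side: service byte + payload, tagged with an HMAC under its PSK."""
    body = struct.pack("B", service) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return peer, body, tag


def device_accepts(peer, body, tag):
    """Device side: apply the three checks in order, return (accepted, reason)."""
    key = TRUSTED_PEERS.get(peer)
    if key is None:
        # Authenticity: sender is not a known, trusted peer.
        return False, "untrusted peer"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        # Integrity/authenticity: message altered in transit or tag forged
        # without the peer's key.
        return False, "integrity check failed"
    service = body[0]
    if service not in ALLOWED_SERVICES[peer]:
        # Authorization: peer is trusted, but this action is not allowed for it.
        return False, "service 0x%02X not authorized for %s" % (service, peer)
    return True, "ok"
```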
The initial CIP Security specification was published in 2015, providing vendors with the ability to improve the security of EtherNet/IP-connected devices by adding support for device authentication, data integrity, and data confidentiality.
In 2019, CIP Security was enhanced to allow:
- Devices to perform certificate enrollment directly for easier initial commissioning
- Increased efficiency with timeout responses
- Improved protection by allowing for a mandatory CIP Security connection for changes
- Expanded behaviors for certificate verification
Work on the next phase of development of CIP Security is underway, which will add support for user authentication, non-repudiation, and device authorization.
The ultimate roadmap for CIP Security development is to enable EtherNet/IP devices to become autonomous, taking responsibility for their own security and effectively securing themselves from attack.