Advancing CIP Security to Anticipate and Manage Cybersecurity Threats


At Hannover Messe 2019, ODVA announced new enhancements to the CIP Security Specification to increase protection and efficiency and deliver advanced cyber security for industrial automation. Dr. Al Beydoun from ODVA tells us more.


Dr. Al Beydoun, President and Executive Director at ODVA

EtherNet/IP continues to evolve to meet the needs of users by expanding three key areas: applications, network connectivity and information access. The first round of specification enhancements for 2019 was announced at Hannover Messe and included key updates to the CIP Security technology. Published for the first time in 2015, the CIP Security specification features a pulling functionality, called the "Pull Model", which allows devices to actively request certificates, resulting in improved productivity. The latest edition of the CIP Security Specification continues the progression of the technology towards increased efficiency and security. Let's discover more with the help of Dr. Al Beydoun, President and Executive Director of ODVA.

IEN Europe: Going into detail, what’s the scope of the enhancement of the CIP Security Specification?

Dr. Beydoun: The April 2019 edition of the CIP Security Specification is a continuation of ODVA’s roadmap to advance the technology to increase efficiency with timeout responses, increase protection by allowing for a mandatory CIP Security connection for changes, and expand behaviors for certificate verification. These updates are addressing issues noted during vendor implementation and offer further flexibility for vendors using the CIP Security technology.


IEN Europe: Looking at the roadmap, what has changed from the initial CIP Security specification launched in 2015 up to now?

Dr. Beydoun: When CIP Security was first published in 2015, the initial publication focused on improving the security of EtherNet/IP-connected devices by adding support for device authentication, data integrity and data confidentiality. This was achieved by taking advantage of proven-in-use open security technologies to deliver these key security properties, including X.509v3 Digital Certificates that are used to provide cryptographically secure identities to users and devices; TLS (Transport Layer Security) and DTLS (Datagram Transport Layer Security) cryptographic protocols used to provide secure transport of EtherNet/IP traffic; hashes or HMAC (keyed-Hash Message Authentication Code) as a cryptographic method of providing data integrity and message authenticity to EtherNet/IP traffic whilst keeping the delays and load on existing devices minimized; and data encryption as a means of encoding messages or information in such a way as to prevent reading or viewing of EtherNet/IP data by unauthorized parties when required.

A key enhancement after the initial publication was the publication of the "Pull Model." CIP Security now offers two models for initial configuration of certificates. The initial model was the Push Model, where the device is configured by a configuration tool simply as a server that reacts to the commands sent by the tool. The additional model, published in 2018, is the Pull Model, where the device actively attempts to find an EST (Enrollment over Secure Transport, defined in RFC 7030) server and requests a certificate from that server. The Pull Model is the default mechanism for obtaining a certificate. The addition of this functionality will help streamline the commissioning of devices and will ease the integration of IT and OT systems.

IEN Europe: Which kinds of new industrial applications is it possible to address thanks to this latest update?

Dr. Beydoun: CIP Security is applicable anywhere EtherNet/IP is used. This means that any discrete, hybrid or process installation is able to take advantage of this technology, especially as it relates to the integration of IT and OT systems. Other feature enhancements like the Pull Model will enable seamless commissioning and device replacement.

IEN Europe: What challenges still need to be solved to fulfill industrial cybersecurity?

Dr. Beydoun: The next stage of CIP Security development is to enable EtherNet/IP devices, and potentially other types of devices using CIP, to become autonomous, take responsibility for their own security and effectively secure themselves from attack. This includes addressing STRIDE threat types such as Repudiation, Denial of Service, and Elevation of Privilege. Ongoing development is underway in ODVA's technical working groups towards flexible user authentication and authorization.

IEN Europe: Do you think that a zero-threat scenario will be possible one day?

Dr. Beydoun: When it comes to security, we view it as a continuous effort to evolve and manage risks in the face of new types of threats and attacks. ODVA and its members will continue to proactively enhance and advance EtherNet/IP and CIP Security with the goal to anticipate and manage cybersecurity threats. 
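The interview above lists HMAC as the mechanism CIP Security uses to give EtherNet/IP traffic data integrity and message authenticity at low cost. The following is an added illustration by the editor, not ODVA code and not the actual CIP Security frame format: it shows the general pattern of a keyed-hash tag over a sequence-numbered message, verified with a constant-time comparison on the receiving side, so that a modified or replayed frame is rejected. The session key, the 16-byte truncated tag length, the 4-byte big-endian sequence header and the payload bytes are all constructed assumptions for the example.

```python
import hashlib
import hmac
import struct

# Constructed sample key standing in for a per-session key that, in a real
# deployment, would come from the TLS/DTLS session rather than a literal.
SESSION_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)

SEQ_LEN = 4    # assumption: 4-byte big-endian sequence number header
TAG_LEN = 16   # assumption: HMAC-SHA256 truncated to 128 bits


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build seq || payload || tag, with the tag covering seq and payload.

    Covering the sequence number means a captured frame cannot simply be
    replayed or reordered: the receiver checks the number it expects.
    """
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


def verify(key: bytes, frame: bytes, expected_seq: int):
    """Return (ok, payload). ok is False on a short frame, a bad tag or an
    unexpected sequence number; payload is empty whenever ok is False."""
    if len(frame) < SEQ_LEN + TAG_LEN:
        return False, b""
    header = frame[:SEQ_LEN]
    body = frame[SEQ_LEN:-TAG_LEN]
    tag = frame[-TAG_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    # Constant-time comparison so tag bytes do not leak through timing.
    if not hmac.compare_digest(tag, expected):
        return False, b""
    (seq,) = struct.unpack(">I", header)
    if seq != expected_seq:
        return False, b""
    return True, body


def demo():
    """Exercise the three cases: genuine frame, tampered frame, replayed frame."""
    payload = b"\x01\x02SET_OUTPUT=1"  # constructed stand-in for a CIP payload
    frame = protect(SESSION_KEY, 7, payload)

    ok_genuine, body = verify(SESSION_KEY, frame, 7)

    tampered = bytearray(frame)
    tampered[SEQ_LEN + 2] ^= 0x01          # flip one bit inside the payload
    ok_tampered, _ = verify(SESSION_KEY, bytes(tampered), 7)

    # Same frame presented again after the receiver has moved on to seq 8.
    ok_replayed, _ = verify(SESSION_KEY, frame, 8)

    return ok_genuine, body, ok_tampered, ok_replayed


if __name__ == "__main__":
    print(demo())  # (True, b'\x01\x02SET_OUTPUT=1', False, False)
```

The receiver checks the tag before it looks at the sequence number, so an attacker without the key cannot steer the receiver's state with forged headers; truncating the tag is a bandwidth choice that the device's risk assessment has to justify.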
 

Posted on May 6, 2019