Advancing CIP Security to Anticipate and Manage Cybersecurity Threats


At Hannover Messe 2019, ODVA announced new enhancements to the CIP Security Specification to increase protection and efficiency and deliver advanced cyber security for industrial automation. Dr. Al Beydoun from ODVA tells us more.


Dr. Al Beydoun, President and Executive Director at ODVA

EtherNet/IP continues to evolve to meet the needs of users by expanding three key areas: applications, network connectivity and information access. The first round of specification enhancements for 2019 was announced at Hannover Messe and included key updates to the CIP Security technology. First published in 2015, the CIP Security specification features a pulling functionality, called the "Pull Model", which allows devices to actively request certificates, resulting in improved productivity. The latest edition of the CIP Security Specification continues the progression of the technology towards increased efficiency and security. Let's discover more with the help of Dr. Al Beydoun, President and Executive Director of ODVA.

IEN Europe: Going into detail, what’s the scope of the enhancement of the CIP Security Specification?

Dr. Beydoun: The April 2019 edition of the CIP Security Specification is a continuation of ODVA’s roadmap to advance the technology to increase efficiency with timeout responses, increase protection by allowing for a mandatory CIP Security connection for changes, and expand behaviors for certificate verification. These updates are addressing issues noted during vendor implementation and offer further flexibility for vendors using the CIP Security technology.


IEN Europe: Looking at the roadmap, what has changed from the initial CIP Security specification launched in 2015 up to now?

Dr. Beydoun: When CIP Security was first published in 2015, the initial publication focused on improving the security of EtherNet/IP-connected devices by adding support for device authentication, data integrity and data confidentiality. This was achieved by taking advantage of proven-in-use open security technologies to deliver these key security properties including X.509v3 Digital Certificates that are used to provide cryptographically secure identities to users and devices; TLS (Transport Layer Security) and DTLS (Datagram Transport Layer Security) cryptographic protocols used to provide secure transport of EtherNet/IP traffic; hashes or HMAC (keyed-Hash Message Authentication Code) as a cryptographic method of providing data integrity and message authenticity to EtherNet/IP traffic whilst keeping the delays and load on existing devices minimized; and data encryption as a means of encoding messages or information in such a way as to prevent reading or viewing of EtherNet/IP data by unauthorized parties when required.

A key enhancement after the initial publication was the publication of the "Pull Model." CIP Security now offers two models for initial configuration of certificates. The initial model was the Push Model, where the device is configured by a configuration tool simply as a server that reacts to the commands sent by the tool. The additional model, published in 2018, is the Pull Model, where the device actively attempts to find an EST (Enrollment over Secure Transport, defined in RFC 7030) server and requests a certificate from that server. The Pull Model is the default mechanism for obtaining a certificate. The addition of this functionality will help streamline the commissioning of devices and will ease the integration of IT and OT systems.
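The Pull Model exchange Dr. Beydoun describes, as an added illustration that is not ODVA's code and not part of the CIP Security specification: the device generates its own key, packages the public half in a PKCS#10 request, sends it to the EST simpleenroll endpoint, and keeps the returned certificate only if the CA it already trusts signed it. The plant CA, the device name, the function names and the `post` callback (standing in for the HTTPS round trip) are all assumptions of the example, and the server returns bare base64 DER where real EST returns a PKCS#7 certs-only structure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// newCA builds a throwaway plant CA that the device is provisioned to trust
// (constructed for this example only).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Plant CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(der)
	return ca, key
}

// estSimpleEnroll mimics the server side of RFC 7030 /.well-known/est/simpleenroll:
// body is a base64 PKCS#10 request; a CSR whose proof-of-possession signature fails
// is refused with an HTTP error body instead of a certificate.
func estSimpleEnroll(ca *x509.Certificate, caKey *ecdsa.PrivateKey, body string) string {
	der, _ := base64.StdEncoding.DecodeString(body)
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil || csr.CheckSignature() != nil {
		return "400 Bad Request: CSR rejected"
	}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	cert, _ := x509.CreateCertificate(rand.Reader, leaf, ca, csr.PublicKey, caKey)
	return base64.StdEncoding.EncodeToString(cert)
}

// pullEnroll is the device side of the Pull Model: generate a key, build a CSR, POST it
// via post (stands in for HTTPS), and keep the certificate only if the trusted CA signed it.
func pullEnroll(name string, ca *x509.Certificate, post func(string) string) (*x509.Certificate, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csr, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}, key)
	der, _ := base64.StdEncoding.DecodeString(post(base64.StdEncoding.EncodeToString(csr)))
	cert, err := x509.ParseCertificate(der) // an error reply or junk is not a certificate
	if err != nil {
		return nil, err
	}
	return cert, cert.CheckSignatureFrom(ca)
}
```

The private key never leaves the device; only the CSR and the issued certificate cross the network, which is what makes the model usable for unattended commissioning and device replacement.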

IEN Europe: Which kind of new industrial applications is it possible to address thanks to this latest update?

Dr. Beydoun: CIP Security is applicable anywhere EtherNet/IP is used. This means that any discrete, hybrid and process installations are able to take advantage of this technology especially as it relates to the integration of IT and OT systems. Other feature enhancements like the Pull Model will enable seamless commissioning and device replacement.

IEN Europe: What challenges still need to be solved to fulfill industrial cybersecurity?

Dr. Beydoun: The next stage of CIP Security development is to enable EtherNet/IP devices, and potentially other types of devices using CIP, to become autonomous and take responsibility for their own security and effectively securing themselves from attack. This includes addressing STRIDE threat types such as Repudiation, Denial of Service, and Elevation of Privilege. Ongoing development is underway in ODVA's technical working groups towards flexible user authentication and authorization.

IEN Europe: Do you think that a zero-threat scenario will be possible one day?

Dr. Beydoun: When it comes to security, we view it as a continuous effort to evolve and manage risks in the face of new types of threats and attacks. ODVA and its members will continue to proactively enhance and advance EtherNet/IP and CIP Security with the goal to anticipate and manage cybersecurity threats.

Posted on May 6, 2019