EtherNet/IP continues to evolve to meet the needs of users by expanding 3 key areas: Applications; Network connectivity and Information access. The first round of specification enhancements for 2019, was announced at Hannover Messe and included key updates to the CIP Security technology. Published for the first time in 2015, the CIP Security specification features a pulling functionality, called the ‘’Pull Model’’, which allows devices to actively request certificates, resulting in improved productivity. The latest edition of the CIP Security Specification continues the progression of the technology towards increased efficiency and security. Let’s discover more with the help of Dr. Al Beydoun, President and Executive Director of ODVA.
IEN Europe: Going into detail, what’s the scope of the enhancement of the CIP Security Specification?
Dr. Beydoun: The April 2019 edition of the CIP Security Specification is a continuation of ODVA’s roadmap to advance the technology to increase efficiency with timeout responses, increase protection by allowing for a mandatory CIP Security connection for changes, and expand behaviors for certificate verification. These updates are addressing issues noted during vendor implementation and offer further flexibility for vendors using the CIP Security technology.
IEN Europe: Looking at the roadmap, what has changed from the initial CIP Security specification launched in 2015 up to now?
Dr. Beydoun: When CIP Security was first published in 2015, the initial publication focused on improving the security of EtherNet/IP-connected devices by adding support for device authentication, data integrity and data confidentiality. This was achieved by taking advantage of proven-in-use open security technologies to deliver these key security properties including X.509v3 Digital Certificates that are used to provide cryptographically secure identities to users and devices; TLS (Transport Layer Security) and DTLS (Datagram Transport Layer Security) cryptographic protocols used to provide secure transport of EtherNet/IP traffic; hashes or HMAC (keyed-Hash Message Authentication Code) as a cryptographic method of providing data integrity and message authenticity to EtherNet/IP traffic whilst keeping the delays and load on existing devices minimized; and data encryption as a means of encoding messages or information in such a way as to prevent reading or viewing of EtherNet/IP data by unauthorized parties when required.
A key enhancement after the initial publication was the publication of the “Pull Model.” CIP Security now offers two models for initial configuration of certificates. The initial model was the Push Model, where the device is configured by a configuration tool simply as a server that reacts to the commands sent by the tool. The additional model, published in 2018, is the Pull Model, where the device actively attempts to find an EST (Enrollment over Secure Transport, defined in RFC 7030) server and requests a certificate from that server. The Pull Model is the default mechanism for obtaining a certificate. The addition of this functionality will help streamline the commissioning of devices and will ease the integration of IT and OT systems.
IEN Europe: Which kind of new industrial applications is it possible to address thanks to this latest update?
Dr. Beydoun: CIP Security is applicable anywhere EtherNet/IP is used. This means that any discrete, hybrid and process installations are able to take advantage of this technology especially as it relates to the integration of IT and OT systems. Other feature enhancements like the Pull Model will enable seamless commissioning and device replacement.
IEN Europe: What challenges still need to be solved to fulfill industrial cybersecurity?
Dr. Beydoun: The next stage of CIP Security development is to enable EtherNet/IP devices, and potential other types of devices using CIP, to become autonomous and take responsibility for their own security and effectively securing themselves from attack. This includes addressing STRIDE threat types such as Repudiation, Denial of Service, and Elevation of Privilege. Ongoing development is underway in ODVA’s technical working groups towards flexible user authentication and authorization.
IEN Europe: Do you think that a zero-threat scenario will be possible one day?
Dr. Beydoun: When it comes to security, we view it as a continuous effort to evolve and manage risks in the face of new types of threats and attacks. ODVA and its members will continue to proactively enhance and advance EtherNet/IP and CIP Security with the goal to anticipate and manage cybersecurity threats.