Advancing CIP Security to Anticipate and Manage Cybersecurity Threats


At Hannover Messe 2019, ODVA announced new enhancements to the CIP Security Specification to increase protection and efficiency and deliver advanced cyber security for industrial automation. Dr. Al Beydoun from ODVA tells us more.


Dr. Al Beydoun, President and Executive Director at ODVA

EtherNet/IP continues to evolve to meet the needs of users by expanding three key areas: applications, network connectivity and information access. The first round of specification enhancements for 2019 was announced at Hannover Messe and included key updates to the CIP Security technology. First published in 2015, the CIP Security specification features a pull functionality, called the "Pull Model", which allows devices to actively request certificates, resulting in improved productivity. The latest edition of the CIP Security Specification continues the progression of the technology towards increased efficiency and security. Let’s discover more with the help of Dr. Al Beydoun, President and Executive Director of ODVA.

IEN Europe: Going into detail, what’s the scope of the enhancement of the CIP Security Specification?

Dr. Beydoun: The April 2019 edition of the CIP Security Specification is a continuation of ODVA’s roadmap to advance the technology to increase efficiency with timeout responses, increase protection by allowing for a mandatory CIP Security connection for changes, and expand behaviors for certificate verification. These updates are addressing issues noted during vendor implementation and offer further flexibility for vendors using the CIP Security technology.


IEN Europe: Looking at the roadmap, what has changed from the initial CIP Security specification launched in 2015 up to now?

Dr. Beydoun: When CIP Security was first published in 2015, the initial publication focused on improving the security of EtherNet/IP-connected devices by adding support for device authentication, data integrity and data confidentiality. This was achieved by taking advantage of proven-in-use open security technologies to deliver these key security properties including X.509v3 Digital Certificates that are used to provide cryptographically secure identities to users and devices; TLS (Transport Layer Security) and DTLS (Datagram Transport Layer Security) cryptographic protocols used to provide secure transport of EtherNet/IP traffic; hashes or HMAC (keyed-Hash Message Authentication Code) as a cryptographic method of providing data integrity and message authenticity to EtherNet/IP traffic whilst keeping the delays and load on existing devices minimized; and data encryption as a means of encoding messages or information in such a way as to prevent reading or viewing of EtherNet/IP data by unauthorized parties when required.

A key enhancement after the initial publication was the publication of the “Pull Model.” CIP Security now offers two models for initial configuration of certificates. The initial model was the Push Model, where the device is configured by a configuration tool simply as a server that reacts to the commands sent by the tool. The additional model, published in 2018, is the Pull Model, where the device actively attempts to find an EST (Enrollment over Secure Transport, defined in RFC 7030) server and requests a certificate from that server. The Pull Model is the default mechanism for obtaining a certificate. The addition of this functionality will help streamline the commissioning of devices and will ease the integration of IT and OT systems.

IEN Europe: Which kind of new industrial applications is it possible to address thanks to this latest update?

Dr. Beydoun: CIP Security is applicable anywhere EtherNet/IP is used. This means that any discrete, hybrid and process installations are able to take advantage of this technology especially as it relates to the integration of IT and OT systems. Other feature enhancements like the Pull Model will enable seamless commissioning and device replacement.

IEN Europe: What challenges still need to be solved to fulfill industrial cybersecurity?

Dr. Beydoun: The next stage of CIP Security development is to enable EtherNet/IP devices, and potential other types of devices using CIP, to become autonomous and take responsibility for their own security and effectively securing themselves from attack. This includes addressing STRIDE threat types such as Repudiation, Denial of Service, and Elevation of Privilege. Ongoing development is underway in ODVA’s technical working groups towards flexible user authentication and authorization.

IEN Europe: Do you think that a zero-threat scenario will be possible one day?

Dr. Beydoun: When it comes to security, we view it as a continuous effort to evolve and manage risks in the face of new types of threats and attacks. ODVA and its members will continue to proactively enhance and advance EtherNet/IP and CIP Security with the goal to anticipate and manage cybersecurity threats. 
 

Posted on May 6, 2019