ODVA Announces CIP Security Enhancements to Support Resource-constrained ETHERNET/IP Devices

CIP Security can now provide device authentication, a broad trust domain, device identity via Pre-Shared Keys (PSKs), device integrity, and data confidentiality for resource-constrained devices such as contactors and push-buttons.


On April 12, following the ODVA press conference, the organization announced three pieces of news: the extension of the EtherNet/IP network to in-cabinet resource-constrained devices, CIP Security enhancements for resource-constrained devices, and ODVA's move to inclusive network and device terminology.

Despite the progress brought about by Industry 4.0 and the Industrial Internet of Things (IIoT), a large portion of the installed nodes in automation applications are still not using Ethernet. Limitations including cost, size, and power have historically hindered EtherNet/IP from reaching the edge of the network. The recent integration of single pair Ethernet has opened the door to overcoming lower-level device constraints and ultimately to expanding the footprint of EtherNet/IP. Adding simpler devices to EtherNet/IP brings the benefits of additional remote diagnostics, asset information, and parameterization capability. The addition of more nodes to the network within the context of IT/OT convergence makes device-level security a fundamental need, ensuring that indispensable assets and people are protected from physical harm and monetary loss.
 
The new CIP Security specification has added a Resource-constrained CIP Security Profile in addition to the EtherNet/IP Confidentiality and the CIP User Authentication Profiles. The Resource-constrained CIP Security Profile is similar to the EtherNet/IP Confidentiality Profile, but is streamlined for resource-constrained devices. The same basic security aspects of endpoint authentication, data confidentiality, and data authenticity remain. Access policy information is also included to allow a more capable device, such as a gateway, to act as a proxy for user authentication and authorization on behalf of the resource-constrained device. Implementing CIP Security on resource-constrained devices requires only DTLS (Datagram Transport Layer Security) support rather than both DTLS and TLS (Transport Layer Security), because the profile is used only with low-overhead UDP communication.
 
"The continuous updating of CIP Security, including the recent addition of new security features for resource-constrained devices, provides EtherNet/IP devices an enhanced defensive posture to help protect against malicious industrial network intrusion", stated Jack Visoky, EtherNet/IP System Architecture Special Interest Group (SIG) vice-chair. "The availability of CIP Security across more portions of the EtherNet/IP network helps end users to better safeguard vital automation applications. The addition of CIP Security for resource constrained EtherNet/IP devices is an essential step in securing the edge", said Dr. Al Beydoun, President and Executive Director of ODVA.
 
The protections offered by CIP Security are now available for EtherNet/IP networks via a resource-constrained version of CIP Security that includes fewer mandatory features. This ensures that devices with the smallest power, size, and cost budgets can be secure and enjoy the communication and control advantages of being connected to an EtherNet/IP network. The latest CIP Security updates demonstrate the deep commitment of ODVA to maintain its position of device security leadership within the automation community. 


EtherNet/IP Network Extended to In-cabinet Resource-constrained Devices

 
In addition, ODVA announced that the EtherNet/IP Specification has been enhanced to allow vendors to bring the network to in-cabinet resource-constrained devices, including push buttons and contactors. Cost, size, and power restrictions have historically limited the use of EtherNet/IP at the edge, where many nodes are still hardwired. However, the continued decrease in the cost of semiconductor chips has enabled increased connectivity of simple devices, as evidenced by the rapid expansion of the Industrial Internet of Things (IIoT). The sustained, strong growth of EtherNet/IP combined with accelerating IT/OT convergence has made it possible to deploy EtherNet/IP within cabinets on lower-level automation devices such as contactors and push buttons.
 
The inclusion of resource-constrained devices within cabinets on an EtherNet/IP network is enabled by recently published enhancements to the EtherNet/IP Specification, including the physical layer In-Cabinet Profile for EtherNet/IP along with low-overhead, UDP-only resource-constrained EtherNet/IP communication. Resource requirements have been reduced via enhancements such as an IT-friendly LLDP node topology discovery mechanism, auto-commissioning support, and auto-device replacement support. Additionally, a specification for a new select line circuit facilitates the efficient delivery of system-wide sequential commands.
 
The EtherNet/IP in-cabinet bus solution reduces interface components through the use of single pair Ethernet (IEEE Std 802.3cg-2019 10BASE-T1S) and reduces node cost via multidrop cabling that spans a single cabinet with one interface per device and one switch port that supports many devices. Cost is further reduced via cables that combine network and control power to eliminate separate parallel runs. The select line for topology eliminates configuration switches by enabling discovery based on relative position and allows direct connection with programming tools during assembly for parameterization. Assembly time is lowered by eliminating most wire or cable preparation with insulation displacement (piercing) connectors. Nodes will also be replaceable with compatible nodes of the same type during normal system operation, without any engineering tools, in a plug-and-play manner.
 
"Expanding the connectivity of EtherNet/IP to include devices with the smallest physical footprint and most limited hardware resources opens up tremendous opportunity for further digital transformation within automation at the edge. The ability to obtain diagnostic, prognostic, and asset identity information remotely from more devices will further drive down incidents of unplanned downtime and improve the efficiency of existing assets", said Dr. Al Beydoun, President and Executive Director of ODVA. "The connection of resource-constrained devices to EtherNet/IP increases the value of existing networks for end users and reduces the need for secondary lower-level networks and associated gateways."
 
The extension of EtherNet/IP for in-cabinet resource-constrained devices will substantially increase the return on investment of adding the simplest in-panel devices to the digital network. This is made possible through reduced hardware requirements enabled by UDP-only EtherNet/IP communication, the use of single pair Ethernet, and shared in-cabinet external power and cabling. Adding low-level in-panel devices to the network brings the benefits of additional remote diagnostics, asset information and parameterization capability, automatic node topology discovery, and plug-and-play device replacement. The lowered cost and improved value of these devices, along with the ability to use one seamless network for both constrained and non-constrained devices, is a clear win for automation end users.

 
ODVA Updates Terminology in Specifications to Help Create a more Inclusive Industry
 

Finally, ODVA announced that the April 2021 publication of the DeviceNet® and ControlNet® Specifications has replaced the usage of the words 'master' and 'slave' within ODVA references. Developers of devices for ODVA networks will now use the words 'client' and 'server' (EtherNet/IP, including the integration of Modbus® devices), 'controller' and 'device' (DeviceNet), and 'system time supervisor' or 'active keeper' (ControlNet) to describe these functions. With the goal of eliminating terminology that is hurtful, these changes are the first in a series to update the entire library of ODVA specifications and documents to rectify the use of these terms.
 
"ODVA strives to be on the cutting edge of open, interoperable information and communication technologies in industrial and process automation", said Dr. Al Beydoun, President and Executive Director of ODVA. "ODVA's intentional movement toward inclusive and accurate language throughout its specifications is a positive step in ensuring that industrial automation is a first choice for all professionals."
 
As other organizations update the terminology in their publications, ODVA will update any normative references in the ODVA library of specifications. To obtain the April 2021 publication of any of the ODVA library of specifications and to learn more about the CIP Security enhancements, visit www.odva.org.

A graduate in political sciences and international relations in Paris, Anis joined the team in early 2019. Editor for IEN Europe and the new digital magazine AI IEN, he is a new tech enthusiast. He is also passionate about sports, music, cultures and languages.
