Industry News, May 27, 2019
ODVA expands CIP security for improved productivity
The goal of cybersecurity enhancements to EtherNet/IP is to extend the CIP security defense-in-depth architecture to network communications with and between ICS systems, and also edge devices.
Key updates to CIP Security technology are included in enhancements to The EtherNet/IP Specification, part of the first round of specification enhancements ODVA has released for its technologies in 2019. ODVA’s biannual update of its network specifications helps end-users and OEMs address an ever-increasing scope of industrial automation applications.
Cybersecurity enhancements
The goal of cybersecurity enhancements to EtherNet/IP is to extend a defense-in-depth architecture to network communications with and between ICS systems – and between ICS systems and edge devices. ODVA pursues this goal by strengthening the potential defensive capability of ICS systems and devices using EtherNet/IP with cybersecurity mechanisms that are native to EtherNet/IP and the Common Industrial Protocol (CIP).
The initial CIP Security specification was published in 2015, providing vendors the ability to improve the security of EtherNet/IP-connected devices by adding support for device authentication, data integrity, and data confidentiality.
Since then, ODVA has made several key updates to CIP Security. Most notably, to meet end users’ desire for easier initial commissioning of devices, CIP Security was enhanced to allow devices to perform certificate enrollment directly. In contrast to the practice of pushing certificates out from a configuration tool, this “pulling” functionality allows devices to actively request certificates, resulting in improved productivity.
The pulling of a certificate is accomplished using standard and proven IT technologies, furthering the ability to integrate IT and OT systems. The April 2019 edition of the CIP Security Specification continues the progression of the technology to increase efficiency with timeout responses, increase protection by allowing for a mandatory CIP Security connection for changes, and expand behaviors for certificate verification.
Ongoing developments
Work is ongoing for the next phase of development of CIP Security, which will add support for user authentication, non-repudiation, and device authorization, strengthening secure end-to-end communications between CIP endpoints. The ultimate roadmap of CIP Security development is to enable EtherNet/IP devices, and potentially other types of devices using CIP, to become autonomous, taking responsibility for their own security and effectively securing themselves from attack.
ODVA publishes specifications within a group of publications, The CIP Networks Library. Each specification is made up of one or more volumes of The CIP Networks Library.