CIP Security Enhanced to Support Resource-Constrained EtherNet/IP Devices

April 14, 2021

ODVA is pleased to announce that CIP Security™, the cybersecurity network extension for EtherNet/IP™, has added support for resource-constrained EtherNet/IP devices. CIP Security can now provide device authentication, a broad trust domain, device identity via Pre-Shared Keys (PSKs), device integrity, and data confidentiality for resource-constrained devices such as contactors and push-buttons. Additionally, a narrow trust domain, user authentication, and policy enforcement via a gateway or a proxy are available options.

Despite the progress brought about by Industry 4.0 and the Industrial Internet of Things (IIoT), a large portion of the installed nodes in automation applications are still not using Ethernet. Limitations including cost, size, and power have historically been a hindrance to EtherNet/IP pushing out to the edge of the network. The recent integration of single pair Ethernet has opened up the door to overcoming lower-level device constraints and ultimately to expanding the footprint of EtherNet/IP. Adding simpler devices to EtherNet/IP allows for the benefits of additional remote diagnostics, asset information, and parameterization capability. The addition of more nodes to the network within the context of IT/OT convergence makes device level security a fundamental need to ensure that indispensable assets and people are protected from physical harm and monetary loss.

The new CIP Security specification has added a Resource-Constrained CIP Security Profile in addition to the EtherNet/IP Confidentiality and the CIP™ User Authentication Profiles. The Resource-Constrained CIP Security Profile is similar to the EtherNet/IP Confidentiality Profile, but is streamlined for resource-constrained devices. The same basic security aspects of endpoint authentication, data confidentiality, and data authenticity remain. Access policy information is also included to allow a more capable device, such as a gateway, to be used as a proxy for user authentication and authorization of the resource-constrained device. Implementation of CIP Security for resource-constrained devices requires only DTLS (Datagram Transport Layer Security) support instead of DTLS and TLS (Transport Layer Security), as it is used only with low-overhead UDP communication.

“The continuous updating of CIP Security, including the recent addition of new security features for resource-constrained devices, provides EtherNet/IP devices an enhanced defensive posture to help protect against malicious industrial network intrusion,” stated Jack Visoky, EtherNet/IP System Architecture Special Interest Group (SIG) vice-chair. “The availability of CIP Security across more portions of the EtherNet/IP network helps end users to better safeguard vital automation applications. The addition of CIP Security for resource constrained EtherNet/IP devices is an essential step in securing the edge,” said Dr. Al Beydoun, President and Executive Director of ODVA.

The protections offered by CIP Security are now available for EtherNet/IP networks via a resource-constrained version of CIP Security that includes fewer mandatory features. This ensures that devices with the smallest power, size, and cost budgets can be secure and enjoy the communication and control advantages of being connected to an EtherNet/IP network. The latest CIP Security updates demonstrate the deep commitment of ODVA to maintain its position of device security leadership within the automation community. Visit odva.org to obtain the latest version of The EtherNet/IP Specification including CIP Security.
