Expanded CIP security for improved productivity

15 April 2019

ODVA has released the first round of specification enhancements to its technologies for 2019, which includes enhancements to the EtherNet/IP specification, among them key updates to the CIP Security technology.

The goal of cybersecurity enhancements to EtherNet/IP is to extend a defense-in-depth architecture to network communications with and between ICS systems, and with and between ICS systems and edge devices. ODVA is realising this goal by enhancing the potential defensive capability of ICS systems and devices that use EtherNet/IP, providing cybersecurity mechanisms that are native to EtherNet/IP and the Common Industrial Protocol (CIP).

The initial CIP Security specification was published in 2015, providing vendors the ability to improve the security of EtherNet/IP-connected devices by adding support for device authentication, data integrity, and data confidentiality.  Since then there have been several key updates.  Most notably – to continue to fulfill the desire from end users for easier initial commissioning of devices – CIP Security was enhanced to allow devices to perform certificate enrollment directly.  In contrast to the practice of pushing certificates out from a configuration tool, this pulling functionality will allow devices to actively request certificates, resulting in improved productivity.  

The pulling of a certificate is accomplished using standard and proven IT technologies, furthering the ability to integrate IT and OT systems.  
 
Work is ongoing for the next phase of development of CIP Security, which will add support for user authentication, non-repudiation, and device authorisation, strengthening secure end-to-end communications between CIP endpoints.  

