It’s not a panacea, but it is an (unavoidable) long-term solution.
At last year’s Rockwell Automation Fair, more than 100 people attended the CIP Security session. CIP Security was introduced by the ODVA a few years ago to secure factory-floor EtherNet/IP networks. It defines the security-related requirements and capabilities of CIP devices, specifically for EtherNet/IP, and provides three benefits to a manufacturing system using EtherNet/IP:
- Data integrity – Rejecting data that has been modified during transmission.
- Authentication – Rejecting messages transmitted by untrusted entities.
- Authorization – Rejecting actions that an entity is not allowed to perform.
To accomplish these objectives, CIP Security employs standard IT cryptographic protocols: Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). TLS is the standard cryptographic protocol used to secure Internet communications, and CIP Security uses it to secure EtherNet/IP acyclic messages (explicit messages), which travel over TCP. DTLS is a version of TLS designed to secure UDP (User Datagram Protocol) traffic, and CIP Security uses it to secure EtherNet/IP cyclic traffic (implicit messages, the UDP-based I/O connections). In both cases the first two benefits above come from the same mechanisms: the handshake authenticates each endpoint (by certificate or pre-shared key), and the per-record integrity check rejects anything that was altered in transit or did not come from the authenticated peer.
I hope that the impressive attendance at the CIP Security session implies that control engineers and manufacturers are taking security seriously. The facts are frightening:
- Manufacturing is one of the five most cyber-attacked industries.
- Small manufacturers are 60% more likely to be out of business within six months after an attack.
- The slow transformation to digital is creating massive vulnerabilities.
- Weakly secured IoT devices are increasing the threats and attack vectors.
- Attackers have much better tools at their disposal (bought on the dark web), enabling even unsophisticated attackers to steal process IP, cause physical damage, and launch ransomware attacks.
Some Troubling Questions
As much as I would like to promote CIP Security and describe how it solves this urgent machine security problem, there are troubling questions that aren’t resolved:
Where will keys be generated?
Key generation is a prickly issue. The quality of the random number generator and the length of the key determine how strong the key is, and in a certificate-based system it is the device’s private key that must stay secret. If the key is generated by the vendor when the CIP Security device is built, the key travels with the device to the distributor, the machine builder and, possibly, to other sites such as a test facility; if the vendor generated it off-device and kept a copy, it is also exposed wherever that copy is stored. Each stop is an opportunity for someone to extract the key and use it later, or sell it to some nefarious entity. If the key is instead generated during device commissioning, the device needs a trustworthy entropy source, in practice a hardware random number generator, which is not hard to get but would be an expensive upgrade for many low-end devices.
Who manages the Certificate Authority (CA)?
Is the CA something that manufacturing operations want to manage? Or will this be turned over to IT?
Will manufacturers use X.509 Certificates or Pre-shared Keys?
Whichever trust model is selected, both add burdensome requirements to manufacturing operations. For certificates, a Certificate Authority must exist: the manufacturer can rely on the certificates the vendor shipped in the device or issue its own from a CA it controls. For pre-shared keys there is no CA, but the same secret has to be distributed to every device that needs to communicate and re-entered whenever one of them is replaced. How often will these certificates and keys be rotated, and who tracks their expiry dates?
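To make the certificate trust model concrete, here is an added example (written for this article, not ODVA or vendor code) that stands up the pieces discussed above on the loopback interface: a site CA issues certificates to two devices, each of which generated its own key pair at commissioning and exported only a certificate signing request, so the private key never left the device; the two devices then complete a mutually authenticated TLS exchange (the TCP explicit-message case; DTLS for implicit messages is not in Go’s standard library, so it is not shown); and a client holding a certificate from an unrelated CA is refused. The names (Plant CA, plc-01, io-adapter-07, laptop), the 24-hour certificate lifetime and the request string are constructed for the example; the payload is a placeholder, not an encoded CIP message.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA makes a self-signed CA; "Plant CA" stands in for whoever runs the site's CA.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// enroll models commissioning: the device makes its own key pair and sends the CA only a CSR.
func enroll(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string) tls.Certificate {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // on-device key generation
	check(err)
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, req, devKey)
	check(err)
	csr, err := x509.ParseCertificateRequest(csrDER) // from here on, the CA's side
	check(err)
	check(csr.CheckSignature()) // proof that the requester holds the private key
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:    []string{csr.Subject.CommonName}, // the name a peer verifies against
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: devKey}
}

// exchange does one request/reply over mutual TLS on loopback; an error means a peer was rejected.
func exchange(server, client tls.Certificate, pool *x509.CertPool, serverName, msg string) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server},
		ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}) // a client cert chaining to pool is mandatory
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // the "device" side: echo the request with an ack prefix
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			buf := make([]byte, 256)
			if n, err := c.Read(buf); err == nil { // the TLS handshake runs inside this Read
				c.Write(append([]byte("ack:"), buf[:n]...))
			}
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{client}, RootCAs: pool, ServerName: serverName})
	if err != nil { // TLS 1.2: an untrusted client is refused during the handshake
		return "", err
	}
	defer conn.Close()
	if _, err = conn.Write([]byte(msg)); err != nil {
		return "", err
	}
	buf := make([]byte, 256)
	n, err := conn.Read(buf) // TLS 1.3: the refusal surfaces after the handshake, here or on the Write above
	return string(buf[:n]), err
}

// demo: two devices enrolled under the plant CA talk; a "laptop" from an unrelated CA is refused.
func demo() (reply string, rejected bool) {
	plantCA, plantKey := newCA("Plant CA")
	pool := x509.NewCertPool()
	pool.AddCert(plantCA)
	plc, adapter := enroll(plantCA, plantKey, "plc-01"), enroll(plantCA, plantKey, "io-adapter-07")
	reply, err := exchange(plc, adapter, pool, "plc-01", "Get_Attribute_Single") // placeholder payload
	check(err)
	rogueCA, rogueKey := newCA("Rogue CA")
	_, err = exchange(plc, enroll(rogueCA, rogueKey, "laptop"), pool, "plc-01", "Get_Attribute_Single")
	return reply, err != nil
}
```

Calling `demo()` returns `"ack:Get_Attribute_Single"` for the plant pair and `true` for the laptop being refused. Two points worth noticing: the refusal of the laptop happens inside the TLS library with no application code, which is exactly the "rejecting messages transmitted by untrusted entities" benefit; and the only thing the CA ever saw from each device was a signed CSR, which is how a certificate-based deployment avoids shipping private keys around. Which CA is in `pool` is the whole trust decision, and that is the operational question the article raises.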
How much money will vendors spend to secure the key?
There is no inexpensive way for a vendor to store a key inside a device so that it cannot be extracted. Making extraction hard means adding dedicated key-storage hardware (a secure element or similar), and if keys are generated at the vendor’s factory, tamper protection for the device as well. All this means CIP Security devices will be more expensive than non-secure devices.
How will vendors deliver security updates to fielded devices?
In the past, a manufacturer could lock down a manufacturing operation, meaning no changes to any device on the line. That is not possible with a secure device: patches must be applied, and applying them implies that the manufacturer knows the exact location of every instance of that device and its current firmware level. This kind of asset management is a huge, unsolved problem for many manufacturers.
How will vendors secure the update process?
Will every vendor have a custom application that connects to their device and securely pushes an update? Will every manufacturing operation have to be connected to the Internet so vendors can push updates? Neither of these options is practical. Whatever the transport, the device also has to verify that an update is signed by the vendor before it installs it, which is one more key the vendor must protect.
How long will it take to roll out CIP Security? How many devices will be CIP secured in 10 years?
If a manufacturer chooses to use CIP Security, how long will it take them to replace 50% of their devices with equivalent CIP Security devices? How long will it take to get to 75% or 100%? It’s likely that it will be years before there are enough CIP Security devices in the marketplace for a manufacturer to even approach 25% secure devices.
What is the device replacement process? Who manages that?
Today, a trades worker can go to the storeroom and swap out a device. Can a failed CIP Security device be replaced as easily? What is the process for giving the replacement its identity (its certificate or pre-shared key) and the permissions tied to it, and for revoking the failed unit’s? Who can do that? With what tool? How easy will it be?
Despite these questions, I still support factory floor security in general, and CIP Security in particular. The I/O networks in factories are largely unprotected in most facilities. Most are understaffed and have under-trained people working in the plant who can make mistakes that, right now, we have no way to stop. We have scores of corporate engineers, technicians, and contractors coming and going, and no way to prevent one of them from accessing something they shouldn’t. We have disgruntled team members doing who knows what to systems they shouldn’t be accessing. And, of course, insecure IIoT devices are being added to manufacturing systems everywhere. Each one of these problems is a nightmare for manufacturers; CIP Security can go a long way to solving them. But how long will it take, and what will it cost?
Please don’t misinterpret this article as being negative about CIP Security. I like the technology and think it is valuable. I just don’t see how it is going to solve these problems in the short term. It’s not a panacea. It’s a longer-term solution; there are many impediments to its adoption, and a lot of operational issues to solve before it becomes a viable factory floor security solution.