CIP Security Trust Models

Trust Models for CIP Security (EtherNet/IP)

A trust model is a very important consideration in manufacturing system security. The trust model is the collection of rules that govern how a device decides to trust another device. Like Goldilocks and the three bears, the trust model has to be just right. A trust model that is too soft (flexible) isn’t able to provide the integrity, confidentiality, and authenticity that you need. A trust model that is too hard (inflexible) becomes such a burden on daily operations that it actually lowers your productivity. But a trust model that is just right provides you with that integrity, confidentiality, and authenticity without impeding legitimate entities that need to communicate and keep product flowing out the door.

CIP Security and its EtherNet/IP implementation support two trust models: Pre-Shared Key (PSK) and X.509 Certificates. Both are useful. Both have their advantages and disadvantages.

PRE-SHARED KEY (PSK) – Pre-Shared Key is an uncomplicated system that works well in small systems. Private Key Sharing operates very simply. A private key is known and shared by all the devices in a network. The key is used to encrypt messages. Any device that knows the private key is authenticated and able to encrypt and decrypt messages. For added protection, the key is changed at some set interval, sometimes as part of a maintenance cycle.

This trust model is now often used in home electronics. Some internet modems arrive with a label containing a private key on the back of the modem. To add a device to the network, you connect it and enter the key. When Aunt Emily comes over, you can give her the key and she can access the home network. This can work well in an automation system if you can keep the private key secure and you aren’t constantly adding devices to the network.

Advantages: Simplicity. No management. Fast commissioning. No extra infrastructure required. Very clean, simple and efficient. Fast connection establishment.

Disadvantages: PSK is subject to brute-force attack to compromise the key. Any transitory personnel like integrators, contractors, corporate engineers and the rest must be provided with the key. The more people have the key, the likelier it is to be compromised. The security of the enterprise could also be compromised if any vendor’s device does not sufficiently protect the security of the private key in its memory. If the key is ever compromised from a brute force attack, not just one device is compromised – every device on the network is compromised. With PSK, your operation is only as secure as the least secure device on the network.

X.509 CERTIFICATES – X.509 Certificates are a standard way for two devices to communicate securely. Each device has a certificate identifying the entity issuing the certificate. That entity can be the device itself (self-signed certificate), the vendor who manufactures the device or some outside authority that is trusted by other devices with which it wants to communicate. Other information on the X.509 certificate includes the serial number, the name of the device identity to which it was issued, the public key for the device and the expiration date. The device receiving the certificate can send encrypted messages to the originator by encrypting the message with the public key in the certificate. The private key, which is never disclosed outside of the device, is used to decrypt messages encoded with the public key.

Advantages: Very scalable to large numbers of devices. Very secure when long keys are used. A well-understood and standard IT technology. Devices can trust a small set of entities that issue certificates. Access can be centrally controlled. Revocation lists – certificates of devices no longer allowed to connect – can be used to disallow access.

Disadvantages: Requires a PKI – Public Key Infrastructure – including Certificate Authorities (CA), Enrollment Servers and Device Name Servers (DNS). Many more IT components – critical to the security of the system – to properly maintain to ensure secure operation.

CIP Security vendors are required to support both trust models. End users can decide which makes more sense for their facility and commission their device appropriately.

For more resources on CIP Security, be sure to read our blogs and technology page to learn more.