November 15, 2018, can now be formally marked in the history books as the day security in a control protocol became real. Yes, I know, the CIP security standard was released back in November of 2015. We can refer to that day as the date of conception if you like. November 15, 2018, is the day of CIP Security’s true birth. Why? Because on this date Rockwell released support for CIP security in the ControlLogix and FactoryTalk products. For the first time in the history of the world, there is a practical solution with device support for a customer to implement a secure Ethernet-based control system!
Why This is a Such a Big Deal:
Before November 15, 2018 security on any leading control protocol was a joke of best practices advising complete segregation of the control network from the outside world. None of the control protocols were designed with security in mind. The market continues to push for access to completely insecure networks. EtherNet/IP and CIP Security will be the first solution available with the market moving power of a leading PLC manufacturer.
That’s huge! The chicken and egg are no longer arguing about who goes first. A leading PLC now supports standard open security. The market device manufacturers have been waiting for was just created.
How Secure is Secure?
I firmly believe the biggest reason security standards have taken so long to reach control networks is because of “Secure Enough Syndrome.” There hasn’t been an industry event hosted since 2000 that didn’t feature a fear mongering expert letting you know that no device is secure. I won’t argue. There is no such thing as an unbreakable lock, but that does mean there aren’t good practical steps to greatly improve security. Houses are full of brittle glass windows, that doesn’t make locks on doors a dumb idea!
I applaud the committee for getting to market with a practical standard that addresses the lion share of security concerns. CIP Security will be an evolving standard, security has to be, and will continue to be more secure profiles released by the committee. The first two security profiles; EtherNet/IP Confidentiality Profile and CIP Authorization Profile are great places to start.
The two CIP Security profiles currently specified cover the Big-Three security concerns.
1. Device Authentication – Do all devices have the credentials to talk to each other? This is done with X.509 certificates or pre-shared keys.
2. Message Integrity – Is the message I received exactly what was sent? This is accomplished with HMAC.
3. Message Encryption – I don’t want anyone with Wireshark to see my IO packet data.
Authenticated devices communicating with authenticated data packets offered with the option of encryption. What more could a guy ask for? It’s a great place to start.
How Do I Add Security to My EtherNet/IP Device?
If your device is based on a Linux or Windows platform the addition of CIP Security is going to be a fairly straight forward affair. You’ll pair a CIP security implementation with a TLS library like OpenSSL or SharkSSL, and you’re on your way to offering a secure CIP product.
If you have an embedded device, adding CIP Security is going to a bigger challenge. There are TLS libraries available for many embedded platforms and, the resource requirements are efficient, but you’re still adding a lot of extra technology to devices that are typically tight on space and low on processing power. CIP security can be implemented on any device including Bare-Metal implementations, but you’d want a compelling use case to attempt the exercise.
When will other Protocol offer Security?
EtherNet/IP and CIP security will not be the only secure protocol in the game for long. Profinet will be out with a competing specification shortly, and they will no doubt have the support of one or more leading PLC manufactures when they do. They won’t be the first to the game, but you can bet they will have a more technically advanced security solution.
You’d also be foolish not to acknowledge that OPC UA has had these security features supported for some time. The difference here is that it’s still a stretch to call OPC UA a control protocol. That will be an incendiary comment to some, but I don’t care. When I see an entire bottling or packaging line running on UA devices, I’ll be happy to amend my statement.
How Can RTA Help?
We’ve been a leading developer of EtherNet/IP Solutions since day 1. The first device to ever pass ODVA Ethernet/IP conformance was our code. RTA’s founder John Rinaldi just wrote the book on EtherNet/IP.
We won’t be the first to market with a CIP Security solution, but it’s in the works. We’ve spent the last few years tempering customers expectations for CIP security as we waited for AB PLC’s to support the standard. That day is here!
If you are interested in adding CIP security to your EtherNet/IP devices, we should talk. We’ll likely have our solution released in the second half of 2019. In the meantime, we can evaluate your current device implementation to see if it’s CIP Security ready.