EtherNet/IP Security – Part 1

EtherNet/IP Security

Security is more of a concern to OT (Operational Technology) people now than ever before. The implications of a security breach can be significant, including loss of revenue, damage to reputation and – in serious incidents – loss of life. Security is now an essential topic for executive management at all manufacturing companies.

EtherNet/IP, the Ethernet implementation of CIP (the Common Industrial Protocol), was never designed as a secure communications transport. It is designed for ease of use and flexibility. Anyone can make connections to an EtherNet/IP Adapter and execute any operation including a reset of the device. This makes EtherNet/IP a very insecure communications protocol.

In light of this, ODVA recently introduced Secure Transport for EtherNet/IP. This specification defines a standard way of transporting EtherNet/IP messages securely: it allows communication between trusted entities and disallows communication between untrusted entities on an EtherNet/IP network.

This first article (more to come) describes the types of threats addressed by this specification:

Eavesdropping – An attacker attempts to access information in an EtherNet/IP message that is transporting proprietary information or information that might provide clues that can be used for additional, more sophisticated attacks.

Eavesdropping violates the confidentiality objective of a secure system.

Message Flooding (Denial of Service) – An attacker sends a large volume of messages attempting to overwhelm the EtherNet/IP device. One of its components – the CPU, TCP/IP stack, operating system, or another component of the device – becomes unable to work because of the volume of messages. Attackers may use either well-formed or malformed messages.

Message Flooding violates the availability objective of a secure system.

Message Alteration – An attacker attempts to alter messages as they travel across the network with the intent to disrupt the operation or execute unauthorized operations. An attacker could misinform the Scanner as to the status of a device or modify the content of a message to disable a device like a pump or a valve.

Message Alteration violates the authorization objective of a secure system.

Malformed Messages – An attacker crafts messages that are slightly malformed and sends them to EtherNet/IP Adapters. If the device isn’t thoroughly tested, it is possible that those malformed messages can cause havoc on that device or cause it to crash. Many early EtherNet/IP device vendors never tested what happens to their devices when partial messages or messages with surplus data bytes are received.

Malformed Messages violate the integrity and availability objectives of a secure system.
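The Malformed Messages threat above comes down to a device trusting the header of an incoming frame more than the bytes actually received. The following is an added example, not code from the article or from ODVA, of a strict parser for the 24-byte EtherNet/IP encapsulation header (command, length, session handle, status, sender context, options, all little-endian; that layout is general knowledge of the specification, not something the article states). It rejects a truncated header, a partial message whose body is shorter than the declared Length, surplus trailing bytes, unknown command codes and non-zero Options before anything downstream touches the payload. The sample datagrams are constructed for the example, and the names of the functions and constants are the example's own.

```python
import struct
from dataclasses import dataclass

# EtherNet/IP encapsulation header: 24 bytes, little-endian. Field layout from
# the ODVA specification (general knowledge, not from the article):
#   Command (UINT), Length (UINT), Session handle (UDINT), Status (UDINT),
#   Sender context (8 bytes), Options (UDINT)
ENCAP_HEADER = struct.Struct("<HHII8sI")
ENCAP_HEADER_LEN = ENCAP_HEADER.size  # 24

# Encapsulation command codes defined by the specification.
KNOWN_COMMANDS = {
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
}


class MalformedEncapsulation(ValueError):
    """Raised for any datagram that fails the structural checks below."""


@dataclass(frozen=True)
class EncapFrame:
    command: int
    session_handle: int
    status: int
    sender_context: bytes
    options: int
    data: bytes


def parse_encapsulation(datagram: bytes) -> EncapFrame:
    """Parse one encapsulation frame, refusing anything that is not exactly
    header + declared Length bytes of data. Reading past a short buffer, or
    silently ignoring extra bytes, is how an untested stack gets crashed."""
    if len(datagram) < ENCAP_HEADER_LEN:
        raise MalformedEncapsulation(
            f"truncated header: {len(datagram)} of {ENCAP_HEADER_LEN} bytes")
    command, length, session, status, context, options = ENCAP_HEADER.unpack_from(datagram)
    if command not in KNOWN_COMMANDS:
        raise MalformedEncapsulation(f"unknown command 0x{command:04x}")
    if options != 0:
        raise MalformedEncapsulation(f"options must be zero, got 0x{options:08x}")
    body = datagram[ENCAP_HEADER_LEN:]
    if len(body) < length:
        raise MalformedEncapsulation(
            f"partial message: declared {length} data bytes, received {len(body)}")
    if len(body) > length:
        raise MalformedEncapsulation(
            f"surplus data: declared {length} data bytes, received {len(body)}")
    # RegisterSession carries exactly protocol version (UINT) + option flags (UINT).
    if command == 0x0065 and length != 4:
        raise MalformedEncapsulation(f"RegisterSession data must be 4 bytes, got {length}")
    return EncapFrame(command, session, status, context, options, body)


def check_datagram(datagram: bytes):
    """Return (accepted, detail): the command name on success, the reason on rejection."""
    try:
        frame = parse_encapsulation(datagram)
    except MalformedEncapsulation as exc:
        return False, str(exc)
    return True, KNOWN_COMMANDS[frame.command]


def build_frame(command: int, data: bytes, session: int = 0) -> bytes:
    """Helper used only to construct the sample datagrams below."""
    return ENCAP_HEADER.pack(command, len(data), session, 0, b"\x00" * 8, 0) + data


# Constructed sample datagrams (not captured traffic).
SAMPLES = {
    "list_identity": build_frame(0x0063, b""),
    "register_session": build_frame(0x0065, struct.pack("<HH", 1, 0)),
    "truncated_header": build_frame(0x0063, b"")[:10],
    "partial_body": build_frame(0x0065, struct.pack("<HH", 1, 0))[:-2],  # header says 4, only 2 sent
    "surplus_bytes": build_frame(0x0063, b"") + b"\x00\x01\x02",
    "unknown_command": build_frame(0x0099, b""),
}

if __name__ == "__main__":
    for name, datagram in SAMPLES.items():
        print(f"{name:18s} -> {check_datagram(datagram)}")
```

The parser is deliberately all-or-nothing: a frame is either exactly what its header claims or it is dropped with a reason that can be logged. That reason string is also useful telemetry, since a burst of "partial message" or "surplus data" rejections from one source is itself a signal worth alerting on.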

Server Profiling – An attacker inspects messages to learn the Adapter type, specific identity, major revision and minor revision of the Adapter with the intent to use that information to mount a more damaging and intrusive attack. Once a device in one facility becomes known as an easy target, attackers can use that identity information to search for that device type in other facilities.

Server Profiling violates all the objectives of a secure system.
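Both Message Flooding and Server Profiling leave a footprint in connection logs before any damage is done: a burst of frames from one source to one Adapter, or identity queries from a host that is not a known Scanner fanning out across many Adapters. The block below is an added example, not from the article or ODVA, of those two detections run over a constructed log. The log line format (`timestamp src= dst= cmd=`), the addresses, the Scanner allowlist and the thresholds are all assumptions made for the example; a real deployment would take these from its own collector and tune the thresholds to the plant's polling rates.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for the example.
KNOWN_SCANNERS = {"10.1.5.10"}          # hypothetical allowlist of legitimate Scanner hosts
FLOOD_THRESHOLD = 50                    # frames per window from one source to one Adapter
FLOOD_WINDOW = timedelta(seconds=1)
PROFILE_THRESHOLD = 3                   # distinct Adapters identity-queried by one non-Scanner host

# Assumed log line shape, e.g. "2024-03-01T10:00:00.000Z src=10.1.5.10 dst=10.1.5.100 cmd=SendUnitData"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) cmd=(?P<cmd>\S+)$")


def parse_line(line: str):
    """Return (timestamp, src, dst, cmd) or None for a line that does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return ts, m["src"], m["dst"], m["cmd"]


def detect(lines):
    """Run both detections over the lines in order and return a list of alerts
    as (kind, src, dst, count) tuples; each (source, target) pair alerts once."""
    alerts = []
    windows = defaultdict(deque)          # (src, dst) -> timestamps inside FLOOD_WINDOW
    flooded = set()
    identity_targets = defaultdict(set)   # src -> Adapters it has sent ListIdentity to
    profiled = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, cmd = rec
        # Message Flooding: sliding-window count per (source, Adapter) pair.
        q = windows[(src, dst)]
        q.append(ts)
        while q and ts - q[0] > FLOOD_WINDOW:
            q.popleft()
        if len(q) > FLOOD_THRESHOLD and (src, dst) not in flooded:
            flooded.add((src, dst))
            alerts.append(("flooding", src, dst, len(q)))
        # Server Profiling: identity requests from a non-Scanner fanning out across Adapters.
        if cmd == "ListIdentity" and src not in KNOWN_SCANNERS:
            identity_targets[src].add(dst)
            if len(identity_targets[src]) >= PROFILE_THRESHOLD and src not in profiled:
                profiled.add(src)
                alerts.append(("profiling", src, None, len(identity_targets[src])))
    return alerts


def _fmt(ts: datetime, src: str, dst: str, cmd: str) -> str:
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3]}Z src={src} dst={dst} cmd={cmd}"


def build_sample_log():
    """Constructed log (not captured traffic): steady Scanner polling, one host
    enumerating four Adapters, and one host bursting 60 frames at a single Adapter."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    for i in range(20):   # legitimate Scanner, 100 ms cadence
        lines.append(_fmt(base + timedelta(milliseconds=100 * i), "10.1.5.10", "10.1.5.100", "SendUnitData"))
    for i, adapter in enumerate(["10.1.5.100", "10.1.5.101", "10.1.5.102", "10.1.5.103"]):
        lines.append(_fmt(base + timedelta(seconds=2, milliseconds=250 * i), "10.1.5.77", adapter, "ListIdentity"))
    for i in range(60):   # 60 frames in 600 ms
        lines.append(_fmt(base + timedelta(seconds=5, milliseconds=10 * i), "10.1.5.88", "10.1.5.101", "ListServices"))
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The profiling rule keys on the source not being an allowlisted Scanner rather than on ListIdentity itself, because legitimate Scanners and engineering tools do issue identity requests; the flooding rule is per (source, Adapter) pair so that a single busy Scanner talking to many Adapters does not trip it.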

Spoofing – An attacker attempts to create messages that appear to originate from a legitimate Scanner device with the intent to access sensitive information or disrupt operation by executing unauthorized operations.

Spoofing violates the integrity and authorization objectives of a secure system.

These are just some of the types of attacks that are protected against by the processes and procedures built into the Secure EtherNet/IP Transport specification. Further articles in this series will explore the specifics of how Secure EtherNet/IP Transport is going to change how end users use EtherNet/IP and how developers can implement it.

Interested in more on Security? Check out another one of my blogs on security here.

P.S. Be sure to read the second part of this series, EtherNet/IP Security Part 2: What it Does.