EtherNet/IP Security Part 2: What It Does

CIP Security is designed to protect not only EtherNet/IP Adapter devices (end devices) from access by unauthorized parties but also to protect programmable controllers. Attackers have noted that programmable controllers are more resilient to outside entities than to inside entities.

Outside entities are devices that don’t exist on a programmable controller’s I/O subnets but exist elsewhere in the manufacturing environment: in the enterprise or on the internet. Inside entities are those on one of its I/O networks: EtherNet/IP, PROFINET IO, Modbus TCP, EtherCAT or another I/O network. Outside entities are often referred to as devices to the “North.” Inside entities are now popularly called devices to the “South.”

What this means is that programmable controller vendors have generally implemented stronger security and protection against devices to the North than against devices to the South. Attackers, understanding that the weak spot is this southern exposure, have increasingly focused their efforts on I/O networks, where they can attack programmable controllers from a more vulnerable direction with much less resistance.

The ODVA designed CIP Security to protect programmable controllers and devices on I/O networks from attacks originating on those networks. At first blush, attacks on the I/O network seem unlikely. I/O networks aren’t generally connected to the internet, so what’s the concern? In practice, these kinds of attacks are not all that unlikely. For example, contractors come and go from a facility and connect to networks with laptops that may be compromised. Employees may fail to disable open ports on switches. Some employees knowingly engage in sabotage. There are myriad ways for attackers to get access to your I/O network. CIP Secure Transport is designed to increase immunity to such attacks.

A fundamental design tenet is that not all devices on an EtherNet/IP network need the same level of protection. Some devices are less critical and some are more critical to an automation system. The required protection is not identical, and CIP Secure Transport defines two security profiles to offer those different levels of protection.

The EtherNet/IP Confidentiality Profile provides secure communications by requiring authentication and data integrity for all EtherNet/IP messages. Authentication means that an EtherNet/IP device’s identity is verified, so the device is known to be the device it claims to be. Data integrity means that the data within the EtherNet/IP message can be relied upon to be accurate and consistent.

With the Confidentiality Profile, any device making secure connections to a programmable controller or device must be authenticated as an authorized entity. Devices that are not authorized are unable to make a secure connection.

The data integrity component of the Confidentiality Profile ensures that senders and receivers of EtherNet/IP messages have valid data. It prevents a rogue device from corrupting EtherNet/IP messages.

The EtherNet/IP Authorization Profile goes one step further than the Confidentiality Profile. It provides User Authentication. With the Authorization Profile, an application requesting an action like opening or closing a valve would have to be authorized to take that action. The EtherNet/IP Authorization Profile is not currently part of CIP Security, and the specification describing how this is to be accomplished won’t be available for some time.

Future articles in this series of blogs will discuss how the authentication, integrity, and confidentiality of EtherNet/IP messages are implemented.

Be sure you read the first part of this series, EtherNet/IP Security Part 1.