EtherNet/IP Security – What Do You Need to Know?

EtherNet/IP Security: What Do You Need to Know?

Before we can begin a discussion of computer security in general and on ODVA’s new CIP Security, we need to understand some essential security terms:

Data Integrity – Data Integrity refers to the accuracy and consistency of a data set.

Data Confidentiality – Data Confidentiality refers to the privacy of a data set; protecting data from access by unauthorized parties.

Authentication – Authentication means to verify who the sender is. Usually, that means validating the sender’s X509 certificate and verifying that the certificate is currently valid, as well as signed by a reputable and trusted Certificate Authority.

Public Key – A Public Key is a series of bytes that form a key, which the owner makes available to everyone who requests it.

Private Key – A Private Key is a series of bytes that form a key that is kept private by the owner and never released to anyone else.

Digital Certificates – A sequence of data bytes that functions like your driver’s license. The Digital Certificate verifies that you are who you say you are. There are many components to a Digital Certificate, including the name of the algorithm and the organization that created it, the owner’s public key and the dates it is valid. X.509 refers to the most popular certificate standard. You can expect to encounter the term “X509 Certificates” or “DER Certificates,” which refers to the method for encoding certificates as a binary series of bytes.

Certification Authority (CA) – An organization that creates and distributes Digital Certificates. The CA creates the public and private keys that are associated with the certificate owner. The CA often encrypts a portion of the certificate with its private key (i.e., signs it) to assure anyone that the CA did create the certificate. Of course, sending a certificate to a receiver is only useful if the receiver knows the CA is an honest and reputable certificate provider.

Digital Signature – Also called “signing,” a digital signature is a small series of bytes that result from processing a larger series of bytes through an algorithm. The resulting smaller series of bytes are encrypted with the owner’s private key. Using the owner’s public key and validating the result with the sender’s same algorithm, the receiver can decode the encrypted result and verify that the true owner “signed” the document. Signing a document or message guarantees the integrity of the portion of the message signed with the owner’s private key.

Public Key Encryption – An encryption process in which private and public keys are exchanged to sign and encrypt messages.

PKI (Public Key Infrastructure) – The set of hardware, software, and policies needed to manage certificates, keys, access lists and keys used in Public Key Encryption.

Authorization – Authorization is the process of validating access to a resource. Once a sender is authenticated, the sender must be granted access to resources by the receiver. Authorization can be accomplished using a list of trusted names, a user name and password or any other reliable mechanism.

RSA – RSA is a well-known and widespread public key cryptography algorithm. RSA refers to the initials of the three designers of the algorithm: Rivest, Shamir, and Adleman. RSA, with its variously sized key lengths, is used in OPC UA and other popular and secure protocols.

SHA – SHA is a series of public key cryptography algorithms published by the National Institute of Standards and Technology (NIST). SHA algorithms are also used in OPC UA to sign and encrypt messages.

Auditing – The recording of all actions, activities, users, resources and more in a system. In EtherNet/IP Security, auditing is not a normative part of the specification, but it is valuable as a mechanism for system administrators to identify vulnerabilities and diagnose security breaches.

Symmetric Security – In Symmetric security, both the receiver and the sender hold the key to decrypt messages. One encrypts with the symmetric key, the other decrypts with it. It is called “symmetric” since both hold the same key.

Asymmetric Security – In Asymmetric security, both sender and receiver have a private key that they keep secret and a public key that they share with anyone. Messages to the key holder are encrypted with the public key and decoded by the key holder with the private key. Message segments that require verification of origin are signed with the private key and validated using the public key.

As you may have noted, these security terms apply to all Ethernet protocols including the ones that we work with daily: EtherNet/IP, PROFINET IO, Modbus TCP, MQTT, and others. Knowledge of these terms is a prerequisite for any discussion of computer security, and they form the basis of what you need to know to explore my other series of articles on EtherNet/IP Security, including this blog, EtherNet/IP Security Part 1.

Ready to read more? Don’t miss the second part of my EtherNet/IP Security series: EtherNet/IP Security Part 2: What It Does.