CIP Security For EtherNet/IP Has Arrived…Are You Ready?

CIP Security with EtherNet/IP

It’s difficult to go a minute without hearing something about security. If you watch TV, you’ll likely see an ad for an Amazon Ring. If you read the newspaper, you’ll likely see an article describing the latest way that Mark Zuckerberg is misusing Facebook data. On social media, you’ll hear all the creative ways that nefarious individuals are using the Internet to create novel PayPal, banking and debit card scams.

At the factory, it’s likely you’re also hearing a lot more about security. I can tell you for certain that there are more plants than you know whose servers have been locked, controllers hacked, and data stolen. No one publicizes these events.

John Kelly, during his tenure as Director of Homeland Security, spoke to a large group of manufacturing executives and was blunt about the problem. In fact, he said three things that just stunned me. He said:

  1. If you think your manufacturing system hasn’t been hacked, YOU’RE WRONG.
  2. If you think you can prevent your manufacturing system from being hacked, YOU’RE WRONG.
  3. You need to identify your most critical assets and take them offline.

He went on to say that there are nation-states, willing to spend endless amounts of treasure, with very smart technologists who spend all day every day searching for vulnerabilities that they can catalog to exploit at some convenient time in the future.

Now, as you’ll read in my technical article, ODVA has added security to EtherNet/IP communications between its controllers and Adapter devices. I’m not happy about this for reasons that I’ll explain in a moment, but I do believe that it’s VERY important to all of us with EtherNet/IP products. Now that Rockwell ControlLogix supports this security mechanism, this standard, Secure Transport over EtherNet/IP, will soon become a checklist item on the purchase specification for all EtherNet/IP Adapter devices. That means that everyone with an EtherNet/IP device is going to need to upgrade their EtherNet/IP Adapter to support secure transport.

I think this is unfortunate. I view it as a minor step towards a secure plant infrastructure. When I look at all the attack vectors that an intruder might use to disrupt a manufacturing system, the link between the controller and an Adapter is one of the least important. That link can very easily be secured using features available in many of the switches currently used on the factory floor. I believe there are other places that offer more bang for our security buck than I/O transports.

But now that the ControlLogix controllers support this feature, Real Time Automation will support it. Our engineering team has prepared an update path for all our customers with Adapters to add EtherNet/IP Security. You can contact us by phone on 800-249-1612 or by email at to learn how you can get your EtherNet/IP Adapter conformant with the ODVA Transport specification. Be sure to visit our website for other helpful resources including information on our upcoming training this fall on all things EtherNet/IP.