What Is CIP Security for Ethernet/IP?

Have you ever had the experience of being so close to a thing that you really can’t explain it to other people? That often happens with experts. I have a cousin that graduated from the Massachusetts Culinary Institute. It’s the MIT of cooking. Listening to her tell me how easy it is to make a souffle is difficult because she finds it hard to talk to cooking novices. I’ve had the same kind of problems explaining simple protocols like Modbus TCP.

And I know that’s what’s happened to me in the past when I’ve tried to explain CIP Security for EtherNet/IP: I hadn’t really formed a clear definition that makes sense to the average control engineer. So here’s another attempt. Let me know if I’m successful.

What Is CIP Security?

CIP Security defines the security-related requirements and capabilities of CIP devices and specifically for EtherNet/IP. It provides three benefits to a manufacturing system using EtherNet/IP.

  1. Data integrity – It rejects data altered during transmission.
  2. Authentication – It rejects data transmitted by untrusted entities.
  3. Authorization – It rejects actions an entity is not allowed to perform.

To accomplish these objectives, CIP Security employs two standard IT cryptographic protocols.

  • Transport Layer Security (TLS) is the standard cryptographic protocol that secures internet communications and online traffic. CIP Security uses TLS to secure EtherNet/IP acyclic messages (explicit messages).
  • Datagram Transport Layer Security (DTLS) is a version of TLS designed to secure UDP (User Datagram Protocol) messages. CIP Security uses it to secure EtherNet/IP cyclic traffic (implicit messages).

But secure TLS and DTLS traffic is only possible if two entities trust one another. CIP Security for EtherNet/IP supports two mechanisms for entities to trust another: Pre-Shared Key and X.509 Certificates.

PRE-SHARED KEY (PSK)

PSK is an uncomplicated mechanism that works well in small systems. All the devices in a network know and share a private key. The key encrypts messages. Any device that knows the private key is authenticated and is able to encrypt and decrypt messages. For added protection, the key is typically changed at some set interval, sometimes as part of a maintenance cycle.

X.509 CERTIFICATES

X.509 Certificates are a standard way for two devices to securely communicate. The devices share their certificates. Each certificate identifies the entity authenticating the certificate, which could be the device itself (self-signed certificate), the vendor who manufactures the device or some outside authority that is trusted by all the devices in a network. The public key in a certificate sends encrypted messages to the certificate owner that then decrypts the message with its private key. The private key associated with the certificate is never disclosed.

A fundamental design tenet of CIP Security is that not all devices on an EtherNet/IP network need the same level of protection. Some devices are less critical and some are more critical to an automation system. Their required protection is not identical. CIP Security defines two security profiles to provide these different levels of protection.

  1. The EtherNet/IP Confidelity Profile provides secure communications by requiring authentication and data integrity for all EtherNet/IP messages. Authentication means that an EtherNet/IP device identity is verified to be the device it claims to be. Data integrity means that the data within the EtherNet/IP message is reliably accurate and consistent. Devices not authenticated can’t make a secure connection. Messages that fail the integrity check are rejected.
  2. The EtherNet/IP Authorization Profile goes one step further than the Confidentiality Profile by providing user authorization. With the Authorization Profile, an application requesting an action (like opening or closing a valve) must be authorized to take that action. The EtherNet/IP Authorization Profile is not currently part of CIP Security, and the specification describing how to accomplish this wasn’t available at the time of this writing.

Devices that do not support CIP Security can coexist with devices that support the Confidentiality Profile or the Authorization Profile.

How’d I Do?

Hopefully, that’s a more clear and concise definition. Check out more of our blogs on CIP Security here.