Quite a few years ago now, elites in the hacker community started belittling and mocking hackers who focused on MS Windows systems. With all the information and tools available, it wasn’t respectable in that community to admit that you were hacking Windows machines. It became much more fashionable to attack government offices, sports teams or the factory down the street. And for a long time, factories down the street were easy pickings. Many had (and still do have) controllers that, when not sitting directly on a public IP address, were readily reachable from one.
But the stakes were raised over the years as most industries toughened up their defenses. Most companies now have defense-in-depth strategies that make it much more difficult to get from mom’s basement into a machine controller. What’s often still open, though – if you can get to it – is the network side of the controllers. If you can get access to an EtherNet/IP, Modbus TCP or PROFINET IO network, you often have free rein to create all kinds of havoc. There’s generally nothing stopping you from turning pumps on or off, increasing motor speeds, or opening and closing valves.
In the past, there were a lot of barriers to getting access to these networks. You’d have to get past security gates and through guard houses and locked doors before you could plug into a control network. Happily, for those among us prone to mischief, it’s a lot easier with all the IoT devices being installed (often with little planning or forethought). Much of that IoT infrastructure has access to the I/O network side and to the cloud side, and it sometimes isn’t as rigorously protected by defense in-depth strategies. And once you’re there, you can not only play havoc with the I/O devices, you can attack the PLC from its soft underbelly.
And it’s not only people with malicious intent who cause problems. Device manufacturers, integrators and your own staff can plug things into any of these I/O networks and introduce viruses, malware, time bombs and worse.
What is CIP Security?
The ODVA (www.odva.org), the owners of CIP and EtherNet/IP technology, has taken a huge step toward solving this problem with the introduction of CIP Security, a mechanism for securing traffic on EtherNet/IP now and for all of CIP at a later date.
CIP Security is an architecture designed to counter the threats faced by factories the world over and described by the Microsoft STRIDE model:
Identity Spoofing – An untrusted entity assuming the identity of a trusted entity.
Data Tampering – An entity modifying the data intended for a legitimate recipient.
Repudiation – An entity denying that it performed an action. [Not often associated with factory floor systems; usually associated with the transfer of funds or goods from one party to another.]
Information Disclosure – An untrusted entity getting access to some confidential information.
Denial of Service – An entity blocking another entity from receiving authorized messages and commands.
Elevation of Privilege – An untrusted entity gaining rights to resources that it should not have by illegally elevating its privilege.
EtherNet/IP, the most susceptible CIP network, is the first network to be secured with the CIP Security architecture. The proliferation of Ethernet devices, Ethernet communications with enterprise and cloud systems, and the growth of IoT infrastructure have all increased the vulnerability of EtherNet/IP networks.
What is the CIP Security specification?
The CIP Security specification defines processes, mechanisms, and behaviors, built on off-the-shelf technology, that secure EtherNet/IP networks against the threats described by the STRIDE model. It gives manufacturers the flexibility to phase in secure operation by securing the more important devices first, and to run networks that contain a mixture of secured and unsecured devices.
CIP Security is a complex specification that is going to complicate the life of both device vendors and end users. Device vendors must choose how they will meet the requirements of the specification. They have the option of implementing selected portions of the technology, processes, mechanisms, and behaviors. For example, a vendor may desire to provide data integrity without providing confidentiality or authenticity. The specification is going to grow over time, and there may be vendors supporting only a portion of the specification.
Users will also find that CIP Security introduces more complexity. It will make their automation networks much more IT-like, and it will require them to think long and hard about how they want to use CIP Security to secure their EtherNet/IP networks. To assist users with this, the specification groups security properties into profiles. Two profiles are planned, but only one is currently in place. The EtherNet/IP Confidentiality profile, offering Device Authentication, Data Integrity, and Confidentiality, is the only profile supported in the current specification. An Authorization profile, specifying mechanisms for users to authorize actions and access at the application and user level, is planned for some future date.
Is this supported by ControlLogix?
In November 2018, Rockwell Automation announced support for CIP Security in their ControlLogix controllers. It was a huge step forward in securing the infrastructure of the Logix architecture in systems all over North America. In their announcement they said:
“CIP Security can protect devices and systems that use EtherNet/IP from some of the top risks in connected operations, such as unauthorized PCs,” said Tony Baker, portfolio manager, security, for Rockwell Automation. “It does this in a few key ways. First, it limits device connectivity to only trusted PCs and devices. It also guards against packet tampering to protect data integrity. Finally, it encrypts communications to avert unwanted data reading and disclosure.”
This was a very exciting announcement. ControlLogix networks that implement CIP Security would, for the very first time, be able to:
- Reject messages with data that has been altered (integrity)
- Reject messages sent by untrusted devices or people (message authentication)
- Reject connection requests from unknown or unauthorized devices (device authorization)
What are the details?
This article was an introduction to CIP Security. In our next newsletter, Part II will examine the standards objects, technologies and commissioning strategies.