The purpose of CIP Security for an EtherNet/IP device is to enable it to protect itself from malicious communications. A fully CIP Security enabled device can reject: 

  • data that has been altered 
  • messages sent by untrusted people or untrusted devices 
  • messages that request actions that are not allowed 

But, how exactly does CIP Security protect your devices? How does it help you maintain data integrity, device authenticity, and data confidentiality 

The simple answer is CIP Security adds secure connection and encryption capabilities to your devices that allow it to communicate with other devices in a secure manner. However, the technical answer requires us to go a little more in-depth. But before I explain exactly how CIP Security provides more protection, let’s start with the possible threats your devices need protection from.  

Potential EtherNet/IP Threats  

EtherNet/IP does not have built-in security, meaning there is no protection from “actors attempting to spoof devices and make/respond to connections on your network. For example, iyour EtherNet/IP Adapter does not have a current exclusive owner connection with a Scanner, a spoofed Scanner can connect to your Adapter and assert the Adapter outputs  

This is just one of the possible scenarios that threaten the security of your EtherNet/IP devices. And when these scenarios are brought to life, it could wreak havoc on your networks 

Here’s a high-level overview of the different threats that can take place on your domain: 

  • IP and MAC addresses can be spoofed  
  • Devices can be hacked to run code that’s not their own  
  • Scanners can be spoofed; any capable entity can act as a Scanner and connect to your device if they have the IP address and connection point information for an unprotected Adapter 
  • Adapters can be spoofed; any capable entity can act as an Adapter device if it has the IP address, connection point information, and the connection points are exposed 
  • Connection data can be injected and monitored on the wire 

Remember, it’s not always bad actors that can cause harm. We’re all human and good people can make mistakesSomeone may accidentally connecto the wrong device by just a simple slip of the fingers or honest misunderstanding.  

How CIP Security Protects Your Devices  

Are you starting to get a little worried about your EtherNet/IP devices after reading that list? Don’t worry, that’s why CIP Security was developed and why it’s so important. So, how exactly does it protect your devices?  

Well, connections are secured using a Secure Socket Layer (SSL) that ensures integrity, authenticity, and authorization. 

To get even more specific let’s go into what is being used inside the SSLThe Transport Layer Security (TLS) is being used as the tunnel for Transmission Control Protocol (TCP) messages, which for EtherNet/IP is explicit messages. For User Datagram Protocol (UDP) messages, the tunnel is Datagram Transport Layer Security (DTLS). In the case of EtherNet/IP, that’s implicit messaging 

To authenticate devices, CIP Security ensures communications are coming from valid devices by using Digital Certificates (Certs) or pre-shared keys (PSKs).  

For example, here’s a high-level version of how the TLS process acts as a tunnel for explicit messages:  

To explain further, the Scanner makes a connection to the Adapter on the security side. Then the Adapter passes its Cert to the Scanner to ensure that it’s the correct Adapter. The Scanner passes its Cert to the Adapter to ensure that the Adapter knows the Scanner is real. They then go through an encryption handshake process, and once all of that has gone through and passes, then CIP messaging beginsThis also works very similarly for the DTLS process.  

Protect Your EtherNet/IP Devices with CIP Security  

Security breaches are an ever-increasing threat with bad actors looking for ways to cause disruption and destruction. CIP Security enables EtherNet/IP devices to protect themselves from malicious communications. CIP Security enabled devices can maintain data integrity by rejecting data that has been altered, cultivate device authenticity by rejecting messages sent by untrusted people or devices, and manage authorization by rejecting messages that request actions that aren’t allowed.  

To learn more about how CIP Security protects your devices, watch our on-demand webinar Defend Your Automation Networks with CIP SecurityIn addition to explaining how CIP Security works, it also discusses the basics of CIP Security and how to add CIP Security to your devices.