- data that has been altered
- messages sent by untrusted people or untrusted devices
- messages that request actions that are not allowed
But, how exactly does CIP Security protect your devices? How does it help you maintain data integrity, device authenticity, and data confidentiality?
The simple answer is CIP Security adds secure connection and encryption capabilities to your devices that allow it to communicate with other devices in a secure manner. However, the technical answer requires us to go a little more in-depth. But before I explain exactly how CIP Security provides more protection, let’s start with the possible threats your devices need protection from.
Potential EtherNet/IP Threats
EtherNet/IP does not have built-in security, meaning there is no protection from “actors” attempting to spoof devices and make/respond to connections on your network. For example, if your EtherNet/IP Adapter does not have a current exclusive owner connection with a Scanner, a spoofed Scanner can connect to your Adapter and assert the Adapter outputs.
This is just one of the possible scenarios that threaten the security of your EtherNet/IP devices. And when these scenarios are brought to life, it could wreak havoc on your networks.
Here’s a high-level overview of the different threats that can take place on your domain:
- IP and MAC addresses can be spoofed
- Devices can be hacked to run code that’s not their own
- Scanners can be spoofed; any capable entity can act as a Scanner and connect to your device if they have the IP address and connection point information for an unprotected Adapter
- Adapters can be spoofed; any capable entity can act as an Adapter device if it has the IP address, connection point information, and the connection points are exposed
- Connection data can be injected and monitored on the wire
Remember, it’s not always bad actors that can cause harm. We’re all human and good people can make mistakes. Someone may accidentally connect to the wrong device by just a simple slip of the fingers or honest misunderstanding.
How CIP Security Protects Your Devices
Well, connections are secured using a Secure Socket Layer (SSL) that ensures integrity, authenticity, and authorization.
To get even more specific let’s go into what is being used inside the SSL. The Transport Layer Security (TLS) is being used as the tunnel for Transmission Control Protocol (TCP) messages, which for EtherNet/IP is explicit messages. For User Datagram Protocol (UDP) messages, the tunnel is Datagram Transport Layer Security (DTLS). In the case of EtherNet/IP, that’s implicit messaging.
To authenticate devices, CIP Security ensures communications are coming from valid devices by using Digital Certificates (Certs) or pre-shared keys (PSKs).
For example, here’s a high-level version of how the TLS process acts as a tunnel for explicit messages:
Protect Your EtherNet/IP Devices with CIP Security
Security breaches are an ever-increasing threat with bad actors looking for ways to cause disruption and destruction. CIP Security enables EtherNet/IP devices to protect themselves from malicious communications. CIP Security enabled devices can maintain data integrity by rejecting data that has been altered, cultivate device authenticity by rejecting messages sent by untrusted people or devices, and manage authorization by rejecting messages that request actions that aren’t allowed.
To learn more about how CIP Security protects your devices, watch our on-demand webinar Defend Your Automation Networks with CIP Security. In addition to explaining how CIP Security works, it also discusses the basics of CIP Security and how to add CIP Security to your devices.