The purpose of CIP Security for an EtherNet/IP device is to protect itself from malicious communications. A CIP Security enabled device can reject: 

  • Data that has been altered 
  • Messages sent by untrusted people or untrusted devices 
  • Messages that request actions that are not allowed 

But, how exactly does CIP Security protect your devices? How does it help you maintain data integrity, device authenticity and data confidentiality 

The simple answer is CIP Security adds secure connection and encryption capabilities to your devices that allow it to communicate with other devices in a secure manner, however, the technical answer requires us to go a little more in-depth. 

Potential EtherNet/IP Threats  

EtherNet/IP does not have built-in security — meaning there is no protection from “actors attempting to spoof devices and make/respond to connections on your network. For example, iyour EtherNet/IP adapter does not have a current exclusive owner connection with a scanner, a spoofed scanner can connect to your adapter and assert the adapter outputsThis is just one of many scenarios that threaten the security of your EtherNet/IP devices, and when these scenarios are brought to life, it could wreak havoc on your networks 

Here’s a high-level overview of the different threats that can take place on your domain: 

  • Spoofed IP and MAC addresses 
  • Hacked devices running code that’s not their own  
  • Spoofed scanners; any capable entity can act as a Scanner and connect to your device if they have the IP address and connection point information for an unprotected Adapter 
  • Spoofed adapters; any capable entity can act as an Adapter device if it has the IP address, connection point information, and the connection points are exposed 
  • Injected connection data which is monitored on the wire 

Keep in mind too, sometimes it’s not always bad actors that can cause harm. We’re all human and good people can make mistakesSomeone may accidentally connecto the wrong device by just a simple slip of the fingers or honest misunderstanding.  

How CIP Security Protects Your Devices  

With CIP Security, Ethernet/IP connections are secured using a Secure Socket Layer (SSL) that ensures integrity, authenticity and authorization. 

Inside the SSL, the Transport Layer Security (TLS) is being used as the tunnel for Transmission Control Protocol (TCP) messages, which for EtherNet/IP is explicit messages. For User Datagram Protocol (UDP) messages, the tunnel is Datagram Transport Layer Security (DTLS). In the case of EtherNet/IP, that’s implicit messaging.  

To authenticate devices, CIP Security ensures communications are coming from valid devices by using Digital Certificates (Certs) or pre-shared keys (PSKs).  


Here’s a high-level version of how the TLS process acts as a tunnel for explicit messages:
To explain further, the Scanner makes a connection to the Adapter on the security side. Then the Adapter passes its Cert to the Scanner to ensure that it’s the correct Adapter. The Scanner passes its Cert to the Adapter to ensure that the Adapter knows the Scanner is real. They then go through an encryption handshake process, and once all of that has gone through and passes, then CIP messaging beginsThis also works very similarly for the DTLS process.  

Protect Your EtherNet/IP Devices with CIP Security  

Security breaches are an ever-increasing threat with bad actors looking for ways to cause disruption and destruction. CIP Security enables EtherNet/IP devices to protect themselves from malicious communications. CIP Security enabled devices can maintain data integrity by rejecting data that has been altered, cultivate device authenticity by rejecting messages sent by untrusted people or devices, and manage authorization by rejecting messages that request actions that aren’t allowed.  

To learn more about how CIP Security protects your devices, watch our on-demand webinar Defend Your Automation Networks with CIP SecurityIn addition to explaining how CIP Security works, it also discusses the basics of CIP Security and how to add CIP Security to your devices. 

Related Articles:
What is CIP Security for Ethernet/IP? 
Tools to Debug and Test CIP Security
What Should You Consider When Choosing a CIP Security (D)LTS Library?