- Data that has been altered
- Messages sent by untrusted people or untrusted devices
- Messages that request actions that are not allowed
But how exactly does CIP Security protect your devices? How does it help you maintain data integrity, device authenticity and data confidentiality?
The short answer is that CIP Security adds secure-connection and encryption capabilities to your devices so they can communicate with other devices securely; the technical answer requires going a little more in-depth.
Potential EtherNet/IP Threats
EtherNet/IP has no built-in security, meaning nothing stops an "actor" from spoofing devices and opening or answering connections on your network. For example, if your EtherNet/IP adapter does not currently hold an exclusive-owner connection with a scanner, a spoofed scanner can connect to the adapter and assert its outputs. This is just one of many scenarios that threaten your EtherNet/IP devices, and when they play out they can wreak havoc on your network.
Here’s a high-level overview of the different threats that can take place on your domain:
- Spoofed IP and MAC addresses
- Hacked devices running code that’s not their own
- Spoofed scanners: any capable entity can act as a scanner and connect to your device if it has the IP address and connection-point information of an unprotected adapter
- Spoofed adapters: any capable entity can act as an adapter if it has the IP address and connection-point information and the connection points are exposed
- Injected connection data: unprotected connection data can be monitored on the wire, and what can be read can be forged or replayed
Keep in mind, too, that it is not always bad actors that cause harm. We are all human, and good people make mistakes: someone may connect to the wrong device through a simple slip of the fingers or an honest misunderstanding.
How CIP Security Protects Your Devices
CIP Security protects EtherNet/IP at the transport layer. Transport Layer Security (TLS) is used as the tunnel for Transmission Control Protocol (TCP) messages, which in EtherNet/IP are explicit messages. For User Datagram Protocol (UDP) messages, the tunnel is Datagram Transport Layer Security (DTLS); in EtherNet/IP, that is implicit (I/O) messaging.
To authenticate devices, CIP Security uses the TLS/DTLS handshake to verify that communications come from valid devices, using either digital certificates (certs) or pre-shared keys (PSKs). Once the session is established, the TLS/DTLS record protection is what lets a device detect and reject data that was altered in transit, and encryption (where the negotiated cipher suite applies it) keeps the data confidential from anyone monitoring the wire.
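To make the threat list above and the TLS/DTLS split concrete, here is an added example (not ODVA, vendor or webinar code) that passively classifies captured EtherNet/IP flows: it parses the plaintext encapsulation header of explicit messages on TCP 44818 and the Common Packet Format of implicit I/O on UDP 2222, showing exactly which fields (session handle, connection ID, sequence number, output data) an observer can read and therefore forge, and it recognises TLS and DTLS record headers on the secure port. The secure port number 2221 and the sample packets are assumptions constructed for the example; the parsing uses only the standard library.

```python
"""Passive audit of EtherNet/IP flows: plaintext (forgeable) vs CIP Security (TLS/DTLS).
Added example, not ODVA or vendor code; the secure port 2221 is an assumption here."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENIP_EXPLICIT_TCP = 44818   # plaintext explicit messaging (encapsulation protocol)
ENIP_IMPLICIT_UDP = 2222    # plaintext class 1 implicit (I/O) messaging
ENIP_SECURE = 2221          # assumed: TLS over TCP / DTLS over UDP used by CIP Security

ENCAP_COMMANDS = {0x0063: "ListIdentity", 0x0065: "RegisterSession",
                  0x0066: "UnRegisterSession", 0x006F: "SendRRData", 0x0070: "SendUnitData"}
# Encapsulation header: command, length, session handle, status, sender context, options
ENCAP_HDR = struct.Struct("<HHII8sI")
SEQUENCED_ADDRESS_ITEM = 0x8002   # connection ID + encapsulation sequence number
CONNECTED_DATA_ITEM = 0x00B1      # the I/O data itself


@dataclass
class ExplicitSummary:
    command: str
    session_handle: int


@dataclass
class ImplicitSummary:
    connection_id: int
    sequence: int
    data: bytes


def parse_encapsulation(payload: bytes) -> Optional[ExplicitSummary]:
    """Decode the 24-byte plaintext header every explicit message carries."""
    if len(payload) < ENCAP_HDR.size:
        return None
    cmd, length, session, _status, _ctx, _opts = ENCAP_HDR.unpack_from(payload)
    if cmd not in ENCAP_COMMANDS or len(payload) != ENCAP_HDR.size + length:
        return None
    return ExplicitSummary(ENCAP_COMMANDS[cmd], session)


def parse_io(payload: bytes) -> Optional[ImplicitSummary]:
    """Decode the Common Packet Format items of a class 1 I/O datagram."""
    if len(payload) < 2:
        return None
    count, off = struct.unpack_from("<H", payload)[0], 2
    conn_id = seq = data = None
    for _ in range(count):
        if off + 4 > len(payload):
            return None
        item_type, item_len = struct.unpack_from("<HH", payload, off)
        body, off = payload[off + 4:off + 4 + item_len], off + 4 + item_len
        if len(body) != item_len:
            return None
        if item_type == SEQUENCED_ADDRESS_ITEM and item_len == 8:
            conn_id, seq = struct.unpack_from("<II", body)
        elif item_type == CONNECTED_DATA_ITEM:
            data = body
    return None if conn_id is None or data is None else ImplicitSummary(conn_id, seq, data)


def is_tls_record(payload: bytes) -> bool:
    # TLS record header: content type 20..23, version major 3
    return len(payload) >= 5 and 20 <= payload[0] <= 23 and payload[1] == 3


def is_dtls_record(payload: bytes) -> bool:
    # DTLS record header (13 bytes): content type 20..23, version 0xFEFF (1.0) or 0xFEFD (1.2)
    return (len(payload) >= 13 and 20 <= payload[0] <= 23
            and payload[1] == 0xFE and payload[2] in (0xFF, 0xFD))


def classify(proto: str, dst_port: int, payload: bytes) -> str:
    if dst_port == ENIP_SECURE:
        if proto == "tcp" and is_tls_record(payload):
            return "protected: explicit messaging inside TLS"
        if proto == "udp" and is_dtls_record(payload):
            return "protected: implicit messaging inside DTLS"
        return "unknown: secure port but no TLS/DTLS record"
    if proto == "tcp" and dst_port == ENIP_EXPLICIT_TCP and (m := parse_encapsulation(payload)):
        return f"exposed: plaintext {m.command}, session handle 0x{m.session_handle:08x} readable/forgeable"
    if proto == "udp" and dst_port == ENIP_IMPLICIT_UDP and (m := parse_io(payload)):
        return (f"exposed: plaintext I/O, connection ID 0x{m.connection_id:08x} seq {m.sequence}, "
                f"{len(m.data)}-byte output data forgeable")
    return "not EtherNet/IP"


def build_register_session() -> bytes:
    # Constructed RegisterSession request: protocol version 1, option flags 0
    return ENCAP_HDR.pack(0x0065, 4, 0, 0, b"\0" * 8, 0) + struct.pack("<HH", 1, 0)


def build_io_packet(conn_id: int, seq: int, data: bytes) -> bytes:
    # Constructed I/O datagram: sequenced address item followed by connected data item
    items = struct.pack("<HHII", SEQUENCED_ADDRESS_ITEM, 8, conn_id, seq)
    items += struct.pack("<HH", CONNECTED_DATA_ITEM, len(data)) + data
    return struct.pack("<H", 2) + items


SAMPLE_FLOWS: List[Tuple[str, int, bytes]] = [  # constructed capture, not real traffic
    ("tcp", 44818, build_register_session()),
    ("udp", 2222, build_io_packet(0x00112233, 7, b"\x01\x00\xff\x00")),
    ("tcp", 2221, bytes([0x16, 0x03, 0x03, 0x00, 0x05]) + b"\x01\x00\x00\x01\x00"),
    ("udp", 2221, bytes([0x16, 0xFE, 0xFD]) + b"\x00\x00" + b"\x00" * 6 + b"\x00\x04" + b"\x00" * 4),
]


def audit(flows: List[Tuple[str, int, bytes]]) -> List[str]:
    return [classify(*flow) for flow in flows]


if __name__ == "__main__":
    for (proto, port, _), verdict in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS)):
        print(f"{proto}/{port}: {verdict}")
```

The point of the two "exposed" verdicts is that the spoofing scenarios in the threat list need nothing more than these plaintext fields; the "protected" verdicts show traffic an observer can no longer read or forge, because the session handle, connection ID and I/O data now sit inside TLS or DTLS records whose peers were authenticated by certificate or PSK. Feed the classifier real payloads from a capture tool to check which of your devices still talk in the clear.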
Protect Your EtherNet/IP Devices with CIP Security
Security breaches are an ever-increasing threat, with bad actors looking for ways to cause disruption and destruction. CIP Security enables EtherNet/IP devices to protect themselves from malicious communications. CIP Security-enabled devices can maintain data integrity by rejecting data that has been altered, enforce device authenticity by rejecting messages sent by untrusted people or devices, and manage authorization by rejecting messages that request actions that aren't allowed.
To learn more about how CIP Security protects your devices, watch our on-demand webinar Defend Your Automation Networks with CIP Security. In addition to explaining how CIP Security works, it also discusses the basics of CIP Security and how to add CIP Security to your devices.