ODVA expands CIP security for improved productivity
11 April 2019
ODVA has released its first round of specification enhancements to its technologies for 2019, including enhancements to The EtherNet/IP Specification with key updates to the CIP Security technology. ODVA's biannual update of its network specifications helps end-users and OEMs address an ever-increasing scope of industrial automation applications.
The goal of cybersecurity enhancements to EtherNet/IP is to extend a defense-in-depth architecture to network communications with and between ICS systems – and with and between ICS systems and edge devices. ODVA pursues this goal by enhancing the potential defensive capability of ICS systems and devices using EtherNet/IP, providing cybersecurity mechanisms that are native to EtherNet/IP and the Common Industrial Protocol (CIP). The initial CIP Security specification was published in 2015, providing vendors the ability to improve the security of EtherNet/IP-connected devices by adding support for device authentication, data integrity, and data confidentiality.
Since then, ODVA has made several key updates to CIP Security. Most notably, to continue meeting end users' desire for easier initial commissioning of devices, CIP Security was enhanced to allow devices to perform certificate enrollment directly. In contrast to the practice of pushing certificates out from a configuration tool, this 'pulling' functionality will allow devices to actively request certificates, resulting in improved productivity. The pulling of a certificate is accomplished using standard and proven IT technologies, furthering the ability to integrate IT and OT systems.
The April 2019 edition of the CIP Security Specification continues the progression of the technology to increase efficiency with timeout responses, increase protection by allowing for a mandatory CIP Security connection for changes, and expand behaviors for certificate verification.
Work is ongoing on the next phase of development of CIP Security, which will add support for user authentication, non-repudiation, and device authorisation, strengthening secure end-to-end communications between CIP endpoints. The ultimate roadmap of CIP Security development is to enable EtherNet/IP devices, and potentially other types of devices using CIP, to become autonomous, taking responsibility for their own security and effectively securing themselves from attack.