News

ODVA Updates CIP Security to Support User Level Authentication for Industrial Applications

January 07, 2021 by Robin Mitchell

Recently, ODVA announced that it has updated CIP Security to include user-level authentication.

According to the press release, the update improves security measures for solutions utilizing EtherNet/IP. The user-level authentication narrows the trust domain by user and role. The press release from the Open DeviceNet Vendors Association (ODVA) discusses policies and tokens.

 

CIP Security Supports User-level Authentication

Messages sent over CIP are secured using TLS and DTLS. However, the device itself is not protected and can be communicated with by other devices on the network (this encryption only protects data in transit between a device and a controller). The latest edition means that only authorized devices can communicate on the network with other devices.

 

CIP Security. Image courtesy of ODVA

 

A user's authorization to connect to a device can be given a profile that defines what that user can and cannot do. For example, a user could have read-only access, which prevents that device from writing anything. 

This authorization is done either through the device itself or a central server. This is highly advantageous because it can make simple systems more simple to integrate. It also allows for large-scale databases that can be updated by key staff.

The new update makes use of OAuth 2.0 and OpenID with cryptographically protected token-based authentication. Devices can have authorization using a token without being given usernames and passwords. 

 

Ethernet/IP

Industrial systems have continued to increase in complexity. The integration of microcontrollers and processors into the simplest sensors creates the need for a network. While there are custom solutions, off-the-shelf solutions can be cheaper and more established.

As a result, many industrial equipment developers have turned to Ethernet for connecting PLCs and process to networks. LAN networks' use provides industrial systems with major advantages, including the ability to connect systems using readily available cables, easy communication, and internet access for devices that may require maintenance from a remote source.

 

What is CIP Security?

Common Industrial Protocol (CIP) is an industrial protocol for industrial automation applications backed by ODVA. 

CIP supports a range of networks, including DeviceNet, EtherNet/IP, CIP Safety, and CIP Sync. 

 

 

CIP aims to provide industrial systems with networks that can provide a common protocol for messaging, interaction, and control. 

CIP Security is the act of applying security measures to both devices and the network itself. Typically, industrial systems are protected from the outside with firewalls and servers, but the internal network is typically unprotected. Once a piece of malicious code enters the internal network, it can connect any connected device with little to no resistance, communicate with any connected server, and essentially allow an attacker to wreak havoc.

CIP security deploys encryption to the messages, including TLS for TCP messages and DTLS for UDP messages. TCP is generally used by explicit messages (i.e., when a controller requests data from a sensor). UDP is generally used by I/O messages (i.e., when a device is broadcasting its status).

The use of a security to these messages prevents third-parties on the network from performing man-in-the-middle attacks.