This release has been sitting in my Dropbox for a month or so. It’s still worth noting especially since security became news a couple of times in the past few weeks.
ODVA announces that user level authentication has been added to CIP Security, the cybersecurity network extension for EtherNet/IP. Previous publications of the specifications for CIP Security included key security properties including a broad trust domain across a group of devices, data confidentiality, device authentication, device identity, and device integrity. CIP Security now adds a narrow trust domain by user and role, an improved device identity including the user, and user authentication.
As IT and OT converge in industrial automation, the ability for controls engineers, IT administrators, and maintenance operators to securely access and modify device parameters grows even more critical. Device level security is a building block requirement of IIoT to protect critical assets and people from potential physical and increasingly likely financial harm. To meet this requirement, the robust CIP Security User Authentication Profile will provide user level authentication with a fixed user access policy based on well-defined roles and basic authorization via both local and central user authentication. CIP Security’s ability to authenticate via the device or through a central server allows for simplicity in smaller, simple systems and efficiency in large, complicated installations.
CIP Security already included robust, proven, and open security technologies including TLS (Transport Layer Security) and DTLS (Datagram Transport Layer Security); cryptographic protocols used to provide secure transport of EtherNet/IP traffic, hashes or HMAC (keyed-Hash Message Authentication Code) as a cryptographic method of providing data integrity and message authentication to EtherNet/IP traffic; and encryption as a means of encoding messages or information in such a way as to prevent reading or viewing of EtherNet/IP data by unauthorized parties. The new CIPTM User Authentication Profile provides user-level authentication for CIP communication at the application layer. In the future, CIP Security may make use of a CIP authorization profile that will enhance CIP to provide additional security properties such as general, flexible authorization where access policy can be based on any attribute of the user and/or system and potentially extending CIP Security to support other non-EtherNet/IP networks.
The new User Authentication Profile makes use of several open, common, ubiquitous technologies, including OAuth 2.0 and OpenID Connect for cryptographically protected token-based user authentication, JSON Web Tokens (JWT) as proof of authentication, usernames and passwords, and already existing X.509 certificates to provide cryptographically secure identities to users and devices. It uses a cryptographically secure user authentication session ID, generated by the target on presentation of a valid JWT by the user, to map between an authentication event and the messages sent by a user for CIP communications. The user authentication session ID is transmitted over EtherNet/IP using (D)TLS and a confidentiality-enabled cipher suite per CIP Security’s EtherNet/IP confidentiality profile.
“User authentication is another critical step in the development of CIP Security, a key network extension that is a part of the complete EtherNet/IP industrial communication ecosystem. CIP Security, as a part of a defense in depth approach, is designed as an effective deterrence to malicious cyber attackers who are looking for targets to disrupt plant operations,” stated Jack Visoky, EtherNet/IP System Architecture Special Interest Group (SIG) vice-chair. “With connected infrastructure and automation systems, CIP Security is more critical than ever before to protect valuable investments and production of essential products around the world from malicious cybersecurity attacks” said Dr. Al Beydoun, President and Executive Director of ODVA. “ODVA will continue to invest in the future development of CIP Security and EtherNet/IP to ensure that end users are protected from physical and financial harm perpetrated by bad actors.”
Through this update, CIP Security now offers even stronger device level security with a narrow trust domain by user and role, an improved device identity including the user, and fixed user authentication. ODVA continues to work to make sure that CIP Security stays on the cutting edge of device defense to best protect critical industrial automation assets to make sure that the promise of IIoT and Industry 4.0 can be fully achieved. Visit odva.org to obtain the latest version of The EtherNet/IP Specification including CIP Security.