Cybersecurity Added to The EtherNet/IP Specification
December 2, 2015 – ODVA announced that it has achieved a major milestone with the pending publication of a new volume in its specifications specifically dedicated to cybersecurity. This body of work will be released under the name of CIP Security and will join the family of distinctive CIP services which includes CIP Safety, CIP Energy, CIP Sync and CIP Motion. CIP Security will be initially applicable to EtherNet/IP.
Because EtherNet/IP relies on commercial-off-the-shelf (COTS) technologies for Ethernet and the Internet, users have been able to deploy traditional defense-in-depth techniques in EtherNet/IP systems for some time, as ODVA explained as early as 2011 in its publication “Securing EtherNet/IP Networks.” CIP Security will help users take additional steps to protect their industrial control systems with industry-proven techniques for securing transport of messages between EtherNet/IP devices and systems and thus reduce their exposure to cybersecurity threats.
The initial release of CIP Security includes mechanisms to address spoofing of identity, tampering with data and disclosing of information. Mechanisms supported in the initial release of CIP Security include device authorization, integrity of message transport and confidentiality of messages. To support these mechanisms, ODVA has adapted standards from the Internet Engineering Task Force (IETF) for encryption based on Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS), and for authentication based on the X.509v3 standard for certificate handling. Details of ODVA’s initial implementation of CIP Security and outlook for the future were presented in a technical paper at ODVA’s 2015 Industry Conference and 17th Annual Meeting of Members.
“The publication of the volume dedicated to cybersecurity in The EtherNet/IP Specification is the next step in providing users with methods to help them manage threats and vulnerabilities in EtherNet/IP systems,” said Katherine Voss, ODVA president and executive director. “Following this publication will be the realization of the mechanisms provided by CIP Security in ODVA CONFORMANT EtherNet/IP products.”
ODVA’s focus on cybersecurity is not only a function of increased emphasis on cybersecurity for industrial control systems but also because of the widespread adoption of EtherNet/IP in a broad range of applications from manufacturing to critical infrastructure. As a result of the breadth of applications, the next edition of The EtherNet/IP Specification will expand support for IEC 62439-3 “Industrial communication networks – high availability automation networks – part 3” to include High Availability Seamless Redundancy (HSR) in addition to Parallel Redundancy Protocol (PRP). HSR is commonly used in electrical substation automation as specified in IEC-61850. Other high reliability techniques supported in The EtherNet/IP Specification include Rapid Spanning Tree (RSTP) and Device Level Ring (DLR).
The specification enhancements for cybersecurity and high availability are part of a larger group of enhancements that ODVA has approved for publication in the next editions of its specifications scheduled for release in December 2015. In total ODVA publishes five specifications, two times per year, encompassing the EtherNet/IP, DeviceNet, CompoNet, ControlNet and CIP Safety technologies and standards.
Founded in 1995, ODVA is a global association whose members comprise the world’s leading automation companies. ODVA’s mission is to advance open, interoperable information and communication technologies in industrial automation. ODVA recognizes its media independent network protocol, the Common Industrial Protocol or “CIP” – and the network adaptations of CIP – EtherNet/IP, DeviceNet, CompoNet and ControlNet – as its core technology and the primary common interest of its membership. ODVA’s vision is to contribute to the sustainability and prosperity of the global community by transforming the model for information and communication technology in the industrial ecosystem. For future interoperability of production systems and the integration of the production systems with other systems, ODVA embraces the adoption of commercial-off-the-shelf (COTS) and standard, unmodified Internet and Ethernet technologies as a guiding principle wherever possible. This principle is exemplified by EtherNet/IP – the world’s number one industrial Ethernet network.