Using CIP Security to Strengthen Your Defense In Depth Strategy

PB 25 Rockwell newlogo 400

May 11, 2020

By Oliver Haya, Business Development Manager, EtherNet/IP Technology Adoption, Rockwell Automation

Industrial operations are increasingly becoming the target of cybersecurity attacks. There are new devices adding network connectivity as they migrate from traditional fieldbuses and standalone operation. Additional connections are being created between the IT and OT space and machine builders increasingly offer analytics if their machine can be connected to the cloud. International standards for cybersecurity, known as IEC 62443, are being updated and expanded, including requirements for end users, system integrators, and device manufacturers. These standards require defense in depth strategies to reduce the risk of attacks that cause harm considering the additional connectivity.

As you advance the cybersecurity of your operations, you need more capability at deeper levels of the defense in depth strategy. Have you performed cybersecurity assessments, minimized your attack surface with cybersecurity essentials and implemented best network segmentation practices? If you’re ahead of all these, you’re on the right track!

Even once you have strong security policies and protections, adding security at each layer improves your resilience against attacks. For example, how will you protect your process if a malicious actor has access behind your firewall? You may be susceptible to various attacks that need additional measures to mitigate.

What do you mean, a firewall isn’t enough?

A malicious actor could create an unauthorized connection to hardware in your system by pretending to be another kind of device. This has been demonstrated recently in industrial automation, with an imposter computer improperly configuring devices and injecting code based on insecure identification credentials.

Another attack type that’s possible without communication integrity is the man-in-the-middle attack and a variant of that – the replay attack. During these attacks, someone would intercept and modify data between two devices, sometimes after collecting data that can be used to mimic normal operation. That could mask abnormal behavior that can cause equipment damage or endanger human safety.

Cybercriminals could also gain proprietary information by snooping on the network traffic between industrial devices. Whether those are secret recipes going from the MES to the PLCs, analytic data that could be used to steal manufacturing best practices, or production volume information that could be used to short stocks, data transmitted without confidentiality could be used for harm.

Every layer of defense helps, so get to the devices

To bolster security at the device level and reduce the risk of those attacks, IEC 62443-3-3 and IEC 62443-4-2 include common minimum requirements for device identity, integrity and authenticity of communications, and options for confidentially transmitting data. Four of the requirements in the standard (SR 1.2, SR 3.1, SR 3.13, SR 4.1) are almost impossible to implement at a system level without the right hardware and firmware at the device level. If you want to use devices from multiple vendors that meet those system requirements, standards and conformance testing are needed.

The CIP Security™ protocol is an open standard from ODVA, which helps solve important communication requirements that device vendors using industrial Ethernet cannot solve themselves. This standard is the only standard designed for securing communications between PLCs and devices. The CIP Security protocol provides mechanisms for validating device identity, device authentication, data integrity and data confidentiality. All three of the functional requirements and their requirement enhancements can be met using CIP Security and configured using FactoryTalk Policy Manager.

Rockwell Automation is releasing CIP Security on more products each year and other vendors are adopting this standard right now. Some of upcoming devices include retrofit opportunities to reduce the risk of cyber incidents with existing equipment too, so don’t think that you must wait for a greenfield plant to make improvements. Start considering when and how you will add more layers to your defense in depth.

Important Links Bar.jpg

https://www.rockwellautomation.com/en_NA/news/blog/detail.page?pagetitle=CIP-Security%3A-Strengthen-Defense-In-Depth-Strategy-%7C-Blog&content_type=blog&docid=649fda991beed739543a00e346550942

 

Related Articles

Network Infrastructure Featured Product Spotlight

PBUS 14 Panduit logo 400

This webinar presented by Beth Lessard and Keith Cordero will be highlighting three Panduit solutions that will optimize network equipment and cabling to ensure that your spaces are efficiently and properly managed to support ever-evolving business needs of today and beyond. Products that will be featured include PanZone TrueEdge Wall Mount Enclsoure, Cable Managers, and Adjustable Depth 4-Post Rack.

REGISTER HERE


Editor’s Pick: Featured Product News

Siemens: SIMOVAC Non-Arc-Resistant and SIMOVAC-AR Arc-Resistant Motor Controllers

The Siemens SIMOVAC medium-voltage non-arc-resistant and SIMOVAC-AR arc-resistant controllers have a modular design incorporating up to two 12SVC400 (400 A) controllers, housed in a freestanding sheet steel enclosure. Each controller is UL 347 class E2, equipped with three current-limiting fuses, a non-load-break isolating switch, and a fixed-mounted vacuum contactor (plug-in type optional for 12SVC400). The enclosure is designed for front access, allowing the equipment to be located with the rear of the equipment close to a non-combustible wall.

Read More


Sponsored Content
Electrify Your Enterprise

Power is vital to production, and well-designed control cabinets are key. Allied Electronics & Automation offers a comprehensive collection of control cabinet solutions including PLCs, HMIs, contactors, miniature circuit breakers, terminal block connectors, DIN-rail power supplies, pushbutton switches, motor starters, overloads, power relays, industrial Ethernet switches and AC drives engineered to keep your operations running safely, reliably and efficiently.

Learn more HERE.


Products for Panel Builders

  • icotek: Expansion of the KEL-DPZ-KX/KL Cable Entry Plate Series 

    icotek: Expansion of the KEL-DPZ-KX/KL Cable Entry Plate Series 

    KEL-DPZ cable entry plates are designed to route and seal a large number cables without connectors, hoses or fibre optics (from 1.5 mm to 22 mm in diameter) in limited space. The KEL-DPZ products are a cost and time saving alternative to traditional cable glands. The KEL-DPZ-KX/KL (IP65) size was created especially for Rittal KL/KX… Read More…

  • Pilz: PNOZ m ES 16DI PNOZmulti 2 Small Controller Input Module

    Pilz: PNOZ m ES 16DI PNOZmulti 2 Small Controller Input Module

    Have you selected the appropriate base unit for your application? Various expansion modules can be docked to a PNOZmulti 2 base unit, depending on the requirement: For example: I/O modules, motion monitoring modules and link modules. To monitor pushbuttons and other digital sensors, you can use the input module PNOZ m ES 16DI for standard applications. Configurable in the software… Read More…