CIP Security Updated to Support User Level Authentication

By David Humphrey

Category:
Company and Product News

ODVA announces that user level authentication has been added to CIP Security, the cybersecurity network extension for EtherNet/IP.  Previous publications of the specifications for CIP Security included key security properties including a broad trust domain across a group of devices, data confidentiality, device authentication, device identity, and device integrity.  CIP Security now adds a narrow trust domain by user and role, an improved device identity including the user, and user authentication.

The CIP Security User Authentication Profile will provide user level authentication with a fixed user access policy based on well-defined roles and basic authorization via both local and central user authentication.  CIP Security’s ability to authenticate via the device or through a central server allows for simplicity in smaller, simple systems and efficiency in large, complicated installations.

 CIP Security already included proven, and open security technologies including TLS (Transport Layer Security) and DTLS (Datagram Transport Layer Security); cryptographic protocols used to provide secure transport of EtherNet/IP traffic, hashes or HMAC (keyed-Hash Message Authentication Code) as a cryptographic method of providing data integrity and message authentication to EtherNet/IP traffic; and encryption as a means of encoding messages or information in such a way as to prevent reading or viewing of EtherNet/IP data by unauthorized parties.  The new CIPTM User Authentication Profile provides user-level authentication for CIP communication at the application layer.  In the future, CIP Security may make use of a CIP authorization profile that will enhance CIP to provide additional security properties, such as general, flexible authorization where access policy can be based on any attribute of the user and/or system and potentially extending CIP Security to support other non-EtherNet/IP networks.

 The new User Authentication Profile makes use of several open, common, ubiquitous technologies, including OAuth 2.0 and OpenID Connect for cryptographically protected token-based user authentication, JSON Web Tokens (JWT) as proof of authentication, usernames and passwords, and already existing X.509 certificates to provide cryptographically secure identities to users and devices.  It uses a cryptographically secure user authentication session ID, generated by the target on presentation of a valid JWT by the user, to map between an authentication event and the messages sent by a user for CIP communications.  The user authentication session ID is transmitted over EtherNet/IP using (D)TLS and a confidentiality-enabled cipher suite per CIP Security’s EtherNet/IP confidentiality profile.

Through this update, CIP Security now offers even stronger device level security with a narrow trust domain by user and role, an improved device identity including the user, and fixed user authentication.  ODVA continues to work to make sure that CIP Security stays on the cutting edge of device defense to best protect critical industrial automation assets to make sure that the promise of IIoT and Industry 4.0 can be fully achieved. Visit odva.org to obtain the latest version of The EtherNet/IP Specification including CIP Security.

Engage with ARC Advisory Group