CIP Security™ encompasses security-related requirements and capabilities for CIP devices, specifically EtherNet/IP™ devices.Control system security has historically been addressed by adoption of a defense-in-depth security architecture, which has been recommended for many years. This architecture is based on the idea that multiple layers of security are more resilient to attack. The expectation is that any one outer layer could be compromised at some point in time while the automation devices at the innermost layer would remain secure.

However, as IT/OT convergence accelerates and attackers become more sophisticated, it is more important for the CIP-connected device — the final layer of defense — to defend itself. Consider the situation where a piece of malware is, unknown to control system personnel, delivered to a compromised PC via USB drive. The malware could contain code to issue malicious CIP services to devices. However if the device were able to reject such services from untrusted sources, the threat would be mitigated.The goal of CIP Security is to enable the CIP-connected device to protect itself from malicious CIP communications. A fully self-defending CIP device would be able to:

• Reject data that has been altered (integrity)
• Reject messages sent by untrusted people or untrusted devices (authenticity)
• Reject messages that request actions that are not allowed (authorization)

Recognizing that every CIP device does not need to provide the same level of support for all defined security features, CIP Security defines the notion of a Security Profile. A Security Profile is a set of well-defined capabilities to facilitate device interoperability and end-user selection of devices with the appropriate security capability.CIP Security for EtherNet/IP devices makes use of the IETF-standard TLS (RFC 5246) and DTLS (RFC 6347) protocols in order to provide a secure transport for EtherNet/IP traffic. TLS is used for the TCP-based communications (including encapsulation layer, UCMM, transport class 3), and DTLS for the UDP-based transport class 0/1 communications. This approach is analogous to the way that HTTP uses TLS for HTTPS.The secure EtherNet/IP transport provides the following security attributes:

• Authentication of the endpoints — ensuring that the target and originator are both trusted entities. End point authentication is accomplished using X.509 certificates or pre-shared keys.
• Message integrity and authentication — ensuring that the message was sent by the trusted endpoint and was not modified in transit. Message integrity and authentication is accomplished via TLS message authentication code (HMAC).
• Message encryption — optional capability to encrypt the communications, provided by the encryption algorithm that is negotiated via the TLS handshake.

Safety application coverage in CIP provides the ability to mix safety devices and standard devices on the same network or wire for seamless integration and increased flexibility. CIP Safety™ provides fail-safe communication between nodes such as safety I/O blocks, safety interlock switches, safety light curtains and safety controllers in both machine and process automation safety applications up to Safety Integrity Level (SIL) 3 according to IEC 61508 standards. CIP Safety has also been adopted by Sercos International.

CIP Safety is made up of high integrity safety services and diagnostics in the application layer and doesn’t require special communications hardware. CIP Safety can also coexist with other application layer standards like CIP Motion and CIP Security. CIP Safety does not prevent communication errors from occurring, but instead it ensures transmission integrity by detecting errors and allowing devices to take appropriate actions as follows:

• All CIP Safety data is produced with a timestamp which allows safety consumers to determine the age of the produced data.
• A Production Identifier is encoded in each data production to ensure that each received message arrives at the correct consumer.
• All safety transfers on CIP Safety use Safety CRCs or checksums to ensure the integrity of the transfer of information.
• Data and CRC or checksum redundancy with cross checking provides an additional measure of protection by detecting possible corruption of transmitted data.
• The CIP Safety protocol is present only in safety devices; this prevents standard devices from masquerading as safety devices.

CIP Safety packets are made up of the following four sections (note that no packet has all four): data, timestamp, time correction and time coordination. When configuring a CIP Safety device over the network, there are measures to ensure integrity of the configuration, such as:

• Safety Network Number which identifies each network path in the system individually, allowing each device to be uniquely identified.
• Configuration Ownership can be enforced to ensure that safety configurations cannot be changed by other devices in the network.

CIP Safety has been certified by TÜV Rheinland as a “black channel” protocol, which means that the safety integrity is not dependent on the physical media. As a black channel protocol, CIP Safety can be communicated with over different wired Ethernet platforms (10, 100 Mbps and 1 Gbps), fiber optics, and wireless systems such as existing WiFi (802.11a/b/g/n/ac). CIP Safety is expected to be forward compatible to new standards like WiFi 6 (802.11ax) and 5G.

CIP Sync™ provides the increased control coordination mechanism needed for industrial automation control applications where absolute time synchronization is vital to achieve real-time synchronization between distributed intelligent devices and systems. CIP Sync™ is compliant with the IEEE-1588™ standard, and allows synchronization accuracy between two devices of fewer than 100 nanoseconds. Real-time synchronization can be achieved over conventional Ethernet systems with a switch-based architecture.

CIP Sync consists of a Time Sync object and associated services that allows users to synchronize devices, including motion axes, using “time.” This synchronization method provides a more flexible and scalable network architecture, ideal for large-scale motion systems. CIP Sync is not restricted by many of the constraints imposed by event-based or time-sliced implementations.

EtherNet/IP™ is a best-in-class Ethernet communication network that provides users with the tools to deploy standard Ethernet technology (IEEE 802.3 combined with the TCP/IP Suite) in industrial automation applications while enabling Internet and enterprise connectivity…data anytime, anywhere. The Industrial Internet of Things (IIoT) and Industry 4.0 are providing manufacturers with significant opportunity for innovation. To capitalize on this opportunity and be able to connect all devices – not just those connected to controllers – industrial users must invest in networks that support the Internet Protocol. Through its reliance on standard Internet and Ethernet standards, EtherNet/IP is proven, complete and ready for Industry 4.0 and IIoT both today and tomorrow.

EtherNet/IP offers various network topology options including star or linear with standard Ethernet infrastructure devices, or device level ring (DLR) with specially enabled EtherNet/IP devices. QuickConnect™ functionality allows devices to be exchanged rapidly (e.g., a tool changer on a robot arm) while the network is running. Compliance with IEEE Ethernet standards provides users with a choice of network interface speeds — e.g., 10, 100 Mbps and 1 Gbps — and a flexible network architecture compatible with commercially available Ethernet installation options including copper, fiber, fiber ring and wireless. Options for industrially rated devices incorporating IP67 or better rated connectors with module and network status LEDs with device labeling provide ease of use.

Like all CIP Networks, EtherNet/IP utilizes the Common Industrial Protocol (CIP™) for its upper layers. CIP Networks follow the Open Systems Interconnection (OSI) model, which defines a framework for implementing network protocols in seven layers: physical, data link, network, transport, session, presentation and application. Networks that follow this model define a complete suite of network functionality from the physical implementation through the application or user interface layer.

CIP encompasses a comprehensive suite of messages and services for a variety of manufacturing automation applications, including control, safety, security, energy, synchronization & motion, information and network management. As a truly media-independent protocol that is supported by hundreds of vendors around the world, CIP provides users with a unified communication architecture throughout the manufacturing enterprise.

CIP Security™ encompasses security-related requirements and capabilities for CIP devices, specifically EtherNet/IP™ devices.Control system security has historically been addressed by adoption of a defense-in-depth security architecture, which has been recommended for many years. This architecture is based on the idea that multiple layers of security are more resilient to attack. The expectation is that any one outer layer could be compromised at some point in time while the automation devices at the innermost layer would remain secure.

However, as IT/OT convergence accelerates and attackers become more sophisticated, it is more important for the CIP-connected device — the final layer of defense — to defend itself. Consider the situation where a piece of malware is, unknown to control system personnel, delivered to a compromised PC via USB drive. The malware could contain code to issue malicious CIP services to devices. However if the device were able to reject such services from untrusted sources, the threat would be mitigated.The goal of CIP Security is to enable the CIP-connected device to protect itself from malicious CIP communications. A fully self-defending CIP device would be able to:

• Reject data that has been altered (integrity)
• Reject messages sent by untrusted people or untrusted devices (authenticity)
• Reject messages that request actions that are not allowed (authorization)

Recognizing that every CIP device does not need to provide the same level of support for all defined security features, CIP Security defines the notion of a Security Profile. A Security Profile is a set of well-defined capabilities to facilitate device interoperability and end-user selection of devices with the appropriate security capability.CIP Security for EtherNet/IP devices makes use of the IETF-standard TLS (RFC 5246) and DTLS (RFC 6347) protocols in order to provide a secure transport for EtherNet/IP traffic. TLS is used for the TCP-based communications (including encapsulation layer, UCMM, transport class 3), and DTLS for the UDP-based transport class 0/1 communications. This approach is analogous to the way that HTTP uses TLS for HTTPS.The secure EtherNet/IP transport provides the following security attributes:

• Authentication of the endpoints — ensuring that the target and originator are both trusted entities. End point authentication is accomplished using X.509 certificates or pre-shared keys.
• Message integrity and authentication — ensuring that the message was sent by the trusted endpoint and was not modified in transit. Message integrity and authentication is accomplished via TLS message authentication code (HMAC).
• Message encryption — optional capability to encrypt the communications, provided by the encryption algorithm that is negotiated via the TLS handshake.

Safety application coverage in CIP provides the ability to mix safety devices and standard devices on the same network or wire for seamless integration and increased flexibility. CIP Safety™ provides fail-safe communication between nodes such as safety I/O blocks, safety interlock switches, safety light curtains and safety controllers in both machine and process automation safety applications up to Safety Integrity Level (SIL) 3 according to IEC 61508 standards. CIP Safety has also been adopted by Sercos International.

CIP Safety is made up of high integrity safety services and diagnostics in the application layer and doesn’t require special communications hardware. CIP Safety can also coexist with other application layer standards like CIP Motion and CIP Security. CIP Safety does not prevent communication errors from occurring, but instead it ensures transmission integrity by detecting errors and allowing devices to take appropriate actions as follows:

• All CIP Safety data is produced with a timestamp which allows safety consumers to determine the age of the produced data.
• A Production Identifier is encoded in each data production to ensure that each received message arrives at the correct consumer.
• All safety transfers on CIP Safety use Safety CRCs or checksums to ensure the integrity of the transfer of information.
• Data and CRC or checksum redundancy with cross checking provides an additional measure of protection by detecting possible corruption of transmitted data.
• The CIP Safety protocol is present only in safety devices; this prevents standard devices from masquerading as safety devices.

CIP Safety packets are made up of the following four sections (note that no packet has all four): data, timestamp, time correction and time coordination. When configuring a CIP Safety device over the network, there are measures to ensure integrity of the configuration, such as:

• Safety Network Number which identifies each network path in the system individually, allowing each device to be uniquely identified.
• Configuration Ownership can be enforced to ensure that safety configurations cannot be changed by other devices in the network.

CIP Safety has been certified by TÜV Rheinland as a “black channel” protocol, which means that the safety integrity is not dependent on the physical media. As a black channel protocol, CIP Safety can be communicated with over different wired Ethernet platforms (10, 100 Mbps and 1 Gbps), fiber optics, and wireless systems such as existing WiFi (802.11a/b/g/n/ac). CIP Safety is expected to be forward compatible to new standards like WiFi 6 (802.11ax) and 5G.

CIP Sync™ provides the increased control coordination mechanism needed for industrial automation control applications where absolute time synchronization is vital to achieve real-time synchronization between distributed intelligent devices and systems. CIP Sync™ is compliant with the IEEE-1588™ standard, and allows synchronization accuracy between two devices of fewer than 100 nanoseconds. Real-time synchronization can be achieved over conventional Ethernet systems with a switch-based architecture.

CIP Sync consists of a Time Sync object and associated services that allows users to synchronize devices, including motion axes, using “time.” This synchronization method provides a more flexible and scalable network architecture, ideal for large-scale motion systems. CIP Sync is not restricted by many of the constraints imposed by event-based or time-sliced implementations.