Blog > Automation > What is CIP Security?

What is CIP Security?

9/17/19  |  Joe Amorese, Rexel Technical Consultant

Recently, Rockwell Automation® released the first phase of their CIP secure enabled products. With the trend of embedding IP addresses in all industrial automation devices (IACs) for a connected enterprise, Internet of things (IoT), or industry 4.0, more and more plant floors are networked. While there are many advantages, this trend exposes facilities to greater security risks. The good news with CIP security, there is a way to implement security at the device level.

Common Industrial Protocol

The Common Industrial Protocol (CIP) is an open industrial protocol governed by the ODVA. There are subsets of standards in the CIP protocol, CIP sync, CIP safety, CIP motion, CIP energy, and recently, CIP security. Referring to the cybersecurity onion model with the defense in layers concept, CIP security is at the core of the onion or the IAC level.

HOW CIP SECURITY WORKS

CIP security protects data using transport layer security (TLS) for explicit messages and datagram transport layer security (DTLS) for implicit I/O messages. As an Internet user, you are using TLS every time you go to a secure web site, just look for the lock icon in the URL. TLS and DTLS use encryption and certificates to reject data that has been altered (integrity), messages sent by untrusted people or untrusted devices (authenticity), and messages that request actions that are not allowed (authorization).

CIP SECURE ENABLED DECEIVES

Today Rockwell Automation’s 5580 family of ControlLogix® and GuardLogix® with V32 release, FactoryTalk® Linx V6.11, 1756-EN4TR Ethernet scanner, Kinetix® 5700, and the soon to be released PowerFlex® 755T drives are CIP secure enabled. To secure legacy products, a whitelist function is also available. To manage this technology, Rockwell Automation has embedded FactoryTalk Policy Manager into FactoryTalk Services Platform V 6.11. Policy Manager manages the configuration of the system, and once deployed, it is then no longer required unless changes to the system are necessary.

Effective network security requires a Defense in Depth (DiD) model. And protecting the manufacturing zone from the outside world demands the use of firewalls at the DMZ (demilitarized zone). In the manufacturing zone, the implementation of FactoryTalk Security for authentication and rights protect against unauthorized access with role- or user-based privileges. And now, with CIP security, we can keep unauthorized devices from making a connection, deny data snooping, and disallow tampering or modification of data.

Click Here to Download our FREE ABCs of Industrial Networking eBook