CIP Security adds trust to device communications

By Jim Montague

Nov 14, 2018

Everyone wants to visit the wonderland of the Industrial IoT and digitalization and gain all of its improved decision-making and optimization benefits. However, just as moms advise umbrellas on rainy days and rollercoasters come with restraints, it's important to take safety and security precautions to minimize the risk that goes with all that added connectivity.

"There are all kinds of technologies and efforts enabling our customers' digital transformation journeys, but it's crucial to recognize the inherent risks that go with all that added connectivity," said Steven Ludwig, commercial program manager, safety and security, Rockwell Automation. "When you drop a machine into a facility and it needs connections, or just increase the number of access points in an application, you've got to manage their risk, and address the security and safety they need. This can involve everything from protecting data and intellectual property (IP) on the IT side and people and assets on the OT side. Either way, risk must be managed as connected enterprises expand and multiply."

Ludwig and several colleagues are conducting tours of the safety and security exhibit in the Integrated Architecture booth at this week’s Automation Fair in Philadelphia.

Best defense in layers

Ludwig reported that attacks on industrial control systems (ICS) are vastly increasing, but addressing security and safety within the Rockwell Automation Integrated Architecture control systems can enable them to jointly reduce and manage risk for customers to a greater extent than if they tried to do it on their own.

Michael Bush, technology manager, Common Architecture and Technology (CAT), Rockwell Automation, reported that many industrial communication protocols were developed 20 years ago without inherent security.

To help remedy this situation, Rockwell Automation has integrated the Transport Layer Security (TLS) protection included in the new CIP Security standard into its EtherNet/IP-based communications. CIP Security was released two years ago by ODVA, which manages EtherNet/IP and the other CIP-based protocols.

"This added layer makes having cybersecurity transparent to controllers, drives and other devices—and to each other—by setting up cryptographic checks, which allows these devices to trust each other," explained Bush. "And, to keep up as cyber threats continue to evolve, we're adding user authentications and establishing secure events. All of this security is built in, rather than bolted on."

Ludwig reported that Rockwell Automation has already been integrating security and safety capabilities into its products for years, complying with the IEC 62443 standard, and securing certifications from TÜV Rheinland and other organizations. Bush added that Rockwell Automation is taking a top-down approach with its latest security and safety efforts.

"We began with the most vulnerable areas, such as the PCs and software above EtherNet/IP," said Bush. "Now we're adding CIP Security to our FactoryTalk Linx software, ControlLogix 5580 controller and Kinetix 5700 drive, which will launch in the first quarter of 2019. After adding CIP Security to the controllers, we're going to add it to the I/O devices."

Human element

Beyond adding technical security capabilities, Ludwig emphasized it's crucial for users to settle on sufficient security policies and procedures, practice good security hygiene, and train their personnel to carry it out. Once basic security has been established, he added that users can use what they've learned to enhance their safety efforts, too.

"Decreased risk doesn't mean less productivity," said Ludwig.

Kevin Tambascio, engineering manager, Rockwell Automation, added, "You've got to have defense-in-depth, which is usually done by segmenting networks, applications and endpoints into segments and zones, but all of them also need to work together to reduce risk, too. You can't just slap on a firewall. Fortunately, we now have security embedded in our devices, wires and protocols."

For example, the safety and security exhibit included a winding and slitting machine from Catbridge, which was outfitted with an Allen-Bradley Compact GuardLogix safety controller, Kinetix 5900 drives and SafeZone safety scanner with EtherNet/IP. It measures the distance of workers from the machine and slows to a safe speed when they get too close.

"In the past, implementing lockout/tagouts and other safety functions like this would mean significant downtime," added Ludwig. "Now, we can do high-integrity safety control, but keep equipment powered up. This takes a lot less time, and means much less lost productivity.

"These solutions mean users can gain all the terrific benefits of connectivity, digitalization and connected enterprises, but still successfully reduce and manage their inherent risks."
