CIP security enhanced to support resource-constrained Ethernet/IP devices

April 21, 2021

ODVA announced that CIP Security, the cybersecurity network extension for EtherNet/IP, has added support for resource-constrained EtherNet/IP devices. CIP Security can now provide device authentication, a broad trust domain, device identity via Pre-Shared Keys (PSKs), device integrity, and data confidentiality for resource-constrained devices such as contactors and push-buttons. Additionally, a narrow trust domain, user authentication, and policy enforcement via a gateway or a proxy are available options. 

Despite the progress brought about by Industry 4.0 and the Industrial Internet of Things (IIoT), a large portion of the installed nodes in automation applications are still not using Ethernet. Limitations including cost, size and power have historically been a hindrance to EtherNet/IP pushing out to the edge of the network. The recent integration of single pair Ethernet has opened the door to overcoming lower-level device constraints and ultimately to expanding the footprint of EtherNet/IP. Adding simpler devices to EtherNet/IP allows for the benefits of additional remote diagnostics, asset information and parameterization capability. The addition of more nodes to the network within the context of IT/OT convergence makes device-level security a fundamental need to ensure that indispensable assets and people are protected from physical harm and monetary loss. 

The new CIP Security specification has added a Resource-Constrained CIP Security Profile in addition to the EtherNet/IP Confidentiality and the CIPTM User Authentication Profiles. The Resource-Constrained CIP Security Profile is similar to the EtherNet/IP Confidentiality Profile, but is streamlined for resource-constrained devices. The same basic security aspects of endpoint authentication, data confidentiality, and data authenticity remain. Access policy information is also included to allow a more capable device, such as a gateway, to be used as a proxy for user authentication and authorization of the resource constrained device. Implementation of CIP Security for resource constrained devices requires only DTLS (Datagram Transport Layer Security) support instead of DTLS and TLS (Transport Layer Security), as it is used only with low-overhead UDP communication. 

“The continuous updating of CIP Security, including the recent addition of new security features for resource constrained devices, provides EtherNet/IP devices an enhanced defensive posture to help protect against malicious industrial network intrusion,” said Jack Visoky, EtherNet/IP System Architecture Special Interest Group (SIG) vice-chair.

Dr. Al Beydoun, president and executive director, ODVA added, “The availability of CIP Security across more portions of the EtherNet/IP network helps end users to better safeguard vital automation applications. The addition of CIP Security for resource constrained EtherNet/IP devices is an essential step in securing the edge."

The protections offered by CIP Security are now available for EtherNet/IP networks via a resource-constrained version of CIP Security that includes fewer mandatory features. This ensures that devices with the smallest power, size and cost budgets can be secure and enjoy the communication and control advantages of being connected to an EtherNet/IP network. The latest CIP Security updates demonstrate the deep commitment of ODVA to maintain its position of device security leadership within the automation community.

Visit to obtain the latest version of The EtherNet/IP Specification including CIP Security.