User-level authentication added to CIP Security

Dec. 11, 2020

ODVA announced Nov. 24 that user-level authentication has been added to CIP Security, the cybersecurity network extension for EtherNet/IP. Previous publications of the specifications for CIP Security included key security properties such as broad trust domain across a group of devices, data confidentiality, device authentication, device identity and device integrity. CIP Security now adds a narrow trust domain by user and role, an improved device identity including the user, and user authentication.

The new User Authentication Profile builds on several open, widely deployed technologies: OAuth 2.0 and OpenID Connect for cryptographically protected, token-based user authentication; JSON Web Tokens (JWT) as proof of authentication; usernames and passwords; and the X.509 certificates CIP Security already uses to give users and devices cryptographically secure identities. It uses a cryptographically secure user authentication session ID, generated by the target when the user presents a valid JWT, to map an authentication event to the CIP messages that user subsequently sends. The user authentication session ID is transmitted over EtherNet/IP using (D)TLS and a confidentiality-enabled cipher suite per CIP Security’s EtherNet/IP confidentiality profile.
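The token-to-session flow described above, as an added Python sketch that is not ODVA's code or any CIP Security implementation: an identity provider issues an HS256-signed JWT, the target verifies it and mints a random session ID that later messages would carry, and role checks are made against that session rather than against the token. The shared key, audience string, claim names and session table are assumptions for the example.

```python
import base64, hmac, hashlib, json, secrets

# Constructed demo key and audience; a real target holds the identity provider's verification key.
ISSUER_KEY = b"demo-shared-secret-not-for-production"
TARGET_AUDIENCE = "cip-target-01"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT; stands in for the identity provider in this example."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_jwt(token: str, key: bytes, audience: str, now: float):
    """Return the claims if algorithm, signature, audience, subject and expiry check out."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # rejects alg=none and algorithm-confusion tokens
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
        if "sub" not in claims or claims.get("aud") != audience or claims.get("exp", 0) <= now:
            return None
        return claims
    except (ValueError, AttributeError, TypeError):  # malformed segments, base64, JSON or claims
        return None

class Target:
    """Session table: unguessable session ID -> (user, roles, expiry inherited from the JWT)."""
    def __init__(self, key: bytes, audience: str):
        self.key, self.audience, self.sessions = key, audience, {}
    def open_session(self, token: str, now: float):
        claims = verify_jwt(token, self.key, self.audience, now)
        if claims is None:
            return None
        sid = secrets.token_hex(16)  # 128 random bits; this is what later CIP messages carry
        self.sessions[sid] = (claims["sub"], claims.get("roles", []), claims["exp"])
        return sid
    def authorize(self, sid: str, role: str, now: float) -> bool:
        entry = self.sessions.get(sid)
        if entry is None or entry[2] <= now:
            self.sessions.pop(sid, None)  # expired sessions are dropped, never reused
            return False
        return role in entry[1]
```

Binding the session to the token's expiry means a user cannot keep a session alive past the authentication it came from, and the session ID itself never reveals the token.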

“User authentication is another critical step in the development of CIP Security, a key network extension that is a part of the complete EtherNet/IP industrial communication ecosystem,” said Rockwell Automation’s Jack Visoky, vice-chair of the EtherNet/IP System Architecture Special Interest Group (SIG). “CIP Security, as a part of a defense-in-depth approach, is designed as an effective deterrence to malicious cyber attackers who are looking for targets to disrupt plant operations.”