CIP Security for EtherNet/IP Illustrates Increased IT/OT Integration

Posted by Admin, September 11, 2019


By Bill Lydon, Contributing Editor, Automation.com 


Effective cybersecurity continues to get more complex for today’s manufacturing and process facilities, and many organizations are stepping up with solutions intended to help these facilities close the gaps. I attended one particular briefing at the 2019 Hannover Fair in April, where ODVA released its first round of 2019 specification enhancements to its technologies, which included specific enhancements to the EtherNet/IP™ CIP Security™ technology. The enhancements leverage information-industry standards, namely the IETF-standard TLS (Transport Layer Security, RFC 5246) and DTLS (Datagram Transport Layer Security, RFC 6347) protocols, to provide a secure transport for EtherNet/IP traffic. TLS is used for the TCP-based communications: the encapsulation layer, UCMM (Unconnected Message Manager) and transport class 3. DTLS is used for the UDP (User Datagram Protocol)-based transport class 0/1 communications. This approach is analogous to the way that HTTP uses TLS for HTTPS.




Facilitating An Effective Cybersecurity Strategy for Manufacturers


Leveraging the standards of the information industry is consistent with ODVA’s focus on using standard Ethernet to achieve the goal of IT and OT information and computing integration, which in turn facilitates an overall cybersecurity strategy for the manufacturing organization. In a discussion with Dawn Cappelli, CISSP, the VP, Global Security and Chief Information Security Officer at Rockwell Automation, she noted that the first step a manufacturer should take in building a cybersecurity plan is to determine a leader of the cybersecurity effort. Specifically, Cappelli mentioned that while many manufacturing companies already have a chief information security officer (CISO) responsible for information technology (IT) security, operational technology (OT) security has traditionally been the responsibility of the OT engineers. “People are realizing now, due to the convergence of IT and OT, that it’s important to have one security leader responsible for all cybersecurity for the company,” emphasized Cappelli. She went on to share that this should be someone who can work with both IT and OT to build and execute a holistic cybersecurity strategy that encompasses not only the entire ecosystem of IT and OT, but also all external connections, including third parties and the supply chain.




A secure EtherNet/IP transport provides the following security attributes:


  • Authentication of the endpoints — ensuring that the target and originator are both trusted entities. Endpoint authentication is accomplished using X.509 certificates or pre-shared keys.

  • Message integrity and authentication — ensuring that the message was sent by the trusted endpoint and was not modified in transit. Message integrity and authentication are accomplished via the TLS message authentication code (HMAC).

  • Message encryption — optional capability to encrypt the communications, provided by the encryption algorithm that is negotiated via the TLS handshake.


Inside ODVA’s EtherNet/IP Enhancements


The goal of ODVA’s cybersecurity enhancements to EtherNet/IP is to extend a defense-in-depth architecture to network communications with and between industrial control systems (ICS) and edge devices. ODVA is working to realize this goal by enhancing the defensive capability of ICS and devices that use EtherNet/IP, providing cybersecurity mechanisms that are native to EtherNet/IP and the Common Industrial Protocol (CIP™). The initial CIP Security specification, published in 2015, gave vendors the ability to improve the security of EtherNet/IP-connected devices by adding support for device authentication, data integrity, and data confidentiality.


Since then, ODVA has made several key updates to CIP Security. Most notably, ODVA continues working to meet end users’ desire for easier initial commissioning of devices, and because of this, CIP Security was enhanced to allow devices to perform certificate enrollment directly. In contrast to the practice of pushing certificates out from a configuration tool, this “pulling” functionality allows devices to actively request certificates. The pulling of a certificate is accomplished using standard and proven IT technologies, furthering the ability to integrate IT and OT systems. The April 2019 edition of the CIP Security Specification continues the progression of the technology, working to increase efficiency with timeout responses, increase protection by allowing a CIP Security connection to be made mandatory for changes, and expand behaviors for certificate verification.


Already, work is ongoing for the next phase of development of CIP Security, which will add support for user authentication, non-repudiation, and device authorization, with the goal of strengthening secure end-to-end communications between CIP endpoints. The ultimate roadmap of CIP Security development is to enable EtherNet/IP devices, and potentially other types of devices using CIP, to become autonomous, take responsibility for their own security, and effectively secure themselves from attack.


ODVA publishes its specifications within a group of publications, entitled The CIP Networks Library. Each specification is made up of one or more volumes of The CIP Networks Library.




The Evolution of Effective Cybersecurity


At the Hannover Fair briefing, ODVA explained how control system security has typically been addressed by adopting a defense-in-depth security architecture, a strategy which has been recommended for many years. This architecture is based on the idea that multiple layers of security would be more resilient to attack. With this strategy, the expectation is that any one layer could be compromised at some point in time, yet the automation devices at the innermost layer would remain secure.  


However, as attackers become more sophisticated, it becomes more important for the CIP-connected device — the final layer of defense — to defend itself. Consider the situation where a piece of malware is, unknown to control system personnel, delivered to a compromised PC via USB drive. The malware could contain code to issue malicious CIP services to devices. However, if the device were able to reject such services from untrusted sources, the threat would be mitigated.


The goal of CIP Security is to enable the CIP-connected device to protect itself from malicious CIP communications. A fully self-defending CIP device would be able to:


  • Reject data that has been altered (integrity)

  • Reject messages sent by untrusted people or untrusted devices (authenticity)

  • Reject messages that request actions that are not allowed (authorization)
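
As an added illustration of those three checks (not code from the article, ODVA or the CIP Security specification), the Python below models the decision a self-defending endpoint makes on each incoming request. It deliberately simplifies the real mechanism: where CIP Security gets endpoint authentication and message integrity from the TLS/DTLS layer described earlier, this model uses constructed per-originator pre-shared keys and an HMAC over each frame, plus a constructed per-originator service allowlist; the frame layout and peer names are assumptions, and only the CIP common service codes are standard values.

```python
import hmac
import hashlib
import struct

# Constructed sample data (not from the specification): per-originator pre-shared
# keys, standing in for the endpoint authentication CIP Security performs at the
# TLS/DTLS handshake with X.509 certificates or PSKs.
TRUSTED_ORIGINATORS = {
    "hmi-01": b"constructed-psk-for-hmi-01",
    "eng-ws": b"constructed-psk-for-eng-ws",
}

# Standard CIP common service codes, used here to label the requests.
GET_ATTRIBUTE_SINGLE = 0x0E
SET_ATTRIBUTE_SINGLE = 0x10
RESET = 0x05

# Constructed authorization policy: the HMI may only read; the engineering
# workstation may read, write and reset.
ALLOWED_SERVICES = {
    "hmi-01": {GET_ATTRIBUTE_SINGLE},
    "eng-ws": {GET_ATTRIBUTE_SINGLE, SET_ATTRIBUTE_SINGLE, RESET},
}

TAG_LEN = 32  # HMAC-SHA256 output size
# Assumed frame header: originator id (8 bytes, NUL padded), service code, payload length.
HEADER = struct.Struct("<8sBH")


def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


def build_frame(originator: str, service: int, payload: bytes) -> bytes:
    """Build a frame as a trusted originator would: header | payload | HMAC(header+payload)."""
    key = TRUSTED_ORIGINATORS[originator]
    body = HEADER.pack(originator.encode().ljust(8, b"\x00"), service, len(payload)) + payload
    return body + _tag(key, body)


def evaluate_frame(frame: bytes):
    """Return ("accept", service) or ("reject", reason) for one incoming frame.

    The rejection reasons are the three properties of a self-defending CIP
    device listed in the article: authenticity, integrity and authorization.
    """
    if len(frame) < HEADER.size + TAG_LEN:
        return ("reject", "integrity")  # truncated: nothing to verify
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    raw_id, service, length = HEADER.unpack_from(body)
    if len(body) != HEADER.size + length:
        return ("reject", "integrity")  # declared length disagrees with the frame
    originator = raw_id.rstrip(b"\x00").decode(errors="replace")
    key = TRUSTED_ORIGINATORS.get(originator)
    if key is None:
        # Unknown peer: no trust relationship exists, so nothing it sends is honored.
        return ("reject", "authenticity")
    # Constant-time comparison; a wrong tag means the frame was altered in transit
    # or was not produced by the holder of this originator's key.
    if not hmac.compare_digest(tag, _tag(key, body)):
        return ("reject", "integrity")
    if service not in ALLOWED_SERVICES[originator]:
        return ("reject", "authorization")
    return ("accept", service)
```

The ordering matters: a frame is only authorized after it has been attributed to a trusted peer and shown to be unmodified, so a tampered or forged request never reaches the service-level policy.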


Recognizing that not every CIP device needs to provide the same level of support for all defined security features, CIP Security defines the notion of a Security Profile. A Security Profile is a well-defined set of capabilities that facilitates device interoperability and lets end users select devices with the appropriate security capability.


Cybersecurity for manufacturing and process facilities is increasingly necessary, yet also increasingly complex, and it is good to see ODVA recognizing the need to provide solutions consistent with the overall enterprise computing architecture.



© 2019, Best Brothers Group. All rights reserved.