With the advent of the intelligent information age, industrial control systems face security threats from all sides. Threats arise within the industrial control systems themselves, as well as from corporate information networks and the Internet. They include deliberate destruction and attacks, theft of programs and key data, unavoidable natural disasters, and accidental operations caused by unprofessional safety precautions on the part of staff.
Security threats also take the form of unauthorized access and unauthorized operations, and some devices are accessed illegally through unauthorized access mechanisms. These security risks threaten the normal operation of industrial control systems and increase the likelihood of security accidents, intellectual property violations and other problems.
In the face of various threats in industrial control systems, we need to use more intelligent and efficient methods to deal with them. Rockwell Automation delves deeper into the field of industrial control security to explore better practices to address security threats. In security practice, in order to protect industrial control systems from internal and external threats, it is necessary to implement a defense-in-depth security strategy. The scope includes physical security, network security, computer hardening, application security, and device hardening.
The basic idea of this strategy is that if an attacker strips away one layer of defense, there will always be another layer to block their efforts, so an industrial control system built on this practice should be more secure and better able to avoid or mitigate threats. Beyond these technical measures, the most important step in protecting industrial control systems is for the management of industrial enterprises to have security awareness, formulate corporate security policies and procedures, and organize training for employees in security awareness and industrial control system security.
A “protective net” against security threats
Secure communication protocols have been widely used in the IT field. With the continuing integration of industrial automation control systems and enterprise information technology networks, secure communication protocols must also be used at industrial automation sites to resist existing security threats. That is why Rockwell Automation and ODVA introduced the CIP Security™ industrial network security communication protocol in 2015.
CIP Security™ is a CIP extension protocol built on the well-known, standard transport layer security protocols: it encapsulates CIP communications in TLS (Transport Layer Security) and DTLS (Datagram Transport Layer Security). In this way CIP Security™ also helps secure EtherNet/IP transport. Standard CIP protocols use TCP and UDP for packet encapsulation, whereas secure CIP communications use TLS and DTLS for packet encapsulation. The familiar and commonly used HTTPS, for example, also uses TLS for packet encapsulation.
CIP Security™ is also broadly applicable: it can be used not only with conventional CIP protocols but also with CIP Safety, CIP Motion and others. In other words, CIP Safety and CIP Motion packets can also be wrapped in TLS and DTLS. Moreover, the protocol is based on mature, widely used open security standards from the IT field. Device identity uses X.509 v3 digital certificates, which give the device a cryptographically secure identity, and the device is authenticated over TLS. TLS and DTLS are then also used for integrity checks and encrypted transmission of device data. The keyed-hash message authentication code (HMAC) is used for data integrity.
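As an added example (not code from Rockwell Automation or ODVA), the following Python shows how a defender could audit captured traffic for the distinction described above, separating cleartext EtherNet/IP encapsulation from TLS and DTLS records. The function names, sample addresses and payload bytes are constructed for illustration; ports 44818 and 2221 are the IANA-registered EtherNet/IP ports, which the article itself does not mention.

```python
import struct

# Cleartext EtherNet/IP encapsulation commands (16-bit little-endian at offset 0).
ENIP_COMMANDS = {0x0004, 0x0063, 0x0065, 0x0066, 0x006F, 0x0070}
RECORD_TYPES = {20, 21, 22, 23}  # TLS/DTLS: change_cipher_spec, alert, handshake, app data
SECURE_PORT = 2221               # IANA: EtherNet/IP over TLS (tcp) and DTLS (udp)


def classify_payload(payload: bytes, transport: str) -> str:
    """Classify the first bytes of a flow: 'tls', 'dtls', 'cleartext-enip' or 'unknown'."""
    if len(payload) >= 5 and payload[0] in RECORD_TYPES:
        major, minor = payload[1], payload[2]
        if transport == "tcp" and major == 0x03 and minor <= 0x04:
            (length,) = struct.unpack(">H", payload[3:5])  # TLS record length field
            if length <= 16384 + 2048:
                return "tls"
        # DTLS 1.0 is version 0xFEFF, DTLS 1.2 is 0xFEFD; the record header is 13 bytes.
        if transport == "udp" and major == 0xFE and minor in (0xFF, 0xFD) and len(payload) >= 13:
            return "dtls"
    if len(payload) >= 24:
        # 24-byte header: command, length, session handle, status, context(8), options.
        command, length, _session, _status = struct.unpack("<HHII", payload[:12])
        if command in ENIP_COMMANDS and 24 + length <= len(payload):
            return "cleartext-enip"
    return "unknown"


def audit_flows(flows):
    """Return findings for flows that carry CIP without TLS/DTLS protection."""
    findings = []
    for src, dst, transport, port, payload in flows:
        kind = classify_payload(payload, transport)
        where = f"{transport}/{port}"
        if kind == "cleartext-enip":
            findings.append((src, dst, where, "CIP sent without TLS/DTLS"))
        elif port == SECURE_PORT and kind not in ("tls", "dtls"):
            findings.append((src, dst, where, "secure port without TLS/DTLS record"))
    return findings


# Constructed sample payloads (first packet of each flow), not real captures.
REGISTER_SESSION = struct.pack("<HHII8sI", 0x0065, 4, 0, 0, bytes(8), 0) + struct.pack("<HH", 1, 0)
TLS_HELLO = b"\x16\x03\x01\x00\x2f" + bytes(47)
DTLS_HELLO = b"\x16\xfe\xfd" + bytes(8) + b"\x00\x10" + bytes(16)
SAMPLE_FLOWS = [
    ("192.0.2.10", "192.0.2.20", "tcp", 44818, REGISTER_SESSION),
    ("192.0.2.11", "192.0.2.20", "tcp", SECURE_PORT, TLS_HELLO),
    ("192.0.2.12", "192.0.2.20", "udp", SECURE_PORT, DTLS_HELLO),
]
```

Running `audit_flows(SAMPLE_FLOWS)` flags only the first flow, the one still using the unprotected encapsulation.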
Using CIP Security™ helps secure EtherNet/IP transport so that devices connected to EtherNet/IP can protect themselves. CIP Security™ protects against three security threats:
The first is to reject messages sent by non-trusted personnel or non-trusted devices, that is, to verify the authenticity of the device's identity.
The second is to reject data tampered with by a man in the middle, that is, to ensure the integrity of the data.
The third is to prevent the data from being illegally viewed during communication, that is, to ensure the confidentiality of the data.
CIP Security™ provides security hardening of devices as part of defense in depth, contributing to a multi-layer security solution that is more resistant to attacks.