CIP Security extension updated to support user-level authorization

Automation standards association ODVA has announced user-level authentication is now available for CIP Security, the cybersecurity network extension for EtherNet/IPTM.

Previous publications of the specifications for CIP Security included key security properties including a broad trust domain across a group of devices, data confidentiality, device authentication, device identity and device integrity.

CIP Security now adds a narrow trust domain by user and role, an improved device identity including the user, and user authentication.

Device-level security is a building block requirement of IIoT to protect critical assets and people. To meet this requirement, the CIP Security User Authentication Profile will provide user-level authentication with a fixed user access policy based on well-defined roles and basic authorization via both local and central user authentication.

CIP Security’s ability to authenticate via the device or through a central server allows for simplicity in smaller, simple systems and efficiency in large, complicated installations.

CIP Security already included open security technologies including:

• TLS (Transport Layer Security) and DTLS (Datagram Transport Layer Security)
• Cryptographic protocols used to provide secure transport of EtherNet/IP traffic
• Hashes or HMAC (keyed-Hash Message Authentication Code) as a cryptographic method of providing data integrity and message authentication to EtherNet/IP traffic
• Encryption as a means of encoding messages or information in such a way as to prevent reading or viewing of EtherNet/IP data by unauthorized parties.

The new CIPTM User Authentication Profile provides user-level authentication for CIP communication at the application layer. In the future, CIP Security may make use of a CIP authorization profile that will enhance CIP to provide additional security properties such as general, flexible authorization where access policy can be based on any attribute of the user and/or system and potentially extending CIP Security to support other non-EtherNet/IP networks.

The new User Authentication Profile makes use of several open, common, ubiquitous technologies, including OAuth 2.0 and OpenID Connect for cryptographically protected token-based user authentication, JSON Web Tokens (JWT) as proof of authentication, usernames and passwords, and already existing X.509 certificates to provide cryptographically secure identities to users and devices.

It uses a cryptographically secure user authentication session ID, generated by the target on presentation of a valid JWT by the user, to map between an authentication event and the messages sent by a user for CIP communications.

The user authentication session ID is transmitted over EtherNet/IP using (D)TLS and a confidentiality-enabled cipher suite per CIP Security’s EtherNet/IP confidentiality profile.