Hilscher's implementation of the CIP Security extensions for EtherNet/IP is nearing the pre-release stage. It'll be the first of the industrial networking security extensions to approach full market availability via Hilscher. Once fully certified, Hilscher devices using EtherNet/IP will be able to deploy CIP Security in Hilscher's netX 90 SoC. The CIP Security profile leverages the low-level hardware-based security features of netX 90, such as secure boot (to assure that only authentic, unmanipulated firmware is executed on the device) and secure communications (to prevent unauthorized persons/parties from reading or manipulating the contents of data transmissions).
In the network context, CIP Security supports the concepts of (from ODVA web site):
- Authentication of the endpoints — ensuring that the target and originator are both trusted entities. End point authentication is accomplished using X.509 certificates or pre-shared keys.
- Message integrity — ensuring that the message was sent by the trusted endpoint and was not modified in transit. Message integrity and authentication is accomplished via TLS message authentication code (HMAC).
- Message encryption — optional capability to encrypt the communications, provided by the encryption algorithm that is negotiated via the TLS handshake.
Security processes like encryption are very processor intensive. Another advantage of the netX 90 is its hardware acceleration, which ensures that there's no degradation in a product’s performance when implementing these features.
The CIP Security extensions will be deployed in loadable firmware, exactly like Hilscher's other standard protocol firmware. CIP Security will quickly be followed by a release for PROFINET Security.