Cyber-attacks are becoming common, with some highly publicized examples (think Stuxnet) showing up in recent times. Yet often we turn a blind eye in the hope that risks to our plants are either non-existent or will go away! “That thinking must change,” says Hilscher North America CEO Phil Marshall. Fortunately, enabling technologies are available to help. EtherNet/IP is among the first industrial communications protocols to have critical security features added, in the form of CIP Security. Says Marshall: “With IEC 62443 now a critical factor in product design, I believe that in as little as 12 months CIP Security will become a byword throughout our industry. I urge everyone to react quickly. Our netX 90 communications controller chip was designed with security in mind and can support CIP Security right down to the device level.”
“Because security is directly related to data communications, our Industrial networks are critically involved,” says Marshall. “This is something that networking experts must take seriously. We realized this some years ago and have been able to create two controller chips well ahead of the market. netX 90 chips incorporate advanced security technologies and are fully capable of supporting IEC 62443-compliant architectures.”
“Cybersecurity is ultimately a shared responsibility in industry from all stakeholders in the industrial ecosystem.” – Dr. Al Beydoun, ODVA
ODVA, the organization tasked with developing, maintaining and evolving CIP technologies, said that CIP Security goes beyond traditional defense-in-depth approaches by providing inherent cybersecurity mechanisms to defend the automation networks themselves – for example, the ability for devices to know that the sender or receiver of a message is a trusted entity, or to have cryptographic proof that a message has not been maliciously tampered with while in transit. To help industry close this gap, ODVA and its members have developed CIP Security in order to integrate cybersecurity mechanisms into EtherNet/IP.
“Cybersecurity is ultimately a shared responsibility in industry from all stakeholders in the industrial ecosystem – vendors, OEMs, system integrators, end users – all of whom must take steps to provide an overall secure system,” says Dr. Al Beydoun, ODVA President. “Vendors who integrate CIP Security into their products provide their customers the ability to mitigate threats and reduce the risk of costly downtime.”
“Only IEC 62443 compliance will allow vendors to stay in the Industrial Ethernet architectures of the future.” – Oliver Haya, Rockwell Automation
Oliver Haya, Business Development Manager, Rockwell Automation, agrees that the IEC 62443 standard impacts everyone – end users, system integrators, and device manufacturers alike. “Defense-in-depth is layered like an onion,” he says, “and it starts with policies and procedures, physical protections, and network implementations, then continues further down to the computers, applications, and devices in the architecture.”
Haya believes that end users are now recognizing that strong security policies, access control, and network firewalls/IDMZs aren't enough. “As end users increase their security maturity, they are requiring more adherence to IEC 62443 at deeper levels. Put simply, automation device vendors must produce components that meet the requirements of IEC 62443-4-2, and system integrators must combine those components using IEC 62443-3-3 principles.”
The result is that automation vendors must address the requirements today and start developing products to meet the demand. However, device vendors will need to decide what security levels (SLs) make the most market sense for each functional requirement. “For example, Security Level 1 Capability for System Integrity at the Component requires that the integrity of communications can be verified, while Level 2 requires authenticity of communications as well.”
These goals are not easily reached. There are three requirements from IEC 62443 that are particularly hard for a device vendor in isolation: the unique identification of devices; verifying the integrity and authenticity of communications; and support for confidentiality of data in transit. Haya says that these require close coordination among multiple devices. “To achieve that, you need agreed standards for interfacing devices, potentially from many independent vendors. Additionally, you need provisions to establish asset owner ‘roots of trust.’”
CIP Security is an open standard from ODVA which helps meet these requirements, Haya states, adding: “As end-user specifications evolve to include more security specific content, device vendors must evolve their design practices in line. Frankly, only by using product development processes that are compliant with IEC 62443, and creating products that can communicate securely will it be possible for vendors to stay in the industrial Ethernet architectures of the future.”
“netX 90 chips provide a toolkit for device communications and security.” – Marshall
netX 90 is a communications controller equipped to support IEC 62443-compliant products and systems. Says Phil Marshall: “netX 90 is essentially a tool-kit for the future of industrial communications. As well as having the flexible communications capability that is typical of all Hilscher products, it is an advanced and versatile interface for almost any field device.” The chip has two parts, each with its own ARM-based CPU, separating the communications functions from the application functions (see diagram). This means that attacks arriving over the network are shielded from the application. netX 90 also includes the technology to ensure that devices boot up securely and that a “root of trust” is established, so that the application software cannot be silently replaced or modified. Data transmissions can be fully authenticated and their integrity verified, and encryption is supported so that confidentiality can be protected.
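The distinction the article draws between Security Level 1 (communications integrity can be verified) and Security Level 2 (communications are also authentic) is the core of the "integrity and authenticity" requirement listed above and of the authenticated transmissions the netX 90 paragraph describes. The following is an added illustration, not code from Hilscher, ODVA or Rockwell and not the mechanism CIP Security itself specifies: it contrasts an unkeyed digest, which detects accidental corruption but can be recomputed by anyone who alters the message, with a keyed MAC, which only a holder of the shared device key can produce. The message bytes, the key generation and the function names are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample payload standing in for a device I/O message (not real CIP framing).
MESSAGE = b"setpoint=42.0;valve=open"


def new_device_key() -> bytes:
    """Hypothetical per-device shared secret; real deployments provision this via the asset owner's root of trust."""
    return secrets.token_bytes(32)


# --- Level 1 style check: integrity only -------------------------------------
def integrity_tag(msg: bytes) -> bytes:
    """Unkeyed SHA-256 digest: catches bit-flips and truncation in transit."""
    return hashlib.sha256(msg).digest()


def integrity_ok(msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(integrity_tag(msg), tag)


# --- Level 2 style check: integrity plus authenticity ------------------------
def authenticity_tag(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 over the message: valid only if produced with the shared key."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def authenticity_ok(key: bytes, msg: bytes, tag: bytes) -> bool:
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(authenticity_tag(key, msg), tag)


def tamper_demo(key: bytes) -> dict:
    """Simulate an in-transit modification and report which check notices it."""
    original_digest = integrity_tag(MESSAGE)
    original_mac = authenticity_tag(key, MESSAGE)

    altered = MESSAGE.replace(b"valve=open", b"valve=shut")

    # A party without the key can recompute an unkeyed digest over the altered
    # message, so a receiver that only checks integrity accepts it.
    recomputed_digest = integrity_tag(altered)
    # The same party cannot produce a valid MAC without the key.
    mac_without_key = hmac.new(b"not-the-device-key", altered, hashlib.sha256).digest()

    return {
        # The stored digest no longer matches: plain corruption is detected.
        "corruption_detected_by_digest": not integrity_ok(altered, original_digest),
        # ...but a recomputed digest over the altered message passes.
        "recomputed_digest_accepted": integrity_ok(altered, recomputed_digest),
        # The original MAC fails for the altered message.
        "altered_message_passes_mac": authenticity_ok(key, altered, original_mac),
        # A MAC made with the wrong key also fails.
        "wrong_key_mac_accepted": authenticity_ok(key, altered, mac_without_key),
    }


if __name__ == "__main__":
    for check, result in tamper_demo(new_device_key()).items():
        print(f"{check}: {result}")
```

The point for a device vendor choosing a target security level: an integrity-only scheme satisfies the "can be verified" wording but gives no assurance about who sent the message, which is exactly the gap the Level 2 authenticity requirement closes. In practice the shared key is replaced by certificates and a negotiated session, which is where the asset owner's root of trust mentioned above comes in.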
To find out how Hilscher can support your next-generation CIP Security developments with the netX 90 chip please contact PHIL MARSHALL.
More about the netX 90 chip HERE
For easy deployment check out the netRAPID 90 MODULE
There’s a CIP Security page on the ODVA WEB SITE