Device-Based Firewall Profile Added to CIP Security to Further Protect EtherNet/IP Networks

December 4, 2023

The CIP Security device-based firewall is a mechanism to filter traffic based on IP address, port, and protocol.

ODVA has announced that CIP Security^TM, the cybersecurity network extension for EtherNet/IP^TM, has added a new device-based firewall for enhanced intrusion deterrence. The CIP Security device-based firewall provides users with a simple traffic filter similar to how the IP Tables program enables a firewall to be setup in Linux. The device-based firewall is enabled via a new CIP Security Device-Based Firewall Profile, which allows for flexibility to enable or disable this feature as desired. CIP Security now offers even more robust device level protections with a device-based firewall to help discourage bad actors from infiltrating EtherNet/IP industrial networks.

The CIP Security device-based firewall is a mechanism to filter traffic based on IP address, port, and protocol. The device-based firewall is implemented via a new CIP object called the Ingress Egress Object, which enables an allow list of known IP addresses, configuration of available cipher suites, and routing rule definitions based on IP addresses and port numbers. 

This means that EtherNet/IP devices with CIP Security can determine what nodes can be safely communicated with and whether TLS or DTLS encryption is required. Additionally, the user can decide whether other devices can route CIP communications through the configured CIP Security device. The new device-based firewall adds another layer of deterrence as a part of a defense in depth approach to help protect physical and digital assets from harm.

“CIP Security continues to add additional security capabilities such as the new device-based firewall to help protect EtherNet/IP devices from misuse that could lead to critical system damage or information loss,” stated Jack Visoky, EtherNet/IP System Architecture Special Interest Group (SIG) vice-chair. 

Dr. Al Beydoun, President and Executive Director of ODVA concurred saying “The prevention of unauthorized IP address and port numbers from accessing CIP Security enabled EtherNet/IP devices allows for another layer of protection for critical industrial automation applications as a part of a defense in depth approach. The addition of the device-based firewall profile for CIP Security is another important update to continue the fight against malicious cyber intrusions that can lead to financial and reputational loss.”

The new CIP Security Device-Based Firewall Profile allows for only known IP addresses to communicate using standard EtherNet/IP. Additionally, permitted CIP routing can be configured based on a set of trusted IP addresses, ports, and encryption. As a result of implementing the device-based firewall, data packets without matching IP address and/or ports will be dropped and therefore won’t be able to complete intended malicious tasks. ODVA is focused on ensuring that EtherNet/IP users have robust and continuously updated device security options available to them via CIP Security as a part of a defense in depth approach. Visit odva.org to obtain the latest version of The EtherNet/IP Specification including CIP Security.

About ODVA

ODVA is an international standards development and trade organization with members from the world’s leading automation suppliers. ODVA’s mission is to advance open, interoperable information and communication technologies for industrial automation. Its standards include the Common Industrial Protocol or “CIP™,” ODVA’s media independent network protocol – and industrial communication technologies including EtherNet/IP, DeviceNet^® and others.  For interoperability of production systems and their integration with other systems, ODVA embraces the adoption of commercial-off-the-shelf, standard Internet and Ethernet technologies as a guiding principle. This principle is exemplified by EtherNet/IP – today’s leading industrial Ethernet network. Visit ODVA online at www.odva.org.

Source

More Information

ODVA

Related Story

ODVA’S 2023 Industry Conference Spotlights Latest in Single Pair Ethernet, 5G, Security, Process Automation, TSN, and Data Science

ODVA held its Industry Conference and 22^nd Annual Meeting of Members in Europe for the first time in El Vendrell, Spain from October 17 – 19, 2023. Over 125 industry professionals from approximately 50 different companies hailing from all around the world were in attendance. Attendees were able to learn from a diverse set of presentations, including developments for Single Pair Ethernet (SPE), 5G, cybersecurity, process automation, TSN, and data science.