New CIP Security Pull Model for Configuration Data Available
April 10, 2025
ODVA is pleased to announce that a new pull model for configuration data is now available for CIP Security, the cybersecurity network extension for EtherNet/IP. This new profile is in addition to the existing pull model for CIP Security certificates which allows for efficient distribution of device authenticity information. The CIP Security pull model for configuration information will allow for parameters in JSON format to be automatically available for EtherNet/IP network-capable devices.
This new configuration data will make it possible for non-CIP devices, such as mobile phones and tablets, to access secure EtherNet/IP information and for hierarchical metadata to be more readily available. CIP Security now includes a pull model for configuration data and device certificates along with security properties, including a broad trust domain across a group of devices, a narrow trust domain by user and role, data confidentiality, device and user authentication, device and user identity, and device integrity.
The CIP Security pull model for configuration defines a file encoded format for delivering CIP Security configuration as well as a mechanism for a device to pull or query this configuration. The pull model for configuration is valuable when the traditional CIP object/server/attribute mechanism of delivering the CIP Security configuration is not appropriate. Use cases for the new CIP Security pull model for configuration include software that does not have CIP target functionality, such as with a mobile device application and with devices that are on a private network with Network Address Translation (NAT) that has configuration software on the public network.
Additionally, the pull model for configuration can help improve device replacement by being able to automatically provide the needed communication configuration on top of automatically pulling the certificate. The CIP Security pull model for configuration can be delivered via a JSON file, which provides the advantage over the CIP object/service method of decoupling the configuration from the transport. The CIP configuration information structure is still retained when using a JSON format. The JSON file also includes a digital signature that allows for authenticity of the data, independent of the transport over which it is delivered.
“The addition of a CIP Security pull model for configuration makes it easier to replace devices to minimize downtime and allows for configuration data to be automatically provided to mobile devices and devices on a private network,” said Dr. Al Beydoun, President and Executive Director of ODVA. “CIP Security development is a continuous effort to help deter bad actors from accessing EtherNet/IP networks that enable efficient production in critical industries across the world.”
The importance of cybersecurity continues to grow as more devices than ever before are being connected by users to the network via wireless and Single Pair Ethernet (SPE) technologies. Additionally, the connection of the device level network to ERP and cloud systems to take advantage of the latest Artificial Intelligence (AI) analytics to optimize operations means that a defense in depth approach that includes device level security is imperative.
CIP Security already takes advantage of robust, proven, and open security technologies, including TLS and DTLS for secure transport, hashes or HMAC as a cryptographic method of providing data integrity and message authentication, X.509v3 digital certificates, OAuth 2.0, and, OpenID Connect for authentication, and encryption to prevent reading or viewing of EtherNet/IP data by unauthorized parties. CIP Security now includes a pull model for configuration data to enable mobile device and private network connectivity along with improved device replacement.
CIP Security is a robust device level security protection for EtherNet/IP that can help vendors and end users to prepare for regulations such as the European Union Cyber Resilience Act (CRA) and to achieve compliance with security standards such as IEC 62443. Visit odva.org to obtain the latest version of The EtherNet/IP Specification including CIP Security.
About ODVA
ODVA is an international standards development and trade organization with members from the world’s leading automation suppliers. ODVA’s mission is to advance open, interoperable information and communication technologies for industrial automation. Its standards include the Common Industrial Protocol or “CIP™,” ODVA’s media independent network protocol – and industrial communication technologies including EtherNet/IP, DeviceNet® and others.
For interoperability of production systems and their integration with other systems, ODVA embraces the adoption of commercial-off-the-shelf, standard Internet and Ethernet technologies as a guiding principle. This principle is exemplified by EtherNet/IP – today’s leading industrial Ethernet network.
More Information
Visit ODVA online at www.odva.org.
For more information, contact:
Steven Fales
ODVA
4220 Varsity Drive, Suite A, Ann Arbor, MI 48108-5006 USA
TEL +1 734 975 8840
Fax +1 734 922 0027
Email sfales@odva.org CIP, CIP Security, and EtherNet/IP are trademarks of ODVA, Inc. DeviceNet is a registered trademark of ODVA, Inc. Other trademarks are the property of their respective owners.
Related Story
Level Sensors Are the Latest Addition to EtherNET/IP Process Device Profiles
ODVA announced on March 31, 2025, that level sensors are the latest option for process device profiles to be added to The EtherNet/IP Specification. Process device profiles help users to reduce complexity and to more quickly install new devices in the event of an unplanned replacement. Standardized semantics and scaling for process variables and diagnostics that are made possible by process device profiles for EtherNet/IP significantly improve vendor interoperability and prepare process data for use with edge and cloud analytics.
