ODVA have announced that CIP Security, the cybersecurity network extension for EtherNet/IP™, has added support for resource-constrained EtherNet/IP devices. CIP Security can now provide device authentication, a broad trust domain, device identity via Pre-Shared Keys (PSKs), device integrity and data confidentiality for resource-constrained devices such as contactors and push-buttons. A narrow trust domain, user authentication and policy enforcement via a gateway or a proxy are available options.
The new specification has added a Resource-Constrained CIP Security Profile in addition to the EtherNet/IP Confidentiality and the CIP™ User Authentication Profiles. The Resource-Constrained CIP Security Profile is similar to the EtherNet/IP Confidentiality Profile, but is streamlined for resource-constrained devices. The same basic security aspects of endpoint authentication, data confidentiality and data authenticity remain. Access policy information is also included to allow a more capable device to be used as a proxy for user authentication and authorization of the resource-constrained device. Implementation of CIP Security for resource-constrained devices requires only DTLS support instead of DTLS and TLS, as it is used only with low-overhead UDP communication.
The protections offered by CIP Security are now available for EtherNet/IP networks via a resource-constrained version of CIP Security that includes fewer mandatory features.