Fight Cyber Threats With CIP Security

Implementing CIP Security, as part of your defense-in-depth system, is one way to harden your industrial control systems from cyber attacks.

Securing control systems and their communications can help protect your operations from an evolving-threat landscape.

By Jack Visoky, Rockwell Automation

There’s a growing demand in boardrooms and beyond to protect industrial control systems (ICS) from cyber threats. The 2021 SANS ICS/OT survey (SANS Institute, N. Bethesda, MD, sans.org) found that 7 in 10 respondents said the risk to their environment was high or severe, while about 3 in 10 said unprotected devices were a major concern. This past year we’ve also seen high-profile incidents that involved food, water, and energy supplies.

The White House even put out a statement this past summer addressing the need to strengthen control-system cybersecurity in critical infrastructure. It stated, “The cybersecurity threats posed to the systems that control and operate the critical infrastructure on which we all depend are among the most significant and growing issues confronting our nation.”

When it comes to protecting your ICS devices and your overall operations from cyber attacks, a defense-in-depth security approach is considered to be a best practice. Within that approach is an opportunity to strengthen the device layer by embracing CIP Security, a security mechanism in ICS devices.

Self-Defending Devices

ICS communication protocols inherently lack security properties such as authentication, integrity, and confidentiality. This can make ICS devices vulnerable to threats such as denial-of-service attacks, that can leave devices inoperable, and man-in-the-middle attacks, that can alter communications. 

CIP Security helps address these risks. It uses modern, standard, and proven IT technology to help minimize potential vulnerabilities in ICS devices and their communications.

CIP Security helps devices defend against cyberattacks using three security properties:

Device identification and authentication helps prevent a threat actor from connecting to a device. It does this by requiring that devices confirm that each other’s identities are authentic before they are allowed to communicate with each other. Devices can perform this confirmation using digital certificates or pre-shared keys. 

Data integrity helps prevent ICS device communications from being tampered with or modified while in transit by attaching an authentication code to every message. This capability is becoming a higher priority as companies recognize the interrelated nature of safety and security. For example, a threat actor that tampers with ICS communications, such as by making a configuration and program change, can have potentially dangerous consequences. They can change product recipes, damage equipment, and threaten human or environmental safety. Protecting against ICS tampering with data integrity can help reduce these risks.

Data confidentiality helps prevent unauthorized viewing of data by encrypting communications while they’re in transit. This can help protect sensitive or confidential data.

CIP Security-Enabled Systems

CIP Security is deployed at the device level, specifically the device port, using CIP Security-enabled devices. A growing number of devices are now available with CIP Security, including controllers, servo drives, and AC drives. More are on the way.

There are also ways to deploy CIP Security using legacy devices. For example, certain control systems can be retrofitted with CIP Security using special-purpose communication modules. Many devices that aren’t CIP Security-capable can also be connected to your system using a CIP Security proxy device. Secure server and communication software can also create secure communications between PC-based tools such as ICS design software and CIP Security-enabled devices.

Of course, exactly how and where you deploy CIP Security depends on your security posture and the level of mitigation you need to reach an acceptable risk state. To understand this, you need to conduct a security assessment.

Security Assessments

A security assessment should be a collaborative process between operational technology (OT) and information technology (IT) personnel. The goal is to maximize the confidentiality, integrity, and availability protection, while maintaining functionality and usability. The process involves performing three sub assessments:

First, a threat assessment considers the range of threats that could attack your production sites, including criminal, terrorist, natural, and accidental threats. Your threat assessment should evaluate the likelihood of each threat based on your specific business requirements.

Second, a vulnerability assessment identifies methods by which the threats can be exploited and provides recommendations on how to address these vulnerabilities. You can establish a risk score for each vulnerability by rating their probability or ease of exploitation, as well as the resulting impact in terms of cost or injury if the exploit is successful.

Third, a risk assessment evaluates your risk scores and assigns actions that should be taken for each of them. 

These three steps help you understand your risks and how you can mitigate them.

Simplifying Deployment

Configuration software can play a big role in helping reduce the time it takes to design and deploy CIP Security in your operations. 

For starters, administrators can use the software to create and deploy security policies to many devices, all at once, from a central location. The ability to centrally deploy CIP Security configurations helps reduce the risk of human error because it allows the configurations to be modeled, validated, and deployed consistently.

The software can also hide some of the complex techniques that CIP Security employs, such as certificate authorities and encryption algorithms. This allows administrators to focus on creating more secure communications between trusted devices.

Within the software, administrators create security models that are structured with zones and conduits. Zones create smaller domains of trust and are comprised of ICS devices based on common functionality and security requirements. A zone, for example, could include a production cell or a group of supervisory PCs.

Conduits control communications between zones. You can also create conduits between non-CIP Security devices and CIP Security-enabled devices using CIP Security configuration software that has a “Trusted IP” feature. 

Performance considerations

Threat mitigation is the goal when you use CIP Security. But there are times when you also need to factor device performance into your security policies.

The first is when you’re considering using data confidentiality. Not all ICS communications need to be protected with encryption, which affects network adapter capacity. Because of this, you shouldn’t use data confidentiality for ICS communications that are sensitive to latency.

Also consider device performance when you’re determining how trusted devices will identify and authenticate each other. The two options you have for this security property—certificates and pre-shared keys—come with some trade-offs. Certificates offer a higher level of security. But pre-shared keys have less impact on performance when establishing connections because they don’t require certificate parsing and signature verification.

Another consideration is whether you should back up your CIP Security model. Creating back-ups isn’t a requirement, but it is a good practice and critical for system operations. It helps make sure your files are synchronized with your current security policy. It can also reduce downtime should a software issue occur, and you need to reset devices to factory settings.

CIP Security can play an important role in your defense-in-depth strategy by helping to fortify the last level of the control system. But you may not be confident deploying this relatively new security mechanism in your facilities. 

Freely available resources can help. For example, application technique manuals explain the implementation process and standards-aligned design guides provide use cases for designing and deploying CIP Security across sitewide applications. EP

Jack Visoky is a Principal Engineer and Security Architect at Rockwell Automation, Milwaukee (rockwellautomation.com). His responsibilities focus on product-security technology, including security protocols such as CIP Security.