Upgrade cybersecurity now with ODVA; SPE demo simplifies wiring

Networking organization ODVA, governing organization for EtherNet/IP, DeviceNet and other protocols, stepped up cybersecurity efforts and demonstrated single-pair Ethernet (SPE) capabilities.

By Mark T. Hoske January 27, 2024
Figure 4: ODVA members expressed interest in Single-pair Ethernet for ODVA’s EtherNet/IP, and Rockwell Automation and HMS helped ODVA with a demonstration at SPS, showing how SPE can reduce wiring. A separate effort improved cybersecurity. Courtesy: ODVA

 

Learning Objectives

  • See the ODVA upgrades to CIP Security that improve cybersecurity.
  • Understand how SPE is demonstrated for use with ODVA’s EtherNet/IP at SPS.
  • Review ODVA areas of interest at its annual meeting and ODVA briefing date for Hannover Messe.

EtherNet/IP CIP Security, SPE insights

  • ODVA upgraded CIP Security to improve cybersecurity.

  • SPE was demonstrated with ODVA’s EtherNet/IP at SPS.

  • ODVA outlined areas of interest at its annual meeting and shared the ODVA briefing date for Hannover Messe.


Industrial networking organization ODVA has provided advancements in device-level cybersecurity protections and demonstrated in-cabinet wiring reduction and device interchangeability with single-pair Ethernet (SPE). ODVA is the network organization governing EtherNet/IP, DeviceNet and other industrial communication protocols.

In a media briefing Nov. 14 at SPS, in Nuremberg, Germany, and online, ODVA representatives discussed advancements in device-level cybersecurity protections and new demonstrations illustrating in-cabinet wiring reduction and device interchangeability with SPE use.

CIP Security improvements explained

ODVA representatives explained that CIP Security, the cybersecurity network extension for the ODVA EtherNet/IP protocol, has added a new device-based firewall for enhanced intrusion deterrence. The CIP Security device-based firewall provides users with a simple traffic filter, similar to how the iptables program is used to set up a firewall in Linux. The device-based firewall is enabled via a new CIP Security Device-Based Firewall Profile, which gives users the flexibility to enable or disable the feature as desired. CIP Security now offers even more robust device-level protections with a device-based firewall to help discourage bad actors from infiltrating EtherNet/IP industrial networks.

The CIP Security device-based firewall is a mechanism to filter traffic based on IP address, port, and protocol. The device-based firewall is implemented via a new CIP object called the Ingress Egress Object, which enables an allow list of known IP addresses, configuration of available cipher suites, and routing rule definitions based on IP addresses and port numbers. This means that EtherNet/IP devices with CIP Security can determine what nodes can be safely communicated with and if TLS or DTLS encryption is required. Additionally, the user can decide whether or not other devices can route CIP communications through the configured CIP Security device. The new device-based firewall adds another layer of deterrence as a part of a defense in depth approach to help protect physical and digital assets from harm.

Figure 1: ODVA improved cybersecurity with a device-based firewall, improving defense-in-depth efforts. Courtesy: ODVA

“CIP Security continues to add additional security capabilities such as the new device-based firewall to help protect EtherNet/IP devices from misuse that could lead to critical system damage or information loss,” stated Jack Visoky, EtherNet/IP System Architecture Special Interest Group (SIG) vice-chair. Dr. Al Beydoun, president and executive director of ODVA, concurred, saying, “The prevention of unauthorized IP address and port numbers from accessing CIP Security enabled EtherNet/IP devices allows for another layer of protection for critical industrial automation applications as a part of a defense-in-depth approach. The addition of the device-based firewall profile for CIP Security is another important update to continue the fight against malicious cyber intrusions that can lead to financial and reputational loss.”

The new CIP Security Device-Based Firewall Profile allows for only known IP addresses to communicate using standard EtherNet/IP. Additionally, permitted CIP routing can be configured based on a set of trusted IP addresses, ports, and encryption. As a result of implementing the device-based firewall, data packets without matching IP address and/or ports will be dropped and therefore won’t be able to complete intended malicious tasks. ODVA is focused on ensuring that EtherNet/IP users have robust and continuously updated device security options with CIP Security.
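The allow-list behavior described above, sketched as a conceptual model (an added example, not ODVA code and not the Ingress Egress Object's actual encoding). The rule field names, the sample addresses and the port numbers are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Conceptual model only: field names are hypothetical and do not reflect the
# attribute encoding of the CIP Ingress Egress Object.
@dataclass(frozen=True)
class Rule:
    source: str           # allowed peer address or CIDR block
    protocol: str         # "tcp" or "udp"
    port: int             # destination port on the device
    require_secure: bool  # True: peer must use TLS (tcp) or DTLS (udp)
    allow_routing: bool   # True: peer may route CIP traffic through this device

# Constructed allow list using documentation addresses (192.0.2.0/24).
# Ports are the IANA-registered EtherNet/IP ports: 44818 (messaging) and
# 2221 (EtherNet/IP over TLS/DTLS); they are not taken from the article.
ALLOW_LIST = [
    Rule("192.0.2.10/32", "tcp", 2221, True, True),     # controller
    Rule("192.0.2.16/28", "udp", 2221, True, False),    # I/O peers
    Rule("192.0.2.20/32", "tcp", 44818, False, False),  # legacy HMI
]

def evaluate(src_ip, protocol, dst_port, secured, routed=False, rules=ALLOW_LIST):
    """Return (decision, reason) for one inbound connection attempt."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if (addr in ipaddress.ip_network(rule.source)
                and protocol == rule.protocol and dst_port == rule.port):
            if rule.require_secure and not secured:
                return ("drop", "TLS/DTLS required")
            if routed and not rule.allow_routing:
                return ("drop", "CIP routing not permitted")
            return ("accept", "matched allow list")
    return ("drop", "no matching rule")  # default deny

if __name__ == "__main__":
    attempts = [  # constructed sample traffic
        ("192.0.2.10", "tcp", 2221, True, True),
        ("192.0.2.17", "udp", 2221, False, False),
        ("192.0.2.20", "tcp", 44818, False, True),
        ("198.51.100.7", "tcp", 44818, False, False),
    ]
    for a in attempts:
        print(a, "->", evaluate(*a))
```

The final `return` is the property that matters for review: any peer, port or protocol not explicitly listed is dropped, so an incomplete allow list fails closed rather than open.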

Figure 2: Multiple ODVA profiles help with cybersecurity, as the table shows. Courtesy: ODVA

A revised ODVA CIP Security Technology Paper is available with the changes, under technical standards, CIP security.

SPE is demonstrated for use with ODVA’s EtherNet/IP

An ODVA in-cabinet demonstration at SPS (see Figure 5) with Rockwell Automation and HMS showed how EtherNet/IP and Single-pair Ethernet can reduce wiring and add constrained devices to the network.

Up to 40 devices, including constrained devices such as contactors and push buttons, provide wiring and cost savings, ODVA said.

Figure 3: ODVA has added more elements to CIP Security since 2014, as graphic shows. Courtesy: ODVA

ODVA reports last and next meetings

The ODVA annual meeting was held Oct. 17-19, with more than 125 participants. Discussion included SPE, process, 5G communications, security, data science and Time-sensitive Networking (TSN).

At Hannover Messe, ODVA will have another briefing on April 22.

Mark T. Hoske is content manager, Control Engineering, CFE Media and Technology, mhoske@cfemedia.com, edited using information provided in a Nov. 14 media briefing.

CONSIDER THIS

Are you keeping up with cybersecurity updates?

ONLINE

www.odva.org

IO-Link and SPE differ, explained ODVA in a Control Engineering article.


Author Bio: Mark Hoske has been Control Engineering editor/content manager since 1994 and in a leadership role since 1999, covering all major areas: control systems, networking and information systems, control equipment and energy, and system integration, everything that comprises or facilitates the control loop. He has been writing about technology since 1987, writing professionally since 1982, and has a Bachelor of Science in Journalism degree from UW-Madison.