Device-based Firewall Profile Added to CIP Security to Further Protect EtherNet/IP Networks

ODVA announced that CIP Security, the cybersecurity network extension for EtherNet/IP, has added a new device-based firewall to provide a more enhanced intrusion deterrence. The CIP Security device-based firewall provides users with a more simple traffic filter similar to how the IP Tables program enables a firewall to be setup in Linux. This device-based firewall is enabled via a new CIP Security Device-Based Firewall Profile, which allows for greater flexibility to enable or disable this feature as desired. CIP Security now offers more robust device level protection with a device-based firewall to help discourage incidents that could infiltrate EtherNet/IP industrial networks. 

The CIP Security device-based firewall is a mechanism to filter traffic based on IP address, port, and protocol. This device-based firewall is implemented via a new CIP object called the Ingress Egress Object, which enables an allow list of known IP addresses, configuration of available cipher suites, and routing rule definitions based on IP addresses and port numbers. This means that EtherNet/IP devices with CIP Security can determine what nodes can be safely communicated with and whether TLS or DTLS encryption is required. Additionally, the user can decide whether other devices can route CIP communications through the configured CIP Security device. This new device-based firewall adds another layer of deterrence as a part of a defense in depth approach to help protect physical and digital assets from damage.

The new CIP Security Device-Based Firewall Profile allows for only known IP addresses to communicate using standard EtherNet/IP. Additionally, permitted CIP routing can be configured based on a set of trusted IP addresses, ports, and encryption. As a result of implementing this device-based firewall, data packets without matching IP address and/or ports will be dropped and therefore won’t be able to complete intended malicious tasks. ODVA is focused on ensuring that EtherNet/IP users have more robust and continuously updated device security options available to them via CIP Security as a part of a defense in depth approach.

The latest version of The EtherNet/IP Specification including CIP Security can be found at odva.org .