
CIP Security with Rockwell Automation Products

Application Technique - Original Instructions

Important User Information


Read this document and the documents listed in the additional resources section about installation, configuration, and
operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize
themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.

Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to
be carried out by suitably trained personnel in accordance with applicable code of practice.

If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be
impaired.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use
or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and
requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for
actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software
described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is
prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to
personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or
economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

IMPORTANT Identifies information that is critical for successful application and understanding of the product.

Labels may also be on or inside the equipment to provide specific precautions.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be
present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous
temperatures.

ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc
Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work
practices and for Personal Protective Equipment (PPE).

2 Rockwell Automation Publication SECURE-AT001B-EN-P - August 2021


Table of Contents

Preface  5
Summary of Changes  5

Chapter 1 - Industrial Security Overview
    Industrial Automation Control Systems Environment  7
    Security Threats  7
    Vulnerability and Exploits  8
    Security Assessment  9
    Defense-in-Depth Architecture  10
    CIP Security is an ODVA Standard  11
        Device Identity/Authentication  12
        Secure Data Transport  13

Chapter 2 - CIP Security-capable Rockwell Automation Products
    Software and Hardware  15
        CIP Security Software Applications  15
        CIP Security-capable Hardware Devices  17
    Benefits of Using Rockwell Automation Products  18
    CIP Security Properties  18
        Security Profile and Attributes  18
        CIP Security Components  19
    Security Model  22
        Zone Properties  22
        Conduit Properties  23
    Limitations and Considerations  24
        Dual-port Devices  24
        Initial Security Model Deployment Fails If ControlLogix 5580 Controller is in Run Mode  24
        Cannot Download to ControlLogix 5580 Controller from Unsecure Workstation  25
        Workstation Cannot Connect to a Secure ControlLogix 5580 Controller if Security Profiles Do Not Match  26
        CIP Bridging  27
        Network Address Translation  27
        Use of Multicast Connections  29
        Automatic Device Replacement  29
        RSLinx Classic Software  29

Chapter 3 - CIP Security Implementation Process
    Design and Install the System  31
    Identify, Organize, and Create Zones  32
        Create a Zone  33
        Configure the Zone  35
    Identify, Organize, and Create Conduits  36
        Create a Conduit  37
        Configure the Conduit  41
    Identify and Create Security Features/Policies  43
    Deploy Security Model  44
    Back Up the Security Model  47
        Save Security Model Backup to Another Secure Location  47
        Different From FactoryTalk Directory Backup File  47
    Restore FactoryTalk System Services  48
    Remove the Security Policy  49
        Remove the Security Policy From a Software Application  49
        Remove the Security Policy From a Device  53
    Replace a CIP Security-enabled Device in the System  56

Chapter 4 - CIP Security Implementation Example Architecture
    Phase One of Implementation  57
        Create Zones  57
        Create Zone-to-Zone Conduits  59
        Configure Conduit Security Policies  60
        Deploy Security Policies  61
    Phase Two of Implementation  62
        Create a Device-to-Device Conduit  62
        Create a Zone-to-Device Conduit  63
        Create Conduit Security Policies  64
        Deploy Security Policies  65

Index  67

Additional Resources  71



Preface

This manual explains how to implement the Common Industrial Protocol (CIP™) Security standard in your industrial automation control system
(IACS). The term CIP Security™ is used throughout the rest of this manual.

Make sure that you are familiar with the following before you use this manual:
• Basic understanding of EtherNet/IP™ networking fundamentals
• Basic understanding of network security terminology and concepts
• Use of Rockwell Automation® software, for example:
- FactoryTalk® Policy Manager
- FactoryTalk Linx
- Studio 5000 Logix Designer®

Summary of Changes
This table contains the changes that are made to this revision of the publication. Change bars indicate changes throughout the publication.

Topic (Page)
• Added information about the following products that you can use with CIP Security (Throughout):
- 1783-CSP CIP Security Proxy
- Kinetix 5300 drives
- PowerFlex® 755T drives
• Description of how to migrate an application from using FactoryTalk Policy Manager, version 6.11, to FactoryTalk Policy Manager, version 6.20 (15)
• Updated the description of Studio 5000 Logix Designer application (16)
• Updated the description of ControlLogix® 5580 controllers (17)
• Added a description of an initial security model deployment failure if a ControlLogix 5580 controller is in Run Mode (24)
• Added a description of conditions in which you cannot download to a ControlLogix 5580 controller from an unsecure workstation (25)
• Added a PowerFlex 755T drive to the CIP Bridging graphic (27)
• Updated the description of the Automatic Device Replacement limitation (29)
• Added a description of the different security model deployment types (45)
• Updated the description of how to back up the security model (47)
• Added a description of how to restore FactoryTalk System Services (48)
• Added a description of how to replace a CIP Security-enabled device (56)
• Updated graphics to show a 1783-CSP CIP Security Proxy (Chapter 4)



Chapter 1
Industrial Security Overview
This section provides an overview of CIP Security™.

Industrial Automation Control Systems Environment


Historically, industrial automation control systems (IACS) have been air-gapped environments, isolated systems that are running proprietary control
protocols. But IACS networks are evolving toward smart manufacturing.

Smart manufacturing represents a gateway to digital transformation that connects plant-level and enterprise networks, and securely connects
people, processes, and technologies.

Collectively, this opens new windows to connected smart devices for visibility into processes, data, and analytics. The visibility enables better and
faster decision-making and seamless connectivity for remote locations.

As EtherNet/IP™ becomes a growing standard and these isolated IACS networks evolve toward smart manufacturing, network convergence and
industrial security become a necessity.

Security Threats
As IACS networks transition to open standards of Ethernet-media and Internet Protocol (IP) to meet the needs of end-to-end connectivity of entities,
the threat landscape broadens.

With an increase of smart devices and end-to-end connectivity come more assets to protect and a greater risk of security threats.

Security risks can take many forms, for example:


• Threat actors that try to gain unauthorized, and undetected, access to an IACS network with the intention to commit malicious acts.
• Well-intentioned personnel with no malicious intention but who make mistakes that can result in unintended consequences.

IMPORTANT This publication focuses on threat actors with malicious intentions, also called attackers. The word attacker is used
throughout the rest of the publication.
In this publication, attacker refers to one individual or to an Advanced Persistent Threat (APT), or a group of attackers
working collectively.


Vulnerability and Exploits


By default, IACS communication protocols are proprietary and insecure. They lack security properties such as authentication, integrity, and
confidentiality. As a result, data and endpoints are at risk. These security properties are necessary for IACS devices to defend themselves against a
network-based attack.

Insecure communication protocols can be exploited to make data accessible for anyone to collect, and vulnerable endpoints can become open
targets for denial-of-service (DoS) and other types of attacks.

When attackers access a system, they use many ways to exploit the IACS communication protocol vulnerabilities.

Table 1 - Attack Types

Attack Type: Description

DoS (Unauthorized Open Access): An attacker executes a DoS attack that renders the CIP™ device inoperable.

Man-in-the-Middle: The attacker eavesdrops on data in transit to alter the communication between CIP devices.

Monitor Data: The attacker monitors or views sensitive or classified data that is exchanged between CIP devices.

(Each row is illustrated with a diagram of the attacker and an EtherNet/IP Logix5585 controller.)

Security Assessment
A security assessment is the starting point for any security implementation. An assessment provides a picture of your current security
posture and of the mitigation techniques you need to reach an acceptable risk state.

An assessment is a collaborative process between Operational Technology (OT) and Information Technology (IT) personnel to maximize the
protection of confidentiality, integrity, and availability while still providing functionality and usability.

A security assessment has three steps:

1. Conduct a threat assessment.

A threat assessment considers a range of threats, from natural, criminal, and terrorist to accidental, for a given facility/location. Based on
business requirements, a company should evaluate the likelihood of each threat.

2. Perform a vulnerability assessment.

A vulnerability assessment is designed to identify the methods by which the threats can be exploited and to provide recommendations on how
to address these vulnerabilities.

Each vulnerability should be rated for the probability or ease of exploitation and for the resulting impact in terms of cost or injury should the
exploit be successful. This establishes a risk score for each vulnerability.

3. Perform a risk assessment.

A risk assessment evaluates the risk scores and assigns a response to each risk. One of the following actions should be taken for each risk:
- Mitigated - A mitigated risk requires an explanation of what was done to prevent the vulnerability from being exploited.
- Terminated - A terminated risk requires an explanation of what was removed or disabled to prevent the vulnerability from being
exploited.
- Transferred - A transferred risk requires an explanation of what is being done outside this system to prevent or respond to the
vulnerability being exploited.
- Accepted - An accepted risk requires notation of the authority accepting the risk.

Accurately assessing threats and identifying vulnerabilities is critical to understanding the risk to your IACS assets.


Defense-in-Depth Architecture
Industrial security is best implemented as a complete system across your operations. The defense-in-depth (DiD) approach is common to
security standards.

The DiD security approach establishes multiple layers of protection that are based on diverse technologies through physical, electronic, and
procedural safeguards.

For example, you restrict physical access to managed switches with port locks. Then you position edge industrial firewalls to restrict access and
block unapproved traffic flows. Finally, you employ an industrial demilitarized zone (IDMZ) as a perimeter buffer zone between the Industrial and
Enterprise zones. The IDMZ lets secure data sharing and services take place without direct connection.

The following are key tenets of the DiD security approach:

• Multiple layers of security are more resilient to attack.
• Each layer adds to the one above it.
• It does not replace the need for firewalls or other security infrastructure in a system.

The expectation of the DiD approach is that in the event an attacker breaches one layer of defense, there is always an additional layer that thwarts
their effort.

Figure 1 - Defense-in-Depth Architecture (layers, from the outside in: Policies, Procedures, and Physical; Network; Computer; Application; Device)

CIP Security is an ODVA Standard


As attackers become more sophisticated and network convergence opens more potential gateways to industrial zones, CIP-connected devices
must be able to defend themselves.

Recognizing the need for CIP-connected device protection, ODVA developed CIP Security. It is an open-standard secure communication mechanism
for EtherNet/IP networks.

The following CIP Security properties are countermeasures that address the security risks:
• Device identity and authentication
• Data integrity and authentication
• Data confidentiality (encryption)

Positioned at the device level in the DiD architecture, CIP Security enables CIP-connected devices to authenticate each other before transmitting
and receiving data. Device connectivity is limited to only trusted devices.

Optionally, to increase the overall device security posture, it can be combined with data integrity to guard against packet tampering and message
encryption to avert unwanted data reading and disclosure.

Figure 2 - CIP Security As Part of Defense-in-Depth Architecture (the same layers as Figure 1, with the CIP Security-enabled Device as the innermost
layer; CIP Security is positioned at the device level of the DiD architecture)

Device Identity/Authentication

Before devices start communicating, each device must be able to verify that the identity of the device with which it wants to communicate is
authentic. This protects legitimate devices from a rogue device gaining access to the system by pretending to be a system component.

To build this endpoint trust, a certificate or a pre-shared (secret) key can be used to provide identity to the device:
• Certificates provide identity based on the X.509v3 standard.

Certificates are an agreement between communicating parties and a common entity that is called a Certificate Authority (CA). A trusted CA
signs and issues certificates to requesters to prove their identities. Mutual trust can be established when communicating parties exchange
certificates signed by a common CA.

FactoryTalk® System Services is the certificate authority. It is the service that signs and issues certificates to give assurance of a
communicating party's authenticity.

An advantage of using certificates is that they provide a greater level of security than pre-shared keys.
• Pre-shared keys prove identity based on keys that are shared in advance among the communicating parties.

A pre-shared key is an agreement between two entities on the parameters that determine identity and authentication. The entities are the
devices that communicate with each other.

An advantage of using pre-shared keys is that they have less performance impact when establishing connections.

IMPORTANT Devices can use only one pre-shared key. As a result, any conduits that are required between zones that are configured
with a pre-shared key must be created using Trusted IP.

Secure Data Transport

CIP Security is based on Transport Layer Security (TLS) (RFC 5246) and Datagram Transport Layer Security (DTLS) (RFC 6347) protocols to protect
EtherNet/IP data while in transit.

TLS and DTLS are network protocols that facilitate data transfer privately and securely between an originator and a target device.

TLS provides the following security properties:

• Authentication - Allows each device to confirm its identity through certificate exchange or pre-shared keys
• Integrity - Makes sure that the data has not been tampered with, or falsified, while in transit, with the TLS Hash-based Message Authentication
Code (HMAC)
• Confidentiality - Data is encrypted while being transmitted between the originator and target device. Encrypting the data prevents
unauthorized parties from reading it.

DTLS is based on TLS but is used for User Datagram Protocol (UDP) connections instead of Transmission Control Protocol (TCP) connections.

For complete descriptions of the security properties, see the ODVA home page available at: https://www.odva.org/.
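The two preceding sections describe the certificate side of CIP Security in words: a common CA signs a certificate for each device, and the TLS handshake then lets an originator and a target authenticate each other before any data flows. The following Go program is an added example, not code from this manual, from ODVA, or from any FactoryTalk product. It uses only Go's standard crypto/x509 and crypto/tls packages: a locally generated CA stands in for the role the manual gives to FactoryTalk System Services, the device names (plant-ca, rogue-ca, controller-1, workstation-1, rogue-device) and the functions issueCert, tryConnect and RunScenario are constructed for the example, and the handshake runs over TCP on the loopback address. It goes one step beyond the text by also showing the negative case: a device whose certificate was signed by an unrelated CA is refused by the target, which is the rogue-device scenario of the Device Identity/Authentication section. The example covers the TLS (TCP) case only; Go's standard library has no DTLS, and no CIP traffic is carried, only the mutual authentication.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issueCert creates a key pair and certificate for name. With parent == nil the result is a self-signed
// CA (the role the manual gives FactoryTalk System Services); otherwise it is a device certificate
// signed by that CA, valid for the loopback address the example runs on. Leaf is set for reuse.
func issueCert(name string, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial, unique enough for this demo
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	issuer, signer := tmpl, any(key)
	if parent == nil { // self-signed CA: allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		issuer, signer = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// tryConnect runs one mutually authenticated TLS handshake over loopback between a target device (TLS
// server) and an originator (TLS client); both trust only trustedCA. Returns nil if both sides accepted.
func tryConnect(trustedCA, target, originator tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA.Leaf)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{target},
		ClientAuth:   tls.RequireAndVerifyClientCert, // an originator without a trusted certificate is refused
		ClientCAs:    pool,
	}
	clientCfg := &tls.Config{
		Certificates: []tls.Certificate{originator},
		RootCAs:      pool, // the originator checks the target's certificate the same way
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	must(err)
	defer ln.Close()
	serverDone := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		serverDone <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err == nil {
		err = <-serverDone // with TLS 1.3 the target verifies the originator's certificate after Dial has returned
		conn.Close()
	}
	return err
}

// RunScenario builds a plant CA and an unrelated rogue CA, issues device certificates, and checks that
// only devices certified by the common plant CA can establish a connection with each other.
func RunScenario() (commonCAAccepted, rogueRejected bool) {
	plantCA, rogueCA := issueCert("plant-ca (constructed)", nil), issueCert("rogue-ca (constructed)", nil)
	target := issueCert("controller-1", &plantCA)
	commonCAAccepted = tryConnect(plantCA, target, issueCert("workstation-1", &plantCA)) == nil
	rogueRejected = tryConnect(plantCA, target, issueCert("rogue-device", &rogueCA)) != nil
	return commonCAAccepted, rogueRejected
}

func main() {
	fmt.Println(RunScenario()) // expected: true true
}
```

The server-side setting that matters is ClientAuth: tls.RequireAndVerifyClientCert. Without it a TLS server authenticates itself to the originator but accepts any originator, which is the one-way trust of ordinary web TLS rather than the mutual device authentication the manual describes. Note also that the rejection of the rogue device happens in the handshake itself, before any application data is exchanged, which is what "reject messages that are sent by untrusted devices" amounts to at the transport layer.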

Table 2 defines the icons that are used in Table 3 on page 14.

Table 2 - CIP Security Icons

Name: Definition

Certificate: An electronic representation of an identity. A certificate binds the identity's public key to its identifiable information, such as
name, organization, email, user name, and/or a device serial number. This certificate is used to authenticate a connection to a zone or device.
Selected by default when CIP Security is enabled.

Pre-shared key: A secret that is shared among trusted entities to represent identities. FactoryTalk Policy Manager can create a key that can be
shared.

Integrity: Checks whether data was altered and whether the data was sent by a trusted entity. Altered and/or untrusted data is rejected.

Check mark: Symbol used to indicate that the endpoints for communication between devices have been authenticated and can be trusted.

Encryption: Encodes messages or information to help prevent reading or viewing of EtherNet/IP data by unauthorized parties.

Table 3 describes how secure data transport enables a CIP-connected device to help protect itself from malicious communication. Each row is
illustrated with FactoryTalk® Linx communicating with a Logix5585 controller through a 1756-EN4TR communication module.

Table 3 - CIP Security Properties

Device Identity and Authentication
Description: Method of providing secure identity for a device. The following methods can be used:
• Certificates (recommended)
• Pre-shared keys
Together, these properties help the device take the following actions:
• Reject messages that are sent by untrusted devices.
• Prevent unauthorized devices from establishing connections.
Result: Threat actor cannot connect to the CIP-connected device.

Data Integrity and Authentication
Description: Method of providing data integrity and message authentication to EtherNet/IP network communication. Lets the device take the
following actions:
• Reject data that has been altered.
• Prevent tampering or modification of communication.
Result: Attacker can see the data but cannot change the data.

Data Confidentiality
Description: Means of using encryption to encode messages or information that is exchanged across an EtherNet/IP network. Lets the device take
the following actions:
• Prevent viewing of EtherNet/IP data by unauthorized parties.
• Prevent snooping or data disclosure.
IMPORTANT: This security property is optional. Some IACS network communication does not need to be secure; data integrity and
authentication is typically the goal. Encryption typically affects network adapter capacity.
Result: Attacker cannot see the data.


Chapter 2
CIP Security-capable Rockwell Automation Products
This section describes the components and concepts that are part of the Rockwell Automation method of implementing CIP Security™ in an IACS.

For information on the tasks that are required to use CIP™ Security-capable products in an IACS, see the following:
• Chapter 3, CIP Security Implementation Process on page 31
• Chapter 4, CIP Security Implementation Example Architecture on page 57
• Publications listed in Additional Resources on page 71

Software and Hardware

CIP Security-capable Rockwell Automation® products include software, for example FactoryTalk® Policy Manager, which you use to define the
security policy, and hardware, for example ControlLogix® 5580 controllers.

CIP Security Software Applications

IMPORTANT You download software at the Rockwell Automation Product Compatibility and Download Center (PCDC).
To visit the PCDC, go to: http://compatibility.rockwellautomation.com/Pages/home.aspx
• FactoryTalk® Policy Manager, version 6.11, and FactoryTalk System Services, version 6.11, are components of FactoryTalk
Services Platform, version 6.11.
When you install FactoryTalk Services Platform, version 6.11, you must select Customize from the installation wizard and
check the boxes for installation of the FactoryTalk Policy Manager and FactoryTalk System Services components.
For more information, see the FactoryTalk Policy Manager Getting Results Guide, publication FTALK-GR001.
• FactoryTalk Policy Manager, version 6.20 or later, is an independent installation package. FactoryTalk System Services,
version 6.20 or later, is part of the FactoryTalk Policy Manager installation.
FactoryTalk Services Platform, version 6.20 or later, does not include FactoryTalk Policy Manager or FactoryTalk System
Services.
• Before you migrate from version 6.11 to version 6.20 or later, we recommend that you see the following Rockwell Automation
Knowledgebase articles that are available at https://rockwellautomation.custhelp.com/app/home:
– Backup and restore CIP Security models of FactoryTalk Policy Manager and FactoryTalk System Services
– Fail to migrate existing FactoryTalk System Service data with CIP Security policy models
– FactoryTalk Policy Manager download and install
We recommend that you use the latest version of FactoryTalk Policy Manager.

Software Application: Description (Minimum Version Required)

FactoryTalk Policy Manager (Version 6.11)
FactoryTalk Policy Manager is a secure software application that you use to configure, deploy, and view the system communication security
policies.
The security policies are divided into different components, that is, devices, zones, and conduits. You use these components to design security
models that control the permissions and usage of devices within the system. For more information on security models and how components are
used to design the models, see page 18.
The security policies are distributed to the devices at once. You are not required to make changes at the device level and face the risk of human
error that results in inconsistent configuration among the devices.

FactoryTalk System Services (Version 6.11)
FactoryTalk System Services is a secure EtherNet/IP™ client that runs in the background to deploy the security policies that are configured in
FactoryTalk Policy Manager. You do not take action in the client.
FactoryTalk System Services provides the following in the FactoryTalk Directory to enforce security policies that are based on the ODVA CIP
Security standard:
• Identity/Authentication Service - Authenticates users and validates user resource requests. Validates user credentials against the
FactoryTalk Directory and FactoryTalk Security policy settings to obtain the privileges associated with the user.
• Certificate Service - Issues and manages certificates for devices in the FactoryTalk Policy Manager model.
• Deployment Service - Translates the security policy to CIP™ configurations that are delivered to endpoints.
• Policy Service - Builds and manages CIP network trust models and defines security policy for the CIP endpoints.
• Diagnostic Service - Makes FactoryTalk audit and diagnostic logs available as a web service.

FactoryTalk Linx (Version 6.11)
FactoryTalk Linx is a secure EtherNet/IP client that initiates connections over a secure EtherNet/IP network with CIP Security-enabled devices.
This server and communication service lets devices communicate with the FactoryTalk software portfolio and the Studio 5000 Logix Designer
application.
IMPORTANT: You cannot use RSLinx® Classic software to implement CIP Security in an IACS.

Studio 5000 Logix Designer® (Version 31.00.00)
Logix Designer application is comprehensive programming software that you use with Logix 5000™ controllers. In a system with CIP Security
implemented, the software is used with ControlLogix 5580 controllers and with ControlLogix 5570 or 5580 controllers that use a 1756-EN4TR
communication module in the same chassis.
IMPORTANT: Logix Designer application is not required to implement CIP Security. However, Logix Designer application functions as
CIP Security-capable software because it supports the CIP protocol and uses FactoryTalk Linx software to communicate with other devices via
the CIP protocol.
Minimum version notes: When you implement CIP Security with a ControlLogix 5570 or 5580 controller and version 31, you must use a
1756-EN4TR communication module in the chassis. To implement CIP Security with a ControlLogix 5580 controller and avoid the need for a
1756-EN4TR communication module, you must use version 32.00.00 or later.

CIP Security-capable Hardware Devices

The following hardware devices are CIP Security-capable.

IMPORTANT The table represents products that are CIP Security-capable at the time of this publication.
Over time, new products will be released that are CIP Security-capable. New versions of existing products that are not CIP
Security-capable will be released in the future to make them CIP Security-capable.
To see if a product is CIP Security-capable, see the product documentation.

ControlLogix 5580 Controllers
ControlLogix 5580 controllers use a common Logix control engine and common development environment
to control large control systems.
The controllers communicate with, and can control, local and remote devices. For example, the devices can
be I/O modules, network communication modules, drives, and operator interfaces.
You use the Logix Designer application to configure ControlLogix 5580 controllers. The Logix Designer
application version must be compatible with the firmware revision on the controllers.
IMPORTANT: You do not use the Logix Designer application to define the security policy. You use
FactoryTalk Policy Manager to define the security policy.
Minimum firmware revision required: Firmware revision 31.011. If you use revision 31.xxx, you must also
include a 1756-EN4TR communication module in the same chassis as the controller. To implement CIP Security
with a ControlLogix 5580 controller and avoid the need for a 1756-EN4TR communication module, you must use
firmware revision 32.011 or later.

1756-EN4TR ControlLogix EtherNet/IP Communication Module
The 1756-EN4TR communication module performs the following functions:
• Facilitates high-speed data transfer between ControlLogix 5580 controllers and devices on an EtherNet/IP
network.
• Connects Logix 5000 control systems to multiple EtherNet/IP network topologies.
Minimum firmware revision required: Any

Kinetix® 5300 Drives
Kinetix 5300 drives are entry level Integrated Motion on EtherNet/IP servo drives that are designed for small
to medium machines for various motion control applications.
Minimum firmware revision required: Firmware revision 13.003

Kinetix 5700 Drives
Kinetix 5700 drives are single and dual-axis inverters that you can use to expand the use of Integrated
Motion on EtherNet/IP to large, custom machines with high axis counts and power requirements.
The drives have built-in dual Ethernet ports that let you connect the drives directly to EtherNet/IP networks.
Minimum firmware revision required: Firmware revision 11.001

PowerFlex 755T Drives
PowerFlex 755T drives, bus supplies, and common bus inverters provide common bus, regenerative, and
high performance variable frequency motor control 10...6000 Hp.
PowerFlex 755T drives have built-in dual Ethernet ports that let you connect the drives directly to EtherNet/
IP networks. CIP Security requires use of the built-in Dual EtherNet/IP ports that are provided on PowerFlex
755T Main Control Boards. This feature is not compatible with network option cards.
Minimum firmware revision required: Firmware revision 10.001

1783-CSP CIP Security Proxy
The 1783-CSP Proxy is a standalone device that lets you connect a device that is not CIP™ Security-capable,
also known as the proxied device, to an IACS that has CIP Security enabled.
Minimum firmware revision required: Any


Benefits of Using Rockwell Automation Products


Implementing CIP Security with Rockwell Automation products has the following benefits:
• Centralized System Management - Use FactoryTalk Policy Manager software to easily create and deploy security policies to many devices
at once.
• Micro-segmentation - Segment the automation application into smaller cell/zones, thus, reducing the attack surface.
• HTTP ports - You can enable or disable unsecure (HTTP) ports/protocols of devices in a system with CIP Security configured.
• Legacy system support - The following options are available to use for products that are not CIP Security-capable in a specific unsecured
communication network that deploys the CIP Security feature:
- Use the 1783-CSP CIP Security Proxy to connect a device that is not CIP Security-capable to an IACS that has CIP Security™ enabled.
- Retrofit ControlLogix 5570-based systems with the new 1756-EN4TR communication module.
- Allowed - Authorize specific communication based on IP address.

In FactoryTalk Policy Manager, the Authentication Method property for a conduit uses the term Trusted IP to represent Allowed.

IMPORTANT Make sure that you are aware of the limitations of the Allowed (Trusted IP) method as a security measure before you use it.

CIP Security Properties


CIP Security comprises a security profile, attributes, and components. These key mechanisms implement the security requirements for the
resource that you are protecting.

Security Profile and Attributes

CIP Security defines the concept of a security profile. A security profile is a set of well-defined capabilities to facilitate device interoperability and
end-user selection of devices with the appropriate security capability. A security profile describes what security features a given device supports.
The device enforces the security policy based on its security profile.

Understanding that security is a balance and not every CIP-connected device requires the same level of security, FactoryTalk Policy Manager lets
administrators enable only the desired attributes when they create a security profile.

The Device Identity/Authentication attribute must be enabled before Data Integrity and Data Confidentiality can be enabled.

Rockwell Automation CIP Security-capable products support the following security attributes:

Device Identity and Authentication:
• A certificate based on the X.509 v3 standard is used to provide identity.
• Pre-shared keys are shared secrets, shared among trusted entities, that are used to provide identity.
• The TLS protocol facilitates mutual authentication to create trusted endpoints.
Data Integrity: Keyed-Hash Message Authentication Code (HMAC) is used as a cryptographic method of providing data integrity and message
authenticity to EtherNet/IP traffic.
Data Confidentiality: Data encryption is used to encode messages or information to help prevent reading or viewing of EtherNet/IP data by
unauthorized parties.

IMPORTANT The rest of this section describes each component and, for zones and conduits, steps to create and configure them.
However, the descriptions are not exhaustive.
For more detailed information on security models, including the tasks that you must complete to configure them, see the
FactoryTalk Policy Manager Getting Results Guide, publication FTALK-GR001.


CIP Security Components

FactoryTalk Policy Manager divides the system security policies into different components. The following components are used to design security
models:
• Devices
• Zones
• Conduits

Devices

Devices are the modules, drives, controllers, HMI panels, computers, and servers that work together to create an IACS network. You add devices that
share security requirements for a particular function to the same zone.

Consider the following about devices in the security model when you use them in an IACS network:
• The lists of current CIP Security-capable Rockwell Automation products are on page 15 and page 17.

More CIP Security-capable Rockwell Automation products are in development.


• A device that is CIP Security-capable does not have to have CIP Security enabled in an IACS network.
• You can use non CIP Security-capable devices in an IACS that includes CIP Security-enabled devices.


Zones

Zones are groups to which devices are added. Zones establish the rules for data integrity, data privacy, and the authentication method that is used
to authenticate trusted devices.
• You can have multiple zones in a system and set security policy on a zone-by-zone basis. By using zones, you simplify management of large
sets of devices in a system.
• Zones can include devices that are CIP Security-capable and devices that are not. There can be multiple zones in an IACS network, but a
device can only belong to one zone.
• Once a CIP Security-capable device is added to a zone, the device uses the policy settings of that zone.

Communication between devices in the same zone is implied and mutually trusted. Therefore, you do not have to create conduits between
devices in the same zone.

Figure 3 shows a zone that includes devices that are CIP Security-capable, for example, a ControlLogix 5580 controller, and devices that are not, for
example, a PanelView™ Plus terminal.

Figure 3 - Security Model - Zones

[Figure 3 shows one zone that contains a Logix5585 controller, drive modules, a PanelView Plus terminal, and a 1783-CSP proxy.]


Conduits

Conduits create trusted communication pathways outside of zones. You must have at least two endpoints, that is, zones or devices, to create a
conduit.

Conduits facilitate secure communication in the following ways:


• Zone to zone
• Device to device
• Device to zone

Conduits let you configure trust beyond individual zones using the following methods:
• Trusted IP authentication method - Assigns a trust relationship to an asset based on its IP address. Also known as Allowed.
• Certificate authentication method - Establishes the identity of the device by using a certificate from a trusted authority.

IMPORTANT Currently, a device cannot use multiple pre-shared keys.


If you require communication between a zone that is configured with a pre-shared key and other zones, you must configure
a conduit that uses the Trusted IP authentication method to the other zones.

Figure 4 shows conduits in a system with multiple zones.

Figure 4 - Security Model - Conduits

[Figure 4 shows a PC Zone connected by Conduit 1 and Conduit 2 to Zone 1 and Zone 2; each of the two lower zones contains a Logix5585 controller, drive modules, and a 1783-CSP proxy.]


Security Model
The security model is a fully configured instance of zones, devices, and conduits, along with their respective CIP Security properties, in FactoryTalk
Policy Manager software. The zones and conduits structure the security model. The security model is deployed to the devices in the IACS via
security profiles for individual devices.
If multiple devices use the same security policies and are in the same zone, we recommend that you configure the security policies at
the zone level.
The advantage to configuring security policies at the zone level is that you can configure the policies once and apply them to multiple
devices. This method avoids the possibility of differences in security policies across devices that should use the same policies.

Zone Properties
Table 4 lists the configurable fields that are available when you configure zone properties.

Table 4 - Zone Security Properties


Property and available choices (the Example FactoryTalk Policy Manager Screen column of the table is a screen image that is not reproduced here):
Name: User configurable
Description: User configurable
Enable/Disable CIP Security:
• Enable
• Disable
Authentication Method:
• Certificate
• Pre-Shared Key
I/O Data Security:
• None
• Integrity Only
• Integrity + Confidentiality
Messaging Security:
• Integrity Only
• Integrity + Confidentiality
Disable Ports - HTTP (80):
• Enable
• Disable

IMPORTANT For more information on the Zone Properties, see the FactoryTalk Policy Manager Getting Results Guide, publication
FTALK-GR001.


Conduit Properties

Table 5 lists the configurable fields that are available when you configure conduit security policy.

Table 5 - Conduit Security Properties


Property and available choices (the Example FactoryTalk Policy Manager Screen column of the table is a screen image that is not reproduced here):
Name: User configurable
Description: User configurable
Connection: Endpoint 1 (Device or Zone) and Endpoint 2 (Device or Zone). The connection can be any of the following, based on how you
assign each Endpoint:
• Device-to-Device
• Device-to-Zone
• Zone-to-Zone
Authentication Method:
• Trusted IP
• Certificate
I/O Data Security:
• None
• Integrity Only
• Integrity + Confidentiality
Messaging Security:
• Integrity Only
• Integrity + Confidentiality

IMPORTANT For more information on the Conduit Properties, see the FactoryTalk Policy Manager Getting Results Guide, publication
FTALK-GR001.


Limitations and Considerations


The following are limitations and considerations of the solution from Rockwell Automation to implement CIP Security in an IACS:
• Dual-port Devices
• Initial Security Model Deployment Fails If ControlLogix 5580 Controller is in Run Mode
• Cannot Download to ControlLogix 5580 Controller from Unsecure Workstation
• Workstation Cannot Connect to a Secure ControlLogix 5580 Controller if Security Profiles Do Not Match
• CIP Bridging
• Network Address Translation
• Use of Multicast Connections
• Automatic Device Replacement
• RSLinx Classic Software

Dual-port Devices
Some CIP Security-capable products have dual built-in Ethernet ports. On these devices, the two physical Ethernet ports share one IP address.

You configure CIP Security based on IP address, not physical port. On CIP Security-capable devices with dual built-in Ethernet ports, it does not
matter which physical port is connected to a network. When a security model is deployed, the security policy applies to either port, depending on
which port is connected to the network.

For example, a 1756-EN4TR communication module has dual built-in Ethernet ports with one IP address. Once you configure CIP Security for the
module, port 1 or port 2 can physically be connected to the network and the security policy still applies.

On devices with dual built-in Ethernet ports that are CIP Security-capable, you cannot configure separate security policies for the different
Ethernet ports on the same device.

IMPORTANT Some Rockwell Automation products with dual built-in Ethernet ports let you configure separate IP addresses for each port,
for example, CompactLogix™ 5380 controllers. However, those products are currently not CIP Security-capable devices.

Initial Security Model Deployment Fails If ControlLogix 5580 Controller is in Run Mode

If a ControlLogix 5580 controller is in Run mode, that is, the key switch is in the RUN position, the first time that you attempt to deploy the security
model in FactoryTalk Policy Manager software, the deployment fails. The initial security model deployment is successful if the controller is in
Remote Run, Remote Program, or Program mode.

IMPORTANT This designed limitation protects the controller from a denial-of-service (DoS) attack: the key switch can be moved only by
someone with physical access to the controller, and the asset owner is the only party with that access. Confirm that the
controller mode is Remote Run, Remote Program, or Program so that the initial security deployment is successful. If desired,
you can change the controller to Run mode after the initial deployment; future security model deployments are then successful.

After a ControlLogix 5580 controller has a security profile, the controller mode does not affect future security model deployments.


Cannot Download to ControlLogix 5580 Controller from Unsecure Workstation

This limitation is only present in the following conditions:


• FactoryTalk Policy Manager, version 6.11
• FactoryTalk System Services, version 6.11
• Logix Designer application, version 32
• ControlLogix 5580 controller, firmware revision 32.xxx
To avoid this limitation, upgrade the software and controller firmware that is listed above to the next major versions and
revision, respectively.

After you enable CIP Security in the ControlLogix 5580 controller, you cannot download a Logix Designer application project to the controller after it
has been removed from the zone without first resetting the controller to its factory default settings.

[Figure: an unsecured workstation running Studio 5000 Logix Designer, version 32, cannot download to a ControlLogix 5580 controller, firmware revision 32.xxx, that was removed from its zone, because the security policy has not been cleared via FactoryTalk Policy Manager.]


Workstation Cannot Connect to a Secure ControlLogix 5580 Controller if Security Profiles Do Not Match

A workstation running Logix Designer application that is configured for permitted communication, that is, Authentication Method = Trusted IP,
cannot connect to a ControlLogix 5580 controller that is configured for secure communication, that is, uses the Authentication Method = Certificate
or Authentication Method = Pre-shared Key (PSK).

IMPORTANT Consider the following:


• This designed limitation enforces a high security standard to protect the controller because the controller is the most
valuable asset in the IACS.
• The example below shows the ControlLogix 5580 controller and workstation in the same zone. This limitation applies whether
the controller and workstation are in the same zone or in separate zones but connected via a conduit.

[Figure: a workstation configured for permitted communication and a ControlLogix 5580 controller configured for secure communication in the same zone; the workstation cannot connect to the controller.]

To avoid this limitation, update the workstation security profile to use secure communication.

[Figure: a workstation configured for secure communication and a ControlLogix 5580 controller configured for secure communication in the same zone; the workstation can connect to the controller.]
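The zone and conduit rules given earlier in this chapter (implied trust inside a zone, two endpoints per conduit, Trusted IP conduits out of a pre-shared-key zone) and the security profile mismatch described in this section can all be checked before a model is deployed. The following Python validator is an added example written for this page, not Rockwell Automation code: the Zone, Device, Conduit and Model classes, the kind flags, and the sample model patterned after Figure 4 are an assumed simplification, not FactoryTalk Policy Manager's data model.

```python
"""Toy validator for a CIP Security model of zones, devices, and conduits (added example;
an assumed simplification, not Rockwell Automation code or FactoryTalk Policy Manager's model)."""
from dataclasses import dataclass

# Authentication methods as named in Tables 4 and 5.
CERTIFICATE, PRE_SHARED_KEY, TRUSTED_IP = "Certificate", "Pre-Shared Key", "Trusted IP"

@dataclass(frozen=True)
class Zone:
    name: str
    auth: str = CERTIFICATE       # zone method: Certificate or Pre-Shared Key

@dataclass(frozen=True)
class Device:
    name: str
    zone: str                     # a device belongs to exactly one zone
    kind: str = "other"           # "controller_5580", "workstation" or "other"
    capable: bool = True          # CIP Security-capable product
    secured: bool = True          # enabled for secure (Certificate/PSK) communication

@dataclass(frozen=True)
class Conduit:
    name: str
    endpoints: tuple              # two zone or device names
    auth: str = CERTIFICATE       # conduit method: Trusted IP or Certificate

class Model:
    def __init__(self, zones, devices, conduits):
        self.zones = {z.name: z for z in zones}
        self.devices, self.conduits = list(devices), list(conduits)

    def zone_of(self, name):
        """Zone name for an endpoint given as a zone name or a device name."""
        if name in self.zones:
            return name
        return next((d.zone for d in self.devices if d.name == name), None)

    def members(self, endpoint):
        """Devices covered by an endpoint: a whole zone or a single device."""
        return [d for d in self.devices if endpoint in (d.zone, d.name)]

def _profile_mismatch(where, workstations, controllers):
    """A workstation on Trusted IP cannot connect to a secured ControlLogix 5580."""
    return [("warning", f"{where}: workstation {w.name!r} (Trusted IP) cannot connect "
             f"to secured ControlLogix 5580 {k.name!r}")
            for w in workstations if w.kind == "workstation"
            for k in controllers if k.kind == "controller_5580" and k.secured]

def validate(model):
    """Return (severity, message) findings; an empty list means the model is consistent."""
    out = []
    for d in model.devices:
        if d.zone not in model.zones:
            out.append(("error", f"{d.name}: zone {d.zone!r} does not exist"))
        if d.secured and not d.capable:
            out.append(("error", f"{d.name}: not CIP Security-capable, cannot be secured"))
    for c in model.conduits:
        zones = [model.zone_of(e) for e in c.endpoints]
        if len(set(c.endpoints)) != 2 or None in zones:
            out.append(("error", f"{c.name}: a conduit needs two distinct, known endpoints"))
            continue
        # A device cannot hold more than one pre-shared key, so a conduit that
        # reaches out of a PSK zone must use the Trusted IP method.
        for z in set(zones):
            if model.zones[z].auth == PRE_SHARED_KEY and c.auth != TRUSTED_IP:
                out.append(("error", f"{c.name}: zone {z!r} uses a pre-shared key, so "
                            f"its conduits to other zones must use {TRUSTED_IP}"))
        if c.auth == TRUSTED_IP:
            a, b = (model.members(e) for e in c.endpoints)
            out += _profile_mismatch(c.name, a, b) + _profile_mismatch(c.name, b, a)
    for z in model.zones:   # same zone: permitted workstation beside a secured 5580
        m = model.members(z)
        out += _profile_mismatch(z, [d for d in m if not d.secured], m)
    return out

def can_communicate(model, a, b):
    """Explain whether device a may talk to device b under the model."""
    za, zb = model.zone_of(a), model.zone_of(b)
    if za is None or zb is None:
        return False, "unknown device"
    if za == zb:
        return True, f"same zone {za!r}: trust is implied"
    side_a, side_b = {a, za}, {b, zb}
    for c in model.conduits:
        e1, e2 = c.endpoints
        if (e1 in side_a and e2 in side_b) or (e1 in side_b and e2 in side_a):
            return True, f"via conduit {c.name!r} ({c.auth})"
    return False, f"no conduit between {za!r} and {zb!r}"

def example_model(fixed=False):
    """Constructed model patterned after Figure 4; fixed=True applies the corrections."""
    zones = [Zone("PC Zone"), Zone("Zone 1"), Zone("Zone 2", auth=PRE_SHARED_KEY)]
    devices = [Device("Workstation", "PC Zone", kind="workstation", secured=fixed),
               Device("Controller 1", "Zone 1", kind="controller_5580"),
               Device("Kinetix 5700", "Zone 1"),
               Device("PanelView", "Zone 1", capable=False, secured=False),
               Device("Controller 2", "Zone 2", kind="controller_5580")]
    conduits = [Conduit("Conduit 1", ("PC Zone", "Zone 1"), auth=CERTIFICATE if fixed else TRUSTED_IP),
                Conduit("Conduit 2", ("Zone 1", "Zone 2"), auth=TRUSTED_IP if fixed else CERTIFICATE)]
    return Model(zones, devices, conduits)
```

Running validate(example_model()) reports the Trusted IP workstation that cannot reach Controller 1 and the Certificate conduit leaving the pre-shared-key Zone 2; validate(example_model(fixed=True)) reports nothing.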


CIP Bridging

You cannot configure CIP Security through a CIP bridge. For example, in the following graphic, you can configure Kinetix 5700 Drives_1 and Kinetix
5700 Drives_2 for CIP Security because the Stratix® 5400 switch is transparent.

You cannot configure Kinetix 5700 Drive_3 for CIP Security because it is accessed through a 1756-EN4TR communication module, across the
ControlLogix backplane and out the other 1756-EN4TR communication module. The backplane is a bridge between the communication modules.

You also cannot configure any of the devices on the linear network that is connected to the 1756-EN4TR communication module in slot 3 of the
lower ControlLogix chassis.
[Figure: the devices shown are a workstation running FactoryTalk Policy Manager, FactoryTalk System Services, FactoryTalk Linx, and Studio 5000 Logix Designer; a Stratix 5400 switch; two ControlLogix chassis with 1756-L85E and 1756-EN4TR modules; Kinetix 5700 Drives_1, Kinetix 5700 Drives_2, and Kinetix 5700 Drives_3; PowerFlex 755T Drives_1; and 5069-AEN2TR Compact 5000 I/O, 5094-AENTR FLEX 5000 I/O, and 1734-AENTR POINT I/O adapters.]

Network Address Translation

Network Address Translation (NAT) is supported with CIP Security only if the computer/server with FactoryTalk Policy Manager can access the CIP
Security endpoint via an IP address. That is, the devices behind the NAT have IP addresses that are accessible from devices on the outside.


In this example, the 1756-EN4TR in M1 Zone (Machine 1) can use CIP Security because the Stratix 5700 switch performing the NAT contains a NAT
translation for the 1756-EN4TR and a Gateway Translation. When NAT with routing is configured correctly in a network, the outside computer/server
with FactoryTalk Policy Manager can access the CIP Security endpoint via the Outside translated IP address that is configured in the Stratix 5700
switch.

It is important that NAT is properly configured before you apply any CIP Security implementation. For more information, see Deploying Network
Address Translation within a CPwE Architecture Design and Implementation Guide, publication ENET-TD007.

[Figure: NAT example. The labels and tables recovered from the figure are as follows.]

Layer 3 MAIN Zone Switch routing table:
VLAN ID - Description    IP Address
10 - M1 Zone             10.10.10.1
20 - M2 Zone             10.10.20.1
30 - Main Zone           10.10.30.1
40 - PC Zone             10.10.40.1

PC Zone (VLAN 40, Outside):
• 10.10.40.100 - FactoryTalk Policy Manager, FactoryTalk System Services, FactoryTalk Linx
• 10.10.40.200 - FactoryTalk Linx, Studio 5000®

MAIN Zone (VLAN 30, Outside):
• Line Controller 10.10.30.15

M1 Zone (VLAN 10, Inside, 192.168.1.x/24) and M2 Zone (VLAN 20, Inside, 192.168.1.x/24), each behind a Stratix 5700 IES that performs NAT;
inside hosts .10, .11 - .13, .14 - .16, and .17.

Machine 1 NAT table:
Inside to Outside NAT: M1 1756-EN4TR, Inside 192.168.1.10, Outside 10.10.10.10
Gateway Translation: Outside 10.10.10.1, Inside 192.168.1.1

Machine 2 NAT table:
Inside to Outside NAT: M2 1756-EN4TR, Inside 192.168.1.10, Outside 10.10.20.10
Gateway Translation: Outside 10.10.20.1, Inside 192.168.1.1

Conduit Types:
• (Outside) Device to (Inside) Device
• (Inside) Device to (Inside) Device
• (Outside) Device to (Inside) Device and (Outside) Zone to (Outside) Zone


Use of Multicast Connections

Currently, you cannot use Multicast connections with CIP Security. As a result, you cannot use CIP Security in a ControlLogix Redundancy system.

Automatic Device Replacement


Currently, you cannot use Automatic Device Replacement (ADR) to replace devices in an IACS that uses CIP Security. If you replace a device, you
must redeploy the security model manually.

IMPORTANT This restriction does not apply when you use a 1783-CSP Proxy to connect a proxied device to an IACS that uses CIP Security.
If you replace a proxied device that is connected to a 1783-CSP Proxy with an identical device, that is, same device type,
catalog number, firmware revision, and IP address, you are not required to redeploy the security model.
For more information on how to use a 1783-CSP Proxy in an IACS that has CIP Security implemented, see the CIP Security
Proxy User Manual, publication 1783-UM013.

RSLinx Classic Software

You cannot use RSLinx Classic software to implement CIP Security in an IACS network. You must use FactoryTalk Linx, version 6.11 or greater.



Chapter 3
CIP Security Implementation Process
This section describes the overall process of implementing CIP Security™ with Rockwell Automation® products in a simple IACS.

For information on a more complex IACS, see Chapter 4, CIP Security Implementation Example Architecture on page 57.

You can use the security assessment process to assign security levels to zones and conduits. We recommend that you assign zone and conduit
security levels based on the potential consequences should an attack objective be achieved in that zone.

For more information, see Security Assessment on page 9.

Design and Install the System


You must install software on specific computers and connect hardware devices to EtherNet/IP™ networks.

IMPORTANT You download software at the Rockwell Automation Product Compatibility and Download Center (PCDC).
To visit the PCDC, go to: http://compatibility.rockwellautomation.com/Pages/home.aspx
• FactoryTalk® Policy Manager, version 6.11, and FactoryTalk System Services, version 6.11, are components of FactoryTalk
Services Platform, version 6.11.
When you install FactoryTalk Services Platform, version 6.11, you must select Customize from the installation wizard and
check the boxes for installation of FactoryTalk Policy Manager and FactoryTalk System Services components.
For more information, see the FactoryTalk Policy Manager Getting Results Guide, publication FTALK-GR001.

• FactoryTalk Policy Manager, version 6.20 or later, is an independent installation package. FactoryTalk System Services,
version 6.20 or later, is part of the FactoryTalk Policy Manager installation.
FactoryTalk Services Platform, version 6.20 or later, do not include FactoryTalk Policy Manager or FactoryTalk System
Services.
• Before you migrate from version 6.11 to version 6.20 or later, we recommend that you see the following Rockwell Automation
Knowledgebase articles that are available at https://rockwellautomation.custhelp.com/app/home:
– Backup and restore CIP Security models of FactoryTalk Policy Manager and FactoryTalk System Services
– Fail to migrate existing FactoryTalk System Service data with CIP Security policy models
– FactoryTalk Policy Manager download and install
We recommend that you use the latest version of FactoryTalk Policy Manager.

At a minimum, the IACS design should include the following information:


• Verification of the system components required to implement CIP Security into the IACS network.
• Inventory of existing devices and software, including firmware revisions.
• Detailed observation and documentation of intended system functions and operation.
• Detailed observation and documentation of required data flows between devices.


Remember, the system can include products that are CIP™ Security-capable and products that are not. The CIP Security-capable products
that are currently available from Rockwell Automation are listed in the following sections:
• CIP Security Software Applications on page 15
• CIP Security-capable Hardware Devices on page 17

IMPORTANT Before you implement CIP Security, verify that all devices in the system are installed, configured, and operating as expected.
For example, update firmware revisions as necessary, configure the Logix Designer application project with the devices, and
download the project to the devices.

Identify, Organize, and Create Zones


Zones are groups to which devices are added. Devices that share security requirements for a particular function, and that you want to trust
each other, can be added to the same zone.

When devices are added to the zone, communication between the devices is implied while still letting mutual trust be established through an
exchange of certificates or pre-shared keys. It is worth noting that any device in a zone that is deemed to be ‘trusted’ is only trusted by other
devices in the same zone, not all devices in the IACS.

For example, if a ControlLogix® 5580 controller and Kinetix® 5700 drives are added to Zone 1 and certificates are used with integrity, the devices are
authenticated by exchanging certificates with each other.

Devices that are not CIP Security-capable in the same zone as CIP Security-enabled devices can communicate through standard EtherNet/IP
connections (TCP port 44818 and UDP port 2222). As a result, you are not required to create an allowed list for the devices that are not CIP
Security-capable.

You can create zones and add other computers/servers that do not use FactoryTalk Linx software but still require communication with IACS devices.
The devices that do not use FactoryTalk Linx are added as generic devices. This lets you easily create Trusted IP conduits between the computers/
servers and the IACS devices.

Figure 5 - System Implementation - Zones
[Figure: PC Zone above Zone 1 and Zone 2, each zone containing the devices listed in Table 6; device artwork not reproduced.]


After you identify and organize the zones, create a detailed security matrix that lists what devices occupy each zone.

Table 6 is a security matrix with zones and devices.


Table 6 - Security Matrix - Zones and Devices
PC Zone:
• FactoryTalk Linx, FactoryTalk Policy Manager, FactoryTalk System Services(1)
• Studio 5000 Logix Designer(2)
• FactoryTalk View
Zone 1:
• ControlLogix® 5580 controller
• 1756-EN4TR EtherNet/IP communication module
• Kinetix 5700 servo drives
• PowerFlex® 755T drive
• PanelView™ Plus terminal(3)
Zone 2:
• ControlLogix 5580 controller
• 1756-EN4TR EtherNet/IP communication module
• Kinetix 5700 servo drives
• PowerFlex 755T drive
• PanelView Plus terminal(3)
(1) This group of software is installed on the same server/computer.
(2) This software is installed on a separate computer from FactoryTalk Linx, FactoryTalk Policy Manager, and FactoryTalk System Services.
(3) This device is not CIP Security-capable.

Create a Zone
1. In the FactoryTalk Policy Manager navigation bar, choose Zones.
2. On the toolbar next to ZONES, click [+].


A zone is added to the list with the following default values:


• Name - Zone #
• Description - None
• Enable CIP Security - Not selected by default. Check Enable CIP Security to configure CIP Security-related settings.

3. Add devices to the zone. You can add devices in three ways:
• Discover devices via FactoryTalk Linx.
• Manually add devices.
• Add all devices in an IP address range.


Configure the Zone


1. In the FactoryTalk Policy Manager navigation bar, choose Zones.
The ZONES column displays a list of the configured zones.
2. In the ZONES column, choose a zone.
3. Change the properties of the zone as appropriate.

If a zone includes devices that are not CIP Security-capable, a warning notification appears in the zone properties. An allowed list is not needed,
however. All CIP Security-capable devices in the zone automatically allow this device.

The yellow triangle indicates that non-CIP Security-capable devices are in the zone.

For more information on zones, see the following:


• FactoryTalk Policy Manager software online help
• FactoryTalk Policy Manager Getting Results Guide, publication FTALK-GR001

Identify, Organize, and Create Conduits


Conduits create explicit trusted communication pathways between zones, zones and devices, and between devices in separate zones. After you
create, identify, and organize the conduits, update the security matrix to detail the conduits.

Figure 6 - System Implementation - Conduits
[Figure: Conduit 1 between PC Zone and Zone 1, Conduit 2 between PC Zone and Zone 2; device artwork not reproduced.]

Table 7 is an example of an updated security matrix after conduits are identified and organized.

In the table, the intersection of a Source row and a Destination column represents the endpoints of the conduit between the zones. For example,
the cell at column 2/row 3 indicates that Conduit 2 uses a Zone-to-Zone pathway between PC Zone and Zone 2.
Table 7 - Security Matrix - Conduits
Source \ Destination   PC Zone                   Zone 1                    Zone 2
PC Zone                Permit(1)                 Conduit 1: Zone-to-Zone   Conduit 2: Zone-to-Zone
Zone 1                 Conduit 1: Zone-to-Zone   Permit                    Denied
Zone 2                 Conduit 2: Zone-to-Zone   Denied                    Permit
(1) Default permitted pathway.


Create a Conduit
1. In the FactoryTalk Policy Manager navigation bar, choose Conduits.
2. On the toolbar, click [+].

The CONDUIT PROPERTIES pane opens.


3. In Endpoint 1, next to Select an endpoint, choose Browse for Endpoint [...].


4. Select the endpoint.

You can choose a zone or device to assign as the first endpoint of the conduit.

In Filter, you can type part of the name to list only endpoints that match that criterion.

5. Click OK.


6. In Endpoint 2, next to Select an endpoint, choose Browse for Endpoint [...].

7. Select the endpoint.

You can choose a zone or device to assign as the second endpoint of the conduit.

In Filter, you can type part of the name to list only endpoints that match that criterion.


8. Click OK.

9. Click Next.


The first conduit appears in the Conduits list.

If you must create another conduit, repeat the process, starting at step 2 on page 37.

Configure the Conduit


1. In the FactoryTalk Policy Manager navigation bar, choose Conduits, and choose the conduit that you want to configure.

CONDUIT PROPERTIES is automatically opened to the most recently configured conduit.


To edit another conduit, select a conduit from the list to display its properties.


2. Change the conduit properties as needed.

If both endpoints are CIP Security-capable, configure CIP Security Communication.
• In I/O Data Security and Messaging Security, choose one of the following:
- Integrity only - Use to check whether the data or message was altered and to reject altered information.
- Integrity & Confidentiality - Use to check integrity and also encrypt the data or message, so that the corresponding decryption key is required
to read the information. Rejects altered and/or untrusted information while also protecting the confidentiality of the information.
• In I/O Data Security, click None to stop using additional security checks on I/O data.

For more information on conduits, see the following:


• FactoryTalk Policy Manager software online help
• FactoryTalk Policy Manager Getting Results Guide, publication FTALK-GR001


Identify and Create Security Features/Policies


Security policies are created based on device capabilities and operational functions of automation applications.

Figure 7 - System Implementation - Security Policies
[Figure: PC Zone joined by Conduit 1 to Zone 1 and by Conduit 2 to Zone 2; device artwork not reproduced.]

After you identify and create security features/policies, update the security matrix so that it details the security policies that apply to each
conduit, for example, whether certificates or pre-shared keys are used, whether confidentiality is enabled or disabled, and which Trusted IP
(allowed) lists apply.

Table 8 is an updated security matrix with security features and policies defined.
Table 8 - Security Matrix - Security Features and Policies
Conduit 1 (Zone to Zone): PC Zone to Zone 1 (secure communication with FactoryTalk Linx)
Security Policy - Secure FactoryTalk Linx Communication:
• Certificates
• Integrity
• Confidentiality

Conduit 2 (Zone to Zone): PC Zone to Zone 2 (secure communication with FactoryTalk Linx)
Security Policy - Secure FactoryTalk Linx Communication:
• Certificates
• Integrity
• Confidentiality

Trusted IP (allowed) (Zone/Device to Zone/Device; non-CIP Security-capable devices):
PC Zone endpoint - Device: FactoryTalk Network Manager (IP address: xxx.xxx.xxx.xxx)
Zone 1 - Devices:
• Kinetix 5700 drive (IP address: xxx.xxx.xxx.xxx)
• ControlLogix 5580 controller (IP address: xxx.xxx.xxx.xxx)
• 1756-EN4TR module (IP address: xxx.xxx.xxx.xxx)
• PanelView Plus terminal (IP address: xxx.xxx.xxx.xxx)
• PowerFlex 755T drive (IP address: xxx.xxx.xxx.xxx)
Zone 2 - Devices:
• Kinetix 5700 drive (IP address: xxx.xxx.xxx.xxx)
• ControlLogix 5580 controller (IP address: xxx.xxx.xxx.xxx)
• 1756-EN4TR module (IP address: xxx.xxx.xxx.xxx)
• PanelView Plus terminal (IP address: xxx.xxx.xxx.xxx)
• PowerFlex 755T drive (IP address: xxx.xxx.xxx.xxx)


Deploy Security Model


After the zones, conduits, and device security policies have been configured, the resulting security model can be deployed.

Clicking Deploy in FactoryTalk Policy Manager software triggers FactoryTalk System Services to deploy the security model. FactoryTalk System
Services runs in the background; you do not take any action in the client.

IMPORTANT Before a deployed security model becomes active, communication must be reset to all configured devices, resulting in a
short loss of connectivity.

Once the security model is deployed and active on a device, that is, once communication on the device has been reset, the device accepts
communication only from other devices in the same zone, or through conduits that are configured to enable communication with other security
zones or devices.

Before deploying a security model, make sure that all devices are operational and have network access.

After the security model is deployed and active on all affected devices, FactoryTalk Policy Manager and FactoryTalk System Services are no longer
required for real-time operations. They are required again if changes to the security model must be deployed.

To deploy the model, complete the following steps.


1. On the FactoryTalk Policy Manager toolbar, select Deploy.

2. Review the Deploy dialog box.

The list of devices identifies the devices to be configured when this model is deployed.

IMPORTANT If the list contains unexpected devices, click CANCEL and then change the model as needed.


3. Complete the following steps.


a. Choose the Deployment scope based on your application.
• Select Changed device communication ports only for differential deployment.
• Select All device communication ports in the model for full deployment.

We recommend that you use the default option, Changed device communication ports only.

b. Choose one of the following options for when to reset the communication channels for the items included in the security model.

The following types of deployment are available:


• During deployment - The CIP connection is closed and reopened on the device during the deployment process.

Similar to when the network card on a computer is reset, the device stays functional but is disconnected from the network for a few
moments. This option applies the new policy to the device when the policy is deployed.
• After deployment - Security policy changes are applied to devices with existing connections only after those connections are closed and
reopened. For example, you can close and reopen existing connections by cycling power to a device, or by inhibiting and uninhibiting the
connection.

IMPORTANT With the After deployment option, the security policy is applied to each connection individually. If the connection reset
is postponed and an unexpected connection drop occurs, the system can enter a state in which the security policy
operates only in parts of the system.
In this case, unexpected connection outages can occur. Connection outages are difficult to track. We recommend that
you use extreme caution when using the After deployment option.


This option is useful if there is a scheduled maintenance reset process in your environment that can be relied upon to perform this
function.

4. Click DEPLOY.

The Results pane updates with the results of the deployment as it occurs. After deployment is complete, a summary report lists the successes,
failures, and errors encountered during the process.

For information on how to deploy a security model, see the FactoryTalk Policy Manager Getting Results Guide, publication FTALK-GR001.


Back Up the Security Model


You are not required to back up the security model. However, we strongly recommend that you back it up after each policy deployment to keep
the backup files synchronized with the current security policy.

Back up FactoryTalk System Services to save a copy of the security model and its associated certificates. After the model has been created, the
FactoryTalk System Services backup file is included with the FactoryTalk Services Platform backup when it is performed.

IMPORTANT You must have Administrator privileges to back up FactoryTalk System Services.

To back up the security model, complete the following steps.


1. Open a command prompt as an Administrator.
2. In the command prompt window type:

cd C:\Program Files (x86)\Rockwell Software\FactoryTalk System Services


3. Run the backup utility by typing one of the following commands:
• FTSSBackupRestore -B -PW "password" (FactoryTalk System Services, version 6.11)
• FtssBackupRestore -B -P "password" (FactoryTalk System Services, version 6.20 or later)
Creates an encrypted backup of the data using the password that is supplied in quotation marks. This password must be supplied to
restore the data.

4. The backup.zip file is created. The file is included in the FactoryTalk Services Platform backup.

Verify that the file is present in the following location:

C:\ProgramData\Rockwell\RNAServer\Global\RnaStore\FTSS_Backup

The ProgramData folder is hidden by default in Windows File Explorer.

Save Security Model Backup to Another Secure Location


We recommend that you save the backup.zip file to another secure location in addition to the FTSS_Backup folder described previously.

Different From FactoryTalk Directory Backup File

FactoryTalk Directory provides a central lookup service for all products participating in an application, including the FactoryTalk System
Services application. We recommend that you create FactoryTalk backup files to preserve and restore a FactoryTalk system if there is a system failure.

To be clear, a FactoryTalk Directory backup does not include product backup files. You must back up individual applications separately from a
FactoryTalk Directory backup. However, once you create a backup of the Security Model (FTSS_Backup folder), this folder is included in the
FactoryTalk Directory Backup when performed.

For more information on how to back up the FactoryTalk Directory, see the FactoryTalk Security System Configuration Guide,
publication FTSEC-QS001.


Restore FactoryTalk System Services


Restore FactoryTalk System Services to return the FactoryTalk System Services databases to a known good state.

IMPORTANT Consider the following:


• If you restore FactoryTalk System Services, the security model backup folder is automatically deleted. For this reason, we
recommend that you save the security model backup file in a separate location, as described on page 47.
• Restoring FactoryTalk System Services requires administrator privileges.

To restore a FactoryTalk System Services database, complete the following steps.


1. Verify the backup.zip file is present in the following location:

C:\ProgramData\Rockwell\RNAServer\Global\RnaStore\FTSS_Backup
2. Open a command prompt as an Administrator.
3. In the command prompt window type:

cd C:\Program Files (x86)\Rockwell Software\FactoryTalk System Services


4. Run the FactoryTalk System Services Backup & Restore Utility by typing one of these commands:
• FTSSBackupRestore -R -PW "password" (FactoryTalk System Services, version 6.11)

or
• FTSSBackupRestore -R -P "password" (FactoryTalk System Services, version 6.20 or later)

Restores an encrypted backup of the databases that is decrypted using the password that is supplied after the -P parameter. Quotation
marks are optional.

You can restore a FactoryTalk System Services database backup in a later revision of software. For example, you can open a backup of a
FactoryTalk System Services database, version 6.11 with version 6.20 or later.

IMPORTANT Before you migrate from version 6.11 to version 6.20 or later, we recommend that you see the following Rockwell Automation
Knowledgebase articles that are available at https://rockwellautomation.custhelp.com/app/home:
– Backup and restore CIP Security models of FactoryTalk Policy Manager and FactoryTalk System Services, click here
– Fail to migrate existing FactoryTalk System Service data with CIP Security policy models, click here
– FactoryTalk Policy Manager download and install, click here
We recommend that you use the latest version of FactoryTalk Policy Manager.
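The backup step, the off-box copy, and the restore precheck described in this section can be scripted so that the password flag is chosen by FactoryTalk System Services version and the copy is verified before a restore ever deletes the FTSS_Backup folder. The following Python is an added example, not part of this publication or of the FactoryTalk System Services Backup & Restore Utility. It assumes the install path and backup location quoted in the procedure, that the utility is FTSSBackupRestore.exe in that install directory, and it uses a constructed backup.zip and a placeholder destination (\\backup-server\ftss) for the demonstration.

```python
"""Helpers around the FactoryTalk System Services Backup & Restore Utility.
Added example, not part of the Rockwell publication or the utility itself. It
assumes the install and backup paths named in the procedure; the off-box
destination and the backup.zip used by demo() are constructed placeholders."""
import hashlib
import os
import shutil
import subprocess
import tempfile
from typing import Dict, List

FTSS_DIR = r"C:\Program Files (x86)\Rockwell Software\FactoryTalk System Services"
BACKUP_ZIP = r"C:\ProgramData\Rockwell\RNAServer\Global\RnaStore\FTSS_Backup\backup.zip"


def ftss_command(mode: str, version: str, password: str) -> List[str]:
    """Command line for mode "-B" (backup) or "-R" (restore) on a given FTSS version.

    Version 6.11 takes the password after -PW; 6.20 and later take -P. The page
    spells the utility FTSSBackupRestore and FtssBackupRestore; Windows file
    names are case-insensitive, so one spelling is used here.
    """
    if mode not in ("-B", "-R"):
        raise ValueError("mode must be -B or -R")
    major, minor = (int(p) for p in version.split(".")[:2])
    if (major, minor) < (6, 11):
        raise ValueError(f"version {version} is not covered by this procedure")
    flag = "-PW" if (major, minor) < (6, 20) else "-P"
    return ["FTSSBackupRestore", mode, flag, password]


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def copy_backup_offsite(src: str, dest_dir: str, label: str) -> Dict[str, str]:
    """Copy backup.zip to a second location and verify the copy by SHA-256.

    The copy is named with a label (for example the deployment date) so that the
    backup taken after each deployment does not overwrite the previous one; a
    .sha256 file beside it records the digest for later verification.
    """
    if not os.path.isfile(src):
        raise FileNotFoundError(f"{src} not found; did the backup step succeed?")
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, f"ftss-backup-{label}.zip")
    shutil.copy2(src, dest)
    digest = sha256_of(src)
    if sha256_of(dest) != digest:
        raise IOError(f"copy at {dest} does not match {src}")
    with open(dest + ".sha256", "w") as f:
        f.write(f"{digest}  {os.path.basename(dest)}\n")
    return {"source": src, "copy": dest, "sha256": digest}


def restore_precheck(backup_zip: str, offsite_copy: str) -> bool:
    """Restoring deletes the FTSS_Backup folder, so confirm first that backup.zip
    is in place and matches the digest recorded with the off-box copy."""
    if not os.path.isfile(backup_zip) or not os.path.isfile(offsite_copy + ".sha256"):
        return False
    with open(offsite_copy + ".sha256") as f:
        recorded = f.read().split()[0]
    return sha256_of(backup_zip) == recorded


def run_utility(mode: str, version: str, password: str) -> None:
    """Run the vendor utility from its install directory (Windows only).
    Assumes the executable is FTSSBackupRestore.exe in FTSS_DIR."""
    cmd = ftss_command(mode, version, password)
    cmd[0] = os.path.join(FTSS_DIR, cmd[0] + ".exe")
    subprocess.run(cmd, check=True)


def demo() -> Dict[str, str]:
    """Offline round trip: constructed backup.zip -> off-box copy -> restore precheck."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "FTSS_Backup", "backup.zip")
        os.makedirs(os.path.dirname(src))
        with open(src, "wb") as f:
            f.write(b"PK\x05\x06" + b"\x00" * 18)   # constructed: an empty zip archive
        result = copy_backup_offsite(src, os.path.join(tmp, "offsite"), "2021-08-01")
        result["precheck"] = str(restore_precheck(src, result["copy"]))
        return result


if __name__ == "__main__":
    import getpass
    pw = getpass.getpass("FTSS backup password (needed again to restore): ")
    run_utility("-B", "6.20", pw)
    print(copy_backup_offsite(BACKUP_ZIP, r"\\backup-server\ftss", "post-deploy"))
```

The password is prompted for at run time rather than stored in the script, because the same password is required to restore the data. Passing the command as an argument list lets Windows apply any quoting the password needs, which is why the quotation marks from the manual steps do not appear in the code.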


Remove the Security Policy


If necessary, you can remove the security policy from software applications and hardware devices.

Remove the Security Policy From a Software Application


You can use the following to remove the security policy from FactoryTalk Linx:
• FactoryTalk Policy Manager

When you use the FactoryTalk Policy Manager method, you not only remove the security policy from FactoryTalk Linx, but the computer with
FactoryTalk Linx on it also no longer appears in FactoryTalk Policy Manager.

The FactoryTalk Policy Manager method only works if the computer with FactoryTalk Policy Manager is accessible to the computer with
FactoryTalk Linx on it.
• FactoryTalk Administration Console

If the computer with FactoryTalk Policy Manager is not accessible to the computer with FactoryTalk Linx on it, you must use the FactoryTalk
Administration Console method.

When you use the FactoryTalk Administration Console method, you remove the security policy from FactoryTalk Linx.

You must then return to FactoryTalk Policy Manager to delete the computer with FactoryTalk Linx, and then redeploy the model so that the
other devices can update their trust models.

Remove Security Policy From FactoryTalk Linx Via FactoryTalk Policy Manager
1. In the FactoryTalk Policy Manager navigation bar, select Devices, and then select the device.


2. Above the list of devices, click Delete.

After you click Delete, the device stays in the table but is crossed out. The device no longer appears in the list after you deploy the updated
security model in the next step.

3. Deploy the security model as described starting on page 44, and choose to reset the communication channels During deployment.


Remove Security Policy From FactoryTalk Linx Via FactoryTalk Administration Console


1. Start FactoryTalk Administration Console for an IACS that is online and has a security policy in place.
2. At the bottom of the Explorer pane, click the Communications tab.

3. Right-click FactoryTalk Linx and choose Properties.

The Device Properties dialog box appears.


4. Complete the following steps.


a. Click the CIP Security tab.
b. Click Reset CIP Security.
c. Click OK.

For more information on how to use FactoryTalk Administration Console, see the software online help.


Remove the Security Policy From a Device

You can use the following ways to remove the security policy from a device:
• Via FactoryTalk Policy Manager - There are two methods with this option:
- Option 1 - Change the device security policy.
- Option 2 - Delete the device from the security model.

The FactoryTalk Policy Manager methods only work if the computer with FactoryTalk Policy Manager is accessible to the device.
• Reset device to factory default settings

If the computer with FactoryTalk Policy Manager is not accessible to the device, you can use this method.

Remove Security Policy From a Device Via FactoryTalk Policy Manager - Option 1
1. In the FactoryTalk Policy Manager navigation bar, select Devices, and then select the device.

PORT PROPERTIES are displayed.


2. In the Policies area, change the security policies for the device.

In Zone, choose either Unassigned or a zone that is not CIP Security enabled.

3. Deploy the security model as described starting on page 44, and choose to reset the communication channels During deployment.

The device security policy is reset to none.

Remove Security Policy From a Device Via FactoryTalk Policy Manager - Option 2
1. In the FactoryTalk Policy Manager navigation bar, select Devices, and then select the device.


2. Above the list of devices, click Delete.

After you click Delete, the device stays in the table but is crossed out. After you deploy the updated security model, the device no longer
appears in the list.

3. Deploy the security model as described starting on page 44, and choose to reset the communication channels During deployment.

IMPORTANT If the device cannot be reached when the deployment attempts to clear the security policy from the device, the attempt fails and
the security policy remains in the device.


Remove Security Policy From a Device By Resetting Device to Factory Default State

You can remove the security policy from a device by resetting the device to its factory default state.

IMPORTANT The methods by which you reset devices to their factory default, and the conditions of each device when it is in its factory
default state, vary.
Before you reset a device to its factory default state to remove the security policy, be aware of the impact the reset can have
on your IACS in general.
Resetting a device to its factory default state can affect the overall system in ways unrelated to CIP Security.

For information on how to reset a device to its factory default state, see the technical documentation for the device.

Replace a CIP Security-enabled Device in the System

Complete the following steps to replace a CIP Security-enabled device in an IACS that has CIP Security implemented. In this scenario, the
replacement device is the same type and has the same configuration, for example, the same IP address, as the original device.


1. Disconnect the original device from the network.
2. Connect the new device to the network.
3. In the FactoryTalk Policy Manager navigation bar, select Replace Device.

4. When the dialog box appears, choose when to reset device communication on ports included in the model, and click Deploy.



Chapter 4
CIP Security Implementation Example Architecture
This section describes an example IACS with CIP Security™ implemented.

Phase One of Implementation


In the first phase of the CIP Security implementation, you secure communication between the Computer (PC) zone and each IACS zone. The degree
to which you secure communication depends on your system needs.

For more information on the CIP™ Security properties that you can use to secure communication, see Secure Data Transport on page 13.

We recommend that you secure communication between the Computer zone and each IACS zone because the Computer zone, with its Windows-based
operating systems, presents the most vulnerabilities.

In this phase, you complete the following tasks:


• Create Zones
• Create Zone-to-Zone Conduits
• Deploy Security Policies

Create Zones

Create zones and add all applicable devices, including CIP Security-capable and non-CIP Security-capable devices:
• PC Zone (FactoryTalk® Site servers and engineering workstations [EWS])
• Cell Zone A (Controller zone)
• Cell Zone B (I/O zone)
• Cell Zone C (Controller zone)

IMPORTANT The example zones shown in this section are all in the same subnet/VLAN.


Figure 8 - CIP Security Architecture - Zones
[Figure: PC Zone (FactoryTalk Policy Manager, FactoryTalk System Services, FactoryTalk Linx, Studio 5000 Logix Designer®, FactoryTalk View) above
Cell Zone A, Cell Zone B, and Cell Zone C. Device labels in the figure: L85_Line1, L85_Motion, 1756-EN4TR module, 1783-CSP Proxy module,
1734-AENTR POINT I/O™ modules, Kinetix® 5700 servo drives_1 and servo drives_2, PanelView™ Plus terminal_1 and PanelView Plus terminal,
PowerFlex® 755T drives; device artwork not reproduced.]

Table 9 is a security matrix with zones and devices.


Table 9 - Security Matrix - Zones
PC Zone Software:
• FactoryTalk Linx, FactoryTalk Policy Manager, FactoryTalk System Services(1)
• Studio 5000 Logix Designer(1)
• FactoryTalk View
Cell Zone A:
• L85_Line1
• 1756-EN4TR module
• 1783-CSP proxy
• 1734-AENTR module(2)
• PanelView Plus terminal_1(2)
• PowerFlex 755T drive
• PowerFlex 755T drive
Cell Zone B:
• Kinetix 5700 servo drives_1
Cell Zone C:
• L85_Motion
• 1756-EN4TR module
• Kinetix 5700 servo drives_2
• PanelView Plus terminal(2)
• PowerFlex 755T drive
• PowerFlex 755T drive
(1) This group of software is installed on the same server/computer.
(2) This device is not CIP Security-capable.


Create Zone-to-Zone Conduits


1. Create zone-to-zone conduits for secure CIP connections from the FactoryTalk Linx data server and engineering workstation in the PC Zone
to each of the cell zones named Cell Zone A, B, and C:
• PC Zone to Cell Zone A
• PC Zone to Cell Zone B
• PC Zone to Cell Zone C

Figure 9 - CIP Security Architecture - Conduits
[Figure: the Figure 8 architecture with conduits from the PC Zone (FactoryTalk Policy Manager, FactoryTalk System Services, FactoryTalk Linx,
Studio 5000 Logix Designer, FactoryTalk View) to Cell Zone A, Cell Zone B, and Cell Zone C. Device labels in the figure: L85_Line1, L85_Motion,
1756-EN4TR module, 1783-CSP Proxy module, 1734-AENTR POINT I/O modules, Kinetix 5700 servo drives_1 and servo drives_2, PanelView Plus
terminal_1 and PanelView Plus terminal, PowerFlex 755T drives; device artwork not reproduced.]

Table 10 is an example of an updated security matrix after conduits are identified and organized.
Table 10 - Security Matrix - Conduits
Source \ Destination | PC Zone | Cell Zone A | Cell Zone B | Cell Zone C
PC Zone | Permit(1) | Conduit 1: Zone-to-Zone | Conduit 2: Zone-to-Zone | Conduit 3: Zone-to-Zone
Cell Zone A | Conduit 1: Zone-to-Zone | Permit | Denied | Denied
Cell Zone B | Conduit 2: Zone-to-Zone | Denied | Permit | Denied
Cell Zone C | Conduit 3: Zone-to-Zone | Denied | Denied | Permit
(1) Default pathway.


Configure Conduit Security Policies

Configure the conduit security policies that use certificates and message integrity for the following conduits:
• Between the FactoryTalk Linx software and the ControlLogix® 5580 controller in Cell Zone A (Controller zone).
• Between the FactoryTalk Linx software and the Kinetix 5700 drives in Cell Zone B (I/O zone).
• From the FactoryTalk Linx software to the ControlLogix 5580 controller in Cell Zone C (Controller zone) through a 1756-EN4TR communication
module.

Optionally, you can establish an allowed list from the PC Zone to the IP address of each non-CIP Security-capable device.

Figure 10 - CIP Security Architecture - Conduit Security Policies

Figure content (device labels only; the drawing is not reproduced): PC Zone with FactoryTalk Policy Manager, FactoryTalk System Services, FactoryTalk Linx, Studio 5000 Logix Designer, and FactoryTalk View. Cell Zone A with L85_Line1, 1756-EN4TR module, 1783-CSP Proxy, 1734-AENTR module, POINT I/O modules, PanelView Plus terminal_1, and two PowerFlex 755T drives. Cell Zone B with Kinetix 5700 servo drives_1 and Kinetix 5700 servo drives_2. Cell Zone C with L85_Motion, 1756-EN4TR module, PanelView Plus terminal, and two PowerFlex 755T drives.
Legend: Zone to Zone Conduit; Integrity; Certificate; Allowed.


Table 11 is an example of an updated security matrix after the conduit security policies are configured.
Table 11 - Security Matrix - Conduit Security Policies Matrix

Secure Linx Communication: Conduits 1, 2, and 3 (secure communication with FactoryTalk Linx)
Conduit type: Zone to Zone
Source: PC Zone; destinations: Cell Zone A, Cell Zone B, Cell Zone C
Security policy:
• Certificates
• Integrity
• Confidentiality

Trusted IP (allowed), non-CIP Security-capable devices
Conduit type: Zone Device-to-Zone Device
Source: PC Zone; device: FactoryTalk® Network Manager™; IP address: 192.168.1.100
Destination: Cell Zone A - Devices
• L85_Line1 (192.168.1.8)
• 1756-EN4TR module (192.168.1.9)
• 1783-CSP proxy (192.168.1.10)
• 1734-AENTR module (192.168.11)
• PanelView Plus terminal_1 (192.168.1.12)
• PowerFlex 755T drive (192.168.1.13)
• PowerFlex 755T drive (192.168.1.14)
Destination: Cell Zone C - Devices
• L85_Motion (192.168.3.8)
• 1756-EN4TR module (192.168.3.9)
• PanelView Plus terminal (192.168.3.10)
• PowerFlex 755T drive (192.168.3.11)
• PowerFlex 755T drive (192.168.3.12)

Deploy Security Policies

Deploy the security policies to the devices as described on page 44.


Phase Two of Implementation


In the second phase of the CIP Security implementation, you secure device-to-device communication to achieve micro-segmentation. You reuse the
zones that were created in the first phase.

Create a Device-to-Device Conduit

Create a device-to-device conduit for a secure CIP connection from the ControlLogix 5580 controller in Cell Zone A (Controller zone) to the
ControlLogix 5580 controller in Cell Zone C (Controller zone).

Figure 11 - CIP Security Architecture - Device-to-Device Conduit Added

Figure content (device labels only; the drawing is not reproduced): PC Zone with FactoryTalk Policy Manager, FactoryTalk System Services, FactoryTalk Linx, Studio 5000 Logix Designer, and FactoryTalk View. Cell Zone A with L85_Line1, 1756-EN4TR module, 1783-CSP Proxy, 1734-AENTR module, POINT I/O modules, PanelView Plus terminal_1, and two PowerFlex 755T drives. Cell Zone B with Kinetix 5700 servo drives_1 and Kinetix 5700 servo drives_2. Cell Zone C with L85_Motion, 1756-EN4TR module, PanelView Plus terminal, and two PowerFlex 755T drives.
Legend: Zone to Zone Conduit; Device to Device Conduit; Integrity; Certificate; Allowed.


Create a Zone-to-Device Conduit

Create a zone-to-device conduit from the Kinetix 5700 drives in Cell Zone B (I/O zone) to the ControlLogix 5580 controller in Cell Zone C
(Controller zone).

Figure 12 - CIP Security Architecture - Zone-to-Device Conduit Added

Figure content (device labels only; the drawing is not reproduced): PC Zone with FactoryTalk Policy Manager, FactoryTalk System Services, FactoryTalk Linx, Studio 5000 Logix Designer, and FactoryTalk View. Cell Zone A with L85_Line1, 1756-EN4TR module, 1783-CSP Proxy, 1734-AENTR module, POINT I/O modules, PanelView Plus terminal_1, and two PowerFlex 755T drives. Cell Zone B with Kinetix 5700 servo drives_1 and Kinetix 5700 servo drives_2. Cell Zone C with L85_Motion, 1756-EN4TR module, PanelView Plus terminal, and two PowerFlex 755T drives.
Legend: Zone to Zone Conduit; Device to Device Conduit; Zone to Device Conduit; Integrity; Certificate; Allowed.

Table 12 is an example of an updated security matrix after conduits are identified and organized.
Table 12 - Security Matrix - Device-to-Device and Zone-to-Zone Conduits Added
Source \ Destination | PC Zone | Cell Zone A | Cell Zone B | Cell Zone C
PC Zone | Permit(1) | Conduit 1: Zone-to-Zone | Conduit 2: Zone-to-Zone | Conduit 3: Zone-to-Zone
Cell Zone A | Conduit 1: Zone-to-Zone | Permit | Denied | Conduit 4: Device-to-Device
Cell Zone B | Conduit 2: Zone-to-Zone | Denied | Permit | Conduit 5: Zone-to-Device
Cell Zone C | Conduit 3: Zone-to-Zone | Denied | Denied | Permit
(1) Default pathway.


Create Conduit Security Policies

Create the conduit security policies that use certificates, message integrity, and data encryption between endpoints in Conduit 4 and Conduit 5.

Figure 13 - CIP Security Architecture - Conduit Security Policies

Figure content (device labels only; the drawing is not reproduced): PC Zone with FactoryTalk Policy Manager, FactoryTalk System Services, FactoryTalk Linx, Studio 5000 Logix Designer, and FactoryTalk View. Cell Zone A with L85_Line1, 1756-EN4TR module, 1783-CSP Proxy, 1734-AENTR module, POINT I/O modules, PanelView Plus terminal_1, and two PowerFlex 755T drives. Cell Zone B with Kinetix 5700 servo drives_1 and Kinetix 5700 servo drives_2. Cell Zone C with L85_Motion, 1756-EN4TR module, PanelView Plus terminal, and two PowerFlex 755T drives.
Legend: Zone to Zone Conduit; Device to Device Conduit; Zone to Device Conduit; Integrity; Certificate; Allowed; Encryption.


Table 13 is an example of an updated security matrix after the conduit security policies are configured.
Table 13 - Security Matrix - Conduit Security Policies Matrix

Secure Linx Communication: Conduits 1, 2, and 3 (secure communication with FactoryTalk Linx)
Conduit type: Zone-to-Zone
Source: PC Zone; destinations: Cell Zone A, Cell Zone B, Cell Zone C
Security policy:
• Certificates
• Integrity
• Confidentiality

Secure Controller Communication: Conduit 4 (secure communication with originator and target)
Conduit type: Device-to-Device
Endpoints: L85_Line1, L85_Motion
Security policy:
• Certificates
• Integrity
• Confidentiality

Secure I/O Communication: Conduit 5 (secure communication with originator and target)
Conduit type: Zone-to-Device
Endpoints: L85_Motion, Cell Zone B
Security policy:
• Certificates
• Integrity
• Confidentiality

Trusted IP (allowed), non-CIP Security-capable devices
Conduit type: Zone Device to Zone Device
Source: PC Zone; device: FactoryTalk Network Manager; IP address: 192.168.1.100
Destination: Cell Zone A - Devices
• L85_Line1 (192.168.1.8)
• 1756-EN4TR module (192.168.1.9)
• 1783-CSP proxy (192.168.1.10)
• 1734-AENTR module (192.168.11)
• PanelView Plus terminal_1 (192.168.1.12)
• PowerFlex 755T drive (192.168.1.13)
• PowerFlex 755T drive (192.168.1.14)
Destination: Cell Zone C - Devices
• L85_Motion (192.168.3.8)
• 1756-EN4TR module (192.168.3.9)
• PanelView Plus terminal (192.168.3.10)
• PowerFlex 755T drive (192.168.3.11)
• PowerFlex 755T drive (192.168.3.12)
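
Phase one and phase two together amount to a small policy model: traffic inside a zone takes the default pathway, traffic between zones is permitted only where a conduit exists, the most specific conduit (device-to-device, then zone-to-device, then zone-to-zone) carries the certificate, integrity and confidentiality policy, and devices that cannot use CIP Security are reached only through the trusted IP (allowed) list. The Python below is an added example, not Rockwell code and not anything FactoryTalk Policy Manager exports: it encodes the five conduits of Tables 10 through 13, resolves the effective pathway for a device pair, and derives the Table 12 matrix from the conduit list. The device-to-zone mapping, the precedence order, and the rule that a certificate-based conduit cannot terminate on a non-CIP Security-capable device are assumptions drawn from the page's tables and notes.

```python
# Added example: a constructed policy model of the page's example architecture, not Rockwell code.
from dataclasses import dataclass

ZONES = ["PC Zone", "Cell Zone A", "Cell Zone B", "Cell Zone C"]
# Device -> zone for a subset of the devices in Table 9 / Table 11 (constructed mapping).
DEVICE_ZONE = {
    "FactoryTalk Linx": "PC Zone",
    "L85_Line1": "Cell Zone A", "1734-AENTR module": "Cell Zone A",
    "Kinetix 5700 servo drives_1": "Cell Zone B",
    "L85_Motion": "Cell Zone C", "PanelView Plus terminal": "Cell Zone C",
}
NON_CIP_SECURITY = {"1734-AENTR module", "PanelView Plus terminal"}  # footnote (2) devices
FULL = frozenset({"certificates", "integrity", "confidentiality"})     # policy used in Table 13
TRUSTED_IP = {"192.168.1.100"}   # PC-zone host on the trusted IP (allowed) list
# Assumed resolution order: a more specific conduit wins over a broader one.
RANK = {"device-to-device": 0, "zone-to-device": 1, "zone-to-zone": 2}


@dataclass(frozen=True)
class Conduit:
    name: str
    kind: str        # "zone-to-zone", "device-to-device" or "zone-to-device"
    a: str           # endpoint: a zone name or a device name
    b: str
    policy: frozenset


CONDUITS = [
    Conduit("Conduit 1", "zone-to-zone", "PC Zone", "Cell Zone A", FULL),
    Conduit("Conduit 2", "zone-to-zone", "PC Zone", "Cell Zone B", FULL),
    Conduit("Conduit 3", "zone-to-zone", "PC Zone", "Cell Zone C", FULL),
    Conduit("Conduit 4", "device-to-device", "L85_Line1", "L85_Motion", FULL),
    Conduit("Conduit 5", "zone-to-device", "Cell Zone B", "L85_Motion", FULL),
]


def zone_of(name):
    return name if name in ZONES else DEVICE_ZONE[name]


def matches(c, src, dst):
    """True when one conduit endpoint covers src and the other covers dst."""
    s, d = {src, zone_of(src)}, {dst, zone_of(dst)}
    return (c.a in s and c.b in d) or (c.b in s and c.a in d)


def resolve(src, dst, src_ip=None, conduits=CONDUITS):
    """Return (verdict, pathway, policy) for CIP traffic from device src to device dst."""
    if zone_of(src) == zone_of(dst):
        return "permit", "default pathway", frozenset()   # intra-zone traffic
    hits = sorted((c for c in conduits if matches(c, src, dst)), key=lambda c: RANK[c.kind])
    for c in hits:
        if c.policy and (src in NON_CIP_SECURITY or dst in NON_CIP_SECURITY):
            continue   # a certificate/integrity policy cannot terminate on a non-capable device
        return "permit", c.name, c.policy
    if dst in NON_CIP_SECURITY and src_ip in TRUSTED_IP:
        return "permit", "trusted IP (allowed)", frozenset()   # plain CIP, no protection
    return "deny", None, frozenset()


def zone_matrix(conduits=CONDUITS):
    """Derive the Table 12 style source x destination view from the conduit list."""
    table = {s: {} for s in ZONES}
    for s in ZONES:
        for d in ZONES:
            hits = sorted((c for c in conduits if {zone_of(c.a), zone_of(c.b)} == {s, d}),
                          key=lambda c: RANK[c.kind])
            table[s][d] = ("Permit" if s == d
                           else f"{hits[0].name}: {hits[0].kind}" if hits else "Denied")
    return table
```

Running zone_matrix() reproduces the Conduit 4 and Conduit 5 cells of Table 12 from the conduit definitions alone, and resolve() shows that a PC-zone host reaches the 1734-AENTR module only through the trusted IP list, never through Conduit 1.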

Deploy Security Policies

Deploy the updated security policies to the devices as described on page 44.



Index

Numerics
1783-CSP CIP Security Proxy
description 17

A
attack types
denial of service 8
man-in-the-middle 8
monitor data 8
automatic device replacement 29

B
back up
FactoryTalk Directory 47
security model 47

C
certificates 12
CIP bridging 27
CIP Security components 19 - 21
conduits 21
devices 19
zones 20
CIP Security properties
data confidentiality 14
data integrity and authentication 14
device identity and authentication 14
CIP Security-capable
hardware 17
1783-CSP CIP Security Proxy 17
ControlLogix 5580 controllers 17
ControlLogix EtherNet/IP communication module (1756-EN4TR) 17
Kinetix 5300 drives 17
Kinetix 5700 drives 17
PowerFlex 755T drives 17
software 15
FactoryTalk Linx 16
FactoryTalk Policy Manager 16
FactoryTalk System Services 16
Studio 5000 Logix Designer 16
conduits 21, 36 - 42
configure 41
create 37 - 41
security matrix 59
security policy properties 23


connections
multicast 29
ControlLogix 5580 controllers
description 17
ControlLogix EtherNet/IP communication module (1756-EN4TR)
description 17
countermeasures
data confidentiality 11
data integrity and authentication 11
device identity and authentication 11

D
data confidentiality
description 14
data integrity and authentication
description 14
defense-in-depth architecture 10
denial-of-service attack 8
deploy
no deploy to controller in run mode 24
security model 44 - 46
device identity and authentication 12
certificates 12
description 14
pre-shared keys 12
dual-port devices
limitations with CIP Security 24

F
FactoryTalk Administration Console
remove security configuration from FactoryTalk Linx 51
FactoryTalk Directory
back up 47
FactoryTalk Linx
description 16
FactoryTalk Policy Manager
description 16
remove security policy from a device 49 - 56
FactoryTalk System Services
back up 47
description 16
restore 48

K
Kinetix 5300 drives
description 17
Kinetix 5700 drives
description 17


L
limitations
automatic device replacement 29
CIP bridging 27
multicast connections 29
no connection between workstation and controller 26
no deployment to controller in run mode 24
no download from unsecure workstation 25
using dual-port devices 24
using network address translation 27

M
man-in-the-middle attack 8
monitor data attack 8
multicast connections 29

N
network address translations
limitations with CIP Security 27

P
PowerFlex 755T drives
description 17
pre-shared keys 12

R
remove security policy
from a device 53 - 56
from a software application 49 - 52
restore
FactoryTalk System Services 48
risk assessment 9

S
security assessment
conduct threat assessment 9
perform risk assessment 9
perform vulnerability assessment 9
security matrix
conduits 59
zones and devices 33, 58
security model
back up 47
deploy 44 - 46


security policy
remove from a device 49 - 56
security policy properties
conduits 23
zones 22
Studio 5000 Logix Designer
description 16

T
threat assessment 9

V
vulnerability assessment 9

Z
zones 20, 32 - 35
configure 35
create 33
security matrix 33
security policy properties 22


Additional Resources
These documents contain additional information concerning related products from Rockwell Automation.

Resource | Description
FactoryTalk Policy Manager Getting Results Guide, publication FTALK-GR001 | Describes how to install and use FactoryTalk System Services and FactoryTalk Policy Manager.
FactoryTalk Security System Configuration Guide Quick Start, publication FTSEC-QS001 | Describes how to use FactoryTalk Services Platform with FactoryTalk Security.
Deploying CIP Security within a Converged Plantwide Ethernet Architecture Design Guide, publication ENET-TD022 | Describes security architecture use cases for designing and deploying CIP Security technology across plant-wide or site-wide Industrial Automation and Control System (IACS) applications.
System Security Design Guidelines Reference Manual, publication SECURE-RM001 | Describes guidelines for how to use Rockwell Automation products to improve the security of your industrial automation system.
ControlLogix 5580 and GuardLogix 5580 Controllers User Manual, publication 1756-UM543 | Describes how to design, implement, and maintain an industrial control system that uses ControlLogix® or GuardLogix®-based controllers.
ControlLogix EtherNet/IP Network Devices User Manual, publication 1756-UM004 | Describes how to use ControlLogix EtherNet/IP communication modules with a Logix 5000™ controller and communicate with devices on the EtherNet/IP network.
Kinetix 5700 Servo Drives User Manual, publication 2198-UM002 | Describes how to use a Kinetix® 5700 drive system with associated power supplies, single-axis inverters, dual-axis inverters, and accessory modules in a Logix 5000 control system.
PowerFlex 750-Series AC Drives Reference Manual, publication 750-PM001 | Describes how to install, start up, and troubleshoot PowerFlex 750-Series Adjustable Frequency AC Drives.
Kinetix 5300 Servo Drives User Manual, publication 2198-UM005 | Describes how to use a Kinetix 5300 drive system with associated power supplies and accessory modules in a Logix 5000 control system.
CIP Security Proxy User Manual, publication 1783-UM013 | Describes how to use a CIP Security Proxy to provide secure communication for non-CIP Security-capable devices.
Industrial Automation Wiring and Grounding Guidelines, publication 1770-4.1 | Provides general guidelines for installing a Rockwell Automation industrial system.
Product Certifications website: rok.auto/certifications | Provides declarations of conformity, certificates, and other certification details.

You can view or download publications at rok.auto/literature.



Rockwell Automation Support
Use these resources to access support information.

Technical Support Center | Find help with how-to videos, FAQs, chat, user forums, and product notification updates. | rok.auto/support
Knowledgebase | Access Knowledgebase articles. | rok.auto/knowledgebase
Local Technical Support Phone Numbers | Locate the telephone number for your country. | rok.auto/phonesupport
Literature Library | Find installation instructions, manuals, brochures, and technical data publications. | rok.auto/literature
Product Compatibility and Download Center (PCDC) | Download firmware, associated files (such as AOP, EDS, and DTM), and access product release notes. | rok.auto/pcdc

Documentation Feedback
Your comments help us serve your documentation needs better. If you have any suggestions on how to improve our content, complete the
form at rok.auto/docfeedback.

Allen-Bradley, Compact 5000, CompactLogix, ControlLogix, expanding human possibility, FactoryTalk, FactoryTalk Network Manager, FLEX 5000, Kinetix, Logix 5000, POINT I/O, PowerFlex, PanelView,
Rockwell Automation, RSLinx, Stratix, Studio 5000, and Studio 5000 Logix Designer are trademarks of Rockwell Automation, Inc.
CIP, CIP Security, and EtherNet/IP are trademarks of ODVA, Inc.
Trademarks not belonging to Rockwell Automation are property of their respective companies.

Rockwell Automation maintains current product environmental compliance information on its website at rok.auto/pec.

Rockwell Otomasyon Ticaret A.Ş. Kar Plaza İş Merkezi E Blok Kat:6 34752, İçerenköy, İstanbul, Tel: +90 (216) 5698400 Complies with the EEE Regulation

Publication SECURE-AT001B-EN-P - August 2021


Supersedes Publication SECURITY-AT001A-EN-P - September 2019 Copyright © 2021 Rockwell Automation, Inc. All rights reserved. Printed in the U.S.A.
